Whistleblowing Notice
of StudioTech Ltd.

1. GENERAL

1.1. The present Whistleblower Notice ("Notice") is intended to provide you with clear and easily accessible information about the terms and conditions for reporting a breach through an internal channel of StudioTech Ltd., Unified Identification Code 206612535, with seat and registered address at Tsarigradsko Shose Blvd. No. 141, floor 3, 1784 Sofia, Bulgaria (the "Company"), pursuant to the Whistleblower Protection Law (the "Law").

2. WHAT BREACHES CAN YOU REPORT?

You may report breaches of Bulgarian or European Union law in the following areas:

financial services, products and markets; and the prevention of money laundering and terrorist financing;
protection of privacy and personal data;
security of networks and information systems;
breaches affecting the financial interests of the European Union within the meaning of Article 325 of the Treaty on the Functioning of the European Union (TFEU);
breaches relating to the internal market, as referred to in Article 26(2) of the TFEU;
breaches relating to cross-border tax schemes;
an offence of a general nature of which you have become aware in connection with the performance of your work or the performance of your duties;
the rules on the payment of outstanding public state and municipal debts;
employment law.

The full list of areas regarding breaching reports and public disclosures by Whistleblowers can be consulted in Art. 3 of the Law.

3. WHO CAN SUBMIT A REPORT?

3.1. A natural person may submit reports and/or publicly disclose information about breaches known to him/her in his/her capacity as:

an employee, public servant or other person performing work in exchange for payment, regardless of the nature of the work, the method of payment or the source of funding;
a person working without an employment relationship and/or in a liberal profession and/or craft activity;
volunteer or trainee;
partner, shareholder, sole proprietor, member of the management or supervisory body of a commercial company, member of the audit committee of an undertaking;
a person working for a natural or legal person, its subcontractors or suppliers;
a person whose employment or service is about to commence in cases where Information concerning the breach was obtained during the recruitment process or other pre-contractual relationship;
an employee, where the information was obtained in the course of an employment or service relationship which has terminated at the time of the report of a breach or its public disclosure.

3.2. Protection shall be granted to:

persons who assist the Whistleblower in the reporting process and whose assistance should be confidential;
persons who are related through work or relatives of the Whistleblower and who may be retaliated against for the reported breach;
legal entities in which the Whistleblower has an ownership interest, works for, or is otherwise associated with in a business context.

3.3. In the event that whistleblowing is credible and justified, the protection under the Law shall be available to you from the time of the report or public disclosure of information about a breach.

4. WHAT ARE THE CONDITIONS TO GET PROTECTION?

4.1. You have the right to a defence provided that you:

4.1.1 had reasonable cause to believe that the information provided about the breach in the report was correct at the time of submission and that such information falls within the scope of section 2.

4.1.2 made a report regarding a breach in compliance with the Law.

4.3. You will not be prosecuted or protected in respect of anonymous reporting (unless you have been subsequently identified).

5. HOW AND WHERE CAN YOU REPORT A BREACH? WHAT SHOULD THE REPORT CONTAIN?

5.1. In the event that you wish to report breaches referred to in section 2 and if there is reasonable cause to believe that the information is correct, you may do so by one of the following means:

sending an e-mail to: [email protected]. After an initial review and confirmation that the report falls under the scope of the Law, as well as in cases where any irregularities need to be corrected, we will contact you within 7 days;
reporting orally in a face-to-face meeting with a member of the Legal Department.

5.2. If an oral report is made, we will record it on a form which you will be asked to sign if you wish.

5.3. The report must contain at least: three names, address and telephone number of the sender, e-mail address (if available), names of the person against whom the report is made (where the report is made against specific persons and they are known), specific details of the offence or of a real risk of such an offence being committed, place and period of the offence, if any, description of the offence or the situation and other circumstances as far as such are known to the Whistleblower, date and signature.

5.4. We will take immediate action to ensure your confidentiality.

5.4. In addition, you also have the right to report to an external channel, namely the Commission for Personal Data Protection https://www.cpdp.bg, and the right to publicly disclose the information, in accordance with the Law.

6. WHAT CAN YOU EXPECT AFTER YOU REPORT A BREACH?

6.1. Once you have reported a breach, we will check whether it is credible and, if so, we will register it and notify you within 7 days of receiving the report. After registering the report, we will take the necessary follow-up action to uncover the objective truth and gather all necessary evidence, including from the parties concerned and the person against whom the report has been made, while respecting the confidentiality and privacy of your personal data.

6.2. If, on examining the validity of the report, we establish that it does not fall within the scope of the Law or is not made by a person with any of the capacities listed under 3.1, we will cease the examination and will notify you of the decision and the basis on which it was made.

6.3. If necessary, we may contact you for further information and documentation.

6.4. In the event that there is a reasonable belief that there is a risk of retaliatory, discriminatory action, and that effective measures will not be taken to verify the reported information, the breach may be communicated through an external submission channel, namely to the Commission for Personal Data Protection.

6.5. Once we have produced a written report and before 3 months have elapsed since the whistleblowing, we will contact you to provide feedback.

6.6. Where the breach is minor and does not warrant further follow-up action and in the case of a repeated report that does not contain new information relevant to the breach, the file on your report may be closed.

6.7. If, after receiving the report, we determine that it relates to the activities of another legal entity that is subject to the requirements of the Law, we will forward the report to the internal channel of this entity and notify you of the action and the basis on which it was taken.

6.8. The Company shall consider all whistleblowing reports in accordance with the principles of confidentiality, impartiality, fairness, independence and absence of conflict of interest.

6.9. The Company shall ensure that Whistleblowers are protected from retaliatory actions that disadvantage them and shall not allow such actions to take place within its organisation.

7. YOUR LIABILITY

7.1. The reporting of breaches or public disclosure of false information shall be liable for administrative penalties under Article 45 of the Law.

7.2. In the event of manifestly false or misleading statements of fact, your report will be returned with instructions to correct the statements and a warning of the liability you bear, namely a fine of up to BGN 7,000.

8. WHISTLEBLOWER NOTICE AVAILABILITY

8.1. This Notice is available on our website, namely [INSERT LINK], and prominently displayed at our offices.

9. PERSONAL DATA

9.1. StudioTech Ltd. will process your personal data for the purposes of handling a report of a breach.

9.2. The information relating to or made known in connection to a reported breach, as well as the identity of the Whistleblower and the person concerned, and other persons named in the report, are protected. Access to your personal data will only be granted to those responsible for handling reports, as well as governmental and supervisory authorities, in cases defined by law.

10. UPDATING THE WHISTLEBLOWER NOTICE

10.1. This notice may be subject to amendment, with the latest effective date being 12.01.2026. Any future changes or additions to information described in this notice that affect you will be communicated to you through an appropriate channel depending on the usual mode of communication.

NOTICE ON THE CONFIDENTIALITY OF PERSONAL DATA PROCESSED IN RELATION TO REPORTS ON BREACHES

PURPOSE

The purpose of this notice is to inform individuals about how we process the personal data of whistleblowers or persons who publicly disclose information about breaches, of persons other than the whistleblower who are afforded protection, and of persons against whom a report is made.

WHO WE ARE?

The controller of personal data is StudioTech Ltd., a solely owned limited liability company incorporated in the Republic of Bulgaria, Unified Identification Code 206612535, with seat and registered address at Mladost district, Floor 3, 141 Tsarigradsko shose blvd., Sofia 1784 ("the Company", "we").

PERSONAL DATA WE PROCESS

Data identifying you	Name, national ID number or date of birth, details of the capacity in which you are submitting the report
Contact details	Current or permanent address, email, phone number
Other information included at your discretion in your report	Other data you have included at your discretion in connection with the report
Other information provided on the basis of your explicit consent	We may also process special categories of data, subject to your explicit consent
Information relating to the persons to whom protection is granted as well as the persons concerned	Names, position, capacity in which the person submits the report, telephone number, correspondence address and/or e-mail address, and other data that may be provided in connection with the report

BASIS FOR PROCESSING

The basis for the processing of the personal data described above is for the purpose of fulfilling a legal obligation under the Whistleblower Protection Law, SG No. 11 of 2 February 2023, effective 4 May 2023 (the "Law"), namely: for the purpose of providing an internal whistleblowing channel.

PROCESSING PURPOSES

The purposes of processing personal data are as follows:

Report registration and handling;
Providing protection to the whistleblower, the individuals related to the whistleblower, as well as the person concerned;
To fulfil an obligation imposed by Bulgarian or European Union law in the context of investigations by national authorities or judicial proceedings, including with a view to guaranteeing the right of defense of the person concerned;
To hold the whistleblower accountable and to protect the legitimate interests of the Company in the cases defined by law.

CONFIDENTIALITY OF INFORMATION

We protect information related to whistleblowing, including but not limited to the identities of whistleblowers and persons concerns, and take necessary measures to protect that information.

Access to information relating to whistleblowing, including the identity of whistleblowers and persons concerned, shall be provided, subject to the Law, only to employees and other persons within the Company and to the person responsible and designated for registering and handling the reports.

Within the Company, access to the information shall be limited to the employees responsible for registering and handling the reports. A person against whom a report has been made shall not have access to the information relating to that report, except where the provision of the information is required by law. Access may also be granted to other people depending on the specifics of a particular case.

Disclosure of the identity of the whistleblower and/or other information concerning the report shall be authorized only with the express consent of the whistleblower.

Notwithstanding the foregoing, the identity of the whistleblower, and any other information from which the identity of the whistleblower may be revealed, directly or indirectly, may be disclosed where this is necessary and is a proportionate obligation imposed by Bulgarian or European Union (EU) law in the context of investigations by national authorities or legal proceedings, including with a view to ensuring the right of defence of the person concerned.

YOUR RIGHTS

The Company shall provide to persons reporting or publicly disclosing information about breaches, to persons other than the whistleblowers who are afforded protection, and to persons against whom a report has been made, all the rights set out in national and European legislation, including the right:

on request, to receive all necessary information relating to the processing of the data provided by you, including, if possible, a copy;
to request from the Company access to, rectification, erasure/deletion of personal data or restriction of the processing of personal data, if the prerequisites for this are present;
to object to the processing, as well as to lodge a complaint with the supervisory authority - the Commission for Personal Data Protection (CPDP) (Sofia 1592, 2 Tsvetan Lazarov Blvd. or www.cpdp.bg) in case of unlawful processing of data;
to withdraw your consent at any time, without negative consequences for you, when the basis for processing is consent;
to exercise your right to portability.

In certain cases, informing the whistleblower at an early stage may be detrimental to internal reports examination. Where, at the Company's discretion, it is considered that there is a high risk that providing access will impede the procedure or undermine the rights and freedoms of others, the Company may impose a restriction on the provision of specific information or a delay in its provision.

All requests related to personal data such as: information, access, deletion, withdrawal of consent, etc. described above, shall be made in writing, signed by you and transmitted to the Company for processing at the e-mail address: [email protected] or at the Company's management address. The request must contain three names and, in the event that it relates to specific personal data - these should be specified, together with the precise right being exercised.

DATA PRIVACY MEASURES

The Company has put in place technical and organizational measures to protect information relating to whistleblowing, including the identity of whistleblowers and affected individuals, against unauthorized, accidental or unlawful destruction, loss, alteration, misuse, disclosure or access and against all other types of unlawful processing. Special attention shall be paid to sensitive data. Some of the measures taken are: encryption, pseudonymization, redundancy, access control, strict confidentiality, periodic training, etc.

DATA TRANSFER OUTSIDE THE EUROPEAN ECONOMIC AREA

Your personal data is not transferred outside the EU/EEA. Should such processing be necessary, appropriate safeguards will be used to ensure that such transfer is carried out in accordance with applicable data protection rules, including legal grounds.

CONSERVATION PERIOD

data and materials relating to a specific report shall be kept for a period of 5 (five) years;
in the event of disciplinary, administrative, criminal and/or civil proceedings, the data shall be kept until the final conclusion of such proceedings and for a period of 5 (five) years thereafter, for the purpose of establishing, exercising and defending against legal claims, actions, administrative and other acts, unless a shorter or longer retention period is specified by law or other regulatory act;
data which are found to be manifestly irrelevant to a report shall be kept for up to 2 (two) months after their irrelevance has been established.

UPDATING THE PRIVACY NOTICE

This notice may be subject to change and was last updated on 12.01.2026. Any future changes or additions to the processing of personal data described in this notice will be communicated through an appropriate channel.

Whistleblowing Noticeof StudioTech Ltd.