PRIVACY STATEMENT 

Last updated 28 January 2026

1. GENERAL INFORMATION

This Privacy Statement (“Statement”) explains how Marktlink Capital (“we”, “us” and “our”) collects, uses, shares and protects personal data.

This Statement applies to:

• Visitors of our website (https://www.marktlinkcapital.com/nl/),

• Users of our investor platform

• Users of our app

• Clients/investors and business partners

• Job applicants and event participants

We are committed to processing personal data incompliance with the General Data Protection Regulation (EU) 2016/679(“GDPR”), its implementation in national law (Uitvoeringswet Algemene verordening gegevensbescherming (“UAVG”)) and other applicable data protection laws.

Personal data is any information related to a specific natural person, such as their name or IP address.

By using any part of our services, visiting our website or app and/or applying for a job application through our website, you acknowledge that your information will be collected, used, and disclosed as outlined in this Privacy Statement.

1.1 Controller Information

The controller of personal data within the meaning of Art. 4 (7) GDPR is Marktlink Capital Management Coöperatief U.A., Trompenburgstraat 2 C, 1079TX Amsterdam, the Netherlands.

If you have any questions related tothis Privacy Statement, please reach out at: privacy@marktlinkcapital.com

1.2. Purposes of Processing and Legal Bases

We only process personal data if this permitted by one of the following legal bases for data processing:

• Art. 6(1)(a) GDPR serves as our legal basis for processing operations for which you have explicitly agreed to such processing (for example, but not limited to, newsletters, non-essential cookies, and consent about retaining data from job applications beyond the standard period).

• Art. 6(1)(b) GDPR is the legal basis when the processing of your personal data is necessary for the performance of a contract (for example, but not limited to, investor onboarding or providing access to the investor platform). This legal basis also applies to processing that is necessary for pre-contractual measures, such as processing an applicant’s job application as part of a recruitment process or in cases of inquiries about our products.

• Art. 6(1)(c) GDPR applies when the processing of personal data is required by law. These cases may include, not exhaustively, for example, obligations under the Dutch Anti-Money Laundering and Anti-Terrorist Financing Act ("Wwft"), tax law and/or financial regulatory requirements we are subject to.

• Art. 6(1)(f) GDPR serves as the legal basis when we can rely on legitimate interests to process personal data (for example, but not limited to, cookies that are strictly necessary for the technical operation of our website).

1.3. Data Sharing

Within Marktlink Capital, access to personal data is limited to employees and departments that need it to fulfil our contractual and legal obligations or to perform operational tasks. This ensures that data are shared strictly on a need-to-know basis.

1.4. Transfer of personal data to third parties

We may share data with trusted service providers, who process data on our behalf under Data Protection Agreements, in accordance with Art. 28 GDPR. These providers acting as processors are bound by our instructions, are contractually required to implement appropriate security measures, and are regularly monitored by us. We limit any disclosure of personal data to what is strictly necessary and always take into account the relevant data protection requirements.

In addition, we may share personal data with public authorities, regulators, professional advisors, or other third parties, acting as independent controllers, where this is necessary to perform a contract(Article 6(1)(b) GDPR), to comply with a legal obligation (Article 6(1)(c)GDPR), or where we have a legitimate interest in doing so (Article 6(1)(f)GDPR). Before relying on legitimate interest, we ensure that your rights andfreedoms are not overridden.

Finally, we will only transfer your personal data to third parties in certain cases if you have given your express consent to do so in accordance with Art. 6 (1)(a) GDPR. You can withdraw your consent at any time by contacting us at the email address mentioned in this Statement.

We ensure that all data sharing is limited to what is necessary and carried out under appropriate safeguards in compliance with applicable data protection laws. In case more information is needed, you can contact us at the email address mentioned in this Privacy Statement.

1.5. Data Processing outside the EEA

In principle, we are not transferring personal data to service providers or partners located outside the European Economic Area (EEA). However, in cases where this may happen, we ensure that such transfers are carried out in accordance with applicable data protection laws (Art. 44 – 50 GDPR) and that an adequate level of protection is guaranteed. To keep this Privacy Statement concise and easy to read, we do not describe the specific circumstances or safeguards in detail.

For more information, you may contact us at the email address mentioned in this Privacy Statement.

1.6. Data Storage (Location)

We generally only store personal data on our servers within the European Union (EU).

Where we engage external service providers to process data on our behalf, these processors may only store or use the data for as long as necessary to perform their contractual duties and must delete or return the data once their assignment ends, unless a longer retention period is required by law.

Any disclosures or transfers outside the EU will take place only as described in this Statement and in compliance with the applicable data protection requirements.

1.7. Data Retention (Storage duration)

Unless otherwise specified in this Privacy Statement, we delete personal data once it is no longer necessary for the purposes for which it was collected and provided that no statutory retention obligations require otherwise. If deletion is not possible because the data must be retained for other legitimate or legal reasons, the processing of such data will be restricted. In such cases, thedata will be securely blocked and not processed for any purposes, other than those for which they must be retained, such as compliance with commercial or tax law obligations.

1.8. Data Subjects Rights

You can assert your rights as a data subject with regard to your processed personal data against us at any time using the contact details provided in this Privacy Statement. As a data subject, you have the following rights, provided that the legal requirements are met:

• Right of access (Art. 15 GDPR): request information about your personal data processed by us;

• Right to correction (Art. 16 GDPR): request the immediate correction of incorrect personal data stored by us or the completion of your personal data;

• Right to deletion (“right to be forgotten”) (Art. 17 GDPR): request the erasure of your personal data stored by us, unless processing is necessary for reasons arising from the law;

• Right to restrict the processing (Art. 18 GDPR): request the restriction of the processing of your personal data, insofar as the legal requirements are met;

• Right to data portability (Art. 20 GDPR): receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller;

• Right to object to the processing (Art. 21 GDPR): object to the processing of your personal data if there are reasons for doing so that arise from your particular situation;

• Right to revoke consent at any time (Art. 7(3) GDPR). As a result, we are no longer allowed to continue the data processing based on this consent in the future;

• Right to lodge a complaint (Art. 77 GDPR): file a complaint with the competent supervisory authority. The competent authority in the Netherlands is the Autoriteit Persoonsgegevens ("Dutch Data Protection Authority"). Further information and contact details are available at https://www.autoriteitpersoonsgegevens.nl/en

1.9. How to Exercise your Rights

To exercise your rights, please contact us at theemail address mentioned in this Privacy Statement. We will respond to your request without undue delay and at least within one month of the receipt of the request as specified by Art. 12(3) GDPR.

1.10. Obligation to provide data

In the context of establishing and maintaining a business-or investment relationship, we are legally required to collect certain personal data. We may only be able to provide certain services to a limited extent or not at all if you do not provide the necessary data.

1.11. No automatic decision making

In principle, we do not use a fully automated decision-making process in accordance with Article 22 GDPR when establishing or managing business or other relationships. Should we apply such procedures in individual cases, we will inform you separately in advance, where required by law.

2. NEWSLETTER

We collect:

• Name and email address

• Subscription preferences and consent record

We reserve the right to occasionally contact investors who have already used our services, or have downloaded our teaser, by e-mail to inform them about new investment opportunities. This processing is based on our legitimate interest in maintaining customer relationships and promoting our own services(Art. 6(1)(f) GDPR, recital 47). Clients maintain the right to object to receiving this type of communication at any time, free of charge, by using the unsubscribe link included in each e-mail or by contacting us at privacy@marktlinkcapital.com

Based on the consent of the recipients (Art.6(1)(a) GDPR), we also measure the opening and click-through rate of our newsletters to understand what is relevant for our audience.

We send newsletters with HubSpot of the provider HubSpot,Inc., 25 1st Street Cambridge, MA 0214, USA. The provider processes content, usage, meta/communication data and contact data in the EU. Further information is available in the provider's privacy policy at https://legal.hubspot.com/privacy-policy

3. USE OF THE WEBSITE

3.1. Personal data we collect

During the use of our website, we collect the personal data that the browser transmits to our server in order to ensure the stability and security of our website. The legal basis for that collection is Art. 6(1)(f) GDPR.

This data is:

• IP address and browser type/version

• Operating system and its interface

• Date and time of access

• Time zone difference to Greenwich Mean Time (GMT)

• Access status/HTTP status code

• Amount of data transferred in each case

• Language and version of the browser software

3.2. Contact Form

Through the contact form we may further collect the data requested there, such as name, email address and the content of the message with any other details provided voluntarily. The legal basis for the processing of this data is our legitimate interest in answering inquiries directed to us and therefore the legal basis for the processingprocessing is Art. 6(1)(f) GDPR.

For this purpose we use Hubspot. The provider is HubSpot, Inc., 25 1st Street Cambridge, MA 0214, USA. In doing so, the provider processes the personal data transmitted via the website,e.g. content, usage, meta/communication data or contact data, in the EU. Further information is available in the provider's privacy policy at https://legal.hubspot.com/privacy-policy

3.3. Vacancies

We publish vacant positions on our website, on pages linked to the website or on third-party websites.

The processing of personal data provided as part of a job application is carried out for the purpose of managing and evaluating the recruitment process. Where the processing of this information is necessary to decide whether to enter into an employment relationship, the legal basis is Article 6(1)(b) GDPR, in combination with Art. 88 GDPR. We indicate which information is essential for the application process. If applicants do not provide this data, we cannot process the application. Any additional information provided voluntarily is used with consent as legal basis (Art. 6(1)(a) GDPR).

If any information on political, religious beliefs, and similarly sensitive data in the applicants’ CV and cover letter is provided, we cannot prevent their processing as part of the application process. Their processing is then also based on the consent of the applicants (Art. 9 (2)(a) GDPR).

Finally, we process the applicants' data for furtherapplication procedures if they have given us their consent to do so. In thiscase, the legal basis is Art. 6(1)(a) GDPR.

We pass on the applicants' data to the responsibleemployees in the HR department and to the employees otherwise involved in theapplication process.

If we enter into an employment relationship with theapplicant following the application process, this data will become partof their personnel record and will be deleted only after theemployment relationship has ended. Otherwise, we delete the data no laterthan four (4) weeks after rejecting an applicant.

If applicants have given us their consent to use their datafor further application procedures as well, we will not delete their datauntil one year after receiving the application.

3.4. Web Hosting

Our website is hosted by Hubspot. The provideris HubSpot Inc., 21 1st Street Cambrigde, MA 0214, USA. Indoing so, the provider processes the personal data transmitted via the website,e.g. content, usage, meta/communication data, or contact data, in theEU. Further information is available in the provider's privacy policyat https://legal.hubspot.com/privacy-policy

3.5. Log-in area

We maintain a log-in area for ourclients, operated on our behalf by Eleven. To access this area,users enter their email address and password directly into the provider’senvironment. These credentials are processed and stored solely by the providerfor authentication purposes, in the EU as per our Data ProcessingAgreement with Eleven. We do not have access to or store these logindetails. The processing is carried out for the purpose of providingclients with secure access to their account and related services. Thelegal basis for this processing is the performance of a contract (Article6(1)(b) GDPR).

The provider is HFIN One, LLC (Eleven), 33 Nasau Ave,Brooklyn, NY 11222, USA. Further information is available in theprovider’s privacy policy at https://platformeleven.io/privacy

3.6. Cookies and Similar Technologies

Our website uses cookies. Cookies are small text files thatare stored in the web browser on the end device of a site visitor. Cookies helpto make the use of the website more user-friendly, effective, andsecure.

3.6.1. Technically Necessary Cookies

Some cookies are essential for the proper operation of ourwebsite and its core functions (hereinafter "Technically NecessaryCookies"). The use of such cookies and the related data processing arebased on Art. 6(1)(f) GDPR. We have a legitimate interest in providingcustomers and other site visitors with a functional website.

3.6.2. Analytics and Marketing Cookies

We also use cookies that are not strictly necessary but help us improve our website and understand how it is used. These include analytics cookies (for visitor statistics) and, where applicable, marketing cookies (for displaying relevant advertisements or tracking campaign effectiveness). These cookies are only used with the data subject’s prior consent pursuant to Art. 6(1)(a) GDPR. The consent can be given, withdrawn, and managed at any time through the cookie banner displayed on our website or via the browser settings.

Further and detailed information for the Cookies used on our Website can be found in our Cookies Policy.

4. USE OF THE APP
4.1. Downloading the app

Our app is ready for download at Apple’s AppStore and Google’s Play Store (hereinafter “Stores”). Whenusers download the app, certain data is transmitted to thestore and processed by the respective provider, i.e. inparticular username, email address and customer number of theaccount, time of download, and the individual deviceidentification number. We have no influence over this datacollection and are not responsible for the processing activities ofthese Stores.

For more information regarding how these providers handle your data, please refer to their respective privacy policies:

Apple Inc., 1 Infinite Loop, Cupertino, CA 95014, USA. More informationinformation is available in the provider's privacy policy https://www.apple.com/legal/privacy/en-ww/

Google Ireland Limited, Gordon House, Barrow Street, Dublin4 Ireland. More information is available in the provider’s privacy policy at https://policies.google.com/privacy

We process the data only insofar as it is necessary to download the mobile app to the user’s mobile device.

4.2. App Hosting

The back end of the app is provided by XLINQ. The provider is XLINQ B.V., Johan Huizingalaan 763a, 1066 VH, Amsterdam, the Netherlands. In doing so, the provider processes transmitted through the app, such as content, usage, technical or contact data, within the EU. Further information is available in the provider's privacy policy at https://www.xlinq.io/privacy-policy

4.3. Access to functions or data

The app requests the user’s access to functions of the end-device or to data of the device in order to be able to execute functions of the app. By allowing access, the user gives consent to the associated data processing, so that the legal basis is Art.6(1)(a) GDPR. Users can revoke their consent at any time by terminating access in the settings of their end-device. The revocation does not affect the lawfulness of the processing until the revocation.

The data processed or access functions used in this respect are for example camera or existing photos.

4.4. Personal data we collect

During the use of our app, we collect the following information of app-users:

• Device information (model, operating system version, app version)

• Technical data such as crash logs, diagnostics and app performance data

• Analytics and usage data, for example how often features are used and session duration. We use these analytics to understand how our app is used, improve its functionality, and ensure its technical abilities. Where analytics involve assigning a unique identifier or tracking user behaviour across sessions, we do so only with the data subject’s consent, in accordance with Art. 6(1)(a) GDPR and Art. 5(3) of the ePrivacy Directive.

Users can open a user account in the app. We processpersonal data required to create and manage the account, such asname and email address in order to provide youwith the services and functionalities of the app. Furthermore,the time of registration and date and, where applicable, the consent of thedata subject, are also stored. The legal basis for this processingis Article 6(1)(b) GDPR. If a user registers but does not become aninvestor, we do not retain the collected account andcommunication data (email address) longer than necessary, after which theyare deleted. If the user becomes an investor, the dataare retained for the duration of the business relationship and forthe statutory retention period thereafter in accordance with theapplicable legislation.

In addition, we process certain identification andverification data in order to comply with our legal obligationsunder the applicable AML/CTF legislation. The legal basisfor this processing is Article 6(1)(c) GDPR. Forthis purpose, we may collect data suchas country of residence, date and placeof birth, and the citizen service number(BSN).

All data will be deleted when thepurpose for which it was collected no longer applies, and there is noobligation to retain it. Deletion can also take place upon request bythe user, unless the exceptions of Art. 17 (3) GDPR apply. Inply.In such cases, the data will be blocked. Even after termination of the contractual relationship, there may be a need to store your personal data in order to comply with contractual or legal obligations.

We do not use app data for advertising.

4.5. Verification/Identification

In order to enable secure access to the app all users are required to verify their identity before accessing the app. For this purpose, users must upload a valid identity document, such as a passport or driver’s license, which is his used solely for the purpose of confirming their identity. The verification of identity documents is carried out through Ubiqu Access B.V., which processes these data on our behalf under the responsibility of our app provider, XLINQB.V. The legal basis for this processing is Article 6(1)(c)GDPR.

The provider is Ubiqu Access B.V., Kerstant van den Bergelaan 13b, 3054 EM in Rotterdam, theam,the Netherlands. In doing so, the provider processes the personal data transmitted during the verification process, such as identity document details and photographs, within the EU. Further information is available on the provider’s privacy policy at https://ubiqu.com/privacy-policy/

Once the account has been verified and activated, users may choose to access the app by using biometric identification methods provided by their device, such as Face ID or fingerprint recognition, or by setting a personal PIN code. Biometric data are processed exclusively on the user’s device and remain under the control of the device providerprovider. We do not have access to or store any biometric data. The use of biometric identification is voluntary and takes place on the basis of the user’s explicit consent in accordance with Article 9(2)(a) GDPR. Users may withdraw this consent at any time by disabling biometric access in their device settings.

The alternative PIN is processed solely for authentication and access control purposes on the basis of Article 6(1)(b) GDPR and is deleted when the user account is removed, or the App is uninstalled.

4.6. App Analytics and Tracking Technologies

Our mobile application uses analytics technologies comparable to cookies to help us understand usage patterns and improve stability and performance. These technologies may collect technical information such as device type, operating system, app version, screen interactions, and crash data.

We use such analytics exclusively for internal performance measurement, not for advertising, profiling, or tracking across other apps or websites.

Where the data are necessary to ensure the technical operation and security of the app, the processing is based on our legitimate interestinterest under Art. 6(1)(f) GDPR.

If any optional analytics features are used, we will request your consent in accordance with Art. 6(1)(a) GDPR and Art. 5(3) of the Privacy Directive, which can be withdrawn at any time via the app settings or by contacting us.

Our analytics service providers process data within the European Union or under appropriate safeguards pursuant to Art. 46 GDPR. No personal data are shared with third parties for advertising purposes.

Further and detailed information for the cookies used on our app can be found in our app’s Cookies Policy.

5. Changes to this Privacy Statement

We reserve the right to update this Statement periodically. Updates will be posted on this page with a revised “last updated” date. For material changes, we will notify you directly where feasible.

6. Questions and comments

If you have any questions or comments regarding this Privacy Statement feel free to contact us at privacy@marktlinkcapital.com