Data Processing Agreement
Effective Date: January 12, 2026
DigitalCraft Consulting - Fzco, operating under the brand name AdTarget ("AdTarget"), seeks to implement this data processing agreement (the "Agreement") in accordance with the requirements of current legal frameworks in relation to data processing, including those of the United Arab Emirates, the United Kingdom, and the European Union.
This Agreement aims to comply with the UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data ("UAE PDPL"), the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 (together, the "UK Data Protection Legislation"), and, where applicable, the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the "EU GDPR"). The UAE PDPL, UK GDPR, UK Data Protection Legislation, and EU GDPR are referred to collectively in this Agreement as the "Data Protection Legislation".
For the purposes of this Agreement, the party executing this Agreement ("Customer") acts as the data controller and AdTarget acts solely as the data processor. Customer determines the purposes and means of the processing of personal data, and AdTarget processes personal data only on Customer's behalf and in accordance with Customer's documented instructions.
As controller, Customer is solely responsible for ensuring that all processing of personal data is lawful. In particular, Customer represents and warrants that it has obtained all necessary notices, consents, and other lawful bases required to collect, use, and share personal data (including through cookies, pixels, and other tracking technologies); that it is solely responsible for configuring which events are tracked and what data is included in any postbacks or transmissions (including click IDs, campaign IDs, or similar identifiers); and that it shall not submit, transmit, or otherwise make available to AdTarget any personal data that it does not have the legal right to process.
This Agreement sets out the subject matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, and the obligations and rights of the Parties to this Agreement.
1. Area of application, definitions
This Agreement stipulates the rights and obligations of the controller and processor (hereinafter referred to as the "Parties") in the context of processing personal data on behalf of the controller. AdTarget acts as processor for the purposes of this Agreement.
The competent supervisory authority shall be the UAE Data Office for UAE data subjects, or the relevant supervisory authority in the data subject's jurisdiction.
In this Agreement the terms controller, processor, personal data, special categories of personal data, processing, personal data breach and supervisory authority shall have the meanings given to them in the Data Protection Legislation.
For the purposes of the UAE PDPL, references to 'controller' shall be interpreted as the 'data controller' that determines the purposes of processing personal data; 'processor' shall be interpreted as a 'data processor' processing personal data on behalf of the controller; and 'supervisory authority' as the UAE Data Office or relevant competent authority.
In addition, the following definitions shall apply in this Agreement:
- a. Telegram Ecosystem: refers to the controller-owned Telegram assets (Telegram Bots, Telegram Channels, Telegram Mini Apps, Telegram Personal Accounts).
- b. CAPI: refers to the conversion API(s) provided by platforms such as Meta, Google, TikTok and other platforms.
- c. Ad Provider Account: refers to controller's accounts in one of the following platforms: Meta, Google, YouTube, TikTok, which allow the controller to launch targeted advertising.
- d. Platform: refers to processor's web service.
- e. End-User: refers to any person who interacts with the controller's Telegram Ecosystem or controller's domains.
- f. End-User Data: refers to personal data collected from End-Users manually by the controller or automatically as per controller instructions and processed by the processor on the controller's behalf in accordance with this Agreement.
2. Scope and duration of the data processing
2.1 Scope
The processor shall carry out the following processes by providing a platform that allows the controller to:
- Connect and manage controller's Telegram Ecosystem and interactions of controller's end-users with controller's Telegram Ecosystem.
- Connect existing Ad Provider tracking assets (e.g. Meta Pixel) to automatically attribute in-Telegram actions to controller-managed Ad Provider advertisements.
- Connect existing domains to enable tracking and attribution.
- Create redirect pages, to allow the processor to match Meta tracking parameters with Telegram metadata, which can be connected to controller's domains.
- Collect various end-user data, including but not limited to Telegram identifiers and metadata, web metadata, and event logs.
- View and visualize information about controller's end-users, and collected end-user data.
- Send tracked Events to Ad Provider Accounts via CAPI, subject to the controller's subscription plan and event limits.
- Integrate controller-managed external sources to send end-user events such as purchases back to the Platform. The processor can then forward the events to the Ad Provider Account and visualize the events on the dashboard, as per controller instructions.
The above list of processing activities is illustrative and not exhaustive. The Processor may carry out additional processing activities as instructed by the Controller, provided such activities fall within the scope and purposes of this Agreement.
2.2 Duration
Processing shall begin on the account creation date and be carried out for an unspecified period until the Platform account is deleted by the controller. The processor shall retain personal data only for as long as necessary to fulfill the purposes of processing or as required by law, after which it shall be securely deleted or anonymized.
3. Nature and purpose of collecting, processing or using the data
3.1 Nature and purpose of processing the data
Processing the data consists of the following: collecting, sorting, saving, transferring, restricting and deleting data.
The data is processed for the following purpose: to allow end-users of the controller to manage the aspects of their business processes that are scoped to their Telegram Ecosystem.
3.2 Type of data
The following personal data is to be processed on behalf of the controller:
- Web data of the controller's end-users collected in connection with their interactions with the controller's domains, including but not limited to technical device and browser information, tracking identifiers, cookies, URL or query parameters, and other metadata associated with end-user activity.
- Controller's end-users' Telegram metadata, such as usernames, IDs, first and last names, collected on interactions with the controller's Telegram Ecosystem.
3.3 Categories of persons affected
Under this Agreement, the data subjects affected by the data processing are the end-users of the controller.
4. Obligations of the processor
- The processor shall only process personal data as contractually agreed or as instructed by the controller, unless the processor is legally obliged to carry out a specific type of data processing. Should the processor be bound by such obligations, the processor is to inform the controller thereof prior to processing the data, unless informing them is illegal. Furthermore, the processor shall not use the data provided for processing for any other purpose, specifically their own.
- The processor confirms that they are aware of the applicable legal provisions on data protection. They are to observe the principles of correct data processing.
- The processor shall be obliged to maintain strict confidentiality when processing the data.
- The processor shall ensure that the individuals they employ, who are to process the data, have been made aware of the relevant data protection provisions as well as this Agreement before starting to process the data. The corresponding training and sensitisation measures are to be appropriately carried out on a regular basis. The processor shall ensure that the individuals tasked with processing the data are adequately instructed and supervised on an ongoing basis in terms of fulfilling data protection requirements.
- Should the controller be subject to the inspection of supervisory authorities or any other bodies or should affected persons exercise any rights against the controller, then the processor shall be obliged to support the controller to the extent required, if the data being processed on behalf of the controller is affected.
- Information may be provided to third parties by the processor solely with the controller's prior consent, or per controller instructions. Inquiries sent directly to the processor will be immediately forwarded to the controller without undue delay.
- For the purposes of the UK Data Protection Legislation and the EU GDPR, any data processing may only be carried out in a country with an adequate data protection regime under UK and EU law, or with appropriate safeguards in place. Any processing outside such countries shall be done in accordance with the relevant data protection laws and this Agreement.
- Any change to a third-party country may take place with the controller's consent and in accordance with the relevant data protection laws and this Agreement.
- The processor shall assist the controller, at the controller's reasonable cost, through appropriate technical and organisational measures, in fulfilling the controller's obligations to respond to requests for exercising data subject rights under the Data Protection Legislation.
- The processor shall assist the controller in ensuring compliance with its obligations relating to security of processing, data breach notifications, data protection impact assessments, and prior consultations with the relevant supervisory authority.
5. Technical and organisational measures
- The processor shall implement technical and organizational measures appropriate to the risk, in accordance with applicable law, including but not limited to:
  - Data minimization
  - Encryption of sensitive data at rest
  - Encryption in transit, subject to section 5(e) of this Agreement
  - Regular backups
  - Recovery procedures
  - Access controls
- The data protection measures may be adjusted according to the continued technical and organisational advancement subject to compliance with Data Protection Legislation. The processor shall immediately implement, upon discovery of an information security inadequacy, the changes required for the purposes of re-establishing information security.
- The processor may publish or otherwise make available to the public or its customers a summary or list of the technical and organisational measures implemented to safeguard personal data (the "Security Overview"). Such publication shall not require prior approval from the controller, provided that the information disclosed does not compromise the confidentiality or effectiveness of the processor's security measures. The Security Overview is for transparency purposes only and shall not limit or replace the processor's obligations under this Agreement or applicable data protection law.
- Should the security measures implemented by the processor not, or no longer, be sufficient, the processor is to inform the controller immediately.
- Encryption of personal data in transit depends on the controller performing and maintaining required configuration steps as instructed by the processor. The processor shall not be liable for encryption failures caused by the controller's failure to follow instructions or for any subsequent changes that compromise encryption.
6. Stipulations on correcting, deleting and blocking data
- In the scope of the data processed on behalf of the controller, the processor may only correct, delete or block the data in accordance with the Agreement or the controller's instructions.
- The processor shall comply with the respective instructions provided by the controller.
7. Sub-processing
- A "sub-processor" means any third party appointed by or on behalf of the processor to process personal data on behalf of the controller in connection with this Agreement.
- The processor may engage sub-processors only where the sub-processor is bound by a written contract imposing data protection obligations that meet the requirements of the Data Protection Legislation.
- The controller's rights must also be able to be effectively exercised against the sub-processor.
- The controller agrees that third-party reports (such as ISO 27001 or SOC 2) shall be used as the primary means to verify compliance, where an on-site audit for a sub-processor is unreasonable.
- The processor's and sub-processor's responsibilities must be clearly distinguished.
- The processor shall choose the sub-processor by specifically considering the suitability of the technical and organisational measures taken by the sub-processor.
- Appointing any sub-processor that is to process data on behalf of the controller and that is not located and does not operate within the UK, the EU, or a country with an adequate data protection regime shall only be permitted if the sub-processor provides appropriate data protection measures. Upon request, the processor is to inform the controller of the specific data protection guarantees provided by the sub-processor.
- The processor will be liable to the controller in the event that the sub-processor fails to fulfil its data protection obligations.
- The controller hereby provides a general authorization for the engagement of sub-processors. The processor shall inform the controller of any intended changes to sub-processors, at least 10 business days prior to engagement with the sub-processor, thereby giving the controller the opportunity to object within 10 business days of notification.
- Sub-processor services, within the meaning of this Agreement, refer only to those services that are directly associated with rendering the primary data processing service. Additional services, such as transportation, maintenance and cleaning, as well as using telecommunication services or user services, do not apply. The processor's obligation to ensure that proper data protection and data security is provided in these cases remains unaffected.
- A list of sub-processors and the scope of use for each sub-processor can be seen in Appendix A below.
8. Rights and obligations of the controller
- The Controller shall be solely responsible for:
  - Assessing the lawfulness and admissibility of the processing requested
  - Ensuring compliance with all applicable data protection laws, including the rights of affected data subjects
  - Determining the lawful basis for any processing instructions provided to the Processor
- The controller shall immediately notify the processor if they find any errors or irregularities when reviewing the results of the processing.
- The controller is entitled to appoint a third party independent auditor in the possession of the required professional qualifications and bound by a duty of confidentiality, which auditor must be reasonably acceptable to the processor, to inspect processor's compliance with this Agreement and the Data Protection Legislation required to determine the truthfulness and completeness of the statements submitted by the processor under this Agreement. The controller's right to audit shall be subject to giving the processor at least 4 weeks prior written notice of any such audit. The controller shall bear any and all cost of the audit.
- Inspections must be carried out remotely, and without any avoidable disturbances to the operation of the processor's business. Unless otherwise indicated for urgent reasons, which must be documented by the controller, inspections shall be carried out after appropriate advance notice and during the processor's business hours, and not more frequently than every 12 months, unless required by law. Any inspections shall be limited to samples, unless required to do otherwise by law.
9. Notification obligations
- The processor shall immediately notify the controller of any personal data breaches. The processor shall notify the controller of any personal data breach within 72 hours of becoming aware of the breach. This notification must contain at least the following information:
  - A description of the type of the personal data protection infringement including, if possible, the categories and approximate number of affected persons as well as the respective categories and approximate number of the personal data sets
  - The name and contact details of a point of contact for further information
  - A description of the probable consequences of the personal data protection infringement
  - A description of the measures taken or proposed by the processor to rectify the personal data protection infringement and, where applicable, measures to mitigate their possible adverse effects
- The processor must also notify the controller without undue delay of any significant disruptions when carrying out the data processing activities as well as violations against the legal data protection provisions or the stipulations in this Agreement carried out by the processor or any individuals they employ.
- The processor shall immediately inform the controller of any inspections or measures carried out by supervisory authorities or other third parties if they relate to the commissioned data processing, unless the processor is obliged not to do so for legal reasons.
- Upon any notification made under this clause, the processor shall ensure that the controller is supported in meeting legal obligations, in accordance with the Data Protection Legislation, to the extent required.
10. Instructions
- The controller reserves the right of full authority to issue instructions concerning data processing on their behalf.
- The processor shall immediately inform the controller if an instruction issued by the controller violates, in the processor's opinion, legal requirements. The processor shall be entitled to forgo carrying out the relevant instructions until they have been confirmed or changed by the party responsible on behalf of the controller.
- The processor is to document the instructions issued and their implementation.
- Notwithstanding any provision to the contrary, the processor shall carry out instructions only to the extent that such instructions are compatible with, and can be executed using, the existing functionality of the processor's platform. The processor is not required to implement instructions that would require modifications, custom development, or new features outside the platform's standard capabilities, unless such instruction is necessary for the processor to comply with an applicable legal obligation.
11. Ending the commissioned processing
- Upon the controller's request, the processor must either destroy the data processed as part of the commission or submit the data to the controller at the controller's discretion. All copies of the data still present must also be destroyed. The data must be destroyed in such a way that restoring or recreating the remaining information will no longer be possible, unless otherwise instructed by the controller.
- The processor is obligated to immediately ensure the return or deletion of data from sub-processors.
12. Remuneration
The processor's remuneration is conclusively stipulated in the terms of service. There is no separate remuneration or reimbursement provided in this Agreement.
13. Liability
- The controller shall be liable for compensation to anyone for damage caused by any unauthorised party or for incorrect data processing within the scope of the Agreement.
- The controller shall bear the burden for proving that any damage is the result of circumstances that the processor is responsible for insofar as the relevant data have been processed under this Agreement. If this proof has not been provided, the controller shall, when initially requested to do so, release the processor from all claims that are levied against the latter in connection with the data processing.
- The processor shall be liable to the controller only for failure to comply with relevant Data Protection Legislation, or for actions without the controller's lawful instructions, or against the controller's lawful instructions.
- The processor's liability under this Agreement shall be limited to the amount paid by the controller in the three months preceding the incident, except for liability that cannot be limited under applicable legislation.
- The Processor's liability for breaches of data protection obligations shall only apply to the extent required under the applicable data protection laws in the data subject's jurisdiction.
14. Right to extraordinary termination
- The controller may, at any time, terminate this Agreement without notice ("Extraordinary Termination") if a serious infringement of data protection regulations or the provisions of this Agreement exists on the part of the processor or if the processor refuses to accept the controller's rights, in violation of this Agreement.
- A serious breach shall, in particular, be deemed to have occurred if the processor has not substantially fulfilled or failed to fulfil the obligations laid down in this Agreement, in particular the technical and organisational measures.
- For insignificant breaches, the controller shall provide the processor with a reasonable period of time to remedy the situation. Should the situation not be remedied in good time, the controller shall be entitled to Extraordinary Termination as stipulated here.
15. International Data Transfers
Any transfer of personal data outside the country of collection shall only occur:
- To countries for which both the European Commission and the UK Secretary of State have issued an adequacy decision, or
- Where Standard Contractual Clauses, Addendums, or other transfer mechanisms approved under EU or UK data protection law are in place to ensure that the personal data receives a level of protection equivalent to that under EU/UK data protection law.
Additionally:
- The Parties shall cooperate and implement any additional technical, contractual, or organizational measures necessary to ensure compliance with applicable data protection law, including where required by the law of the destination country.
- The Parties agree that such Addendums (or any replacement mechanism) shall automatically apply to all transfers without the need for further signature.
16. Miscellaneous
- Both Parties are obligated to treat all knowledge of trade secrets and data security measures, which have been obtained by the other party within the scope of the contractual relationship, confidentially, even after the Agreement has expired. If there is any doubt whether information is subject to confidentiality, it shall be treated confidentially until written approval from the other party has been received.
- By creating an account on the Platform, clicking "I Agree", or otherwise electronically indicating acceptance of this Agreement, the controller and processor acknowledge and agree that this Agreement constitutes a legally binding contract between the Parties, effective as of the date of such electronic acceptance.
- Should the controller's property be threatened by the processor, by third-party measures (e.g. by seizure or confiscation), by insolvency or settlement proceedings or by other events, the processor shall immediately notify the controller.
- Should any parts of this Agreement be invalid, this will not affect the validity of the remainder of the Agreement.
- The processor may update this Agreement from time to time to comply with applicable law. The updated version will take effect 10 business days after notice to the controller, unless the controller objects in writing within that period. Continued use of the Platform after notice constitutes acceptance of the updated Agreement.
- This Agreement shall be governed by and construed in accordance with the laws of Dubai, United Arab Emirates. The Parties irrevocably submit to the exclusive jurisdiction of the courts of Dubai, United Arab Emirates.
Appendix A: Sub-processors
The processor may engage the following sub-processors to process personal data on behalf of the controller:
| Name | Country | Scope of Use |
|---|---|---|
| Convex | United States | Cloud database and backend infrastructure |
| Vercel | United States | Web hosting and edge deployment |
| Stripe | United States | Payment processing |