Privacy Policy

MobyFinder is a product belonging to MoOngy S.A. and is an innovative application to support electric mobility, initially intended for Android Automotive, with plans for future expansion to Android, Android Auto, iOS and Apple Car Play. This app revolutionizes the way EV drivers interact with charging stations, offering detailed information about their location, characteristics, price lists, and availability. Through an intuitive interface, users can access crucial data, including the vehicle's maximum charging power, the desired charging profile in terms of battery percentage, as well as consider the associated costs, incorporating the tariffs of Charging Station Operators and Electric Mobility Electricity Traders (CEME), as well as Network Access Fees. This feature ensures that drivers receive up-to-date information tailored to their charging needs. As the protection of the privacy and personal data of all those who interact with MoOngy S.A. is a concern and priority for us, this privacy policy has been prepared accordingly. In this way, it is possible to transmit in a clear and transparent way the good practices concerning this process.

Any and all personal data provided will be treated with the guarantee of security and confidentiality required by the legal framework with regard to the protection of personal data.

3. Framing

This policy describes a set of guidelines, rules and principles that must be observed by MoOngy S.A. to ensure the protection of the rights of data subjects.

MoOngy S.A. undertakes to comply with this policy in accordance with the obligations of Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation) on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as "GDPR").

In this sense, MoOngy S.A. seeks to ensure that its internal procedures are in compliance with the legal obligations of the GDPR and that the personal data of its employees, customers, suppliers or service providers and any other data subjects whose personal data MoOngy S.A. processes in the exercise of its activity, are processed in accordance with the regulatory and legal standards in force and are kept safe.

4. Data Controller

Moongy , S.A., with registered office at Rua Sousa Martins, nº10, Lisbon, registered at the Lisbon Commercial Registry Office, under registration and legal person number 507 431 073, is the entity responsible for the processing of personal data, committing to apply the necessary technical and organisational measures, taking into account all aspects that may influence compliance with the General Data Protection Regulation (hereinafter referred to as the "GDPR"), to safeguard the Fundamental Rights of Data Subjects. To this end, Moongy, S.A. It has several technological measures ("privacy-enhancing technologies") which we constantly seek to update, having employees specially assigned for this purpose, demonstrating our concern and commitment to the Data Subject. In addition, we keep a record of the nature, scope, context and purposes of the processing of the data collected, which allows us to ensure and prove that the processing is carried out in such a way as to guarantee the full Protection of Data Subjects as a commitment that attests to our responsibility.

Contacts:

· Postal address: Rua Sousa Martins, nº10, Lisboa, 1050 - 218 Lisboa

· Telephone contact: 21 313 7680

· Email: gdpr@moongy.pt

5. Application and scope

This Privacy Policy also applies to the respective employees, subcontractors, joint controllers, suppliers, customers, users of this website.

For the purposes of this Privacy Policy, each company holding its own taxpayer belonging to the Moongy, S.A. It has its own Privacy Policy, independent and autonomous, so that, for the purposes of Responsibility for Processing, each Company (and its assets) belonging to this Business Group has its independence, and none of these entities are responsible for the acts or omissions of the other entities of the group with regard to Data Protection.

6. Global Projects Department

Among other responsibilities, this department, which is aware of and always involved, in an appropriate and timely manner, in all matters related to the protection of personal data, must always take into account the risks associated with the processing operations, such as their nature, scope, context and purposes. It must also ensure compliance with all processes established in order to preserve the confidentiality of data.

With regard to requesting the rights of data subjects, reporting personal data breaches and other communications related to the GDPR, this is the point of contact.

Contacts:

· Global Projects Department: gdpr@moongy.pt

7. YOUR PERSONAL DATA

7.1. What is personal data?

Personal Data is information relating to an identified or identifiable natural person (Data Subject), excluding data relating to legal persons. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, etc.

Any specific element of the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

7.2. What data do we need to collect?

The personal data collected are strictly necessary and are limited to the purposes for which they are intended, which are determined, explicit, legitimate and kept for the strict period in which they may be necessary for their purpose. Personal data must be processed lawfully, fairly and transparently in relation to the data subject.

For the fulfillment of the business activity and as responsible for the collection, Moongy, S.A. needs to collect and process the following data:

Data Category	Information to Collect
MobyFinder App Data	Email; Location (access permission);

Privacy Note: The Application only stores the email in a database. No information regarding the location of the data subject will be retained.

7.3. What is the Purpose of the Processing?

Data Category

Purpose of Processing

MobyFinder App Data

They are used to:

· Management of the Information provided by the user on the platform

· Ensuring the operations determined by the Purpose of the Application

7.4. What is the Legal Purpose of the Processing?

The Purposes of personal data processing are determined by the execution of the various types of formalized legal contracts that become necessary to continue the entire activity of the company, among them we state:

1) the execution of the service contracts we have with our clients;

2) employment contracts we have with our employees;

3) management of internal processes of customers and employees;

4) accounting, tax and administrative management;

5) litigation management;

6) control of physical security and compliance with legal obligations.

Under the terms of the GDPR, we are duly legitimized by the following grounds of lawfulness of processing:

1 – Execution of contracts or pre-contractual steps – The processing is necessary for the conclusion, execution and management of contracts to which the data subject is a party, or at the request of the data subject himself.

2 – Compliance with a Legal Obligation – For the fulfillment of a legal obligation to which the company is subject. For example, communication of tax data.

3 – Pursuit of a legitimate interest, such as providing an improved experience. Moongy , S.A. It carries out a duly recorded weighting test to ensure the legitimacy of the processing.

4 – Consent – Whenever the legal grounds listed above are not applicable, Moongy, S.A. requests the Data Subject's Consent. Consent is a free, specific, informed, and explicit manifestation of will by means of an unequivocal (and written) statement or act in which the Data Subject authorizes the Processing.

The withdrawal/withdrawal of consent can be requested at any time by sending a simple request to the e-mail address: gdpr@moongy.pt.

The Personal Data collected by us will be processed and stored in accordance with the purposes and for the minimum period legally necessary.

8. To whom may we disclose the data?

Moongy , S.A. may, within the scope of its basic activities, disclose the data collected to fulfill the purposes indicated in this policy, being provided to the entities of the Moongy, S.A. network. Only the data strictly necessary for the performance of the service, based on the fulfilment of a contractual obligation (for example, any obligation to be ensured under the ordinary terms of the service), may also, to the extent necessary, be communicated to official entities whenever legally required and may be processed by entities subcontracted by the company (for example, internal and external auditors that allow us to preserve and improve the quality of the service).

In this sense, the entire scope of this policy extends to the processing of third parties and processors, taking into account:

1) Compliance of processing with the GDPR, this privacy policy and lawful, fair and transparent processing;

2) The data collected is merely instrumental to our activity, intended to pursue a determined, specific and legitimate purpose, and there can be no subsequent processing incompatible with the determined purposes;

3) The data collected will be strictly necessary for the purpose, being adequate, relevant and necessary for the purposes and collection of processing, taking into account the principle of data minimization;

4) The data will be kept accurate and up-to-date in order to guarantee the principle of accuracy and to guarantee the integrity and confidentiality of the data;

5) Also with regard to integrity and confidentiality, there can be no illegal and unauthorized processing to prevent any loss, destruction, or damage to the data by adopting all appropriate technical and organizational measures;

6) The retention of the Data Subject's data is a concern for Moongy, S.A. whereby, the data will remain identifiable solely and exclusively for the period necessary for the purposes for which the data is processed.

9. How we design new products

Whenever a new product is developed, it is ensured in the design itself (as a primary aspect) that it has the most advanced technical and organizational measures available to Moongy S.A. (taking into account the risks arising from the processing for the rights and freedoms of data, as well as the risks arising from the processing for the rights and freedoms of natural persons, being aware of the variability of probability and severity), while having privacy as a pillar throughout the processing process. In this way, the application of all the principles determined by the GDPR from the design is ensured, protecting Data Subjects and ensuring the rights of data subjects.

In short, Moongy, S.A. undertakes to implement and have privacy present at the stage of product development and throughout processing in order to ensure data protection from the very design of the product ("Privacy by Design").

10. How long does the data be stored?

The data will be strictly kept for: the period necessary for the purposes for which they are intended and for which they are processed within the scope of the application's activity.

11. YOUR RIGHTS

11.1. Rights of the Data Subject

The Holder of the personal data has the following rights, which can be exercised easily and free of charge, through the following e-mail: gdpr@moongy.pt

Only in the case of manifestly unfounded or excessive requests may a fee be charged for the exercise of these rights (pursuant to Article 15(3) GDPR).

11.2. Right to Object

The data subject has the right to object at any time, on grounds relating to his or her particular situation, to the processing of personal data concerning him/her.

In this case, the controller ceases to process the personal data, unless it presents compelling legitimate grounds for such processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

11.3. Right of access

The data subject has the right to question whether or not the data is being processed and, if so, the right to access his or her personal data and to be provided with the following information:

I. Purpose of the processing;

II. Categories of data to be processed;

III. Recipients to whom the data will be disclosed;

IV. envisaged retention periods or, if this is not possible, the criteria used to set such a period;

V. Existence of the right to request rectification, erasure, restriction of processing or objection to processing;

VI. security and destination measures related to the transfer of data to third countries;

VII. Right to lodge a complaint with the supervisory authority.

The data subject also has the right to obtain a copy of the personal data that is being processed.

11.4. Right to rectification

The data subject has the right to request and obtain the rectification of inaccurate data and to request that incomplete personal data be completed without undue delay.

11.5. Right to erasure/to be forgotten

The data subject has the right to request the erasure of his or her personal data, without undue delay, whenever it is no longer necessary for the purpose for which it was collected or processed. You can also decide to withdraw your consent to the processing of your personal data whenever you want to exercise your right to object to it.

There are some exceptions to this right, such as if they are against the exercise of freedom of expression and information, if they are necessary for compliance with legal obligations, if they are necessary for reasons of public interest or public health, if they are necessary for archival reasons of public interest, scientific research, historical, for statistical purposes or the exercise or defense of rights in judicial proceedings. In these cases, the data subject should be informed of the reason why it is not possible to respond to their request.

11.6. Right to restriction of processing

The data subject has the right to limit/restrict the processing of his/her personal data whenever one of the following situations occurs:

I. If the data is inaccurate and is disputed during the period for which it is possible to verify its accuracy;

II. If the processing is unlawful, but the data subject opposes the end of the processing and only wants the restriction of its use;

III. If the controller no longer needs the data for processing, but the data is required by the data subject for the establishment, exercise or defence of legal claims;

IV. If at any time you have objected to the respective processing and it has not ceased (i) for compelling legitimate reasons presented to the controller or (ii) for the establishment, exercise or defence of legal claims.

In the situations numbered above, you may be asked to suspend the processing or to limit the scope of the processing to certain categories of data (e.g. only the provision of full name and address) or even to specific processing purposes.

11.7. Direct to notification

Whenever the rectification, erasure or restriction of the processing of data is requested by the respective data controller, the controller informs the data controller that it has complied with the request, unless such communication proves impossible or involves a disproportionate effort. If the data subject so requests, the controller shall provide the data controller with information about those recipients.

11.8. Right to data portability

The data subject has the right to receive the personal data concerning him/her in a structured, commonly used and machine-readable format without Moongy S.A. may object pursuant to Article 20 (1) GDPR:

I. if the processing is based on a contract;

II. the data subject has given consent;

III. the processing is carried out by automated means.

11.9. How can I exercise my rights?

To exercise any of these rights or for any questions regarding the processing of their personal data, the holder of the same must address a request to the data controller, through the email address gdpr@moongy.pt

Although these rights are clarified to the data subject when collecting their personal data, in case of doubt, they may contact the data controller by e-mail gdpr@moongy.pt

12. RESPONSIBILITIES

12.1. How Do We Protect Your Data?

Moongy, S.A. It has been working to maintain and preserve personal data with a high level of security. In obedience to the principle of security, secrecy and privacy, we guarantee the processing of your data only by authorized persons, only accessing and processing your data who has the legitimacy to do so, always doing so in an absolutely confidential manner. The principle of "need-to-know" has been adopted, where employees can only have access to personal data if it is strictly necessary for the performance of their duties. Processing outside this scope is considered prohibited and subject to disciplinary sanctions, in accordance with our internal security and confidentiality policies and procedures, which are periodically updated as needed.

Depending on the nature, scope, context and purposes of the data processing, as well as the risks arising from the processing to the rights and freedoms of the data subject, we apply, both at the time of defining the means of processing and at the time of the processing itself, the technical and organisational measures necessary and appropriate for data protection.

Employees are not allowed to use personal data for private or economic purposes, transmit it to unauthorized third parties and/or otherwise allow access.

Moongy, S.A. further undertakes to ensure that, by default, only relevant, necessary and appropriate data for each specific purpose of the processing will be processed and that such data will not be made available without human intervention to an indeterminate number of persons.

However, this is not foreseen, if personal data is transferred to countries outside the European Union, the applicable legal provisions are observed, namely regarding the determination of the adequacy of such country with regard to data protection and the requirements applicable to such transfers.

Security measures have also been defined ranging from good practices to the prevention of external threats. These are described in the security policy. If you want to have access to it, you can request it to be sent by e-mail gdpr@moongy.pt

12.2. Global Projects Department (DPG)

The DPG is responsible for:

I. Act on behalf of the controller in respect of all duties and obligations under the GDPR;

II. Monitor and control the compliance of processes with the GDPR and with the policies implemented in an appropriate and timely manner;

III. ensure that it has all the necessary resources to carry out its duties;

IV. Act as a point of contact for requests from data subjects regarding the processing of their personal data and the exercise of their rights;

V. Carry out a data protection impact assessment if a certain type of processing so requires.

13. Personal Data Breach

A personal data breach is considered to be any act that jeopardizes the security of the data, accidentally or unlawfully, and that causes the destruction, loss, alteration, disclosure or unauthorized access to personal data transmitted, stored or subject to any other type of processing.

We reiterate that Moongy, S.A. It has been working to maintain and preserve personal data with a high level of security, having technical staff solely with this mission in the company. However, there may always be slight deviations from the forecast. If any of our candidates, employees, clients, subcontractors, or even third parties detect or suspect a possible data breach, they must immediately send an email to gdpr@moongy.pt , indicating what happened, as well as identifying the data that may be involved. In this way, the responsible department will be able to act quickly and appropriately in accordance with the rules established in the Regulation.

In the event of a data breach and to the extent that such a breach is likely to entail a high risk to the rights and freedoms of customers, employees and other employees and/or partners, we undertake to report such breach to the National Data Protection Commission, within 72 hours of becoming aware of the incident and to the holders of personal data whenever such breach is likely to entail a high risk to your rights.

14. Revocation and management of consents

The user may, at any time, revoke or change the preferences of consents previously granted. To do this, simply access the cookie management tool.

The use of cookies can also be set in your browser preferences, namely in the privacy options. For this purpose, we recommend that you consult the help section/menu of your browser or visit the web pages of the respective provider.

15. Complaint to the supervisory authorities

Notwithstanding the existence of the commitment of Moongy, S.A. for resolving any type of situation. The Data Subject has the right to lodge a complaint with the competent authorities (CNPD) if any of the rights are denied.

From the competent authority:

CNPD (National Data Protection Commission)

Av. D. Carlos I, 134 - 1.º

1200-651 Lisboa / Portugal

Tel: +351 213928400 / Fax: +351 213976832 / e-mail: geral@cnpd.pt

www.cnpd.pt

16. Changes to the Privacy Policy

Moongy, S.A. reserves the right to change this Privacy Policy at any time, and such change will be duly published herein.

In any case, we suggest that you review this Policy regularly so that, in case of changes or updates, you can always be duly informed about them.

17. Governing Law and Jurisdiction

The privacy policy, as well as the collection, processing, or transmission of data from customers, employees and partners, are governed by the provisions of Regulation (EU) 2016/679, of the European Parliament and of the Council, of 27 April 2016, and by the laws and regulations applicable in Portugal, namely Law No. 58/2019, of 8 August.

Any Disputes arising from the validity, interpretation, or execution of the Privacy Policy, or that are related to the collection, processing or transmission of the Client's data, shall be submitted exclusively to the jurisdiction of the judicial courts of the District of Lisbon, without prejudice to the applicable mandatory legal rules.