PRIVACY POLICY of “IWM Holding” Closed Joint Stock Company

This Privacy Policy (the “Policy”) does not constitute a public offer, securities advertising, an invitation to make offers, or any other proposal addressed to an indefinite number of persons, within the meaning of Article 437 of the Civil Code of the Republic of Armenia and the Law of the Republic of Armenia “On the Securities Market”.

The Company is a closed joint stock company (CJSC) under the laws of the Republic of Armenia and is undergoing reorganisation in the form of conversion into an open joint stock company (OJSC). Until the state registration of such conversion is completed, any placement of the Company’s shares is carried out exclusively in the context of closed rounds among a pre-determined and limited circle of investors, in accordance with the provisions of the Law of the Republic of Armenia “On Joint Stock Companies”.

Any interaction with the Company and its website does not create for third parties any right to require the Company to enter into any transactions in securities.

1.1.1. This Policy sets out the procedure for the processing of personal data by “IWM Holding” Closed Joint Stock Company (the “Company”, the “Operator”) and defines the organisational and technical measures for the protection of personal data against unlawful or accidental access, destruction, alteration, blocking, copying, provision, dissemination, as well as against other unlawful actions in relation to personal data.

(a) the Constitution of the Republic of Armenia;

(b) the Law of the Republic of Armenia “On Personal Data Protection” dated 18 May 2015 No. ЗР-49 (the “PD Law”), taking into account the amendments and supplements adopted in 2018;

(c) the Civil Code of the Republic of Armenia;

(d) the Law of the Republic of Armenia “On Joint Stock Companies” dated 25 September 2001 No. ЗР-232;

(e) the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data and its Additional Protocol; and

(f) the European Convention on Human Rights and Fundamental Freedoms.

Full legal name: “IWM Holding” Closed Joint Stock CompanyLegal form: Closed Joint Stock Company (CJSC)Jurisdiction of incorporation: Republic of ArmeniaEmail address for personal data matters: [email protected]

1.3.1. This Policy applies to the processing of personal data carried out by the Company using automated means and without the use of such means, where processing without the use of such means corresponds, by its nature, to the actions (operations) performed with personal data using automated means.

(a) the Company’s website;

(b) electronic feedback/contact forms;

(c) email correspondence; and

(d) other channels of interaction with the Company.

In this Policy, the following terms are used in the meanings set out in Article 3 of the PD Law:

“Personal Data” means any information relating to an individual (a personal data subject) which enables, or may enable, the direct or indirect identification of such individual.

“Special Categories of Personal Data” means personal data relating to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, and an individual’s sex life.

“Processing of Personal Data” means any action or set of actions performed in relation to personal data, including collection, recording, systematisation, accumulation, storage, rectification, retrieval, use, transfer (provision, access), anonymisation, blocking, deletion and destruction.

“Personal Data Operator” means a state body or local self-government body, a state or municipal institution or organisation, and/or a legal entity or individual that organises and/or carries out the processing of personal data.

“Personal Data Subject” means an individual whose personal data is processed.

“Consent of a Personal Data Subject” means a voluntary, specific, informed and unambiguous expression of will by which the personal data subject gives consent to the processing of his/her personal data.

“Cross-Border Transfer of Personal Data” means the transfer of personal data to the territory of a foreign state to an authority of a foreign state, a foreign individual, or a foreign legal entity.

The Company processes personal data based on the principles set out in Article 4 of the PD Law:

3.1. Lawfulness and good faith: personal data shall be processed lawfully and in good faith, with due respect for the rights and legitimate interests of personal data subjects.

3.2. Purpose limitation: processing of personal data is limited to achieving specific, pre-determined and lawful purposes. Processing of personal data incompatible with the purposes of collection is not permitted.

3.3. Data minimisation: the scope and content of personal data processed correspond to the declared purposes of processing. Processed personal data shall not be excessive in relation to the declared processing purposes.

3.4. Accuracy: personal data shall be accurate and, where necessary, kept up to date; reasonable measures shall be taken to ensure the prompt deletion or correction of inaccurate personal data.

3.5. Storage limitation: personal data shall be stored in a form permitting identification of the personal data subject for no longer than is required for the purposes of personal data processing, except where otherwise provided by law.

3.6. Security: personal data shall be processed in a manner ensuring appropriate security of personal data, including protection against unauthorised or unlawful processing, and against accidental loss, destruction or damage.

(a) providing information about the Company’s activities, its affiliates and the group structure;

(b) processing enquiries and requests received from personal data subjects;

(c) ensuring the operation of the Company’s website;

(d) complying with the requirements of the laws of the Republic of Armenia, including in the area of anti-money laundering and counter-terrorist financing;

(e) performing contractual obligations towards counterparties;

(f) engaging with a pre-determined circle of investors within closed rounds of securities placement in accordance with Article 41 of the Law of the Republic of Armenia “On Joint Stock Companies”; and

(g) protecting the Company’s lawful rights and interests.

4.2. The Company does not carry out automated decision-making, including profiling, which produces legal effects for the personal data subject or otherwise materially affects his/her rights and legitimate interests.

5.1.1. Consent of the personal data subject to the processing of his/her personal data. Consent shall be a voluntary, specific, informed and unambiguous expression of will. Consent may be expressed in writing, in the form of an electronic document signed with an electronic signature, or by conclusive actions clearly indicating the data subject’s consent.

5.1.2. Necessity of processing for the performance of a contract to which the personal data subject is a party, or for taking steps at the request of the personal data subject prior to entering into a contract.

5.1.4. Necessity of processing for the purposes of legitimate interests pursued by the Operator or a third party, provided such interests do not infringe the rights and freedoms of the personal data subject.

5.2. Special Categories of Personal Data shall be processed exclusively where the personal data subject has given explicit consent or where such processing is expressly permitted by law.

6.1.3. Technical data: IP address; browser type and version; device type and operating system; time zone and approximate location; data regarding interaction with the website (cookies, web analytics data).

6.2. The Company does not intentionally collect Special Categories of Personal Data unless required by applicable law or unless explicit consent has been obtained.

(a) collection – obtaining personal data directly from the personal data subject or from other sources in accordance with the law;

(b) recording and systematisation – capturing and arranging personal data in information systems;

(c) storage – ensuring the safekeeping of personal data for the established retention periods;

(d) rectification (updating, modification) – maintaining personal data up to date;

(e) use – applying personal data to achieve the processing purposes;

(f) transfer (provision, access) – disclosure of personal data to specified persons or to a specified circle of persons;

(g) anonymisation – transforming personal data so as to exclude identification of the personal data subject;

(h) blocking – temporary suspension of personal data processing; and

(i) deletion and destruction – irreversible termination of personal data storage.

7.2. Personal data is processed using automated means (information systems) and without such means, in accordance with the requirements of the laws of the Republic of Armenia.

(a) where the personal data subject has consented to such transfer;

(b) in the course of performing obligations under a contract with the personal data subject;

(c) upon request by authorised state bodies in cases provided for by the laws of the Republic of Armenia;

(d) in connection with the Company’s reorganisation, merger, accession, division or separation, provided that personal data confidentiality is maintained; and

(e) for the protection of the lawful rights and interests of the Company or third parties.

8.3. When transferring personal data to third parties, the Company ensures the confidentiality regime is complied with by entering into appropriate non-disclosure and/or personal data processing agreements.

9.1. The Company may carry out cross-border transfers of personal data to the territories of foreign states in accordance with Articles 19 and 20 of the PD Law.

9.2. Cross-border transfer of personal data is permitted to states ensuring an adequate level of personal data protection, the list of which is determined by the Personal Data Protection Agency of the Republic of Armenia.

9.3. Cross-border transfer of personal data to states that do not ensure an adequate level of protection shall be carried out where one of the following applies:

(a) the personal data subject has provided written consent to such transfer;

(b) there is a contract between the Operator and the personal data recipient containing appropriate safeguards; or

(c) prior authorisation has been obtained from the Personal Data Protection Agency of the Republic of Armenia (review period: 30 days).

9.4. By using the Company’s website, the personal data subject acknowledges the possibility of cross-border transfers of his/her personal data and consents to such transfers.

10.1.1. Right to information: obtain information about his/her personal data, the processing of such data, the legal grounds and purposes of processing, the Operator and its location, and the circle of persons to whom personal data may be transferred.

10.1.3. Right to rectification, blocking and deletion: require the Operator to correct personal data if it is incomplete or inaccurate; to block personal data where there are grounds to believe it is processed unlawfully; and to delete personal data obtained unlawfully or no longer required for the stated purposes.

10.1.4. Right to complain: apply to the Personal Data Protection Agency of the Republic of Armenia with a request to correct, block or delete personal data, and to challenge the actions or inaction of the Operator in court, including by seeking compensation for losses.

10.1.5. Right to withdraw consent: withdraw previously given consent to personal data processing at any time. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent prior to its withdrawal.

10.2. To exercise these rights, the personal data subject shall submit a written request to the Company by email at [____________________] or by post to the Company’s address. The Company shall consider the request and respond within five (5) business days from receipt of the request.

11.1. The Company implements necessary and sufficient organisational and technical measures to protect personal data in accordance with Articles 16 and 17 of the PD Law, including:

(a) appointing a person responsible for organising personal data processing;

(b) establishing access rules to personal data;

(c) familiarising employees with personal data legislation and processing requirements; and

(d) internal monitoring of compliance with personal data processing requirements.

(a) applying cryptographic means to protect personal data when transmitting it via open communication channels;

(b) using systems to detect and prevent unauthorised access;

(c) regular backup of personal data; and

(d) controlling physical access to personal data storage media.

11.2. The Company shall promptly notify the Personal Data Protection Agency of the Republic of Armenia and the competent law enforcement authorities in the event of a personal data leak or other information security incident relating to personal data.

12.1. Personal data shall be retained for no longer than is necessary to achieve the purposes of processing, except where longer retention periods are established by law.

12.2. Upon expiry of the retention period, or upon achievement of the processing purposes, as well as where the personal data subject withdraws consent to processing, personal data shall be destroyed or anonymised within a period not exceeding thirty (30) business days, unless otherwise required by law.

13.1. The Company’s website uses cookies and similar technologies to ensure website functionality, improve user experience and collect analytical information.

13.2. Cookies are small text files stored on a user’s device when visiting the website and enabling the identification of the user and/or the user’s device during subsequent visits.

13.3. By continuing to use the Company’s website, the personal data subject consents to the use of cookies. The personal data subject may disable cookies in browser settings; however, this may affect the functionality of the website.

(a) securities advertising or an invitation to make offers;

(b) an offer addressed to an indefinite number of persons; or

(c) an individual investment recommendation.

14.2. As a closed joint stock company under the laws of the Republic of Armenia, the Company places its shares exclusively among a pre-determined circle of investors in accordance with Article 41 of the Law of the Republic of Armenia “On Joint Stock Companies”. The Company does not conduct any public offering of securities.

14.3. Any information published on the Company’s website shall not be treated as a basis for investment decisions. The Company shall not be liable for any losses arising from the use of information published on the website.

15.1. The Company shall register in the Register of Personal Data Operators maintained by the Personal Data Protection Agency of the Republic of Armenia in accordance with Article 23 of the PD Law.

15.2. The Company shall notify the Personal Data Protection Agency of the Republic of Armenia of any changes to the information submitted for registration within ten (10) business days from the date of such changes.

16.2. The revised Policy shall take effect upon publication on the Company’s website, unless a different effective date is specified in the revised version.

16.3. Continued use of the Company’s website after publication of the amended Policy constitutes the personal data subject’s acceptance of such amendments.

17.2. Any disputes and disagreements relating to the application of this Policy shall be resolved through negotiations. If the dispute cannot be resolved through negotiations within thirty (30) calendar days, the dispute shall be referred to the competent courts of the Republic of Armenia at the Company’s place of location.

For all matters relating to personal data processing, personal data subjects may contact the Company at:

Email address: [email protected]

19.3. The official language of this Policy is Russian. In the event of any inconsistency between language versions, the Russian version shall prevail.

© “IWM Holding” CJSC, 2026. All rights reserved.

This document is the intellectual property of the Company.