TERMS AND CONDITIONS OF USE AND PRIVACY POLICY

(hereinafter, the “General Terms and Conditions”)

I. General information about the Supplier Administrative Portal

Affinity Petcare, S.A., Sociedad Unipersonal, the parent company of the Affinity Group is the owner of the Vendor Portal, set up to facilitate the handling of invoices between the companies in the Affinity Group and its suppliers. The companies listed in Schedule 1 belong to the Affinity Group.

Affinity Petcare, S.A., Sociedad Unipersonal (hereinafter, “AFFINITY”), is a Spanish trading company, holder of TIN A-62.295.761 and registered with the Companies Registry of Barcelona on Folio 94, Volume 32.672, sheet number B-217.337, 13th Entry. AFFINITY is dedicated, amongst other activities, to the manufacture and sale of pet food.

The parent company of the Affinity Group, namely, AFFINITY PETCARE, S.A. has its registered offices at:

Plaça Europa, 54-56

L’Hospitalet de Llobregat

08902 Barcelona (Spain)

Tel.: +34 93 492 70 00.

Fax: +34 93 492 70 01.

II. Acceptance and amendments to the General Terms and Conditions of the Vendor Portal

• Acceptance of the General Terms and Conditions

These General Terms and Conditions govern the use of this Supplier Administrative Portal (the “Vendor Portal”) that is made available to the Affinity Group’s suppliers and, therefore, to their employees and agents (the “User”). The use of this Vendor Portal implies the full and unreserved acceptance of each of the General Terms and Conditions that may be in force at any given time by the User on accessing it and, therefore, if the User disagrees with any of the General Terms and Conditions whatsoever, the User must refrain from using the Vendor Portal.

• Amendments to the General Terms and Conditions

AFFINITY reserves the right to amend these General Terms and Conditions of this Vendor Portal at any time whatsoever, as well as any of the other general or specific terms and conditions, regulations on its use, instructions or warnings that may apply. Therefore, the User must read these General Terms and Conditions every time this Vendor Portal is accessed. As a consequence, the User expressly and fully accepts that the access to and use of this Vendor Portal is undertaken under the sole and exclusive responsibility of the User.

III. Personal data

• Data controller and data protection officer

Unless otherwise stated, AFFINITY is the entity responsible for all the databases that contain any personal data collected on this Vendor Portal. This policy on personal data protection may vary over time due to changes in the law, case law or the standards followed by the Spanish Data Protection Agency. AFFINITY hereby informs the Users that it complies with all regulations on personal data protection and, specifically, with the EU’s General Data Protection Regulation (hereinafter, the “GDPR”) and with the Spanish regulation derived from the GDPR.

AFFINITY is not subject to the obligation to appoint a Data Protection Officer. However, notwithstanding any other points of contact that are designated in these General Terms and Conditions, should you have any queries, requests or require further clarifications on the processing of your personal data, you may send an email or letter to the following addresses: gdpr@affinity-petcare.com/Affinity Petcare, S.A., Plaça Europa, 54-56, L’Hospitalet de Llobregat, Barcelona, 08902, with the subject line “Protección de datos”.

• Personal data subject to processing

AFFINITY shall process the following personal data:

- Any initial data that you may have voluntarily submitted in relation to your request to sign up as a user. We shall give clear, precise instructions on the mandatory data you must provide on each form so that you are able to request the information or service that you may ask us for at any given time.

- Any data that are subsequently generated or exchanged with Users in order for AFFINITY to fulfil their initial request.

• Purpose of data processing

AFFINITY shall process its Users’ personal data for the sole purpose of being able to maintain its trading, contractual and working relationships with its suppliers.

• Legal basis for data processing

The processing of your corporate contact details related to the relationship the company, entity or organisation you work for or are subcontracted by has with AFFINITY is in line with the legal rights of our entity, expressly recognised by the data protection regulation.

• Assignment to third parties

AFFINITY shall only assign the User's personal data to its subsidiaries whose business is related to pet food, products and services for the purposes set forth in the sub-section “Purpose of data processing” of this section, “III. Personal data”, in which the business of each subsidiary is explained, whenever such an assignment is essential for fulfilling the purposes of processing personal data as described in the aforementioned sub-section of this privacy policy. In this case, they shall be assigned for the purposes of fulfilling the obligations arising from its contractual relationship with the Users (suppliers).

Furthermore, in compliance with and within the scope and restrictions provided for in the regulation, AFFINITY may assign the User's data to public administrations and authorities, provided it is obliged to do so due to the regulations that govern AFFINITY’s business. Beyond such cases, AFFINITY shall not assign the User's personal data to third parties, without the prior express consent of the User on every occasion this occurs.

AFFINITY hereby informs you that it works in partnership with third-party service providers as provided for by law. These providers may have access to your personal data in order for them to provide the services and/or fulfil the obligations arising from the legal relationships entered into between third parties and AFFINITY, in the framework of AFFINITY carrying out its corporate purpose. In any event, AFFINITY has entered into the statutory non-disclosure and data protection agreements with such service providers, in full compliance with the provisions of the regulations in force on personal data protection.

• Rights of Users

In respect of the data collected, the Users may exercise their rights as provided for in the GDPR and related regulations and, specifically, the right of access, rectification, objection, erasure, restriction of processing and data portability. These rights may be exercised by sending an email with the subject line “Protección de datos” to gdpr@affinity-petcare.com or by any postal service, providing AFFINITY is able to acknowledge the receipt of notifications sent in this way, by writing to: Affinity Petcare, S.A., Plaça Europa 54-56 08902 L'Hospitalet de Llobregat (Barcelona), with the attention line “Affinity Petcare, S.A. - Protección de datos”.

Furthermore, if you consider that the processing of your personal data infringes current legislation or your privacy rights, you may submit a complaint:

• By writing to the postal or email addresses that appear in the section “Personal data storage, purpose and recipients” herein.

• By lodging a complaint with the Spanish Data Protection Agency via its website or by writing to its postal address.

• International transfers of personal data

AFFINITY has subcontracted services from technology providers based in countries that do not have a data protection regulation similar to the EU’s (“Third Countries”). These providers have entered into the non-disclosure and personal data processing agreements with AFFINITY required by law for providers based in Third Counties, subject to all of the guarantees and safeguards required to protect your privacy. Users may obtain further information about the safeguards for protecting their privacy by writing to the postal or email addresses that appear in the sub-section “Rights of Users” herein.

• Data retention period

The personal data of Users shall be kept on record throughout their relationship with AFFINITY. Once a User ends the relationship, AFFINITY shall keep the User’s data on record for the retention periods required by law. In such cases, your data shall only be processed for the purpose of proving that we have met our legal and contractual obligations. Once such statutory limitation periods have expired, your data shall be deleted or, alternatively, anonymised.

• Obligations in the event of being the Data Processor

a. To solely process the personal data to render the services subcontracted by following the instructions that may be issued at any given time by the Data Controller (unless there is a regulation that requires additional data processing, in which case the data processor shall inform the controller of the legal requirement prior to processing the data, unless this were prohibited by Law on the overriding grounds of public interest.

b. To abide by the duty of secrecy in respect of all personal data to which it may have access, even once the contractual relationship has ended, in addition to ensuring that the persons who have entered into an undertaking in writing to keep the personal data processed in the strictest confidence likewise do so.

c. To take all the technical and organisation measures required to ensure a level of security appropriate to the level of risk, based on the state-of-the-art, the implementation costs, the nature, scope, context and purposes of processing the data, in addition to the likelihood and seriousness of putting the rights and freedom of natural persons at risk, that shall include, amongst others:

• The pseudonymisation and encryption of personal data.

• The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services.

• The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.

• A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

In any event, in view of the type of data processing to be carried out, at the very least, the security measures listed in the Schedule to this Agreement must be implemented.

d. To store under the strictest controls and safeguard the personal data it accesses as a result of rendering the Service and not to disclose them, assign them, or in any other way release them, not even for their storage, to outsiders or persons not entrusted with rendering the Service subject to this Agreement.

However, the Data Controller may expressly authorise the Data Processer in writing to resort to another Data Processor (hereinafter, the “Subcontractor”), whose identification details (company name and TIN) and the services subcontracted must be disclosed to the Data Controller, prior to the service being rendered, at least one (1) month in advance. The Data Processor must likewise inform the Data Controller of any change anticipated in taking on or replacing the Subcontractors, in order to give the Data Controller the opportunity to object to such changes.

In the event that the authority granted in the above paragraph is put into effect, the Data Processor must make the Subcontractor aware of all of the obligations arising from this Agreement to which the Data Processor is subject and, in particular, the provision of sufficient safeguards in respect of suitable technical and organisational measures to be implemented, so that the data processing complies with the regulations in force.

In any event, access to the data is authorised by the natural persons who render their services to the Data Processor within its organisational framework by virtue of a non-employment business relationship. Furthermore, companies and experts subcontracted by the Data Processor in its internal organisation shall be authorised to access the data so that they are able to provide general or maintenance services (IT services, consultancy, audits, etc.), provided these tasks have not been arranged by the Data Processor for the purposes of subcontracting all or part of the Services rendered by the Data Controller to a third party.

Should the Subcontractor provide its Services from countries that do not have a data protection regulation equivalent to the European one (“Third Countries”), the Data Processor undertakes to:

• Inform the Data Controller of this circumstance and, if applicable, to collaborate with the Data Controller in processing the relevant authorisation prior to the international transfer of personal data to the Third Country concerned.

• Put as many safeguards in place as required by the European data protection regulation in respect of international transfers of data to Third Countries and, in particular, to enter into agreements with the data importers in Third Countries based on Standard Clauses passed for this purpose by the authorities of the European Union.

e. Delete or return to the Data Controller, as it may decide, all personal data to which it has had access to render the Service. Furthermore, the Data Processor undertakes to delete all existing copies, unless there is a legal rule that requires the personal data to be kept on record. However, the Data Processor may keep the data on record, if duly blocked, inasmuch as they may give rise to liabilities from its relationship with the Data Controller.

f. Notify, without undue delay, the Data Controller of any breaches of personal data security of which it becomes aware, whereby it shall assist the Data Controller in notifying the Spanish Data Protection Agency or the competent Supervisory Authority and, if applicable, the interested parties of the security breaches that occur, in addition to giving assistance to the Spanish Data Agency, whenever necessary, in conducting assessments of the impact on privacy and in any preliminary consultations that may be necessary, as well as assisting the Data Controller so that it may fulfil its obligation to respond to requests to exercise rights.

g. Keep written records of all categories of processing carried out on behalf of the Data Controller.

h. Cooperate with the Spanish Data Protection Agency or other Supervisory Authority, at the latter’s request, in the exercise of its duties.

i. Make all information available to the Data Controller that is required to demonstrate compliance with the obligations established herein, and to enable and contribute to the carrying out of audits, including inspections, by the Data Controller or a third party authorised by it to do so. Any lack of evidence that the Data Processor is properly discharging its obligations pursuant to this Agreement shall be grounds for its termination.

IV. Intellectual property

This Vendor Portal may include, by way of example but not limited to, information, data, contents, texts, documents, advertising materials, drawings, databases, sounds, software, corporate symbols, signs, trademarks, graphic designs, a combination of features, logos and images, which are protected by intellectual or industrial property rights that AFFINITY holds or is a legitimate licence holder thereof.

Thus, it is strictly prohibited to totally or partially reproduce, publicly disclose, modify, transform, copy, distribute or in any other way exploit or handle both this Vendor Portal and its information, data, contents, texts, documents, advertising materials, drawings, databases, sound effects, software, corporate logos, distinctive signs, trade names, graphic designs, combinations of features, logos, images and, in general, any other information contained on this Vendor Portal.

Likewise, it is prohibited to take apart, perform reverse engineering on or, in general, in any way transfer or produce works using the software programs required to run and access this Vendor Portal and the services offered on it, as well as to exploit these elements in any way whatsoever. Specifically, it is prohibited to create links, hyperlinks, frames or similar links that may be posted on the Vendor Portal, without the express prior consent of AFFINITY.

V. Use of services and contents

All Users who access this Vendor Portal must make proper use of its services and contents in line with the philosophy of this Vendor Portal, as described in this section, and under the principles of good faith and in compliance with current laws.

Therefore, in the case of any services offered or that may be offered on this Vendor Portal (such as chats) where information may be exchanged or where the User may store contents, the User undertakes not to publish, divulge, disseminate, disclose or distribute any type of material and/or, in general, information or opinions, whose contents go against the legislation in force, moral conduct or public order, are libellous or pornographic, or that tarnish the reputation and image of AFFINITY or any other third parties.

Users likewise undertake to solely and exclusively perform such actions related to the contents if they lawfully hold the corresponding exploitation rights as provided for by law, namely, the rights to reproduce, distribute, publicly disclose or transform the contents.

It is likewise prohibited to make any use of the services offered or that may be offered on this Vendor Portal for advertising purposes, or in such a way that it entails or may entail damages to or unfair competition against AFFINITY.

This undertaking also applies to the use of the services that are or may be available on this Vendor Portal. Such use must be in line with the main objective and philosophy of this Vendor Portal, namely, to facilitate the handling of invoices between AFFINITY and its suppliers.

AFFINITY may not be held liable for any third-party contents that are in breach of the above and, likewise, it reserves the right to amend or, if necessary, immediately withdraw such contents or information from this Vendor Portal, without this giving rise to indemnity of any kind for the User responsible for posting such contents or information on this Vendor Portal.

In this regard, AFFINITY enables the Users of this Vendor Portal to report and make AFFINITY aware of any incidents, violation of rights, inappropriate contents or contents that are in breach of the provisions in these General Terms and Conditions that may appear on this Vendor Portal of which they become aware by writing an email to vendorsnotes@affinity-petcare.com. Users must give a brief description of the reasons for their complaint or of the incident in question. In this regard, the User is hereby informed that the personal data of the informant and the accused may be transferred by the AFFINITY for the purposes of investigating the abuse, incident, content or breach reported and deciding whether the competent public authorities should be made aware of this, in which case the data referred to shall be disclosed to the public and/or judicial authorities, and to law enforcement bodies and agencies.

The User is hereby informed that the contents on this Vendor Portal stored by the User as a consequence of using this Vendor Portal shall imply the assignment free of charge for an indefinite period to AFFINITY of all of the exploitation rights over the contents referred to, that is, the rights to reproduce, distribute, publicly disclose and transform such contents.

VI. Release of liability

AFFINITY provides its users with pieces of information that may contain inaccuracies or errors, or they may not be up to date when the User accesses them. Therefore, having made the User aware of potential inaccuracies in the content of this Vendor Portal, AFFINITY may not be held liable for damages arising from the hypothetical lack of reliability, completeness and/or relevance of the contents, in addition to possible typing errors, shortcomings or flaws in figures that may be posted on the Vendor Portal.

Furthermore, AFFINITY may not be held liable for service outages, malfunctions or problems with data network connections through which this Vendor Portal is accessed, whatever the origin of the malfunction.

AFFINITY is unable to guarantee that the contents on this Vendor Portal are suitable or available by law outside of Spain. Should all or part of the contents on this Vendor Portal be considered illegal in countries outside Spain, their access and use by Users shall be prohibited and, in the event that they do access them, the User shall be solely responsible for their use.

The use that may be made of the information and contents that appear on this Vendor Portal and/or access to other third-party websites through the links posted on this Vendor Portal shall remain the sole responsibility of the Users who perform such actions. Under no circumstances may AFFINITY be held liable for any damages that may be sustained from such use or activities.

As a consequence, the User expressly and fully accepts that the access to and use of this Vendor Portal is undertaken under the sole and exclusive responsibility of the User.

VII Applicable law and jurisdiction

These General Terms and Conditions and any matters related to their interpretation, performance or non-performance shall be governed by Spanish law, notwithstanding any EU regulations and international treaties to which they may be subject.

Furthermore, AFFINITY and the User submit, with express waiver of any other jurisdiction to which they may have recourse, all matters, incidents or disputes that may arise related to this Vendor Portal, to the Courts and Tribunals to which AFFINITY is subject by virtue of its registered address.