DATA PRIVACY POLICY

Last update: March 20, 2025.
ADVENTURE SPORTS GROUP EUROPE S.L. (hereinafter, “ASGE”) with National Tax ID B-65896276 and registered office for these purposes at C/Canudas 13, 08820, El Prat de Llobregat, Barcelona (Spain), duly registered in the Register of Commerce of Madrid in Volume 36887, Sheet 89, Page M-659993, declares that it is the owner of the domain giro .com (hereinafter, the “Website”) in accordance with the obligations set forth in Spanish Law 34/2002, of July 11, 2002, on information society services and electronic commerce (hereinafter, the “LSSI-CE”).

1. Information about the data controller

In accordance with the applicable data protection regulations and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter, the "GDPR") and Spanish Organic Law 3/2018 of December 5, 2018 on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter, the "LOPDGDD"), the Data Controller is:

2. Personal Data

Personal data is information that identifies you or makes you identifiable. We collect personal data provided by the user on the website, in the boxes provided for this purpose: first name, last name, email address, telephone number, postal address, city, etc., as well as any data voluntarily provided to us through any of the social networks on which the user is registered. For those networks, the level of data privacy will depend on the settings established by the user, as well as the terms and conditions of the social network itself. Visiting the website does not require the user to provide any personal data. However, if such data is provided, it will be processed lawfully, subject at all times to the principles and rights set forth in GDPR 2016/679 of April 27, 2016, and LOPDGDD 3/2018 of December 5, 2018.

3.Data processing, purposes of and legal basis for processing of the data:

• Identification information: Name, contact information, and other identifiers: such as name, username, account name, address, phone number, date of birth, email address, and online identifier.
• Purchase information: electronic customer records, including purchase information, that contain personal information.
• Device information: Internet Protocol (IP) address, web browser type, operating system version, phone operator and manufacturer, app installations, device identifiers, mobile advertising identifiers, and push notification tokens.
• Notifications: direct notification, web forms, online surveys, or interactions with our blogs and publications
• Commercial information: including records of products or services purchased, obtained, or considered, or other purchasing or usage histories or trends. We collect this information to provide customer support and personalize content and experiences.
• Warranty registration information: this includes information about your product purchase, such as the product name and location, and personal information, including contact information, required to register a warranty.
• Usage data: Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet website, application, or advertisement.
• Location data: location information about a particular person or device, general location information (for example, your IP address may indicate your geographic region more generally).
• Profiles and inferences: inferences drawn from any of the information listed above to create a profile reflecting a user's preferences, characteristics, psychological tendencies, predispositions, behavior, attitudes, intelligence, skills, or aptitudes.

4.International data transfer: yes/no to what extent

The personal data we collect (or process) in the context of our Platform will be stored in New York, United States. Some of the data recipients with whom ASGE shares your personal data may be located in countries other than the country in which the data was originally collected. However, when we transfer your personal data to recipients in other countries, including the U.S., we will protect that personal data as described in this Data Privacy Policy and in accordance with applicable law. We take steps to comply with legal requirements for the transfer of personal data to recipients in countries outside the European Economic Area (EEA). We use a variety of measures to ensure that your personal data transferred to these countries is protected appropriately in accordance with data protection regulations; this includes signing EU Standard Contractual Clauses or verifying that the recipient has adopted the company's binding clauses. When personal data is transferred within ASGE, we use an intragroup data transfer agreement.

In accordance with the GDPR and the LOPDGDG, Users may exercise the following rights:

• Right of access: The User may ask ASGE whether it is processing their data and, if so, access it.
• Right of rectification: The User may request that data be rectified if it is inaccurate, or complete any incomplete data we may be holding.
• Right to request the deletion of your data: When the User exercises their right of deletion, all personal data linked to their account, as well as the information and content included in their profile, will be deleted. Likewise, if the User exercises the right of deletion of the data necessary for ASGE to provide the website services, ASGE will be obliged to terminate its relationship with the User and terminate the User's account, without the User having any right to file any claim in that regard.
• Right to request restriction of the processing: In this case, we will only retain the data in order to process or defend against claims.
• Right to object to processing: ASGE will stop processing personal data, except where it must continue to be processed for legitimate reasons or to process or defend against possible claims.
• Right to data portability: If the User wishes their data to be processed by another data controller, ASGE will facilitate the transfer of their data to the new data controller.
• Right to revoke consent given: If consent was given for a specific purpose, the User has the right to withdraw it, without affecting the lawfulness of the processing based on the consent given prior to its withdrawal.

The User may at any time exercise his/her rights of access, rectification, deletion, restriction, portability, or objection to the processing of their data, including by filing a complaint if they believe ASGE is mishandling their personal data, by sending a letter to ASGE at C/Canudas 13, 08820, El Prat de Llobregat, Barcelona (Spain), or by sending an email to legalemea@foxracing.com. If we deem it necessary to identify the User, we may request a copy of the User’s ID or equivalent document. Written correspondence must be sent to the email address legalemea@foxracing.com, including in both cases a photocopy of your National ID card, Foreigner Identity Number, or other equivalent identification document.

You can use the templates and forms on the rights mentioned above by visiting the official website of the Spanish Data Protection Agency (https://www.aepd.es/derechos-y-deberes/conoce-tus-derechos). Furthermore, if you believe that ASGE is processing your personal data inappropriately, you can file a complaint with that same Supervisory Authority (https://www.aepd.es/).

.6.Transfer of data to third parties

Your data will not be communicated or transferred to third parties, unless there is a legal obligation to do so, or to those providers affiliated with the Data Controller who act as data processors. We may share or disclose the Personal Information we collect with the following categories of third parties:

• Service providers: We may share Personal Information with third-party service providers who use this information to provide services to us, such as hosting providers, auditors, advisors, consultants, payment processors, customer service, support providers, and/or advertising and marketing agencies.
• Subsidiaries and associated companies: we may share your personal information with our affiliated companies (i.e., affiliated brands, parent companies, and other companies under common ownership, control or management); these affiliated companies may use such personal information for the purposes set out in this Policy, including for market research, sending promotional materials, newsletters, and surveys.
• Legal compliance:We may need to share Personal Information in response to a valid court order, subpoena, government investigation, or as required by law. We also reserve the right to report to law enforcement any activity we believe in good faith to be unlawful. Additionally, we may share certain Personal Information when we believe doing so is reasonably necessary to protect the rights, property, and safety of our company and/or others.
• Business transfers:we may disclose or transfer Personal Information as part of any actual or contemplated merger, sale, transfer of assets, acquisition, financing, or restructuring of all or a portion of our business, bankruptcy, or similar event, including in connection with due diligence conducted prior to such event, where permitted by law.
• Defending our legal rights: Defending our legal rights

We may share aggregated or anonymized information with third parties for research, marketing, advertising, analytics, and/or other purposes. If we anonymize your Personal Information, we will not attempt to re-identify you.

7.Security measures

ASGE adopts the security levels required by the GDPR which are appropriate according to the nature of the data processed at any given time by its activities. In this sense, it uses encryption techniques that do not allow third parties to trace the identity of the User who interacts with our services. Likewise, it may also implement secure anonymization techniques for the personal data it processes as part of its activities. However, technical security on a media platform such as the Internet is not impregnable, and malicious acts by third parties may occur, although ASGE uses the means at its disposal to prevent such actions.

8.Link to another website

The Services may contain links to websites operated by third parties. This Policy does not apply to third-party websites accessible through our Services, unless that website directs users or visitors to this Policy. When you click on one of these links, you will be transferred off the Site and connected to the website of the organization or company that maintains that website. We are not responsible for the privacy practices or content of third-party websites. Even if there is an affiliation between the Site and a third-party website, we do not exercise any control over the use of those websites and we encourage you to read the privacy policies of those websites.

9.Changes to the privacy policy

We will only use personal data in accordance with the Data Privacy Policy in effect at the time the data is collected. ASGE reserves the right to modify this Privacy Policy at any time, and will publish any such modifications on the Website. Therefore, it is recommended that you review it each time you access the website. If at any time we decide to use personal data in a manner different from that stated at the time it was collected, we will notify the User by email, provided we have their email address. At that time, you will be given the option to opt out of other uses or disclosures of the personal information you provided to us prior to the change to our Privacy Policy. Should any clause of this Privacy Policy be void or deemed invalid, the remaining terms and conditions will remain unaffected and in full force and effect, in accordance with the applicable regulations at all times.

10.Cookie Policy

A cookie is a small file that is downloaded and stored on the user's computer when they access a website. Cookies allow the website, among other things, to store and retrieve information about the browsing habits of the user or their device and, depending on the information they contain and the way in which the user uses their device, they can be used to recognize the user. The user can prevent the generation of cookies by selecting the corresponding option in their browser. You can find more information by reading our Cookie Policy.

11.Processing of data of Minors

Anyone who provides data through the forms on this website and agrees to its processing declares that they are over 14 years of age. Access to and use of the portal is prohibited for minors under this age. If at any time the Data Controller detects that a child under 14 years of age has provided personal data, we will delete it. Likewise, parents or guardians may contact ADVENTURE SPORTS GROUP EUROPE S.L.U. at any time to block the access account of minors in their care who have registered by falsifying their identity.

12.Applicable legislation

The privacy of all information provided, both by the User through the various personal data request forms and through the Website, is governed by current data protection regulations, and in specific by the GDPR and the LOPDGDD.