PRIVACY POLICY
Pluris Group
Updated and published: July 2025
1. SCOPE
The purpose of this Privacy Policy (hereinafter referred to as the “Policy”) is to set out the commitments of Pluris Investments S.A., a public limited company with registered offices at Rua de Miragaia, n.º 103, Porto, registered at the Commercial Registry Office under the single registration and legal person number 508 767 881, and the corporate group it heads (defined below), in relation to the management of the privacy and protection of the personal data of the individuals for whom it is responsible for processing, and to meet the requirements of the General Data Protection Regulation (hereinafter referred to as the “Regulation”)1 and the respective national implementing legislation2.
This Policy therefore applies to all companies which, directly or indirectly, belong to the corporate group headed by Pluris Investments S.A., i.e. its current and future3 subsidiaries, and shall also apply to companies in which more than 50% of their share capital and voting rights are held directly by the majority shareholders of Pluris Investments S.A. (hereinafter collectively referred to as “PLURIS” or “Pluris Group”), but shall not apply, by way of exception, to Pluris Group companies that have their own privacy policy, which shall apply to those companies to the detriment of this Policy.
It is also intended to demonstrate how personal data will be processed in the context of the activities carried out within the scope of the Pluris Group and its employees, by defining internal rules that comply with the requirements of the Regulation, namely, legitimacy, processing and conservation.
All personal data will be processed and managed under the terms of this Policy together with the Information Security Management Policy, which can be accessed via the following link 00 Information Security Management EN.pdf, taking into account a completed and up-to-date inventory of such personal data.
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 and subsequent amendments.
2 Law no. 58/2019, of August 8 (and its subsequent amendments), which ensures the implementation of the General Data Protection Regulation in the national legal order.
3 For this purpose, a subsidiary means all the companies in which Pluris Investments, S.A. holds, directly or indirectly, at least 10% of its share capital.
2. ROLES AND RESPONSIBILITIES
The Pluris Group Management will ensure that this Policy is aligned with the Group's strategy, in order to guarantee its continuous improvement with regard to information security and privacy.
The role of the Data Protection Officer (“DPO”) is, among other things, to ensure compliance with the requirements of the Regulation on an ongoing and systematic basis, that all data holders' rights are respected and that the appropriate security controls are in place for the purposes set out herein.
The Board of Directors of the Pluris Group designates and assigns to the DPO the duties and responsibilities described above in relation to all Pluris Group companies, with the exception of those that have their own DPO, who will assume such duties and responsibilities in those companies.
All Pluris Group employees, as well as their subcontractors - so long as this applies to them - are responsible for collaborating with, complying with and enforcing the commitments of this Policy.
In the case of river and sea vessels, there is also the definition of a “Local DPO” per vessel, whose mission is to exercise local DPO functions when the vessels are cruising, and who will act in accordance with the rules of this Policy.
3. PERSONAL DATA HOLDERS
In order to carry out its activities and associated processing purposes, the Pluris Group collects personal data from the following sources:
• Corporate clients through contract;
• Clients registered via web tools;
• Clients through ticket purchases;
• Candidates by submitting spontaneous applications or responding to advertised job vacancies;
• Internal employees and contracted service providers;
• Suppliers and service providers;
• Visitors to the physical or nautical facilities;
• Third parties requesting contact and/or newsletters.
4. GUARANTEE OF CONFIDENTIALITY AND PRIVACY OF PERSONAL DATA
The personal data identified in this Policy will be individually processed by the entities belonging to the Pluris Group as the respective personal data processors.
In order to guarantee the confidentiality and privacy of the data, the Pluris Group ensures that it is only accessed by employees formally authorized to perform their duties.
The responsibilities of each employee in terms of security, privacy and protection of personal data are detailed in the contracts signed with the Pluris Group, including the obligations of confidentiality and discretion to which they are bound.
Furthermore, the personal data collected by the Pluris Group is not shared with third parties without the consent of the data holder, except in the cases permitted by the applicable legislation, such as, for example, if the data holder contracts services from the Pluris Group that are provided by other entities responsible for processing personal data, or if the sharing arises from a legal obligation to which the Pluris Group is subject, or if it is necessary to fulfill the legitimate interests of the Pluris Group or a third party.
In the event that personal data is shared with third parties, reasonable efforts will be made to ensure that the transferee uses such data in a manner appropriate to this Policy.
5. IDENTIFICATION OF THE PERSON RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA
Each Pluris Group company that contracts with the holder of personal data is singularly and individually responsible for the processing of personal data that it carries out in the exercise of its activity and pursuit of its purposes.
Without prejudice to the above, the Pluris Group, in accordance with the applicable legislation and this Policy, may resort to third parties, subcontracted by it, to process personal data on its behalf and in accordance with its instructions (for more details, see point 7.3 a) below).
6. DATA PROTECTION IMPACT ANALYSIS
In cases where data processing operations are likely to result in a risk whose level is not accepted by the Pluris Group, it will carry out an impact analysis, in accordance with Article 35 of the Regulation, prior to the start of processing, with the aim of identifying and reducing and/or eliminating them.
7. COLLECTION, PROCESSING, SHARING AND RETENTION OF PERSONAL DATA
The personal data collected and processed by the Pluris Group essentially consists of information relating to name, gender, date of birth, telephone number, cell phone number, email address, address, tax identification number, credit card details (collected for payment purposes only). There is also other personal data that may be collected if necessary or convenient for the provision or collection of services by Grupo Pluris.
7.1 Collection of personal data
a) Collected directly
Personal data is collected directly as follows:
• Spontaneous applications or response to job offers by sharing the Curriculum Vitae;
• Filling in paper forms;
• Capturing images and videos at fixed installations and on board sea or river vessels;
• Biometric data;
• E-mail;
• Telephone (for employees);
• When purchasing ticketing, marketing products or other materials in Pluris Group stores or vessels, including catering services;
• Online shopping websites.
b) Indirectly collected
Personal data may be collected indirectly as follows:
• Importing the content of the Curriculum Vitae into the human resources registry;
• Importing data with shared responsibility with contracted commercial partners;
• Marketing outlets, catering services or similar;
• Job candidate selection companies;
• Companies providing medical services;
• Companies providing life insurance services;
• Marketing automation and online advertising tools of subcontracting partners;
• By subcontracting partners relating to the placement of orders, namely the purchase of ticketing for access to exhibitions and/or Pluris Group products and/or services.
The collection of sensitive personal data will only be carried out in cases that are strictly necessary and justified by the activity carried out by the Pluris Group and in accordance with the legislation in force.
In addition, for personal data collected by computer, the Cookie Policy complements this subject, presenting the “opt-in” and “opt-out” options that are available for this component of the websites.
The holder of personal data may also opt-out of online advertising services in social tools, namely Facebook, Google Ads, Instagram, Linkedin, among others.
The Pluris Group guarantees that no manual or computerized form will have pre-filled options, with all alternatives being selected by the data holder.
Personal data will be collected on the basis of the legal grounds set out in this Policy and in compliance with the principle of minimization.
7.2 Processing of personal data - Use, purposes and motives
In general terms, the Pluris Group uses personal data in the situations and with the justifications, purposes and grounds set out below:

Management of job applicants
Purpose of processing:
• Curriculum analysis and selection for interview.
• Contact with the candidate at the various stages of the process.
• Retention of data for future opportunities, subject to the candidate's consent.
• Contacting the candidate for new opportunities.
Justification: Handling of data is necessary to carry out pre-contractual procedures at the request of the data holder.

Human resources management
Purpose of processing:
• Administrative management of human resources.
• Remuneration processing (including allowances, quotas, subsidies and management of obligations such as garnishments).
• Suitability form processing.
• Analysis of employee availability for hotel operations on board river ships.
• Registration in the company's contacts and access directory.
• Announcement of birthdays by internal newsletter and personal SMS.
• Recording attendance and working hours.
• Management of prior investigation procedures, disciplinary procedures and recording of disciplinary sanctions.
• Management of occupational accident insurance.
• Management and recording of professional training.
• Career evaluation and progression.
• Management of fringe benefits and other bonuses, as well as meal cards.
• Corporate fleet management.
• Professional travel management.
• Management of documents proving compliance with legal obligations regarding the entry, stay, residence and work of foreign citizens in Portugal.
• Payment of contributions, taxes and union dues.
• Management of records, communications and legally binding documents.
• Compliance with union registration and obligations.
• Submission of declarations/information for port security and immigration control purposes.
Justification: Data handling is necessary for the performance of the employment contract concluded with the data holder and for compliance with legal obligations to which the controller is subject.

Health and safety at work
Purpose of processing:
• Promoting health and safety at work.
• Appointment and management of workers responsible for emergency measures, first aid, firefighting and evacuation.
• Repairing accidents at work and occupational illnesses.
• Occupational medicine.
• Consultation with workers on occupational health and safety issues.
• Occupational and psychosocial risk assessments.
• Issuing medical certificates for maritime or similar purposes.
Justification: Data handling is necessary for compliance with legal obligations to which the controller is obligated.

Physical security
Purpose of processing:
• Access control.
• Video surveillance image capture.
• Registration of guests and visitors.
Justification: Legitimate interest of the controller in ensuring the physical security of buildings, ships and other infrastructure supporting business operations.

Internal and external communication
Purpose of processing:
• Publication of news, testimonials, images and videos on the websites of Pluris Group companies, in internal newsletters, company newspapers and on social networks, with the aim of promoting the companies and the events in which they participate.
Justification: Consent of the data holder.

Marketing
Purpose of processing:
• Carrying out advertising campaigns.
• Advertising on virtual sites such as Google Ads, Facebook, Instagram and Linkedin.
• Sending news, advertising and marketing campaigns and personalized offers to clients.
Justification: Subject to the consent of the data holder where legally required. Processing is necessary for the performance of the contract entered into with the data’s holder and for compliance with legal obligations to which the controller is subject.

Commercial management
Purpose of processing:
• Recording customer contacts in the ERP and customer files.
• Recording and filing commercial proposals.
• Invoicing, transportation and delivery of products.
• Website registration.
• Professional travel management, including booking stays and providing hotel services.
• Handling complaints about services provided.
• Processing photographs and videos of visitors.
Justification: Processing is necessary for the performance of the contract concluded with the data’s holder and for compliance with legal obligations to which the controller is subject.

Financial management / electronic payments
Purpose of processing:
• Invoicing and collections.
• Processing refunds and returns.
• Sharing information with accounting service providers.
• Operational needs for interconnection with HiPay and Paypal and other electronic payment gateways using credit cards.
Justification: Processing is necessary for the performance of the contract entered into with the data’s holder and for compliance with legal obligations to which the controller is subject.

Purchasing management
Purpose of processing:
• Registration of suppliers in the ERP and supplier files.
• Consultation of supplier contacts and activity records.
Justification: Processing is necessary for the performance of the contract entered into with the data’s holder and for compliance with legal obligations to which the controller is subject.

Technical assistance
Purpose of processing:
• Requests for technical assistance for various pieces of equipment from contracted partners, for the purpose of managing the service provided by third parties.
• Requests for technical service support on various matters, such as legal, tax, consultancy, etc.
Justification: Processing is necessary for the performance of the contract entered into with the data’s holder and for compliance with legal obligations to which the controller is subject.

Construction permits
Purpose of processing:
• Construction permit applications and the creation of the respective construction sites and support and maintenance infrastructures.
• Construction and maintenance management.
Justification: Processing is necessary for compliance with legal and/or contractual obligations to which the controller is bound.

Information Systems Management
Purpose of processing:
• Management of e-mail system accounts and related services.
• Managing employee access to company systems.
• Preparing computers and cell phones for delivery to employees.
Justification: Processing is necessary for the performance of the contract concluded with the data’s holder.

Real Estate Activities
Purpose of processing:
• Elements of identification and purpose of the transaction, for the purposes of the Prevention of Money Laundering and Terrorist Financing.
Justification: Processing is necessary for compliance with legal obligations to which the controller is subject.

Contracting insurance
Purpose of processing:
• Hiring various types of insurance, for employees, civil liability and others.
• Creation and registration of insurance policies.
Justification: Processing is necessary for compliance with legal obligations to which the controller is subject.

Submission of tax and customs declarations
Purpose of processing:
• Submitting declarations for the purposes of complying with tax and customs obligations.
Justification: Processing is necessary for compliance with legal obligations to which the controller is subject.

E-Commerce Recruiting
Purpose of processing:
• User registration on websites, online stores, social networking tools or marketplaces.
• Management of service requirements on websites.
• Communication with the user/customer at the various stages of the service request process.
• Retention of registered customer data for new service requests.
• Transfer of data to a platform for sending promotional digital marketing newsletters.
• Transfer of data for online advertising on social networks.
• Customer support service (“online” or by telephone).
• Preparation of reports with the results of marketing and advertising campaigns.
• Management of candidates for vacancies in the Pluris Group.
Justification: Legitimate interest in providing Web customer service.

There will be no use of personal data for the purposes of creating and using sales profiles or product, region or trend indicators.
7.3 Sharing of personal data - third parties
The Pluris Group, as mentioned, communicates personal data to third parties - subcontracted or not - of a public or private nature, with the justifications, purposes and grounds reported above, which will be subject to the legal obligation to process personal data in accordance with the provisions of the GDPR.
a) Recipients of personal data:
In general, the Pluris Group communicates personal data to the following recipients:
• Social security;
• Tax and Customs Authority, enforcement agents or other legal entities;
• Insurance companies;
• Software and systems licensing, maintenance, support and technical assistance companies;
• Security/surveillance companies and preventive and corrective maintenance companies for security systems;
• Occupational health companies;
• AIMA (formerly SEF);
• Trade unions;
• Travel agencies and tour operators;
• Temporary work companies;
• Consultants and lawyers.
b) Sub-contracting entities
Personal data may be shared with sub-contracting entities under the terms of the contracts signed with them. The Pluris Group only uses subcontractors that guarantee, under the terms of the law, the implementation of appropriate technical and organizational measures for the protection of data through subcontractor agreements, concluded under the terms of article 28 of the Regulation, thus ensuring the defence of your rights under the applicable data protection law.
The sharing of data classified as sensitive will only be carried out with legal entities, partners providing medical services and similar, under the terms legally permitted.
This data sharing will, as a rule, take place within Europe.
There are specific situations that require data to be shared with entities outside the European area, namely:
• With port authorities: for security and immigration control purposes on cruise ships, in accordance with the applicable legal provisions;
• With Pluris Group companies: to support activities of legitimate interest, ensuring that the processing of personal data is minimized.
There is the possibility of sharing data with formally authorized subcontractors for digital marketing purposes, and the personal data involved in these shares is subject to the consent of the respective holder, with the possibility of opting out and withdrawing consent at any time.
This sharing will result in data being transferred outside the European area, in the case of segmentation of digital marketing campaigns with intercontinental subcontracting partners. In these cases, the organization will take care to implement security controls appropriate to each risk situation identified, regardless of whether the data’s holder is guaranteed unconditional execution of their rights and all the requirements of the Regulation.
7.4 Retention of personal data
Data is retained for the period necessary for the purposes for which it is processed; this period may vary according to the purposes in question, and when data is retained for longer periods, the legally prescribed measures are taken for this purpose. In any case, personal data is kept, inter alia, to comply with legislation in force (e.g. of a fiscal, labor and/or accounting nature), and/or the operational needs and legitimate interests of the Pluris Group (e.g. prevention of money laundering and terrorist financing and support of legal proceedings) and/or to defend the vital interests of the data’s holder or another natural person.
In general, the table below indicates the retention period adopted by the Pluris Group depending on the personal data in question.
| Data to be kept | Maximum conservation time |
|---|---|
| Legal documents (e.g. contracts, declarations, agreements, forms, guarantees, powers of attorney, certificates, minutes and related documents, certificates, court documents, tax or administrative documents, etc.) | 10 years from the end of their validity |
| Data related to job applications | 5 years from the formalization of the application |
| Data related to the human resources register | 1 year from termination of employment |
| Data related to: occupational medicine; promoting health and safety at work; appointment and management of workers responsible for emergency measures, first aid, firefighting and evacuation; repairing accidents at work and occupational illnesses; consultation with workers on occupational health and safety issues; occupational and psychosocial risk assessments | 5 years; 40 years for genetic heritage. In both cases from the end of the employment relationship |
| Data regarding the justification for unavailability for the service | 3 years from termination of employment |
| Data related to the medical certificate for seafarers, in normal use | 30 days from termination of employment |
| Data related to the medical certificate for seafarers, when supporting inquiries | 45 days from termination of employment |
| Registration of attendance | 5 years from termination of employment |
| Video surveillance, in normal use | 30 days from capture, after which the images are destroyed within 48 hours |
| Video surveillance, when supporting investigations | 45 days after it is not possible to appeal against the (administrative and/or judicial) decisions resulting from the investigations carried out |
| Publication of communications containing employees' personal data | 3 years from termination of employment |
| Publication of communications containing personal data | 3 years from the date of the communications |
| Data related to services/orders to customers by contract | 3 years from the end of the contract term |
| Data related to services/orders from web clients | 3 years from completion of services/orders |
| Photos and videos of visitors and clients at events and exhibitions | 3 years from the date of the event/exhibition |
| Data related to marketing and advertising | Until consent is withdrawn / opted out |
| Data related to marketing and advertising campaigns | 3 years from the date of the campaign or until consent is withdrawn / opted out |
| Complaints and privacy violations | 7 years after the underlying case is concluded |
| Audit records and evidence | 5 years after its completion |
| Real estate activities: proof of the procedures and diligence carried out as part of the risk assessment of operations | 7 years after the transaction is completed |
In any case, and taking precedence over what is indicated in the table above, if personal data needs to be kept for the purposes of following up any complaint, inspection process of an administrative, judicial or administrative nature, process of reparation for an accident at work/occupational illness, among others, this data will be kept for a period of 7 years after the date on which the inspection, complaint, administrative or judicial process is definitively concluded without the possibility of a challenge or appeal, or in the case of data related to reparation for an accident at work/occupational illness, for a period of 5 years after the date on which the inspection, complaint, administrative or judicial process is definitively concluded, without the possibility of challenge or appeal, or, in the case of data related to compensation for an accident at work/occupational illness, for a period of 5 years after the worker's incapacity is definitively stabilized, without the possibility of future alteration.
In addition, for all intents and purposes, the Pluris Group reserves the right to retain personal data that has been processed in specific matters until the expiry of the limitation period applicable to such matters, whenever this period is longer than any of those indicated in the table above.
Retention means the secure storage of data, in digital format and/or on paper, ensuring access management conditions to guarantee confidentiality, integrity, availability of information and non-repudiation, as well as its preservation in the appropriate conditions for use over a defined period of time.
As mentioned above, the legal requirements that demand the retention of personal data for a minimum period for each purpose will be complied with.
When no such minimum period is imposed, personal data will be kept:
(i) if and when applicable, for the period determined by the competent data protection authority for the specific cases in question; or
(ii) for the periods indicated above, deemed necessary for the pursuit of the purposes for which the data were collected or will be further processed, periods after which the data will be definitively erased in a secure manner.
8. USE AND PURPOSE OF COOKIES
Cookies are used to personalize content and advertisements according to user characteristics, interact with social networking features, analyse website traffic, as well as to support the security controls implemented.
The websites on which cookies are used are as follows:
www.Douroazul.com, www.mysticcruises.com, www.mysticocean.de, www.riversightseeing.pt, www.portosightseeing.pt, www.worldofdiscoveries.com, www.quintadacarlota.com, www.almada234.com, www.pluris.com, www.fotobeleza.com.
Depending on the options chosen by the user, data may be shared with our social media partners, for advertising purposes, to analyze traffic and navigation through the pages of the websites and social media tools within the scope of this Policy.
Under no circumstances will personal data be collected through cookies. For more details, please consult the policy in force for this purpose.
8.1 Types of cookies
Cookies are text files that can be used by websites to make the user experience more efficient.
In accordance with current legislation, cookies may be stored and operated on the equipment on which the user accesses the website if they are strictly necessary for the website to function.
For all other types of cookies, the user, the holder of personal data, is allowed to exercise their right to informed consent.
Some cookies may be installed automatically by our business partners. However, this is always done explicitly for the user.
Websites may use the following types of cookies:
a) Necessary
Necessary cookies support the execution of basic functions such as navigation between pages and their tracking.
It is important to note that the website may not function properly without these cookies, and as such, they are considered fundamental and justified.
b) Statistical or Functional
Statistical cookies help the website manager to understand how the user interacts with the pages that make up the website, collecting and processing information anonymously.
c) Marketing
Marketing cookies are used to track access to and the sequence of use of the page by the user.
They allow the personalization of advertisements and/or other marketing materials to be presented that are relevant and appealing to the user, making the browsing experience more personalized and dynamic.
The user of the website, and as such the holder of personal data, must select the type of cookies they expressly authorize in each available box.
By clicking on the “I accept” button, the user is acknowledging acceptance of this Policy and the Cookies Policy and confirming authorization for the type of cookies previously selected by them.
9. RIGHTS OF DATA’S HOLDERS
As provided for in data protection legislation and depending on the specific situation, the data’s holder may have the right to:
i. Request access to your personal data: You have the right to obtain confirmation as to whether or not any personal data concerning you is being processed and, if so, to request access to your personal data. You may have the right to obtain a copy of the personal data being processed.
ii. Request rectification of your personal data: you have the right to obtain the rectification of inaccuracies concerning your personal data. Taking into account the purpose of the processing, you have the right to have incomplete personal data completed, including by means of an additional declaration.
iii. Request the erasure of your personal data: in certain circumstances you may have the right to obtain the erasure of your personal data, and the Pluris Group undertakes, in the circumstances in which it is obliged to do so, to erase such personal data.
iv. Request the restriction of the processing of your personal data: in certain circumstances, you may have the right to obtain the restriction of the processing of your personal data. In this case, your data will be marked and can only be processed by the Pluris Group with your consent or for certain purposes.
v. Request data portability: in certain circumstances, you may have the right to receive the personal data you have provided to the Pluris Group in a structured, commonly used and machine-readable format and you may have the right to transmit such data to another entity without the Pluris Group being able to prevent it.
vi. Object to data processing: in certain circumstances, you may have the right to object, on grounds relating to your particular situation, to the processing of personal data concerning you.
vii. Withdraw your consent at any time
Finally, please note that you can lodge a complaint with the national supervisory authority (National Data Protection Commission - https://www.cnpd.pt/) if you have not been satisfied in the exercise of your rights.
Data’s holders will be guaranteed the conditions to exercise their rights under the Regulation.
The DPO appointed by the Pluris Group will be involved in all matters relating to the protection of personal data, and any questions that data holders deem necessary should preferably be addressed to the DPO in writing via the email address dpo.mysticinvest@mysticinvest.com.
If the data’s holder wishes to report a breach of privacy, they should use the available Complaints Channel or, if this is not applicable, submit a complaint via email to complaint.mysticinvest@mysticinvest.com or directly to the responsible supervisory authority.
Alternatively, the data’s holder will have at their disposal a web-based communication portal where they can carry out all the above-mentioned interactions and obtain information on the processing of such requests.
Following records of complaints and/or breaches of privacy, the Pluris Group undertakes to inform the data’s holder of each step and progress of the complaint process, without prejudice to compliance with the deadlines defined by the Regulation.
The right to be forgotten or to have personal data erased by their holders will only be exercised by the Pluris Group when there is no provision in the applicable legislation for their retention for a certain legal period (e.g. prevention of money laundering and terrorist financing).
10. REVIEW AND CONTINUOUS IMPROVEMENT
This Policy may be reviewed at any time, in particular whenever there are significant changes in the inventory of personal data and/or in the Pluris Group's computer or documentary supports.
Each revision will result in a new version of this Policy.
11. CIRCULATION AND PUBLICATION
This Policy is classified as publicly accessible information and will be available for consultation via the Internet, on the institutional website, on the business support Internet tools and also on the Pluris Group's internal social networks.
During the integration process, new employees will be made aware of this Policy, and it will also be mandatory for them to take part in the training and awareness-raising sessions on security, privacy and personal data protection that will be part of the induction process.
After publication and circulation of the Policy, employees are obliged to:
• Protect the information assets in their charge;
• Collaborate in the management of the respective risk;
• Report any event that may jeopardize information security;
• Comply with and enforce this Policy.
Employees may consult this Policy at any time via the document management platform of the Pluris Group's internal network.
Entities/employees who, for reasons inherent to their role, do not have access to the platform, will be made aware of this Policy by sharing it in the format appropriate to each case.
12. VALIDITY OF THE POLICY
This Policy has been approved by the Pluris Group and becomes effective on the date it is published.
Any subsequent changes