PRIVACY POLICY

INTRODUCTION

At VILAGOZD HOLDINGS LIMITED (referred to as “we”, “us”, or “our”), we highly value the protection of privacy and are committed to ensuring the security and confidentiality of personal data.

This Privacy Policy explains how and why we collect, use, disclose and otherwise process your personal data when you visit our website, complete our investor contact form, schedule a confidential project briefing or communicate with us regarding potential investment and advisory opportunities.

We are a company established in the United Kingdom and may process personal data of individuals located in both the United Kingdom and the European Economic Area (EEA). We process personal data in accordance with applicable data protection laws, including the UK General Data Protection Regulation (“UK GDPR”), the Parliament of the United Kingdom's Data Protection Act 2018, and, where applicable, Regulation (EU) 2016/679 (the “EU GDPR”).

• DATA CONTROLLER

The data controller responsible for your personal data collected through this website is:

• Company Name: VILAGOZD HOLDINGS LIMITED

• Company Number: 17109348

• Registered Address: 71-75 Shelton Street, Covent Garden, London, United Kingdom, WC2H 9JQ

• Contact Email: [email protected]

We are not required to appoint a Data Protection Officer under the UK GDPR or EU GDPR because our processing activities do not involve large‑scale monitoring or large‑scale processing of special category data.

As a company based outside the European Union, we process the personal data of individuals located within the EU in accordance with Article 3(2) of the EU GDPR. To ensure ongoing compliance with European data protection standards and to fulfill our obligations under Article 27 of the EU GDPR, we have formally appointed our Data Protection Representative in the European Union. Our EU Representative is authorized to act on our behalf and serve as a direct point of contact for European supervisory authorities and data subjects regarding all matters related to our processing of personal data. You may contact our EU Representative directly using the following information:

• Legal Entity Name: VILAGOZD HOLDINGS LIMITED

• Physical Business Address: 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom

• Dedicated Email Address: [email protected]

• PURPOSES, LEGAL BASES, DATA CATEGORIES, AND RETENTION OF PERSONAL DATA

We process this personal data exclusively for corporate and investment-related purposes. We do not sell, rent, lease, or share your information with third parties for marketing or commercial profiling purposes.

• Website Operation, Security, and Administration

This section explains how we process limited technical information automatically collected when you access and browse our website, including server logs, IP addresses, and related technical data used to operate, secure, and maintain our online services.

Data Collected and Processed:

• IP address,

• Browser type and version,

• Device and operating system information,

• Date and time of access,

• Referring website URLs,

• Pages visited and server log data,

• Cookie identifiers and similar technical information (See section 4).

Purpose of Processing: To operate, secure, maintain, and improve our website, to detect and prevent unauthorized access or misuse, and to ensure the technical functionality and security of our online services.

Legal Basis for Processing: We have a legitimate interest in ensuring the security, availability, and effective operation of our website. Where non-essential cookies or similar technologies are used, we rely on your consent where required by applicable law.

Retention Period: Server log data is retained only for as long as necessary for security and operational purposes and is typically deleted or anonymized within 3-6 months, unless a longer retention period is required to investigate security incidents or comply with legal obligations.

• Evaluation of Prospective Business Relationships

This section explains how we process the professional and business information you provide to us so that we can assess your background, evaluate potential investment, partnership, or advisory opportunities, and determine whether it is appropriate to share confidential project information.

Data Collected and Processed:

• First name and last name

• Email address

• Country (jurisdiction)

• Inquiry Preference: The nature of your request and your professional investor classification or interest areas as selected by you on our web forms

Purpose of Processing: To review, verify, and evaluate the professional background of individuals or organizations submitting inquiries. This allows us to identify prospective investors, partners, and advisors and to ensure that confidential project information is shared only with relevant professional parties.

Legal Basis for Processing: Legitimate Interest. We have a valid corporate interest in ensuring that individuals requesting information about our business or projects have a relevant professional or investment background and in protecting confidential and commercially sensitive information.

Retention Period: If the initial evaluation does not lead to a business relationship, substantive engagement, or ongoing communications, the personal data associated with the enquiry will be securely deleted within twelve (12) months from the date of submission.

• Responding to Enquiries and Providing Requested Information

This section explains how we use your contact details to respond to your enquiries, manage our correspondence with you, and provide the documents, information, or materials you specifically request.

Data Collected and Processed:

• First name and last name

• Email address

Purpose of Processing: To respond to your enquiries, manage our correspondence with you, and provide information and materials that you request.

Legal Basis for Processing: Performance of a contract. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.

Retention Period: If our correspondence does not result in a formal agreement, your data will be retained for 2 years after our last meaningful communication to maintain the record of steps taken at your request.

• Verification of Eligibility and Compliance with Financial Promotion Exemptions

This section explains how we process your information to ensure compliance with financial services regulations and corporate governance standards before disclosing sensitive investment or project details.

Data Collected and Processed:

• Full name and professional contact details,

• Investor status declaration (e.g., Self-Certified Sophisticated Investor, High Net Worth Individual, or Professional Client status),

• Geographic location/jurisdiction,

• Evidence of professional credentials or corporate affiliation.

Purpose of processing: To verify whether an individual meets the relevant professional, jurisdictional, or financial promotion exemption criteria before any projectspecific information is shared.

Legal Basis for Processing: Legitimate Interest and Legal obligation. We have a legitimate corporate interest in ensuring that only qualified and appropriate individuals access confidential project information. We must ensure compliance with financial promotion regulations regarding the disclosure of investment opportunities to qualified individuals.

Retention Period: Personal data processed on the basis of our legitimate interests is retained only for as long as necessary to fulfill the specific purpose for which it was collected, or until you successfully exercise your right to object to such processing. Personal data processed for regulatory eligibility verification will be securely retained for the full duration of the applicable statutory limitation periods following the conclusion of our interaction or business relationship. This extended retention is strictly required to demonstrate regulatory compliance to financial authorities and to protect the company against potential legal or regulatory liabilities.

• Booking a meeting

When you request or schedule a "Confidential Project Briefing" with our founder, we collect and process your personal data to organize, confirm, and prepare for our meeting.

Data Collected and Processed:

• Name

• Email Address, and any guest email addresses you provide,

• Your professional or institutional investor classification

• Your telephone number (only if you explicitly choose to opt-in to receiving mobile text reminders).

Purpose of Processing: We process this information to organize, confirm, and host the scheduled briefing session with our founder, to send NDA to your inbox immediately following your booking, and to send you automated meeting updates and reminders.

Legal Basis for Processing: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. If you choose to provide your phone number for SMS reminders, we process this specific data category solely based on your explicit, voluntary opt-in consent at the time of booking. You can withdraw this consent at any time by opting out of the text reminders.

Retention Period: Meeting registration details and related declarations are retained within Calendly for as long as necessary to facilitate the meeting and follow up on the initial project briefing, typically up to 1 year from the date of the meeting, unless the interaction progresses into a formal contractual relationship or a longer retention period is required for legal documentation.

• Contract Execution and Management

When you enter into a formal contract or agreement with us, we collect and process your personal data to establish, execute, and manage our contractual relationship, as well as to meet our subsequent legal and regulatory obligations.

Data Collected and Processed:

We process the personal data strictly necessary to set up and manage our agreement, which varies depending on the type and scope of the contract but generally includes:

• Identity and contact information required to identify the contracting party and/or its authorized representatives;

• Financial, transactional, or billing information necessary to fulfill the terms of the agreement.

Purpose of Processing: We process this data to manage and administer the contract effectively, fulfill our contractual obligations, process financial transactions, maintain mandatory corporate and tax records, and ensure our ability to handle post-contractual inquiries or legal disputes.

Legal Basis for Processing: Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Processing is mandatory to comply with corporate, tax, and financial record-keeping laws. We have a legitimate interest to establish, exercise, or defend potential legal claims arising from the contractual relationship.

Retention Period: Your personal data will be retained for the entire duration of the contract to ensure its effective performance and administration. Following the termination or expiry of the contract, your data will be securely archived and retained for the full duration of the applicable statutory limitation periods or as long as it’s needed to comply with our legal obligations.

• COOKIES AND TRACKING TECHNOLOGIES

To give you full transparency and choice over the technical files placed on your device, we maintain a dedicated Cookie Policy that is available at https://vilagozd.com/cookie-policy.

Please refer to our Cookie Policy to view a full list of cookies used, understand their specific operational purposes, and learn how you can manage, configure, or revoke your consent at any time through our interactive cookie banner or your web browser settings.

• HOW WE SHARE YOUR DATA

In addition to our internal team, we share personal data with selected service providers who help us achieve the processing purposes set out in this Privacy Policy. Your data is only shared with these third parties as permitted under UK and EU GDPR.

We share your personal information with the following service providers:

• Internal Infrastructure and Processors:

• Cookie providers: see Section 4.

• Integration and CRM Providers

• GoHighLevel: Used to securely host our website pages, manage customer relationship data, and safely store incoming contact and inquiry records submitted through our forms. Privacy policy is available at: https://www.gohighlevel.com/privacy-policy .

• Communication Providers

• Google Workspace: Used to manage our corporate email infrastructure, allowing us to securely receive, process, and reply to your direct inquiries and business correspondence. Privacy policy is available at: https://workspace.google.com/learn-more/security/security-whitepaper/page-6/ .

• Scheduling providers

• Calendly: Used to host our interactive appointment calendar, enabling you to seamlessly select, book, and confirm meeting. Privacy policy is available at: https://calendly.com/legal/privacy-notice .

• Analytics providers:

• Google Analytics: We use a standard, uncustomized Google Analytics integration to analyze website traffic and visitor behavior. This helps us understand how our website is performing and improve our content. Privacy policy is available at: https://policies.google.com/technologies/partner-sites .

• Corporate and Professional Advisors: To properly evaluate potential partnerships, advisory roles, or funding proposals, your inquiries may be reviewed by our external internal legal, financial, or strategic corporate consultants who are bound by professional confidentiality agreements.

• Legal and Regulatory Obligations: We may disclose your personal information if required to do so by applicable laws, or in response to valid requests by public, financial, or other law enforcement authorities.

• INTERNATIONAL DATA TRANSFERS

To operate our website, we transfer certain personal data to third-party service providers located outside United Kingdom or the European Economic Area (EEA).

Where personal data is transferred to countries outside the United Kingdom or the European Economic Area (EEA) that are not covered by applicable adequacy regulations or adequacy decisions, we ensure that appropriate safeguards are in place in accordance with applicable data protection laws. These safeguards primarily include the UK International Data Transfer Agreement (IDTA), or, where the EU GDPR applies, the European Commission’s Standard Contractual Clauses (SCC).

• DATA SECURITY

We take the security of your personal data seriously. Because we operate as a modern, cloud-based organization, we do not maintain physical servers or local data infrastructure. Instead, our security relies on a strict combination of internal organizational protocols and the enterprise-grade technical frameworks of our trusted infrastructure providers.

The following technical, physical, and organizational security measures are in place to protect your personal data against accidental loss, unauthorized access, alteration, destruction, or unlawful disclosure:

• Encryption in Transit: All traffic to and from our website is strictly encrypted using industry-standard HTTPS and Transport Layer Security (TLS) protocols to prevent interception.

• Mandatory Multi-Factor Authentication (MFA): Access to all our core administrative platforms is strictly protected by mandatory Multi-Factor Authentication across our entire team to prevent unauthorized access.

• Strict Access Control: Personal data is restricted internally on a strict "need-to-know" basis. Access is confined exclusively to a minimized core team requiring it for specified business operations.

• Data Security Awareness: Our team operates under internal security guidelines covering strong password hygiene, data handling best practices, threat identification (such as phishing awareness), and secure network connectivity rules.

• Incident Response Readiness: We maintain a streamlined internal data breach and incident response protocol designed to ensure rapid containment, logging, and compliance with statutory regulatory notification timelines in the unlikely event of a security anomaly.

• Platform-Level Security

• GoHighLevel: Provides platform-level technical safeguards, regular internal vulnerability scanning, automated cloud backups with recovery protocols, and active breach detection systems.

• Calendly: Encrypts data both in transit and at rest. Their system is hosted on infrastructure (Google Cloud Platform) that complies with rigorous international standards, including ISO 27001, SOC 1/2, and PCI Level 1. Calendly maintains formal incident response plans, and their personnel undergo mandatory background checks and security training.

• Google Workspace & Analytics: Utilizes Google’s industry-leading global infrastructure security, featuring advanced physical security measures, continuous threat monitoring, and end-to-end encryption for data handling.

• YOUR RIGHTS

Because we comply with both the UK and EU GDPR frameworks, you hold specific statutory rights regarding your personal data. You may exercise these rights at any time without charge:

• Right of Access: The right to find out what personal data we hold about you and receive a clear, readable copy of that information.

• Right to Rectification: The right to request the immediate correction or completion of inaccurate, outdated, or incomplete data.

• Right to Erasure ("Right to be Forgotten"): The right to request that we delete your personal data from our systems, provided there is no compelling legal or regulatory reason for us to keep it.

• Right to Restriction of Processing: The right to ask us to temporarily suspend or limit how we process your data (e.g., while we verify its accuracy or investigate an objection).

• Right to Data Portability: The right to request that we transfer your data directly to you or another organization in a structured, commonly used, and machine-readable electronic format.

• Right to Object: The right to object to us processing your data based in certain circumstances.

• Right to Withdraw Consent: Where our communication is based entirely on your consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of any processing carried out before your withdrawal.

We will respond to all valid requests to exercise your data protection rights without undue delay and in any event within one month of receipt, subject to any extensions permitted by applicable laws.

• RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

If you have any concerns about our use of your personal information, you can make a complaint to us directly at [Insert Email Address].

If you remain dissatisfied with how we have addressed your concerns, you have the legal right to lodge a formal complaint with a competent supervisory authority:

• In the United Kingdom: The Information Commissioner’s Office (ICO), which is the UK supervisory authority for data protection issues.

• Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

• Website: www.ico.org.uk

• Helpline: 0303 123 1113

If you are located in the European union (EU): You also have the right to lodge a complaint with the supervisory authority in the Member State of your habitual residence, your place of work, or the place of the alleged infringement. List of national competent authorities can be accessed here: https://digital-strategy.ec.europa.eu/en/library/list-personal-data-protection-competent-authorities.

• AUTOMATED DECISION-MAKING AND PROFILING

We do not use automated decision-making algorithms or automated user profiling mechanisms.

Every business inquiry submitted through our contact form is reviewed, evaluated, and handled manually by a human member of our team.

• CHANGES TO THIS PRIVACY POLICY

We reserve the right to update or modify this Privacy Policy at any time to reflect operational changes in our project infrastructure, legislative updates, or new regulatory guidance.

Any updates will be published immediately on this page, and the "Last Updated" date at the bottom of this document will be revised. We encourage you to review this policy periodically to stay informed about how we protect your information.

Last Updated: May 29, 2026

• CONTACT US

If you have any questions, comments, or requests regarding this Privacy Policy, our data processing practices, or if you wish to exercise any of your rights under the UK or EU GDPR, please contact us.