Page 1 | General Policy and Scope of Application

This Privacy Policy (hereinafter referred to as “this Policy”) is formulated by LuxeLex Legal International Law Firm (hereinafter referred to as “the Firm”). It aims to clarify how the Firm collects, processes, uses, and protects personal information and institutional data of clients during the provision of legal services and operations. This Policy applies to all individuals or legal entities that access the Firm’s platform, submit service requests, participate in legal consultations, or interact with the Firm in any way (hereinafter referred to as “clients”).

I. Applicable Scenarios

This Policy applies to data processing activities in the following scenarios, including but not limited to:
- Data generated when clients visit the Firm’s website, online systems, or interactive interfaces;
- Information provided by clients during the submission of consultation applications, background materials, or legal documents;
- Content transmitted by clients through emails, document exchanges, or remote meetings during the service process;
- Data legally collected by the Firm under compliance requirements such as anti-money laundering, identity verification, and customer due diligence.

II. Legal Effectiveness of the Policy

Before accessing or using the Firm’s services or providing any information to the Firm, clients should carefully read and understand the entire content of this Policy. Once clients use the services or provide data, they are deemed to have agreed to and accepted all the rules and processing methods outlined in this Policy. If clients have objections to this Policy or cannot accept some of its provisions, they should immediately stop accessing the Firm’s platform and avoid further submission of personal information or materials.

III. Data Control Statement

This firm is the sole controller of all customer data and the responsible party for data processing. Unless required by law or authorized by the customer, this firm will not use customer data for purposes other than those outlined in this policy, nor will it disclose or transfer any sensitive information to unauthorized third parties. This policy applies to all services provided by this firm and remains valid regardless of the country or region where the customer is located.

Page 2 | Explanation of Information Collection Types and Sources

To provide precise, secure, and compliant legal services, our firm will collect personal data and business information as needed during the use of services or communication with clients. All information collection adheres to the principles of ‘minimum necessity’ and ‘legality and compliance,’ ensuring that no data unrelated to the service or unauthorized by the client is collected.

I. Information Provided by Clients

During the application for services or project advancement, clients may voluntarily provide the following information:
- Identity Information: Name, position, company/institution name, ID card or passport number (if applicable);
- Contact Information: Email address, encrypted communication account, authorized signatory information (if applicable);
- Legal Affairs Information: Brief description of legal issues, background of the parties involved, relevant contracts or supporting documents;
- Compliance Materials: KYC/AML background documents, proof materials, and declaration forms required by regulatory requirements.

All submissions must be voluntary, and the content provided must be true, complete, and legally usable.

II. Automatically Collected Information

When clients visit our website or digital platform, the system may automatically collect the following technical information for service security, function optimization, and risk protection:
- Browser type and operating system information;
- Access time, page path, duration of stay;
- IP address, device fingerprint, language settings;
- Login behavior records and system access trails.

The above data does not include direct identity information and is not used for user profiling or advertising marketing. It is only used for platform protection, service debugging, and security analysis.

III. Third-Party Information Sources

In specific legal or compliance contexts, our firm may legally obtain customer information from the following sources:
- Public information platforms (such as business registration, judgment announcements, and regulatory notifications);
- Authorized partners, foreign law firms, compliance agencies, or custodians;
- Third-party certification platforms (such as identity verification tools) required for anti-money laundering reviews.

All third-party data collection activities are conducted with legal authorization, transparent processing, and customer awareness.

Page 3 | Purpose of Information Collection

The sole purpose of LuxeLex Legal International Law Firm in collecting customer information is to provide high-quality, compliant, and confidential legal services. All information is used on a legitimate, legal, and necessary basis, and the firm explicitly commits to not using customer information for commercial marketing or unauthorized purposes.

I. Purpose of Service Delivery and Communication

- Verify the identity of customers to ensure that communication partners are genuine and authorized;
- Analyze the legal needs of customers to assess case feasibility and match service resources;
- Provide customized legal advice, risk assessments, solutions, and document preparation;
- Send updates on service progress, legal risk alerts, or operational confirmations to customers.

II. Purpose of Compliance and Regulatory Compliance

- Fulfill customer due diligence (CDD) and KYC/KYB (identifying real beneficiaries) obligations;
- Assist in preventing financial crimes, in line with anti-money laundering (AML) and counter-terrorist financing (CTF) requirements;
- Cooperate with regulatory authorities, judicial bodies, or compliance partners to complete data verification and risk reporting when authorized by law.

III. Purpose of Information Security and System Protection

- Detect, prevent, and respond to illegal intrusions, system abuse, fraud, or data breaches;
- Use for platform log recording, operation permission review, and access control;
- Within the scope of customer authorization, use for initiating encryption services, data backup, and data verification procedures.

IV. Purpose of Internal Management and Service Optimization

- Optimize process management based on service records, thereby enhancing service efficiency and delivery quality;
- Collect non-individual behavior data for project configuration, team matching, and response mechanism adjustments;
- Evaluate the stability and accuracy of compliance processes, document templates, and case systems.

LuxeLex explicitly commits to not using customer information for advertising, user profiling, or any form of third-party commercial exchange, ensuring that customer privacy is not misused.

Page 4 | Information Use and Processing Rules

LuxeLex Legal International Law Firm always adheres to the principles of transparency, prudence, and compliance in handling client information. We commit to using data only when it is necessary for our services, legally authorized, or with the client’s explicit consent, and we take all reasonable measures to limit the use and access of information.

I. Principle of Legal Use

Client information is used only in the following scenarios:
- To fulfill the entrusted agreement with the client and provide the required legal services and professional advice;
- To disclose or archive information for fulfilling legal obligations or responding to regulatory requirements;
- With the client’s written authorization, for project collaboration or case handover between partners;
- When the information has been anonymized or de-identified, for internal training, process optimization, and professional research.

All processing must comply with relevant laws and regulations and must not exceed the original collection purpose.

II. Principle of Minimal Necessary Use

- We strictly adhere to the ‘minimum data exposure’ principle in service configuration;
- Client data is limited to the team members directly serving the client and must not be shared horizontally or used for unrelated matters;
- We do not actively collect data fields that the client does not wish to provide, that are unnecessary for the service, or that are controversial.

III. Access Rights and Internal Control

- Access rights to client information are limited to the partners, lawyers, and compliance officers directly responsible for the project;
- All document operations have hierarchical control, operation logs, and audit trails;
- We regularly conduct access rights reviews and employee data security training to prevent internal leaks and misuse.

IV. Prohibition of External Use and Transfer

- Without the client’s written consent, this firm will not sell, lease, or transfer any client data to third parties for use;
- This firm will not use client information for advertising, marketing, or customer profiling purposes;
- All data usage records can be provided to clients for review summaries or legal verification.

LuxeLex commits that every step of its data processing is traceable, and each use is recorded, ensuring that clients have clear awareness and control throughout the service process.

Page 5 | Data Storage, Encryption, and Security Mechanisms

LuxeLex Legal International Law Firm is well aware of the sensitivity and confidentiality of client information. We have established a stringent storage framework, security standards, and technical mechanisms to ensure that client information is protected to the greatest extent throughout its lifecycle.

1. Data Storage Mechanism

- Client information is stored in data centers with international security certifications, equipped with firewalls, intrusion prevention systems, and physical isolation capabilities.
- All core client data is stored using an encrypted file system (EFS) for long-term retention, prohibiting unauthorized remote access.
- Data storage nodes are located in jurisdictions recognized by data protection regulations, such as Singapore, the UK, and Switzerland.

2. Encryption and Access Security

- All document transmissions use 256-bit TLS encryption protocols to ensure the integrity and non-tamperability of files during transmission.
- Client data access uses two-factor authentication (2FA) and dynamic token authorization.
- High-risk transactions, such as asset disputes, on-chain evidence, and identity structures, require private key signature systems to unlock relevant files.

3. Operation Records and Audit Mechanisms

- All views, edits, downloads, and shares of client data are recorded and traceable.
- Our firm has an independent information security audit team that regularly checks and assesses the risk of file processing.
- If any abnormal access behavior is detected, the system will automatically trigger an alarm and suspend operation permissions.

4. Disaster Recovery and Data Restoration Strategy

- Each customer’s data is backed up in at least two physically separate data centers, with weekly disaster recovery updates.
- In the event of a sudden system failure or information leakage, data recovery and identity verification can be restored within 24 hours.
- All data restoration operations must be jointly authorized by two partners.

LuxeLex believes that information security is not just a technical issue but also a matter of professional ethics. We will always adhere to higher industry standards to ensure our clients’ digital sovereignty and privacy rights.

Page 6 | Data Retention Period and Destruction Mechanism

LuxeLex Legal International Law Firm ensures that customer data is retained only when necessary for service, compliance, or risk management. All data retention periods, update frequencies, and destruction mechanisms adhere to the principles of ‘minimum necessary retention’ and ‘controllable lifecycle,’ ensuring that customer information is not retained unnecessarily or misused.

I. Data Retention Period

The retention period for customer data will be set according to the following scenarios:
- Normal project data: Retained for 7 years from the end of the project, for regulatory retention, dispute review, and preparation for future client commissions;
- Compliance and audit data: Such as KYC documents and background investigation reports, retained for 5 to 10 years according to relevant regulations, and automatically removed upon expiration;
- Legal correspondence, dispute documents, and judicial evidence: Retained for up to 10 years, depending on the case’s risk level and the jurisdictional requirements of the client;
- Information submitted by clients who have not formally signed contracts: Deleted within 90 days after the evaluation phase, unless explicitly authorized by both parties.

Customers can submit written requests to destroy or archive historical data for completed services, provided that such actions comply with legal conditions and do not violate audit or regulatory obligations.

II. Destruction Mechanism

- Digital Data Destruction: This includes encrypting data, fragmenting it, permanently deleting files, and performing irreversible formatting;
- Paper Document Destruction: This is done using confidential shredding equipment, with the destruction time and personnel involved recorded;
- File List Update: After the destruction is completed, the customer’s data directory is updated to mark the data as non-retrievable;
- Customer Destruction Notification: For data that customers have explicitly requested to be destroyed, a confirmation letter will be issued after processing for the customer’s reference.

III. Exceptional Retention Explanation

In the following situations, this firm may retain data beyond the standard retention period:
- The customer has clearly requested long-term archiving in writing;
- The case is still under judicial review, dispute arbitration, or investigation;
- There are unresolved service fees or financial disputes that need to be reviewed;
- The law, regulatory bodies, or courts require the continued retention of relevant materials.

LuxeLex commits to not abusing, trading, reusing, or holding unnecessary customer data for extended periods, and to assume legal responsibility and professional obligations throughout the data lifecycle.

Page 7 | Customer Rights Statement

LuxeLex Legal International Law Firm respects and safeguards the right of every customer to be informed, to control, and to manage their personal information and organizational data. As the data subject, customers have the following rights, which can be exercised at any time through a formal written application, provided that they comply with legal and contractual requirements:

1. Right to Inquiry and Access

Customers have the right to request access to all information provided by this firm at any time, including:
- A description of the types and purposes of the customer data currently held by this firm;
- Information on the processing period, purpose, and method;
- Details on the storage location, access permissions, and usage records.

Upon receiving a reasonable request, this firm will respond within 10 working days and provide a verified copy of the data.

2. Right to Correction and Update

If customers find that their information is inaccurate, outdated, or contains spelling errors, if there are changes in the cooperating units, contacts, or authorized representatives, or if key field information needs to be updated due to judicial or identity adjustments, they can apply for corrections. After verification, this firm will complete the correction and update the data version within 7 working days.

3. Right to Delete and Restrict Use

Customers may request this firm to delete part or all of their data, or to restrict the scope of data processing under the following circumstances:
- The project has been completed and exceeds the statutory or contractual retention period;
- The customer has withdrawn the commission or no longer accepts any legal services;
- There is a reasonable objection to the use of the data, and it meets the legal conditions for deletion.

If the requested data is necessary for compliance retention, our obligations, or the review of potential disputes, LuxeLex will communicate with the client to decide whether to retain or delay deletion.

4. Data Portability Rights

Clients can request a structured copy of their submitted materials (such as PDF, CSV, or Word files) for their own archiving or transfer to others. We will provide these services under the premise of ensuring data security and controllable third-party influence.

Page 8 | Third-Party Data Transfer and Compliance Disclosure

LuxeLex Legal International Law Firm strictly limits the external transfer of client data. All information transfers must be legally justified, explicitly authorized, or judicially compelled, and implemented to the minimum necessary extent. The firm will never sell, lease, or re-assign client data for any commercial purposes other than service provision.

1. No External Transfer Without Authorization

Unless any of the following conditions apply, the firm will not disclose client information to any third party:
- The client has explicitly authorized and provided written instructions to share the data with specific partners, affiliated service providers, or multinational collaborators;
- During service execution, it is necessary to share some work materials with external consultants, lawyers, or institutions designated by the client;
- The client participates in international arbitration, dispute resolution, identity verification, or judicial proceedings, and the data is used as evidence.

The firm will ensure that every external transfer is conducted under legal protection, contractual constraints, and information encryption mechanisms, and will retain all transfer records and data logs.

2. Exceptions for Legal Disclosure

LuxeLex may legally disclose client information without additional consent if the following conditions are met:
- In response to court orders, arbitration institution requirements, or regulatory body investigation requests, providing copies of specific data;
- Fulfilling regulatory obligations such as anti-money laundering, anti-terrorist financing, and foreign asset compliance disclosure;
- When the client is suspected of illegal activities or subject to judicial freezing, and data disclosure is required as a mandatory cooperation measure.

The firm will promptly notify the client of the disclosed matters within the scope of the law, unless otherwise prohibited by law.

3. Explanation of the Technical Service Provider for Cooperation

In the processes of data storage, transmission, and information security, third-party compliance service providers, such as encryption cloud services, backup systems, and firewall services, may be involved. Our firm implements the following management mechanisms for all technical partners:
- Signing Data Processing Agreements (DPA);
- Requiring their platforms to comply with international data protection standards, such as GDPR and ISO 27001;
- Regularly reviewing technical security capabilities and maintaining interface logs to prevent unauthorized access.

Customers can request in writing to understand whether their data involves third-party interaction interfaces and the minimum scope of interface data transmission.

LuxeLex will control all data transmission nodes and authorization boundaries, ensuring that any external access is recorded, verifiable, and accountable, thereby truly safeguarding the customer’s control and protection of their information.

Page 9 | Cross-border Transmission Mechanisms and Regulatory Compliance

Given that our clients are located in multiple countries and jurisdictions, certain service scenarios require the legal transfer of client data between overseas teams, partner law firms, or cloud infrastructure. LuxeLex Legal International Law Firm strictly adheres to international data protection regulations in all cross-border data operations, ensuring consistent and equivalent security for client data globally.

I. Applicable Regulations and Standards

Our firm follows the following international compliance standards for cross-border data transmission:
- European General Data Protection Regulation (GDPR);
- Singapore Personal Data Protection Act (PDPA);
- UK Data Protection Act and post-Brexit extension provisions;
- Other jurisdictions with mandatory data sovereignty laws where clients are located (such as Hong Kong, Switzerland, UAE, etc.).

Before data transmission, LuxeLex evaluates the legal protection levels of the receiving country and prioritizes countries with a ‘sufficiently robust’ legal framework or those that have signed standard contract clauses (SCCs) with our firm.

II. Client Choice

Clients can exercise their choice over the cross-border flow of their data within the following areas:
- Designating that their data be stored only in specific jurisdictions (such as Singapore/Britain);
- Requesting that their data not be backed up or processed in specific countries or regions;
- Requesting the signing of separate cross-border data authorization agreements for specific transmission projects.

If the client does not provide a clear written restriction, it is considered that they have implicitly authorized our firm to perform necessary overseas synchronization and backup operations within the scope of compliance.

III. Security Transmission Mechanism

All cross-border data transmissions comply with the following technical security standards:
- Remote synchronization uses SSL/TLS encryption;
- All files are verified through digital fingerprinting to prevent tampering;
- Each international operation record is saved in the audit log system for traceability by the client and regulatory authorities.

IV. Responsibility and Transparency Principle

LuxeLex assumes primary responsibility for all cross-border data operations. Even if the technical transfer is executed by a third-party data processing platform, it must comply with the compliance terms, transmission purpose restrictions, and confidentiality obligations signed by our firm. Our firm will continuously update the cross-border mechanism based on international regulatory trends and data sovereignty policies to ensure that client information is consistently and strictly protected, regardless of its location.

Page 10 | Policy Updates and Interpretation Rights

To continuously align with the evolving international data protection laws and our business structure, LuxeLex Legal International Law Firm will regularly review and update this privacy policy as necessary. Customers have the right to be informed of any changes in the policy and to choose whether to continue providing information or using services based on their preferences.

I. Policy Update Mechanism

- Our firm will revise this policy as needed to reflect changes in laws and regulations, technical security standards, and service process optimization.
- After a policy update, it will be announced through our official website, customer portal system, or other official notification channels.
- By continuing to use our services, customers are deemed to have read and agreed to the updated privacy policy terms.
- If customers do not agree with the updates, they can request to terminate the service and exercise their data control rights (such as exporting or deleting data) in writing.

II. Customer Notification Obligation

- Customers are responsible for promptly reviewing the latest policy content.
- If no objections are raised within 30 days after a significant update, it is considered accepted by default.
- If customers have objections, they can contact the partner representative to initiate negotiations or requests for data processing restrictions.

III. Policy Interpretation Rights

- The ultimate interpretation of this policy is the responsibility of LuxeLex Legal International Law Firm.
- In case of any conflict between the terms of this policy and local regulations, the firm will make a judgment based on conflict of laws principles and practical feasibility.
- If customers have any questions about the interpretation of the policy text, they can submit a written request for an explanation, which will be responded to in writing by the designated Data Protection Officer or the partner team.

IV. Language Version Explanation

This privacy policy is available in multiple languages, including Chinese and English. In the event of any ambiguity in language expression, the English version shall prevail. In specific jurisdictions where official language requirements are in place, LuxeLex can provide a reviewed translation version for customers to sign or file.

Copyright © 2025 LuxeLex All Rights Reserved.