Confidentiality and Data Protection Policy

GRUPO NUBIA HOMES (hereinafter, the Group) is made up of NUBIA HOMES, S.I.C.C., S.A. and its subsidiaries, which own a portfolio of residential real estate assets for rent and distributed throughout the national territory. The identification and contact details of the different companies that make up the Group are detailed below:

Entity: NUBIA HOMES, S.I.C.C., S.A.

NIF: A06974687

Address / C. P.: Calle Fernanflor 4, planta 4, 28014, Madrid

Email (for all entities): alquileres@nuvaliving.com

Entity: NUVA POZUELO, S.L.

Neeff: B88461025

Address / C. P.: Plaza de las Cortes 2, planta 4, 28014, Madrid

Entity: DUNAS DESARROLLOS FOTOVOLTAICOS 12, S.L.

Neeff: B88461074

Address / C. P.: Plaza de las Cortes 2, planta 4, 28014, Madrid

Entity: NUVA LAVAPIES, S.L.

Neeff: B87215430

Address / C. P.: Plaza de las Cortes 2, planta 4, 28014, Madrid

Entity: NUVA VALLECAS, S.L.

Neeff: B88461066

Address / C. P.: Plaza de las Cortes 2, planta 4, 28014, Madrid

Entity: MAZZERONIA, S.L.

Neeff: B05341292

Address / C. P.: Calle Fernanflor 4, planta 4, 28014, Madrid

Entity: NUVA NEWCO 3, S.L.

Neeff: B67882605

Address / C. P.: Calle Fernanflor 4, planta 4, 28014, Madrid

Entity: NUVA NEWCO 4, S.L.

Neeff: B67882613

Address / C. P.: Calle Fernanflor 4, planta 4, 28014, Madrid

Companies operate by assuming the highest level of commitment to responsibility and compliance with data protection regulations. By virtue of the above, this document has been prepared in order to inform about the processing of personal data within the framework of the activities carried out by the companies of the NUBIA HOMES GROUP, as well as to inform of the data protection rights of the interested parties and the care and support mechanisms enabled in this matter.

GRUPO NUBIA HOMES carries out its activities through a centralised organisational structure, managed from its offices in Madrid, so the processing of personal data will be carried out in accordance with the regulatory framework on data protection implemented through the General Data Protection Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ( GDPR) and Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights (LOPDGDD).

Data Controller

This data protection information is established on behalf of the NUBIA HOMES GROUP, so it applies and encompasses all the companies that belong to the Group and that will process personal data in their capacity as Data Controllers.

The identification and contact details of the Group for the purposes of this data protection information, as well as of the Data Protection Officer (DPO) are as follows:

Address / C. P: Calle Fernanflor 4, planta 4, 28014, Madrid

E-mail: alquileres@nuvaliving.com

DPO contact details: dpdexterno@bonetconsulting.com

Canal: www.corporate-line.com/cnormativo-nubiahomes / www.corporate-line.com/cnormativo-nubiahomessicc

Purposes of processing

The Group will process the information provided to us by interested parties for the following purposes: To manage their attention, visit and meeting at our facilities and/or buildings and/or those of our collaborators. Real estate development and operation of NUVA LIVING buildings, including purchase, sale, construction, refurbishment, completion of work and maintenance, directly by the Group or through third parties. Manage the making of property reservations and the subsequent signing of lease contracts, as well as their renewal and/or any other agreement related to real estate transactions. To manage any type of request, suggestion or request about our properties that interested persons make to us through any means.

Information and commercial communications: processing of your data in order to inform you about activities, events, news and general information related to our activity and our properties. Manage the NUVA LIVING customer access area on the website. Carry out commercial campaigns and prepare marketing materials (website, banners, brochures, microsites, etc.), in order to advertise and position the properties.

Validate the economic conditions of potential tenants and the requirements demanded in the applicable regulations, including social housing.

Manage data provided by candidates for a job through the Curriculum Vitae (CV) or other means for the purpose of the selection and recruitment process. Formalise and manage the relationship with suppliers, collaborators, contractors and subcontractors of the Group, as well as comply with the obligations acquired by virtue of professional relationships or agreements/agreements with any third party.

Guarantee the security of people, offices, facilities, buildings and any establishment in which the Group's entities operate and all those entities involved in the construction and completion of the real estate project, through access controls, video surveillance systems and other access control/identification systems.

Comply with the legal provisions that apply to the Group and to all those entities participating in the real estate project, as well as to their activities, in terms of health, equality and occupational risk prevention.

Manage and control the operation of the internal mechanisms, policies and protocols established by the Group for the purposes of regulatory compliance and management of whistleblowing channels for this purpose.

All those treatments that are applicable to us for the due compliance with the regulations and official/sectoral requirements to which our activity is subject.

For the proper purpose and development of your attention and management of the above purposes, the processing of your data for the purposes corresponding to those mentioned above will be carried out under the strictest compliance with the Data Protection regulations and the Policy that we are detailing to you. You may exercise your rights at any time (see specific section).

Data retention criteria

Management and execution of the real estate project: the personal data provided in the contracts, offers and/or service proposals, as well as those of the rest of the people whose intervention is necessary, will be kept for as long as the agreements for the provision of services/products are in force. At the end of the relationship, the personal data will be kept in the event that responsibilities with the Group may arise and/or in compliance with other regulatory frameworks that are applicable to the Group or with a regulation with the force of law that requires the retention of these. Personal data will be kept in such a way as to allow the identification and exercise of the rights of the affected parties and, under the technical, legal and organisational measures that are necessary to guarantee their confidentiality and integrity.

Curriculum Vitae Management: the Group, as a rule, keeps its Curriculum Vitae for a maximum period of one year; At the end of this period, it will be automatically destroyed, in compliance with the principle of data quality. Management of Employment Contracts: personal data will be kept, in any case, for as long as the employment relationship is in force and, at the end of it, in the event that responsibilities may arise between the parties and when required by a regulation with the force of law.

Others: the rest of the data and information provided by the user by any means will be kept for as long as necessary to fulfill the purpose for which they were collected.

Legitimation

The legal basis that enables the Group to process the personal data of users, customers and potential customers by virtue of the following titles:

The consent of the interested parties for the processing and management of any request for information or consultation about our services and products.

Consent given by job candidates for selection and recruitment purposes.

The framework for the provision and/or contracting of services/products with the Group.

The legitimate interest to send you informational, commercial communications and/or promotional offers related to the Group's real estate projects and the services/products contracted through email or any other means.

Compliance with legal obligations and internal regulatory compliance procedures, safety requirements, and ethics and sustainability commitments.

The legitimate interest to ensure the security of offices, facilities and people.

Recipients

Whenever necessary to achieve the purposes described above, the Group will share personal data with the following third parties:

Companies of the NUBIA HOMES GROUP: when it is necessary for the proper management of a contract for the provision of services or products, for the management of the Group by virtue of its organisational structure, for the sending of commercial communications related to the real estate sector, as well as for the sharing of data of potential tenants.

Collaborating entities and commercial agents: when their participation is required within the framework of a contract and/or agreement for the provision of products and services or as intermediaries in real estate transactions. Suppliers: personal data may be communicated to different suppliers due to the provision of services by them that require access to and processing of personal data, such as, for example, providers of consulting and legal advice services, providers of advice on labour, tax and accounting matters, providers of software and maintenance services,  etc.

Solicitors: if their intervention is required due to a judicial proceeding.

Notaries: when their intervention is necessary to act as a notary public of the transaction or formalization of the contract, providing full proof of the reality of the grant, the literal nature of the statements of the parties and their identity.

Administrations or public bodies: in compliance with applicable regulations (labour, occupational risk prevention, tax, accounting, data protection, etc.).

Courts and Tribunals and the State Security Forces and Corps: personal data will be communicated to these entities whenever we are officially required to do so.

Apart from the cases detailed above, personal data will not be communicated to third parties, except in compliance with a legal provision.

Origin

Personal data is collected directly from data subjects and from our collaborators, suppliers or agents. The categories of personal data you provide to us are:

Identification data.

Mailing or e-mail addresses.

Bank details.

Data provided and/or consented to by the interested parties themselves related and necessary for the management and performance of the requested service/product.

Rights

Right of Access, Rectification and Deletion: interested parties have the right to obtain confirmation as to whether or not the Group is processing personal data concerning them. Data subjects have the right to access their personal data, as well as to request the rectification of inaccurate data or request its deletion when, among other reasons, the data is no longer necessary for the purposes for which it was collected.

Right to Restriction and Opposition: in certain circumstances, interested parties may request the restriction of the processing of their data, in which case we will only keep them for the exercise or defence of claims. In certain circumstances and for reasons related to their particular situation, data subjects may object to the processing of their data. The Group will cease to process the data in this case, except for compelling legitimate reasons, or for the exercise or defence of possible claims.

Right to revoke the consent given: the interested parties have the right to withdraw their consent at any time, except in the case of processing of personal data provided for in the Data Protection regulations or necessary for the provision of the contracted service, which do not require such consent. However, this withdrawal does not have retroactive effect and therefore will not affect the lawfulness of processing based on previously given consent.

These rights can be exercised on our Channel (see specific section).

Security and Control Measures

General

In compliance with data protection regulations, the Group will process personal data by applying the appropriate technical, legal, organisational and security measures, in order to guarantee the confidentiality and integrity of the information it manages in accordance with the provisions of current regulations. We would appreciate that you would inform the Data Protection Officer through the contact details / Channel established in this Privacy Policy, of any security risk, of which you have indications or knowledge, that may compromise the integrity and confidentiality of personal data and/or confidential information, in order to be able to adopt the necessary measures to prevent their unauthorised processing,  accidental loss, destruction or damage.

Cybersecurity

As a specific concept and complementary to the above, the Group applies cybersecurity measures to prevent and manage possible attacks and fraud by cybercriminals that threaten the privacy and protection of the data that our Entity processes and accesses within the scope of its activities and operations. In this regard, we would like to warn that in the event of possible risk situations due to communications whose content and/or format generate doubts as to their authenticity, we recommend omitting them and contacting the Data Protection Officer through the contact details indicated in this Privacy Policy.

Likewise, any request received from our Entity regarding changes in payment methods, requests for contact details or persons or confidential (non-public) information, bank and/or credit card details and/or other official data, must not be dealt with without direct confirmation from our Entity by another alternative means. We appreciate and need your collaboration with the communication and reporting of any notification in relation to this type of request and other possible situations of risk of cyberattacks in which our Entity may be used, as well as any possible security risk that you may be aware of.

Channel

The Group has implemented a Channel, contemplating the highest commitment, rigour and professionalism in terms of security, experience, independence and knowledge in the processing of the communications received.

The Channel, which includes use in the field of Data Protection, has been implemented through a web platform, developed and managed by an independent external expert, to provide and guarantee our previous commitments.

Through the Channel, you will be able to communicate and process the exercise of your Rights (see previous section) and communicate any indication or knowledge you may have of possible security breaches (breaches), cyberattacks and/or possible breaches or irregularities regarding the Data Protection regulations and this Group Policy.

The access details to the Channel are detailed at the beginning of this Policy.

Supervisory Authority

In the event of disagreements with the Group regarding the processing of your data, you have the right to lodge a complaint with the relevant Data Protection Supervisory Authority. In Spain, this Authority is the Spanish Data Protection Agency (www.aepd.es).

Care & Support

Interested parties may inform the Group of any questions regarding the processing of their personal data or interpretation of our Policy by contacting the Data Protection Officer (DPO) at the address indicated at the beginning of this Policy.