NEW POST INTERNATIONAL MLD S.R.L. PRIVACY POLICY

1. 1
   GENERAL INFORMATION

   1. 1.1
      This Privacy and Cookie Policy, being a set of rules for processing personal data and collecting cookies (hereinafter referred to as the "Policy") of NEW POST INTERNATIONAL MLD S.R.L., (IDNO 1014600029674), with its legal address at 3 Barbu Lautaru St., Chisinau, Republic of Moldova (hereinafter referred to as "New Post," "Administrator," or "Company"), including the website www.novapost.com/en-md/ (hereinafter referred to as the "Service"), outlines the types of data we collect from consumers using our services (hereinafter referred to as "Users"), as well as other individuals whose personal data we process in the course of our operations, including job applicants.
      
      This Policy also applies to the processing of personal data and communications through the Company’s social media accounts (e.g., Facebook, LinkedIn), as well as via phone, email, or postal mail. Additionally, this Policy describes the measures we take to protect your personal data.
   2. 1.2
      Users may contact the Administrator in the following ways:
      
      A.   By mail: 3 Barbu Lautaru St., Chisinau;
      B.   By email: dpo@novapost.com;
   3. 1.3
      Personal data refers to any information relating to an identified or identifiable natural person. This includes, but is not limited to, first name, last name, address, telephone number, and email address. Information that cannot be linked to an identified or identifiable individual (e.g., statistical data) is not considered personal data.
   4. 1.4
      Before using the Service and the Company’s services, Users must review this Privacy and Cookie Policy. The purpose of this Policy is to establish requirements and procedures for protecting Personal Data against unauthorized disclosure and ensuring compliance with data processing rules, thereby safeguarding the privacy of data subjects.
2. 2
   CURRENT DATA PROTECTION LEGISLATION AND CONFIDENTIALITY OBLIGATIONS

   1. 2.1
      New Post complies with the requirements of the Law No. 133 of July 8, 2011 “On Personal Data Protection” of the Republic of Moldova (hereinafter referred to as the Law), as well as the provisions of the EU General Data Protection Regulation (GDPR), ensuring an appropriate level of personal data protection according to national and European legislation.
   2. 2.2
      New Post’s operations are governed by the legislation of the Republic of Moldova, including Law No. 36 of March 17, 2016, "On Postal Services."
3. 3
   INFORMATION PROTECTION

   1. 3.1
      By applying appropriate technical and organizational measures, New Post takes all physical and technical efforts to protect personal data from loss, damage, disclosure to unauthorized persons, alteration, or misuse.
   2. 3.2
      All communications related to personal data protection are recorded, thoroughly explained, and analyzed according to the current legislation.
4. 4
   DATA SUBJECT RIGHTS

   1. 4.1
      The data subject has the right to:

      1. 4.1.1
         Be informed about the collection of his/her personal data (Article 12 of the Law);
      2. 4.1.2
         Access data concerning him/her (Article 13 of the Law);
      3. 4.1.3
         Request data intervention, including the rectification, updating, blocking, or deletion of personal data processed in violation of the Law, particularly where such data is incomplete or inaccurate (Article 14 of the Law);
      4. 4.1.4
         Restrict the processing period of personal data (Article 15 of the Law);
      5. 4.1.5
         Object to the processing of his/her personal data (Article 16 of the Law);
      6. 4.1.6
         Avoid being subjected to a decision based on automated processing of personal data (Article 17 of the Law);
      7. 4.1.7
         Seek judicial remedy (Article 18 of the Law).
5. 5
   WITHDRAWAL OF CONSENT FOR PERSONAL DATA PROCESSING

   1. 5.1
      If the legal basis for data processing is the data subject's consent, please note that the individual has the right to withdraw such consent at any time (Article 5(2) of the Law). A withdrawal of consent request must be submitted to the Administrator via email or postal mail according to the provided contact details.
   2. 5.2
      Receiving such a request does not affect the lawfulness of prior personal data processing. The withdrawal of consent is not retroactive.
   3. 5.3
      Withdrawal of consent for personal data processing is ineffective to the extent necessary for the proper provision of services or terms of the applicable agreement, including complaint settlement. In this case, the withdrawal of the above consent becomes effective upon resignation from services, termination of the contract, or complaint settlement.
   4. 5.4
      Even after a valid withdrawal of consent, the Administrator retains the right to process data where required, including but not limited to:

      1. 5.4.1
         Fulfilling an agreement to which the data subject is a party, or taking pre-contractual steps at his/her request;
      2. 5.4.2
         Complying with the Administrator’s legal obligations;
      3. 5.4.3
         Protecting the legitimate interests of the Administrator or a third party to whom the data was disclosed, unless overridden by the data subject’s interests or fundamental rights and freedoms;
      4. 5.4.4
         Data sharing in compliance with the current data exchange and interoperability legislation;
      5. 5.4.5
         Handling claims related to the concluded agreement.
6. 6
   EXERCISE OF RIGHTS UNDER THE LAW

   1. 6.1
      The data subject has the right to contact New Post to exercise his/her rights under the Law of the Republic of Moldova No. 133 of July 8, 2011, “On Personal Data Protection”, in particular, requesting access to his/her personal data, their rectification, blocking, or deletion (if the processing is inaccurate or unlawful), as well as requesting the withdrawal of consent for data processing.
   2. 6.2
      6.2. To do so, the data subject must submit a written or electronic request to: dpo@novapost.com. The request must include: full name, contact details (phone number), a clear description of the request (e.g., “I hereby withdraw my consent for the processing of my personal data”), and a signature (for written requests) or an electronic signature/identification data (for electronic submissions) to verify identity.
   3. 6.3
      New Post reserves the right to request additional information to verify the applicant's identity and prevent unauthorized access to personal data. Requests will be processed within the timeframes established by current legislation.
7. 7
   CATEGORIES OF PERSONAL DATA. PURPOSES OF PROCESSING AND LEGAL BASIS

   1. 7.1
      For the purpose of providing Services and fulfilling the Agreement with its Customers (Senders, Recipients) (according to Article 5(5)(a) of the Law), New Post, as the Administrator, processes the following data:
      
      A.   Customer Data (registration details, contact person details on the customer's side, including first name, last name, phone number, signature, email address);
      B.   Sender Data (shipment address and necessary contact details, signature, payment information, and other data required to fulfill the service ordered by the sender);
      C.   Recipient Data (first name and last name, signature, address, postal code, city, country, and, optionally, other required details provided to the Data Administrator by the sender or specified by the recipient, such as email address or hone number).
   2. 7.2
      Providing personal data is voluntary but necessary for the execution of Services offered by New Post. If the Sender provides additional personal data of the Recipient for choosing one of the additional services, the Sender is responsible for the proper collection of such data, including obtaining the Recipient’s consent for its transfer to New Post.
   3. 7.3
      Sometimes Personal Data is also processed:
      
      А.   Based on consent (under Article 5(1) of the Law), particularly for marketing purposes or regarding data voluntarily provided by the addressee when delivering a parcel.
      Б.   For the legitimate interests of the Administrator (under Article 5(5)(e) of the Law), including creditworthiness checks, compliance programs or sanctions, customer satisfaction surveys (as well as analyzing survey results and enabling follow-up communication with respondents).
   4. 7.4
      As a registered postal service operator, New Post also processes personal data to comply with legal obligations imposed by the legislation of the Republic of Moldova. Such processing is carried out according to Article 5(5)(b) of Law No. 133 of July 08, 2011, “On Personal Data Protection”, as well as the provisions of Law No. 36 of March 17, 2016, “On Postal Services”, the Civil Code, tax legislation, accounting legislation, and other regulatory legal acts.
   5. 7.5
      The use of the website may involve the processing of personal data for the following purposes:

      1. 7.5.1
         Placing an order and taking steps to fulfill it;
      2. 7.5.2
         Tracking shipments (under Article 5(5)(a) of the Law); the parcel number is required to provide information on the parcel status.
      3. 7.5.3
         Applying via the contact form (under Article 5(5)(e) of the Law); data submitted via the contact form, such as first and last name, address, postal code, city, and email address, are necessary for processing and responding to the inquiry;
         
         Consent to process certain data, such as email address and phone number, is required for communication to present a commercial offer (under Article 5(1) of the Law).
      4. 7.5.4
         Communication with a consultant via chat (under Article 5(5)(e) of the Law); data submitted during the conversation with a consultant, including email address, first and last name, address, postal code, and city, are processed for the purpose of reviewing the inquiry and providing a response.
      5. 7.5.5
         Parcel forwarding (under Article 5(5)(a) of the Law); on the website www.novapost.com, the addressee has the option to change the delivery address if he/she is unable to receive the parcel in person. For this purpose, we collect the following personal data:
         
         а.)   Addressee's first and last name or company name;
         b.)   Street name and house number;
         c.)   Postal code/Place of residence;
         d.)   Email address and description of the preferred delivery location.
   6. 7.6
      Direct marketing and sales promotions. To inform you about promotions and new product/service offerings, the Administrator will process the data you provided during registration on the Website/App. The legal basis for processing this data is the Administrator's legitimate interest in direct marketing of its products and services (under Article 5(5)(e) of the Law).
      
      Sending commercial and marketing communications via electronic channels and push notifications. To keep you informed about promotions, new products, and joint offers from New Post and our Partners, we may send you messages through electronic channels such as SMS, email, or push notifications. The processing of your personal data for these purposes is carried out only with your voluntary consent, according to Article 5(1) of the Law No. 133 of July 08, 2011, “On Personal Data Protection”. You have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of any processing that occurred before the withdrawal.
   7. 7.7
      Candidate selection. As part of the recruitment process, New Post, as the Personal Data Administrator, processes the following categories of candidates’ personal data under the legal grounds specified in Article 5 of Law No. 133 dated July 08, 2011:

      1. 7.7.1
         Categories of data that may be processed:
         
         ■   Core identification data: First name, last name, date of birth (if provided);
         ■   Contact details: Residential address, phone number, email (if provided);
         ■   Application-submitted information: CV, cover letter, references, certificates, interview recordings, and any other information you provide voluntarily;
         ■   Photographs or video recordings (if available and submitted voluntarily);
         ■   Citizenship and work permit (if legally required);
         ■   Medical data (if necessary to assess fitness for the role);
         ■   Criminal record information (where justified by the nature of the position, e.g., roles requiring high trust, such as drivers);
         ■   Publicly available professional data obtained from platforms (e.g. LinkedIn), according to their terms of use;
         ■   Communication records: Application confirmations, interview scheduling, etc.
      2. 7.7.2
         Purposes and legal bases for processing:
         
         ■   Assessing your candidacy for an open position – Legal basis: taking steps prior to entering into an employment contract (Article 5(1)(a));
         ■   Conducting interviews, including video interviews – Legal basis: legitimate interest;
         ■   Screening against sanctions lists or compliance with legal requirements – Legal basis: fulfillment of legal obligations and/or the company’s legitimate interest.
      3. 7.7.3
         Data sources:
         
         ■   Directly from you when you apply through our website or other channels;
         ■   From professional platforms (e.g., LinkedIn), according to their terms of use;
         ■   Via recruitment agencies, which are responsible for data accuracy and lawful transfer under Moldovan legislation.
   8. 7.8
      Video cameras and surveillance. We monitor and process your personal data when you visit our branches for both your personal safety and the security of our employees, customers, and property. Video surveillance is conducted without identification, following strict security and privacy protocols, using modern technology and equipment.
   9. 7.9
      Call logging and recording. When customers contact New Post’s service numbers via phone, the following personal data may be processed:
      
      ■   The caller’s phone number;
      ■   The number dialed (service number);
      ■   Date, start time, and end time of the call;
      ■   Call recording (audio).
      
      All incoming calls to service numbers are recorded for business purposes, including:
      
      ■   Verifying the contact;
      ■   Ensuring service quality;
      ■   Internal monitoring and staff training;
      ■   Resolving disputes.
      
      Recording begins when the operator answers and ends when the call is terminated. Before the conversation starts, the customer is notified of the recording (via an automated message). When answering, the operator only states his/her name. The customer’s personal data (name, identification, or financial details) is not requested unless necessary to address a specific issue.
8. 8
   DATA EXCHANGE

   1. 8.1
      New Post may disclose personal data to:
      
      A.   Any companies directly and/or indirectly owned or controlled by the same ultimate beneficial owners as New Post and/or subcontractors (e.g. transport partners, operating parcel pickup points, or parcel storage facilities) within the country, the European Union, or outside it, for the purpose of delivering parcels from senders to recipients (under Article 32(5)(b)(c) of the Law);
      B.   Third parties engaged under service agreements with or on behalf of New Post (Processors), including IT service providers;
      C.   Other individuals or organizations as required by current legislation;
      D.   Banks and payment operators to facilitate transactions (including payments made via codes);
      E.   Law enforcement and government authorities to protect vital public interests, such as national defense, state security, or public order, as well as for conducting proper criminal investigations, safeguarding rights in legal proceedings, or investigating unauthorized access to or misuse of New Post's equipment or any other unlawful activity in violation of New Post's policies.
   2. 8.2
      Only the Sender and the Recipient have the right to access shipment information. New Post may disclose such information to third parties only in cases expressly permitted by the laws of the Republic of Moldova, including the provisions of Law No. 36 of March 17, 2016, on Postal Services, and Law No. 241 of November 15, 2007, on Electronic Communications, as amended.
9. 9
   DATA RETENTION AND DELETION

   1. 9.1
      New Post processes personal data only for as long as necessary to fulfill the purposes for which it was collected. The retention period is determined based on the following requirements:
      
      A.   Operational needs: The period during which the information is required to deliver the Services provided.
      B.   Legal needs: The period during which New Post is required to retain data under applicable laws.
      C.   Legitimate interests of New Post: The period during which data is processed to pursue such interests, including handling and resolving potential claims related to the Services provided.
   2. 9.2
      What information we collect about you and how we use it:

      9.3   Archived data is accessible only to authorized personnel. Once the retention period expires, the data is permanently deleted.

1. 10
   TRANSFER OF PERSONAL DATA TO NON-EEA COUNTRIES

   1. 10.1
      All companies directly and/or indirectly owned or controlled by the same ultimate beneficial owners as New Post, as well as subcontractors (e.g., transport partners, operating parcel pickup points, or parcel storage facilities) within or outside Ukraine and the European Union, for the purpose of delivering parcels from the Sender to the Recipient (Article 32(5)(c) of the Law);
   2. 10.2
      New Post does not transfer Personal Data to international organizations.
   3. 10.3
      New Post does not transfer Personal Data to third countries if such transfer is impossible or violates generally applicable legislation.
2. 11
   INFORMATION ON DATA COLLECTED VIA THE WEBSITE

   1. 11.1
      Event logs and cookies. Whenever a user visits the website, data is stored in a log file. The temporarily stored data includes:
      
      A.   The IP address of the requesting computer;
      Б.   Domain name;
      C.   Date and time of access;
      D.   HTTP response code;
      E.   Pages visited;
      F.   Name and version of the operating system;
      G.   Name and version of the browser;
      H.   Screen resolution.
   2. 11.2
      The use of the website may involve the use of cookies by New Post’s servers. These files are utilized by the website administrators. Each user can configure their browser settings to reject all cookies except strictly necessary ones. In such cases, no data will be stored on the visitor's computer. The information stored in cookies is not transmitted to New Post.
3. 12
   COOKIES

   1. 12.1
      Cookies are internet data, specifically text files, stored on the User's device (computer, mobile phone, tablet). They primarily contain the name of the website they originate from, a unique identifier, and the storage duration on the device. Cookies are used to provide the Administrator with statistical information about User visits, activity, and how the Service is used. They allow for the customization of content and services based on User preferences.
   2. 12.2
      We provide the following key information about how we use cookies:
      
      A.   The cookie mechanism is not used to collect any User data beyond their behavior on the Service’s pages;
      Б.   The Administrator stores cookies on the Users' computers for the following purposes:
      
            1.а.   Proper adaptation of the Service to Users' needs and website optimization;
            1.b.   Remembering User preferences and individual settings, recognizing the User’s device, and displaying the website correctly (full version, mobile version);
            1. c.   Generating website visit statistics to understand User behavior, helping improve website structure and content;
            1.d.   Maintaining the User's session (after login) so that the User does not have to re-enter his/her credentials on each subpage of the Website;
            1.e.   Preserving shopping cart data in the online store to prevent loss upon revisiting the Service.
   3. 12.3
      The service uses three main types of cookies:
      
      ■   Essential cookies: Required to use the services available on the Website. These include authentication cookies for services that require login on the Website, as well as security cookies used to detect fraudulent activity during authentication on the Website;
      ■   Functional and Analytical cookies: These remember User preferences and personalize the User's interface, for example, in terms of the language or region selected by the User, font size, or website layout. They also collect data on how the Website’s pages are used, etc.;
      ■   “Advertising cookies: These enable the Website to deliver ads more relevant to users’ interests.
   4. 12.4
      Upon your first visit to the website, you will be presented with information regarding the use of cookies. The website requires the processing of essential cookies to function properly. Other cookies will only be processed after you grant your consent as described in this Policy. You may withdraw your consent at any time by adjusting your browser’s cookie settings. These settings can be modified to block the automatic processing of cookies or to notify you whenever they are placed on the end device of the website User. For detailed instructions on managing cookies, refer to your software (web browser) settings.
      
      Advertising and Functional and Analytical cookies placed on the end device of the website User may also originate from the Administrator’s partners and be used for analytical and marketing purposes. Further details can be found in the respective partner’s Privacy Policy. The Administrator utilizes the following partner-provided analytical and marketing tools:
      
      a.   Google Ads: Files used by Google to personalize ads across its services, such as search engine or Internet advertising. Learn more: https://policies.google.com/technologies/partner-sites
      b.   Facebook Pixels: Files used to match ads on Facebook services with users’ preferences. Learn more: https://www.facebook.com/privacy/policies/cookies/
      с.   Google Analytics: Files used to analyze how users use the website, generate statistics, and create reports. Learn more: https://policies.google.com/technologies/partner-sites
4. 13
   BLOCKING COOKIES

   1. 13.1
      In many cases, web browsers allow cookies to be stored on the User's end device by default. Website users can adjust their cookie settings at any time, for example, to block cookies automatically or to receive a notification whenever a cookie is placed on their device. Detailed information about cookie management options can be found in the browser settings or on the following websites:
      
      A.   Internet Explorer browser;
      B.   Mozilla Firefox browser;
      C.   Chrome browser;
      D.   Safari browser;
      E.   Opera browser;
   2. 13.2
      However, the Administrator informs you that restricting cookies may affect certain features available on the Website.
5. 14
   CHATBOT

   1. 14.1
      Our website uses the Binotel Online Chat chatbot, which enables Customers to communicate with the Company’s support team. Through the chatbot, Customers can submit inquiries, send messages, attach files, download chat history, and use the "Call Me Back" feature by leaving their phone number for a callback.
   2. 14.2
      The chatbot provider is Binotel LLC (7d Zdolbunivska St., Kyiv, Ukraine, contact phone number: +380 (44) 303-99-13), which acts as a personal data processor under Article 3 of the Law. It does not have direct access to the content of chat conversations or attachments sent by Customers. The Company remains the controller of Customers’ personal data.
   3. 14.3
      Personal data is processed through the chatbot under Article 5(2) of the Law, based on implied consent (when a Customer chooses to send a message via the chatbot or provides his/her phone number to receive a callback from the support team).
   4. 14.4
      The chatbot processes several categories of personal data:
      
      1)   Technical information collected automatically:
      
      ■   IP address, device type, browser type and version, interface language, time zone;
      ■   Data about the page where the chat was initiated (including the page hosting the chatbot widget) and the number of conversations;
      ■   Selected communication channel (if switching to Viber or Telegram);
      ■   Session identifiers (cookies storing current chat session data; unique tokens or user IDs to preserve interaction history).
      
      This data is collected to ensure the service functions properly.
      
      2)   Information provided by the Customer:
      
      ■   Chat messages and attached files (images, documents, etc., if applicable);
      ■   Phone number (when using the "Call Me Back" feature).
      This data is collected to respond to Customers' inquiries and resolve issues they report.
      
      3)   Analytical data:
      
      ■   Website activity data (pages the Customer visits before or during interaction with the chatbot; session duration; page views, navigation paths), data from third-party analytics services (Google Analytics 4, Facebook Pixel) – only if the Customerhas consented to the relevant cookies.
      This data is collected for analytics processing and chatbot performance optimization.
      Third parties with access to chatbot data
      ■   Telegram and Viber may be used by the Customer at their discretion. Interaction is facilitated through open APIs with unique tokens, and data protection within these services is governed by their respective personal data processing policies.
      ■   Analytics platforms (for example, Google) collect data only if the Customer consents to the use of cookies.
      ■   Cloud solutions (for example, Amazon Web Services) are used for secure data storage.
      Data retention period
      ■   Text messages and chat history are stored for up to 4 years;
      ■   Attached files are retained for up to 180 days;
      ■   Analytics data is stored according to the policies of the respective analytics services
   5. 14.5
      If the Customer wishes to delete his/her data processed by the chatbot, he/she may contact the Company by emailing reclamatii@novaposhta.md or dpo@novapost.com, or directly to the chatbot provider BINOTEL LLC by phone +380 (44) 303-99-13 or email info@binotel.ua.
   6. 14.6
      Data is transmitted and stored using modern encryption methods (TLS/SSL). Only authorized personnel are allowed to access it according to internal security policies. AWS cloud services that meet modern security standards are used for data storage.
6. 15
   COMPLAINTS

   1. 15.1
      If you have a complaint regarding how New Post processes your personal data, please submit it in writing with as much detail as possible, using the contact details provided in Section I of this policy above. New Post will cooperate with you to resolve any issues without undue delay.
   2. 15.2
      If you believe your rights under the Law have been violated, you have the right to file a complaint with the National Center for Personal Data Protection of the Republic of Moldova. Information and contact details can be found on their website (https://datepersonale.md/en/).
7. 16
   CHANGES TO THIS POLICY

   1. 16.1
      Any changes New Post may make to this Privacy Policy in the future will be published on www.novapost.com. Updated terms may be displayed on-screen, and you may need to read and accept them to continue using any/all of New Post’s Services.