PRIVACY POLICY

QUICKS SRL — Rental Marketplace Platform

Last Updated: April 9, 2026 Effective Date: April 9, 2026

TABLE OF CONTENTS

1. Introduction and Data Controller
2. Information We Collect
3. How We Use Your Information
4. Legal Bases for Processing (GDPR)
5. Information Sharing and Third Parties
6. International Data Transfers
7. Data Retention
8. Your Rights Under GDPR
9. Cookies and Tracking Technologies
10. Children’s Privacy
11. Security Measures
12. Marketing Communications
13. Automated Decision-Making and Profiling
14. Changes to This Privacy Policy
15. Data Protection Officer
16. Contact Us

1. INTRODUCTION AND DATA CONTROLLER

1.1. QUICKS SRL (“Quicks”, “we”, “us”, or “our”) is committed to protecting your privacy and handling your personal data in compliance with Regulation (EU) 2016/679 (the General Data Protection Regulation — “GDPR”), Romanian Law No. 190/2018 (implementing the GDPR), and all other applicable data protection legislation.

1.2. This Privacy Policy explains how we collect, use, share, and protect your personal data when you use the Quicks platform, including:

• The Quicks mobile applications (iOS and Android);
• The website at quicks-app.com;
• Any future web application or service operated by Quicks;
• Any communications from Quicks (email, push notifications, social media).

1.3. Data Controller. The data controller responsible for your personal data is:

QUICKS SRL Calea Turzii 239, Cod 400495 Cluj-Napoca, Cluj County, Romania CUI: 50382896 Trade Registry: J12/3251/2024 Email: contact@quicks-app.com Phone: +40 752 012 527

1.4. By creating an account or using our Services, you acknowledge that you have read and understood this Privacy Policy. Where processing is based on consent, you provide that consent when indicated during your use of the Platform.

2. INFORMATION WE COLLECT

We collect the following categories of personal data:

2.1. Information You Provide Directly

Account Registration Data:

• Email address
• Password (stored in hashed form by our authentication provider)
• Display name, first name, and last name
• Phone number (optional)

Profile Information:

• Profile photograph/avatar
• Preferred language and currency

Billing Profile Data:

• Profile type (personal or business)
• Full name or company name
• Billing address (street address, city, state/county, postal code, country)
• Email address and phone number
• Tax identification number (CUI/VAT number, for business profiles)

Listing Data (Owners):

• Item descriptions and titles
• Photographs of Items
• Rental pricing, deposit amounts, and availability
• Pickup location (address and/or GPS coordinates)
• Rental rules and conditions

Booking Data:

• Rental dates and quantities
• Notes to the Owner or Renter
• Cancellation reasons (optional)

Communication Data:

• Messages exchanged with other Users through the Platform
• Images shared in conversations
• Dispute submissions, evidence, and communications

Review and Rating Data:

• Ratings (1-5 stars)
• Review titles and text content
• Review images

Identity Verification Data:

• Government-issued photo ID (processed by Stripe — we do not store copies)
• Selfie photograph (processed by Stripe — we do not store copies)
• Verification status and timestamp

Stripe Connect Data (Owners):

• Business type (individual or company)
• Full legal name, date of birth, address
• Banking details (processed and stored by Stripe — we do not store these)
• KYC information (processed by Stripe)

Support Communications:

• Emails and inquiries sent to our support team

2.2. Information Collected Automatically

Device and Technical Data:

• Device type (iOS or Android), device model, and device name
• Operating system and version
• App version
• Unique device identifiers
• IP address
• Browser type and version (for website access)

Usage Data:

• Pages and screens viewed
• Features used and actions taken
• Access times and dates
• Session duration
• Search queries
• Navigation paths within the app

Location Data:

• GPS coordinates (latitude, longitude) — collected only in the foreground, only with your explicit permission via the operating system’s permission prompt
• Reverse-geocoded city and country

Push Notification Data:

• Firebase Cloud Messaging (FCM) token for your device
• Notification delivery and interaction data

2.3. Information from Third-Party Sources

Social Login Providers:

• Google Sign-In: name, email address, profile photo
• Apple Sign-In: name, email address (Apple may provide a private relay email)

Stripe (Payment Processor):

• Payment confirmation status
• Card brand and last four digits (for display purposes — we never receive full card numbers)
• Card expiration date
• Cardholder name
• Payment and refund statuses
• Identity verification status

Firebase (Google):

• Analytics data and event logs
• Push notification delivery status

2.4. Information We Do NOT Collect

We want to be transparent about what we do not collect:

• Full credit card or debit card numbers
• CVV/CVC security codes
• Bank account numbers or routing numbers (handled exclusively by Stripe)
• Biometric data (fingerprint, face scan data) — we do not process biometrics; Stripe may use liveness detection during identity verification, which is governed by Stripe’s privacy policy
• Background location data (we only access location while the app is in active use)
• Contact list or address book
• Calendar data
• Browsing history outside the Platform
• SMS or call log data

3. HOW WE USE YOUR INFORMATION

We process your personal data for the following purposes:

3.1. Providing and Operating the Platform

• Creating and managing your Account
• Facilitating Bookings between Owners and Renters
• Processing payments, refunds, deposits, and payouts
• Operating the Wallet system
• Enabling in-app messaging between Users
• Displaying Listings, search results, and recommendations
• Managing reviews and ratings
• Administering the Dispute resolution process

3.2. Identity Verification and Trust

• Verifying User identity through Stripe Identity
• Facilitating Stripe Connect onboarding for Owners
• Anti-fraud detection and prevention
• Compliance with Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations

3.3. Communication

• Sending transactional notifications (Booking confirmations, payment updates, Dispute notifications, review reminders)
• Delivering push notifications via Firebase Cloud Messaging
• Responding to support inquiries
• Sending marketing and promotional communications (with your consent)

3.4. Safety, Security, and Compliance

• Detecting and preventing fraud, abuse, and unauthorized access
• Content moderation (text and image review)
• Enforcing our Terms and Conditions and other policies
• Complying with legal obligations (tax reporting, court orders, law enforcement requests)
• Maintaining platform security (rate limiting, suspicious activity monitoring)

3.5. Improvement and Analytics

• Analyzing usage patterns and trends to improve the Platform
• Monitoring technical performance and diagnosing errors (via Sentry)
• Conducting analytics to understand user behavior (via Firebase Analytics)
• Developing new features and services

3.6. Location-Based Services

• Displaying nearby Listings on the map
• Facilitating pickup location selection
• Calculating distances for search results

4. LEGAL BASES FOR PROCESSING (GDPR)

Under the GDPR, we process your personal data based on the following legal grounds:

Legitimate Interest Assessments. Where we rely on legitimate interest, we have conducted assessments to ensure our interests do not override your fundamental rights and freedoms. You may request details of these assessments by contacting us.

5. INFORMATION SHARING AND THIRD PARTIES

5.1. Sharing with Other Users

When you participate in a Booking:

• Renters can see the Owner’s display name, profile photo, average rating, listing details, and pickup location.
• Owners can see the Renter’s display name, profile photo, average rating, and Booking details.
• Both parties can exchange messages through the Platform’s messaging system.

We do not share your full address, email, phone number, or financial details with other Users unless you voluntarily disclose them.

5.2. Third-Party Service Providers

We share personal data with the following categories of third-party service providers, who process data on our behalf or as independent controllers:

5.3. Legal and Regulatory Disclosures

We may disclose your personal data where required by law, regulation, legal process, or governmental request, including:

• Compliance with court orders, subpoenas, or legal proceedings;
• Response to requests from law enforcement or regulatory authorities;
• Protection of the rights, property, or safety of Quicks, our Users, or the public;
• Investigation of suspected fraud, policy violations, or illegal activity.

5.4. Business Transfers

In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, your personal data may be transferred to the acquiring entity. We will notify you of any such transfer and of any changes to the applicable privacy terms.

5.5. No Sale of Personal Data

Quicks does not sell, rent, or trade your personal data to third parties for their own commercial or marketing purposes.

6. INTERNATIONAL DATA TRANSFERS

6.1. Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where some of our third-party service providers are headquartered.

6.2. Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place, including:

• European Commission adequacy decisions for countries deemed to provide an adequate level of data protection;
• Standard Contractual Clauses (SCCs) approved by the European Commission;
• Data Privacy Framework (DPF) certifications where applicable (e.g., certain US providers);
• Binding Corporate Rules where applicable.

6.3. The following transfers outside the EEA are relevant:

6.4. Transfer Impact Assessments. In compliance with the CJEU Schrems II ruling (Case C-311/18), Quicks has conducted Transfer Impact Assessments (TIAs) for each international data transfer to evaluate whether the legal framework of the destination country provides essentially equivalent protection to that guaranteed within the EEA. These assessments take into account the nature of the data, the transfer mechanism, and any supplementary technical measures (e.g., encryption, data minimization, ephemeral processing). TIAs are maintained as part of our GDPR accountability documentation.

6.5. You may request a copy of the safeguards in place, including relevant TIA summaries, by contacting us at contact@quicks-app.com.

7. DATA RETENTION

7.1. We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law.

7.2. When data is no longer needed, it is securely deleted or anonymized so that it can no longer be attributed to an identified or identifiable natural person without additional information, meeting the irreversibility standard of the Article 29 Working Party Opinion 05/2014 on Anonymisation Techniques. Where we refer to “anonymized” data throughout this Privacy Policy and our Terms and Conditions, this means data processed to this standard.

7.3. Erasure Requests During Active Disputes. If you submit a GDPR Article 17 erasure request while you have an active Dispute, we will acknowledge the request and explain the applicable exception (Art. 17(3)(e) — establishment, exercise, or defense of legal claims). Your erasure request will be processed promptly once the Dispute is resolved and no further legal basis for retention applies.

8. YOUR RIGHTS UNDER GDPR

8.1. As a data subject under the GDPR, you have the following rights:

Right of Access (Art. 15): You have the right to obtain confirmation of whether we process your personal data and, if so, access to that data and information about how it is processed.

Right to Rectification (Art. 16): You have the right to have inaccurate personal data corrected and incomplete data completed.

Right to Erasure / “Right to Be Forgotten” (Art. 17): You have the right to request deletion of your personal data, subject to exceptions under Art. 17(3), including: (b) compliance with a legal obligation (e.g., tax record retention), (e) establishment, exercise, or defense of legal claims (e.g., active Disputes). You may request erasure of specific data categories without deleting your Account. If you wish to delete your Account entirely, see Section 27 of our Terms and Conditions for the Account deletion process and its effects on your data.

Right to Restriction of Processing (Art. 18): You have the right to request that we restrict processing of your data in certain circumstances (e.g., while verifying the accuracy of contested data).

Right to Data Portability (Art. 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller, where processing is based on consent or contract performance and is carried out by automated means.

Right to Object (Art. 21): You have the right to object to processing based on legitimate interest. Upon objection, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests, or the processing is necessary for the establishment, exercise, or defense of legal claims.

Right to Withdraw Consent (Art. 7(3)): Where processing is based on consent, you may withdraw your consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Right Not to Be Subject to Automated Decision-Making (Art. 22): You have the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects concerning you or similarly significantly affect you (see Section 13).

8.2. How to Exercise Your Rights. You may exercise your rights by:

• Contacting us at contact@quicks-app.com;
• Using the relevant features within the Platform (e.g., Account settings, notification preferences);
• Writing to us at: QUICKS SRL, Calea Turzii 239, Cod 400495, Cluj-Napoca, Romania.

8.3. Response Time. We will respond to your request within one (1) month. This period may be extended by two (2) further months if necessary, taking into account the complexity and number of requests.

8.4. Complaints. If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the Romanian National Supervisory Authority for Personal Data Processing (ANSPDCP):

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336, Bucharest, Romania Website: www.dataprotection.ro Email: anspdcp@dataprotection.ro Phone: +40 318 059 211

9. COOKIES AND TRACKING TECHNOLOGIES

9.1. Website Cookies

Our website (quicks-app.com) may use the following categories of cookies:

Strictly Necessary Cookies: Essential for the website to function properly (e.g., session management, security). These cookies do not require consent.

Analytics Cookies: Used to collect information about how visitors use our website (e.g., pages visited, time spent). We use analytics services to understand website traffic and improve our services. These cookies are placed only with your consent.

Functionality Cookies: Used to remember your preferences (e.g., language selection). These cookies are placed only with your consent.

9.2. Mobile App Tracking

Our mobile applications use the following tracking technologies:

Firebase Analytics: Collects usage data (events, user properties, session data) to help us understand how Users interact with the app. Essential analytics (crash-related events, core feature usage metrics necessary for platform stability and security) are processed based on legitimate interest (Art. 6(1)(f)). Non-essential analytics (behavioral tracking, funnel analysis, marketing attribution) are processed based on your consent (Art. 6(1)(a)), which you can manage through your device settings.

Sentry: Collects error reports, crash data, and performance metrics to help us identify and fix technical issues. Processing is based on our legitimate interest in maintaining Platform stability.

Firebase Cloud Messaging (FCM): Uses device tokens to deliver push notifications. This is necessary for providing the notification service you have opted into.

9.3. Managing Cookies and Tracking

You can manage your cookie and tracking preferences through:

• Website: Cookie consent banner (displayed on first visit and accessible via footer link);
• Mobile App: Device settings for analytics and notification permissions;
• Browser settings: Blocking or deleting cookies via your browser’s privacy settings.

Note that disabling certain cookies or tracking may affect the functionality of the Platform.

9.4. Do Not Track

We currently do not respond to “Do Not Track” (DNT) browser signals due to the lack of a universal standard. We will update this policy if a standard is adopted.

10. CHILDREN’S PRIVACY

10.1. The Platform is not intended for use by anyone under the age of eighteen (18). We do not knowingly collect personal data from children under 18.

10.2. If we become aware that we have collected personal data from a child under 18, we will take immediate steps to delete that data and, if applicable, terminate the associated Account.

10.3. If you believe that a child under 18 has provided us with personal data, please contact us at contact@quicks-app.com.

11. SECURITY MEASURES

11.1. We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction, including:

Technical Measures:

• Encryption of data in transit (TLS/SSL);
• Encryption of sensitive data at rest;
• Secure authentication via Supabase Auth (hashed passwords, JWT tokens);
• Encrypted storage of authentication tokens on device (via Flutter Secure Storage);
• Row-Level Security (RLS) enforced at the database level, ensuring Users can only access their own data;
• Rate limiting on sensitive API endpoints;
• PCI DSS compliance through Stripe (Quicks never handles raw payment card data);
• Regular security updates and dependency patching.

Organizational Measures:

• Principle of least privilege for data access;
• Regular review of access controls;
• Incident response procedures;
• Secure development practices.

11.2. Despite our efforts, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security and encourage you to take your own precautions (e.g., strong passwords, not sharing credentials).

11.3. Breach Notification. In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

• Notify the ANSPDCP within 72 hours of becoming aware of the breach, as required by GDPR Article 33;
• Notify affected Users without undue delay where the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34;
• Document the breach, its effects, and the remedial actions taken.

12. MARKETING COMMUNICATIONS

12.1. Consent-Based Marketing. We will only send you marketing and promotional communications if you have provided your explicit consent. Marketing may be delivered via:

• Email;
• Push notifications;
• Social media (targeted advertisements or sponsored content).

12.2. Opt-Out. You may withdraw your consent and opt out of marketing communications at any time through:

• Your Account notification settings within the Platform;
• The unsubscribe link included in every marketing email;
• Your device’s push notification settings;
• Contacting us at contact@quicks-app.com.

12.3. Transactional Communications. Opting out of marketing does not affect transactional communications (e.g., Booking confirmations, payment receipts, security alerts), which are necessary for the performance of our contract with you.

12.4. Social Media. If you interact with our social media accounts (e.g., Facebook, Instagram), the respective platform’s privacy policy applies to any data collected through those interactions. Quicks may use social media advertising features to reach potential users. You can manage your ad preferences through the respective social media platform’s settings.

13. AUTOMATED DECISION-MAKING AND PROFILING

13.1. Content Moderation. We use automated systems (powered by Google Vision API and OpenAI Moderation API) to review listing photographs and text for compliance with our policies. Content flagged by automated systems is placed in a pending state (not permanently deleted) and may be subject to the following safeguards under GDPR Article 22(2)(a) (necessary for contract performance) and Article 22(3):

• Notification: You are notified immediately with specific reasons why your Content was flagged.
• Appeal Right: You may request human review of any automated moderation decision through the Platform or by contacting contact@quicks-app.com.
• Human Review: Appeals are processed within ten (10) business days by a human reviewer. Pending appeal, your existing Listings remain active.
• Reversibility: If the automated decision is overturned on review, the Content is approved and published.

13.2. Fraud Detection. We use automated monitoring systems to detect potentially fraudulent activity (e.g., unusual transaction patterns, rate limit violations). Automated flags may result in temporary restrictions on your Account pending human review. You have the right to contest automated fraud flags and to obtain human intervention.

13.3. Search Ranking. Listing ranking in search results is determined by algorithms that consider factors such as relevance, price, availability, ratings, and user preferences. This ranking does not constitute automated individual decision-making within the meaning of GDPR Article 22, as it does not produce legal effects or similarly significantly affect you.

13.4. No Solely Automated Decisions with Legal Effect. We do not make decisions based solely on automated processing that produce legal effects or similarly significantly affect you without the safeguards described above. For all automated decisions described in this Section, you have the right to obtain human intervention, to express your point of view, and to contest the decision.

14. CHANGES TO THIS PRIVACY POLICY

14.1. We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or Platform features.

14.2. Notification of Changes. Material changes will be communicated to you at least thirty (30) days before the effective date through:

• Email notification;
• In-app notification;
• Publication of the updated Privacy Policy on the Platform.

14.3. The “Last Updated” date at the top of this Privacy Policy indicates when the most recent revision was made.

14.4. Continued use of the Platform after the effective date of changes constitutes acknowledgment of the updated Privacy Policy. For changes that require consent under GDPR, we will request your explicit consent before applying the changes.

15. DATA PROTECTION OFFICER

15.1. At this time, Quicks has not appointed a Data Protection Officer (DPO) as the conditions specified in GDPR Article 37 (large-scale processing of special categories of data, large-scale systematic monitoring) are not met based on our current operations and user base.

15.2. Reassessment Commitment. Quicks will reassess the need for a DPO annually, or upon reaching 10,000 active users, or upon any material change in data processing activities. The assessment is documented as part of our GDPR accountability records.

15.3. For all data protection inquiries, you may contact us directly:

• Email: contact@quicks-app.com
• Subject line: “Data Protection Inquiry”
• Postal address: QUICKS SRL, Calea Turzii 239, Cod 400495, Cluj-Napoca, Romania

15.4. If our operations change such that the appointment of a DPO becomes required, we will update this Privacy Policy accordingly and publish the DPO’s contact details.

16. CONTACT US

If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, please contact us:

QUICKS SRL Calea Turzii 239, Cod 400495 Cluj-Napoca, Cluj County, Romania

Email: contact@quicks-app.com Phone: +40 752 012 527

CUI (Tax ID): 50382896 Trade Registry: J12/3251/2024

For data protection complaints, you may also contact the Romanian supervisory authority:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336, Bucharest, Romania Website: www.dataprotection.ro

This Privacy Policy was last updated on April 9, 2026.