Data Protection Policy

Bluesquare SA

Hive5 – Rue des Francs 79, 1040 Brussels, Belgium

Version: 1.0

Effective Date: 28 January 2026

Review Date: 28 January 2027

1. WHO WE ARE AND WHAT THIS POLICY COVERS

1.1 Who Are We?

We are Bluesquare (legally known as Blue Square SA), located at Hive5 – Rue des Francs 79, 1040 Brussels, Belgium.

1.2 We Know That Privacy Is Important and Should Be Respected

We value individuals’ right to privacy and strive to protect personal data in accordance with applicable data protection legislation, and more specifically with the EU General Data Protection Regulation (“GDPR”) and its national implementing legislation.

At Bluesquare, we adhere to the following GDPR principles:

• Lawfulness, Fairness, and Transparency
• Purpose Limitation
• Data Minimization
• Accuracy
• Storage Limitation
• Integrity and Confidentiality
• Accountability

1.3 Who Does This Policy Apply To?

This policy applies to all employees, contractors, and third parties who process personal data on behalf of Bluesquare.

1.4 Updates to This Policy

From time to time, we need to update this Data Protection Policy. The most recent version is available on our website. You may also ask us to send you a copy of the most recent version.

---

2. WHEN WE ACT AS DATA PROCESSOR VS. DATA CONTROLLER

In the context of our activities, we collect and process certain personal data. Pursuant to EU data protection and privacy legislation, we sometimes act as a ‘data processor’, and sometimes as a ‘data controller’:

2.1 We Act as Data Processor

We act as a data processor on behalf of our clients/customers (who act as data controllers) in the following scenarios:

• When our clients/customers carry out surveys, for example using our web or mobile application. In this case, our clients/customers determine the information to collect via the surveys and the purposes for which this information will be used, such as the follow-up of grants and subsidies to hospitals, healthcare service providers, and schools.
• When we are hosting the data collected via the surveys on our cloud-based platform, anonymizing and making this information accessible to our clients/customers via this platform, on their request and under their instructions.

Important: For those activities for which we only act as a ‘data processor’, our clients/customers are responsible for providing adequate data processing information to all individuals whose personal data are collected.

2.2 We Act as Data Controller

We act as a data controller in the following scenarios:

• When we anonymize and aggregate the collected patient data for our own statistical and research purposes, which may include generation of geographical maps indicating with geo-codes where interviews have been conducted.
• When we collect certain data via access to government databases with their consent.
• When we collect customer and supplier data such as name, function, and contact details.

Important: For those activities for which we act as ‘data controller’, this Data Protection Policy sets forth how we collect personal data, how and for what purposes we may use personal data, and to whom personal data may be disclosed by us. Further, this Policy includes important information regarding individuals’ rights with respect to the processing of their personal data.

---

3. HOW DO WE COLLECT PERSONAL DATA?

In the context of the services we provide to our clients/customers, we collect personal data relating to individuals who participate in surveys about services received through government or NGO programs in countries around the world.

3.1 Information Generally Collected and Processed

The following information is typically collected and processed:

• Location data: GPS coordinates of the location where the data is inputted by the person interviewing the patient
• Name and surname
• Gender and age
• Village/District/Province/Country
• Information about the hospital, health center, or school that was visited by the person
• Type of services the person has received (this might include health services)
• Level of satisfaction indicated by the person, and answers to other questions (e.g., relating to bribes or sexual violence)

3.2 How This Information Is Collected

This information is generally collected via mobile questionnaires. Local interviewers are requested to complete these questionnaires together with the person and to duly inform the person on the collection and processing of their data, so that they can validly consent hereto. Such consent is then confirmed before the actual survey starts.

Other information can also be collected by us through access to health facilities or other public registries and government databases, subject to the legal requirements governing access to such databases.

---

4. FOR WHAT PURPOSES DO WE USE PERSONAL DATA?

4.1 When We Act as Data Processor

We collect information from interviewees, as described above, for the purposes specified by our clients/customers, generally relating to the administration and follow-up of grants and subsidies to hospitals, healthcare service providers, and schools.

4.2 When We Act as Data Controller

For statistical and research purposes: We aggregate and anonymize interviewees’ information for statistical and research purposes (e.g., to generate geographical maps indicating with geo-codes where interviews have taken place).

We rely on grounds of public interest and statistical research for the anonymization process. Insofar as this would not suffice, we have also put in place an opt-in consent mechanism. In any case, as soon as it is fully anonymized, the information can no longer be linked back to the patients concerned and is not ‘personal data’ anymore.

For client and partner communications: We collect information from clients, partners, and suppliers (name, function, organization, contact details) in order to (i) share news and updates about what we do and (ii) ask about their level of satisfaction with our product and services. We do not share clients’ information to third parties without their explicit consent.

---

5. WITH WHOM DO WE SHARE PERSONAL DATA?

In the context of the purposes listed above, we may share personal data with third parties, such as:

• Our clients/customers (as they are ‘data controller’)
• Independent developers working for us
• Any IT service providers that would be engaged by us to perform some of the processing operations or to host any data sets

The anonymous/aggregated data sets generated by us may also be shared with third parties. These data sets do not, however, contain any personally identifiable information.

5.1 Contractual Safeguards

Where relevant, we will ensure that contractual safeguards (Data Processing Agreements) are implemented to ensure the protection of personal data in case of disclosure to a third party.

5.2 International Data Transfers

If any party to whom we may disclose personal data would be located outside the European Economic Area (EEA), we will ensure that measures are taken to ensure adequate protection of personal data in accordance with applicable data protection legislation.

These measures include:

• Standard Contractual Clauses (SCCs): Use of approved contract templates
• Binding Corporate Rules: If applicable for intra-group transfers
• Transfer impact assessments for high-risk jurisdictions

---

6. HOW LONG DO WE STORE PERSONAL DATA?

Your personal data will not be stored for longer than is necessary in relation to the purposes for which we process them.

6.1 Our Commitment to Anonymization

Insofar as we would act as data controllers ourselves, we will anonymize any personal data obtained from patients via the surveys we perform as soon as possible, so that we do not retain any personal data in our data sets.

6.2 Retention Periods

Data Type	Retention Period
Survey participant data (as processor)	As determined by our clients/customers (data controllers)
Patient data (as controller)	Anonymized as soon as possible; no retention of personal data
Customer/supplier contact data	Duration of relationship + 3 years
Financial/billing records	7 years
Application logs	90 days (unless needed for investigation)

---

7. HOW DO WE PROTECT PERSONAL DATA?

We will implement the necessary administrative, technical, and organizational measures for ensuring a level of security appropriate to the risks that we have identified.

7.1 Technical and Organizational Measures

• Our data warehouse is only accessible to authorized (internal or external) users who have a login and password
• Encryption of data at rest and in transit (TLS 1.2+)
• Role-based access control with least privilege principle
• Multi-factor authentication for sensitive systems
• Regular security updates and patching
• Logging and monitoring of access to sensitive data

We also protect personal data against destruction, loss, alteration, unauthorized disclosure of or access to personal data transmitted, stored, or otherwise processed.

7.2 Operational Security Requirements

• Strong unique passwords with password manager
• Regular security awareness training for all team members
• Secure remote work practices

7.3 Development and Testing Practices

• Security by design in all features
• Use of anonymized/synthetic data for testing
• Regular security testing and code reviews
• Secrets management (no credentials in code)

---

8. WHICH RIGHTS DO INDIVIDUALS HAVE AND HOW CAN THEY EXERCISE THEM?

Individuals have the following rights:

• Information about and access to their personal data
• Rectify their personal data
• Erasure of their personal data (‘right to be forgotten’)
• Restriction of processing of their personal data
• Object to the processing of their personal data (‘withdraw their consent’)
• Receive their personal data in a structured, commonly used and machine-readable format and to (have) transmit(ted) their personal data to another organization

Finally, individuals also have the right to lodge a complaint with the Belgian (or any other competent) Data Protection Authority.

To read more about these rights, and circumstances under which they can be exercised, see the Annex below.

---

9. DATA BREACH MANAGEMENT

A data breach is unauthorized access, loss, or disclosure of personal data.

9.1 If You Discover a Breach

Immediately:

1. Alert the Data Protection Contact and your manager

2. Email: security@bluesquarehub.com

3. Don’t delay – report within 2 hours for serious incidents

Include:

• What data was affected
• How it happened
• When you discovered it
• Whether it’s still ongoing

9.2 Our Response

Within 24 hours: Assess severity and risk, contain breach (isolate systems, revoke access), preserve evidence

Within 72 hours (if required): Notify data protection authority for breaches posing risk to individuals; notify affected individuals directly if high risk to their rights

Documentation: Record all breaches in our breach register, document actions taken and lessons learned

---

10. ROLES AND RESPONSIBILITIES

10.1 Leadership Team

• Overall accountability for data protection compliance
• Approving this policy and major data processing activities
• Ensuring adequate resources for data protection

10.2 Data Protection Contact

Contact: Martin De Wulf, Rue des Francs 79 – 1040 Etterbeek

Email: info@bluesquarehub.com

Responsibilities:

• Advising on data protection obligations
• Monitoring compliance with this policy
• Handling data subject requests and complaints
• Coordinating data breach responses
• Liaison with data protection authorities
• Conducting privacy impact assessments

10.3 All Team Members

• Handle personal data only for legitimate work purposes
• Complete annual data protection training
• Report suspected data breaches immediately
• Respect data subject rights
• Follow security procedures (strong passwords, MFA, device encryption)
• Anonymize patient data at earliest opportunity when acting as controller

---

11. TRAINING, COMPLIANCE AND POLICY REVIEW

11.1 Mandatory Training

All team members must:

• Complete data protection training within first week
• Annual refresher training (30-45 minutes)

Topics covered: This policy and GDPR principles, recognizing sensitive data (especially health data), handling data subject requests, reporting breaches, secure data handling practices and anonymization procedures.

11.2 Policy Review

This policy will be reviewed periodically and updated as necessary to reflect changes in data protection laws, best practices, and business operations.

Quarterly: Review data subject requests, breaches, training completion

Annual: Comprehensive policy review, external security assessment

---

12. ENFORCEMENT

Non-compliance with this policy may result in:

• Warning and additional training (minor violations)
• Written reprimand (moderate violations)
• Termination of employment or contract (serious violations)

We protect those who report violations in good faith. Retaliation is prohibited.

---

13. ANY QUESTIONS? CONTACT US!

If you have any questions, comments or complaints in relation to this Data Protection Policy or the processing of your personal data by us, please feel free to contact us:

By mail: Attention of Martin De Wulf, Rue des Francs 79 – 1040 Etterbeek, Belgium

By email: info@bluesquarehub.com

Security issues: security@bluesquarehub.com

To file a complaint with authorities:

• Belgium: Commission for the Protection of Privacy (gegevensbeschermingsautoriteit.be)
• UK: Information Commissioner’s Office (ico.org.uk)
• Other EU/EEA: Your local Data Protection Authority

---

QUICK REFERENCE

DO:

• Anonymize patient/participant data at earliest opportunity
• Inform survey participants about data collection and obtain consent
• Encrypt all devices and use MFA everywhere
• Use strong unique passwords (password manager)
• Lock screen when away from device
• Report security concerns immediately
• Only access data needed for your work
• Follow client instructions when acting as processor

DON’T:

• Share passwords or use shared accounts
• Store survey data with personally identifiable information longer than necessary
• Use personal email for work communications containing personal data
• Store sensitive data in unauthorized tools or locations
• Screenshot or download participant data unnecessarily
• Ignore security updates or patches

REPORT IMMEDIATELY:

• Lost/stolen device with work access
• Suspicious emails or phishing attempts
• Unauthorized system access
• Accidental sharing of participant/patient data
• Any suspected breach or security incident

---

ANNEX – RIGHTS OF DATA SUBJECTS

Right	Description
Right to Information and Access	You may at any time request more information on our processing activities and the personal data that we are keeping from you. Response provided within 30 days, free of charge (reasonable fees for excessive requests).
Right to Rectification	You have the right to require us to, without undue delay, rectify or complete any of your personal data that is inaccurate or incomplete.
Right to Deletion (‘Right to be Forgotten’)	You may request us to delete (part of) your personal data in the following situations:- When the processing is no longer necessary for achieving the purposes- When the processing was based on your consent and you have decided to withdraw that consent- When you have other reasonable grounds to object to the processing- When we would unlawfully process your personal data- When your personal data have to be erased in compliance with a legal obligationWe may refuse deletion for: (i) exercising freedom of expression; (ii) legal obligations; or (iii) legal claims. As far as deletion applies, we will anonymize your personal data.
Right to Restriction of Processing	You may request us to (temporarily) restrict the processing of your personal data in the following situations:- When you have contested the accuracy, for a period enabling us to verify- When processing appears unlawful and you request restriction instead of deletion- When we no longer need the data but you need them for legal claims- Pending verification whether our legitimate grounds override yours
Right to Object	You may under certain circumstances object to the processing of your personal data, in particular if you choose to withdraw the consent on which our data processing activity is based. You can revoke your consent at any time, by sending written notice to us at the address indicated above. Once you have revoked your consent, your data will be anonymized, so that we can no longer make a connection between you and the data.
Right to Data Portability	In some cases, you have the right to receive all your personal data in a structured, commonly used and machine-readable format (CSV, JSON) and have the right to transmit that data to another controller. This right applies: (i) when processing is based on consent or contract; and (ii) when processing is carried out by automated means.

---

By adhering to this Data Protection Policy, Bluesquare is committed to safeguarding personal data and upholding the privacy rights of all individuals. All team members must read and comply with this policy. Acknowledgment required during onboarding.