Data Protection Policy

Definitions

For the purposes of this Privacy Policy, the following terms shall have the meanings set forth below:

"Applicable Data Protection Law" shall mean all legislation and regulations relating to the protection of personal data and privacy as may be applicable to the parties from time to time, including but not limited to Regulation (EU) 2016/679 (General Data Protection Regulation or GDPR), the UK GDPR, and any national implementing laws, such as the Spanish Organic Law 3/2018 (LOPDGDD), together with any other binding codes of practice or statutory instruments issued by relevant supervisory authorities that govern the processing of personal data.

"Personal Data", "Processing", "Controller", "Processor", and "Data Subject", as well as any other technical terms used in this Policy and not otherwise defined herein, shall have the same meaning as attributed to them under the Applicable Data Protection Law.

Controller Information

Data Controller:

hank.parts S. L.

NIF: B23862170

Calle Callejoncillo 4

11130 Chiclana de la Frontera, Cádiz, Spain

(hereinafter referred to as "we", "our" or "the Controller")

Data Protection Contact: help@support.hank.parts

Age Requirement

Our Service is only available to users who are at least 18 years of age.

While Applicable Data Protection Law may allow individuals aged 13 and above to provide valid consent for data processing, depending on the country of residence, our Service requires, as an internal policy, to be at least 18 years of age. Therefore, we do not knowingly collect personal data from individuals under 18.

If you are under 18, do not use our Service or provide any personal data. If we detect that we have collected personal data from someone under 18, we will delete that information immediately and, where appropriate, deactivate the associated account.

Data We Collect

We may collect and process the following data:

1) In case of contacting us:

• Identifying and contact data
• Data you voluntarily provide in communications you send us

2) In case of creating an account and using our Services:

• Account and contact data: email address, username and password. If you choose to register and/or log in using credentials provided by third-party services, such as Google (Google Sign-In) or other specific social networks, the service provider (e.g., Google) provides us with the basic information for managing your user account according to your privacy settings on that platform. Generally, this information includes your unique user identifier, name, email address, and, if you have consented, your profile picture.
• Profile images: avatar photos you upload to your profile (if applicable)
• Content images: photos you upload for part requests and offers.
• User-generated content: part requests, offers, comments and other platform interactions
• Conversations and interactions carried out through communication tools such as chats, forums or comments.

The following data is also automatically collected:

• Technical data: IP address, browser type, device information.
• Usage data: logs of your activity on our platform

Legal Basis for Processing

We process your data for specific purposes under the following legal bases, as provided under the Applicable Data Protection Law (Article 6 GDPR):

1) In case of contacting us:

The personal data identified in the previous section will be processed to answer your requests and follow up on them.

The legal basis is user consent, granted when you voluntarily contact us through the means available to you.

2) In case of creating an account and using our Services:

The personal data identified in the previous section will be processed for:

Regarding purposes based on our legitimate interests, we have assessed that these interests do not override your fundamental rights and freedoms. If you wish to obtain more information about such assessments, you can request it by writing to help@support.hank.parts.

Mandatory vs. Optional Data

All personal data requested as mandatory will be indicated with an asterisk (*) or equivalent sign. Failure to provide such data (such as contact data) will prevent continuation of the corresponding process (such as creating a user account), since without such information it is not possible to provide the Services offered through the Platform.

Fields not marked as mandatory are requested to improve user experience (for example, profile image) and, therefore, may be completed voluntarily, and their absence will not prevent you from using the Platform, although it may reduce functionality or user experience.

Data Retention

We retain your personal data according to specific retention periods based on data type and legal requirements:

1) Contact with the Controller

Data provided through inquiries, forms or support communications will be kept as long as necessary to address the request or resolve the incident, and subsequently for the statute of limitations period for possible liabilities.

Indicative period: 3 years from resolution of the inquiry.

2) Creating an account and using our Services

Data will be kept while the account remains active.

If the user requests account cancellation, associated personal data will be permanently deleted, except for those that must be kept blocked during legally established periods to address possible liabilities or requests from authorities.

Notwithstanding the above, you can request restoration of your account within the sixty (60) day window through help@support.hank.parts. During this period, personal data associated with the account will remain blocked and will not be visible to other users or used for any purpose other than possible account restoration at the user's own request.

Indicative period: until cancellation request + 60 days recovery + up to 5 years blocked from cancellation request.

Technical, usage or connection data will be kept as long as necessary to ensure operation, security and service improvement, and will subsequently be anonymized or deleted.

Indicative period: session and usage data, up to 180 days from collection; afterwards, only aggregated or anonymized information.

Recipients of your personal data

User personal data will not be communicated to third parties, except in the following cases:

1) Between Platform users:

Certain user profile information (such as username, profile image, approximate location or published part descriptions) may be visible to other registered users, solely to allow interaction, communication or part exchange within the functional framework of the Service.

2) Service providers necessary for Service operation:

Data may be processed by service providers (data processors) who need to access your data to provide their services (for example, technological, web hosting, maintenance, IT support, electronic communications or other services). Such providers act under contracts that guarantee confidentiality, security and GDPR compliance.

3) Compliance with legal obligations and authority requests:

The Controller may communicate your personal data when necessary to comply with legal obligations (for example, tax, security or information retention under LSSI), or when required by administrative, judicial or police authorities in the exercise of their powers.

4) In case of a corporate transaction:

In case of a merger, acquisition, sale of all or part of its assets or any other type of corporate transaction involving a third party, we may share, disclose or transfer user data to the successor entity (even during the pre-transaction phase).

We also inform you that this Privacy Policy only refers to the collection, processing and use of information (relating to personal data) by the Controller. Access to third-party websites that you may access through links from the Platform have their own privacy policies over which we have no control. Therefore, before providing them with any personal information, we recommend that you read their Privacy Policies.

International Data Transfers

Your data is stored and processed primarily within the European Economic Area (EEA).

For United Kingdom (UK) residents, the transfer of data to the EEA is covered by the current adequacy decision, which recognizes the EEA as providing an equivalent level of data protection.

However, some of our service providers are located in countries outside the European Economic Area ("EEA") and/or the United Kingdom.

The location of these companies outside the EEA/UK implies the existence of an international transfer of your personal data. To ensure that these transfers do not result in a lower degree of protection than that established under the Applicable Data Protection Law, hank.parts utilizes valid transfer mechanisms in accordance with legal requirements. These mechanisms include: (i) transfer to a country or territory that has been declared to have an adequate level of protection by the European Commission or the UK Secretary of State, including entities in the United States certified under the EU-U.S. Data Privacy Framework (DPF); or (ii) the execution of the corresponding standard contractual clauses approved by the European Commission ("SCC"), or the International Data Transfer Agreement/Addendum, as applicable, supplemented by any necessary technical and organizational measures to guarantee that the service provider adheres to data protection standards equivalent to those required within the European Union or the United Kingdom.

Consequently, the engagement of these international providers is managed to ensure that the security and integrity of your personal data remain protected at a level consistent with the requirements of the Applicable Data Protection Law.

You can request copies of the safeguards through help@support.hank.parts.

Your GDPR Rights

The rights that correspond to you as a data subject are as follows:

How to Exercise Your Rights

You can exercise the rights that the law guarantees you in relation to the processing of your personal data by contacting us at the following addresses:

• help@support.hank.parts
• Postal mail: hank.parts S. L., Calle Callejoncillo 4, 11130 Chiclana de la Frontera, Cádiz, Spain
• We will respond to your request within one month (extendable to two months for complex requests)

Right to Complain

If you consider that the processing of your personal data infringes the provisions of the Applicable Data Protection Law, you have the right to lodge a complaint with a competent supervisory authority. If you are not satisfied with our response, you have the right to file a complaint with the competent data protection authority.

For residents in Spain, the competent authority is:

For residents in the United Kingdom, the competent authority is:

If you reside in another Member State of the European Union, you may also file your complaint before the relevant supervisory authority in the country of your habitual residence, place of work, or the place of the alleged infringement.

Notwithstanding the foregoing, we invite you to contact us directly so that we may address your concerns and resolve any potential issues in an amicable manner prior to the filing of any formal complaint.

Rights of Deceased Persons (Spanish Law)

Under Spanish data protection law (LOPDGDD Article 3), the following persons may exercise rights over the data of a deceased user:

• Persons designated by the deceased for this purpose
• Heirs or legal representatives
• Family members

To exercise these rights, contact through help@support.hank.parts with appropriate documentation proving your relationship with the deceased.

Data Security

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure or destruction. These include encryption, access controls and regular security assessments.

Cookies and Similar Technologies

We use strictly necessary cookies essential for website operation. These cookies do not require consent as they are essential for service provision under the Applicable Data Protection Law and Electronic Communications Regulations in the EU/UK, specifically in accordance with the exemptions provided for technical storage or access for the sole purpose of carrying out the transmission of a communication or as strictly necessary to provide an information society service explicitly requested by the user.

Essential Cookies We Use:

• Authentication (Hanko JWT): Maintains your login session and identity (expires after 14 days or when you log out)
• CDN Session (Bunny.net): Optimizes content delivery and caching (expires after session ends)
• Language preference (i18n): Remembers your language selection (persists until changed)

We do not use marketing, analytics or tracking cookies. If we add such cookies in the future, we will request your explicit consent before placing them.

For more information about cookies and how to manage them, visit: www.aboutcookies.org

Changes to this Policy

We may update this policy from time to time to reflect changes in our processing activities, technical improvements, or updates to the Applicable Data Protection Law. In the event of material changes that significantly affect your rights or the way we process your personal data, we will provide you with reasonable advance notice, prior to the changes taking effect. Such notification will be made via a prominent notice on our website or, where appropriate, by direct communication to the contact details provided by you.

We encourage you to review this Policy periodically to remain informed about our data protection practices. If we make significant changes, we will notify you through our website or by email.

Contact

If you have questions about our data processing, contact us through help@support.hank.parts.

Our goal is to acknowledge all data protection inquiries within 72 hours and provide a substantive response within the legal period of one month.

Version History

• January 23rd, 2026: Updates to reporting and changes for UK users
• December 11th, 2025: Added information about third-party login services (Social Login)
• October 1st, 2025: Initial version