ZARA´S PRIVACY AND COOKIES

POLICY
Effective date: 15 September 2023

OUR PRIVACY AND COOKIES POLICY

AT A GLANCE

1. WHO WE ARE. We are ITX E-Commerce (Shanghai) Co., Ltd, ZARA Commercial
(Beijing) Co., Ltd., ZARA Commercial (Shanghai) Co., Ltd., and ZARA Fashion (Shanghai)
Co., Ltd. (hereinafter collectively referred to as "We") and we process your personal
information as "personal information processors". This means that we are jointly responsible
for how we process and protect your personal information. See more.

2. WHAT PERSONAL INFORMATION WE COLLECT AND HOW

WE USE IT. We will collect your personal information online or in person for specific
reasons (including to manage your registration as a user, to manage your purchases of
products or services, to respond to your queries, and if you ask specifically, to send you our
customised communications). The main reason is that we need to process your personal
information to perform the contract that you accept with us when you register and when you
make a purchase or enjoy any of our services or functionalities. We also use your personal
information for other purposes, for example, to respond to your queries or to send you
newsletters that you have asked to receive from us. See more.

3. WHO WE SHARE YOUR PERSONAL INFORMATION WITH. We

share your personal information with service providers who provide us with assistance or
support. See more.

4. YOUR RIGHTS. You have the right to access, rectify or delete your personal
information. In certain cases, you are also entitled to other rights, such as, for example, to
object to us using your personal information, or to transferring your personal information, as
explained in depth below. See more.

We encourage you to read our full Privacy and Cookies Policy below to understand in depth
the manner in which we will use your personal information and your rights over your personal
information.

1
BEFORE YOU START…
• In this Privacy and Cookies Policy, you will find all relevant information applicable to our use of our
users' and customers' personal information, regardless of the channel or means (online or in person)
that you use to interact with us.

• If you would like information about how we use cookies and similar devices that may be installed on the
terminals of our customers and users, we recommend you consult the Cookies Policy.

• We are transparent about what we do with your personal information, to help you to understand the
implications of the way in which we use your personal information, and the rights you are entitled to in
relation to your personal information:

o We permanently make available for you all the information included in this Privacy and Cookies
Policy, that you can check when you consider appropriate, and in addition,

o you will also find further information on how we use your personal information as you interact
with us.

• These are some terms we regularly use in this Privacy and Cookies Policy:

o When we speak about our Platform, we refer, in general, to any of the channels or means, digital
or in person, you may have used to interact with us. The main ones are:

▪ Our Website.

▪ Our App, this is, including both the mobile application you installed on your device and
others we may use in our Platform.

▪ In person, in any of our Brick-and-Mortar Stores.

1. WHO IS THE PROCESSOR OF YOUR PERSONAL INFORMATION?

The following entities are the personal information processors ("PIPs") of your personal information.

▪ ITX E-Commerce (Shanghai) Co., Ltd.:

o Registered address: Room 1, 29F, Block 1, No. 399 Kaixuan Road, Changning District, Shanghai
o E-mail of Data Protection Officer: [email protected]

▪ ZARA Commercial (Beijing) Co., Ltd.:

o Registered address: Unit L122, L216+L217, L316+L317, Building1, No.9 Guanghua Road,
Chaoyang District, Beijing
o E-mail of Data Protection Officer: [email protected]

▪ ZARA Commercial (Shanghai) Co., Ltd.:

o Registered address: Room 203, No.6, Lane 113, Changshu Road, Jing'an District, Shanghai
o E-mail of Data Protection Officer: [email protected]

2
 ▪ ZARA Fashion (Shanghai) Co., Ltd.:

o Registered address: B1, B2, GF, 1F and 2F, No.592-600, East Nanjing Road, Shanghai
o E-mail of Data Protection Officer: [email protected]

In other words, the above-mentioned companies (jointly “We”, “Us” or “the PIPs”), are PIPs of your personal
information. This means that we are jointly responsible for processing and protecting your personal information.

2. WHAT PERSONAL INFORMATION WE COLLECT AND HOW WE USE

IT?
For the purpose of this Privacy and Cookies Policy, personal information refers to all types of information, whether
recorded in electronic or other formats, relating to an identified or identifiable natural person, excluding anonymised
information. Sensitive personal information refers to personal information that, once leaked or illegally uses,
may easily cause harm to the dignity of natural persons or endanger personal or property safety, including
but not limited to biometric, religious belief, specific identity, medical and health care, financial account,
location tracks and other information, as well as personal information of minors under the age of 14.

We commit to collecting your sensitive personal information on a strictly-needed basis and to the extent possible
we highlight in bold and underline the sensitive personal information that we collect and process for your special
attention. We will always ensure that sensitive personal information to be collected is sufficiently necessary to
achieve the purposes stated in this section, sensitive personal information will be processed in such way of having
the least impact on your rights and interests, and proper security measures will be put in place to protect data
security. You acknowledge and agree that we may collect process your sensitive personal information for
the purposes stated in this Privacy and Cookies Policy. Where applicable laws and regulations require any
additional voluntary and specific consents from you in the collection of sensitive personal information with
respect to any channels of our Platforms, we commit to seeking additional standalone consents from you
at the point of collection.

When you access or interact with our Platform, we may collect and use your personal information mainly under the
following three circumstances (i) it is necessary to provide or fulfil a transaction or service by or for you in accordance
with a contract that you executed with us ("Basic Functionality"); (ii) you have given us your explicit consent for
better shopping experience or any other value-added services ("Value-Added Functionality"); and (iii) it is necessary
for other legitimate interests pursued by us in accordance with applicable laws and regulations ("Other Legitimate
Interests").

Remember that, when we ask you to fill in your personal information to give you access to any functionality
or service of the Platform, we will mark certain fields as compulsory, since this is information that we need
to be able to provide the service or give you access to the functionality in question. Please take into account
that, if you decide not to make such personal information available to us, you may be unable to complete your user
registration or may not be able to enjoy relevant services or functionalities.

Notice that, in order to identify your device ID, prevent malicious programs and anti-fraud, improve service
security, and ensure operation quality and efficiency, we will collect your device information (including
IMEI, MEID, Android ID, IMSI, GUID or MAC address), installed application list and information about your
running processes.

3
In specific cases, a third party may have provided us with information about you by using a feature or service on
the Platform, for example by sending you a gift card or shipping an order to your address. In these cases, we only
process your personal information where relevant to this feature or service, as stated in this Privacy and Cookies
Policy.

In other cases, we may collect information passively, as we may use tracking tools like browser cookies and other
similar technology on our Platform and in communications we send you.

1) Basic Functionality

Personal information Purpose Legal standing

Mobile phone number, 1. To manage your If you decide to become a registered user of our
first name, last name, registration as user of Platform, we need to process your personal information
email address, password, the Platform to identify you as a user of the Platform and grant you
user ID, IP address, access to its various functionalities, products and
information of the device services available to you as a registered user. In other
when applicable (Android words, for you to be able to register as a user on the
ID, WeChat OpenID, etc.) Platform, we need to process your personal information,
language and market since we would otherwise be unable to manage your
from which you interact registration. We process your personal information
with us. because this is necessary on the terms regulating
the use of the Platform.

The personal information we gather regarding your

activity, which has been collected through the different
channels of the Platform and which includes your
purchases, shall remain linked to your account so that
all the information can be accessed together.

You may cancel your registered user account by

contacting us through Customer Service.

Mobile phone number, 2. To perform or execute This purpose includes processing your personal
first name, last name, the purchase or information, mainly:
email address, physical services contract that
address (street, postal you executed with us on ▪ To contact you for updates or informative
code, province, region), the Platform notices related to the contracted
user ID, bank name, functionalities, products or services.
account number,
▪ To manage potential exchanges or returns
payment information
after you have purchased and manage
(payment amount, requests of availability information for
payment ID, payment
articles, reservations of products through
institution, etc.),
the Platform, depending on the availability of
information about the
such options from time to time.
device you use to access
our Platform or type of ▪ For invoicing purposes and to make available
browser you are using, IP to you the tickets and invoices of the purchases
address, historic you have made through the Platform.
purchase, language and
▪ To ensure that you are able to use other
available functionalities or services, such as

4
 Personal information Purpose Legal standing

market from which you the purchase, receipt, management and use of
interact with us. the Gift Card or of the Gift Voucher.

We process your personal information because their

processing is necessary for us to make the purchase
or services contract with you. We consider that it is
necessary for us to make the purchase or services
contract with you, or process refund to you as needed.

Mobile phone number, 3. To meet requests or We only process the personal information that is
first name, last name, applications that you strictly necessary to verify your identity, and to
email address, physical make through the manage or resolve your request or application.
address (street, postal Customer Support
code, province, region), channels If you contact us via telephone, the call may be recorded
user ID, social networks for quality purposes and so that we can respond to your
ID, username, purchase request.
records and historical
If it is available and you choose to communicate with
transactions, Customer Support through the chat service of a social
communication records
network or another collaborator, some of your personal
with respect to purchases,
information such as your name or username, will be
IP address, language and imported from your social network or collaborator
market from which you
account. Also, bear in mind that the data you submit on
interact with us. this service will be available to your social network or
collaborator and subject to their privacy policies,
therefore We recommend you review your privacy
settings and to read the social network or collaborator
privacy policies to obtain more detailed information
about the use they make of your personal information
when using their services

We process your personal information based on your

consent or to make the purchase or services
contract with you in terms of answering the requests or
queries raised by you through the existing different
contact channels.

When you get in touch with us, in particular, for the

management of incidents related to your order or the
product/service acquired through the Platform, the
processing of your personal information is necessary to
perform the purchase contract.

2) Value-added Functionality

5
 Personal information Purpose Legal standing

Mobile phone number, 1. For marketing This purpose includes the processing of your personal
first name, last name, purposes. information, mainly, for:
email address, IP
address, user ID, ▪ If and when you subscribe to our Newsletter, we
language and market will process your personal information to manage
from which you interact your subscription, including to send subscribed
with us, preferences information on our products or services through
related to the historic various means (such as e-mail or SMS). We may
purchase and browsing also make available to you this information through
history, MAC addresses push notifications in case you have activated them
or metadata, information in your device.
of the device (i.e. Android
▪ Remember that you may unsubscribe from the
ID).
Newsletter at any time without cost through the
"Newsletter" section of the Platform, in addition to
through the instructions that we provide you with in
each notice. If you do not want to receive push
notifications, you can deactivate this option in your
device.

▪ Show you ads on the Internet which you may see

when visiting other websites and apps, for
example, on social media. The ads you see may be
random, but on other occasions they may be ads
related to your preferences or purchase and
browsing history.

▪ If you use social media, we may provide the

companies with which we collaborate certain
information so that they can show you our brand
ads and, in general, offer you and users like you
advertisements which take into account your profile
on said social media sites. If you want information
about the use of your personal information and how
advertising works on social media, we recommend
you review the privacy policies of the social media
sites on which you have profiles.

▪ We ‘ will collaborate to make general statistics

analysis with these third parties who offer us the
necessary technology (for example, cookies,
pixels, SDK) to provide ads services on some of the
collaborators’ platforms. Keep in mind that,
although we do not provide identifying personal
information to these collaborators, we do give them
some form of identifier each time (for example, the
advertising ID associated with the device, an
identifier associated with a cookie, etc.) If you
would like more information in this respect, please
review our Cookies Policy. Likewise, you can

6
Personal information Purpose Legal standing

reset your advertising ID or disable ads on your

device, adjusting your preferences in settings
section of your device.

▪ Data enrichment: When we gather your personal

information from a variety of sources, we may
consolidate them under certain circumstances for
the purpose of improving our understanding of your
needs and preferences related to our products and
services (including for the purposes of analyses,
generating user profiles, marketing studies, quality
surveys and improving our interactions with our
customers). This refers, for example, to the way we
may combine your information if you have a
registered account and, using the same email or
mobile phone number linked to your account, you
make a purchase as a guest, or to information
which is automatically compiled (such as IP, MAC
addresses or metadata) which we may link with
the information you have provided us directly
through your activity on the Platform or in any of our
stores (for example, information related to your
purchases, whether in brick and mortar stores
or online, your preferences, etc.).

▪ To perform promotional actions (for example, for

the organization of competitions or to send the list
of items stored to the e-mail you designate). On
participating in any promotional action, you
authorise us to process the personal information
that you have shared with us depending on the
promotional action and disclose them through
different media such as social networks or the
Platform itself. In each promotional action in which
you participate you will have available the terms
and conditions where we will be providing more
detailed information about the processing of your
personal information.

▪ To disseminate in the Platform or through our

channels in the social networks photographs or
pictures that you shared publicly, provided that you
expressly give us your consent for the purpose.

We are legally permitted to process your personal

information for marketing purposes due to the consent
that you give us, for example when you accept receiving
subscribed information through multiple channels, when
you accept receiving push notifications on your device,

7
 Personal information Purpose Legal standing

when you configure it in the privacy settings of your

device, when you consent through the cookies settings
or when accepting the legal terms and conditions to
participate in a promotional action or to publish your
pictures on the Platform or on our social networks'
channels.

Behaviour data when 2. Personalized In order to provide you with products or services that are
visiting or using the Content more in line with personal needs and interests, and
WeChat Mini Program Recommendations improve the shopping efficiency and experience, we will
(including skip, click, (WeChat Mini Program) conduct statistical analysis based on the previous
like/dislike, share, add to personal information, and extract your user preference
cart, buy, return goods characteristics to recommend or display information
and search), product tags, about products or services that you may interested in.
emotional labels, style,
and hashtags We are legally permitted to process your personal
information due to the consent you give us. Through
WeChat Mini Program “My Account – Personalized
Content Recommendation”, you can turn this
feature on or off at your discretion.

Please note, the Personalized Content

Recommendation service is only provided through Zara
WeChat Mini Program, but is not applicable for Zara
website or Zara App.

User ID, preferences 3. Analysis of usability If you access our Platform, we inform you that we will
related to the historic and quality, and treat your browsing data for analytic and statistic
purchase and browsing satisfaction survey to purposes, i.e., to understand the manner in which users
history, satisfaction rate improve our services interact with our Platform and with the actions we
and suggestions (if implement on other websites and Apps, so we can
provided), language and improve our services.
market from which you
interact with us. In addition, we occasionally perform quality surveys or
customer satisfaction surveys and relevant actions
to know the degree of satisfaction of our customers and
users and detect those areas in which we may improve.

We are legally permitted to process your personal

information for the purposes of analysing the Platform
usability and the user's satisfaction degree due to the
consent that you give us.

Payment data, device 4. Better shopping Certain processing of data related to the purchase
location, and contact experience to improve process is activated only because you request or
data customer satisfaction authorise it, as is the case of the storage of payment
data for future purchases or the processing of data
necessary to provide you with the Coming Soon / Back
Soon functionalities (where these functionalities are
available).

8
 Personal information Purpose Legal standing

In addition to this, to be able to offer you through the App

specific services (such as item finder, reserve a fitting
room, etc.) available in some Brick-and-Mortar
Stores, we may collect and process your device
location and contact data.

In these cases, our processing of your personal

information is supported by your own consent.

3) Device Access Permissions

In order to ensure the normal implementation of relevant business functions, we need to request the corresponding
necessary device permissions according to the specific service scenarios, and ask for you consent with a
permission alert before collecting the data. For specific permission requests, please refer to the following <Device
Access Permission List>:

iOS Access Permissions

App Permission Purpose Permission Alert? Allow to Revoke?

Camera To scan products or When using the Yes

purchase receipts, “Camera” function
search products, for specific services
and for virtual
experience

Microphone To enable the When using the Yes

voice-searching “Microphone”
functionality function for specific
services

Location To provide specific When using the Yes

services (such as App for the first
item finder, reserve time; or
Zara App a fitting room, etc.)
available in some When using the
Brick-and-Mortar specific services
Stores available in Stores

Photo To search products When using the Yes

by image, and for “Photo” function for
virtual experience specific services

Siri To appear the Zara When enabling Yes

App in “Searches” “Siri”
of the iOS devices

Speech Recognition To enable the When enabling Yes

dictation “Speech
functionality to Recognition”

9
 transform voice into
text

Camera To scan products or When using the Yes

purchase receipts, “Camera” function
search products, for specific services
and for virtual
experience

Photo To search products When using the Yes

by image, and for “Photo” function for
virtual experience specific services

Location To provide specific When using “Store Yes

services (such as locator” function
item finder, reserve
Zara WeChat Mini a fitting room, etc.)
Program available in some
Brick-and-Mortar
Stores

Microphone To enable the When using the Yes

voice-searching “Microphone”
functionality function for specific
services

Speech Recognition To enable the When enabling Yes

dictation “Speech
functionality to Recognition”
transform voice into
text

Android Access Permissions

App Permission Purpose Permission Allow to

Alert? Revoke?

Camera To scan products or When using Yes

purchase receipts, search the “Camera”
camera.autofocus
products, and for virtual function for
FLASHLIGHT experience specific
services

Zara App
Microphone To enable the voice- When using Yes
searching functionality the
RECORD_AUDIO
“Microphone”
function for
specific
services

10
Location To provide specific When using Yes
services (such as item the App for
ACCESS_COARSE_LOCATION
ACCESS_FINE_LOCATION finder, reserve a fitting the first time;
room, etc.) available in or
some Brick-and-Mortar
Stores When using
the specific
services
available in
Stores

Photo To search products by When using Yes

image, and for virtual the “Photo”
experience function for
specific
services

NFC To read the NFC tags that When Yes

are present on some enabling the
garments NFC function

External Storage To read images from When writing Yes

SDCard invoices to
READ_EXTERNAL_STORAGE the SDCard;
WRITE_EXTERNAL_STORAGE or

When asking
for picture
search

Device Sensors To identify whether you are No No

a real user or to meet
information security
requirements, orientation
sensor, gyroscope sensor,
gravity sensor, and
accelerometer sensor
information is obtained.

Please understand that

device sensor data alone
does not involve any
personal location
information and cannot be
combined with other
information to identify a
specific natural person.

Network To enable the Internet No No

connection and read the
ACCESS_NETWORK_STATE connection status

11
 CHANGE_WIFI_STATE

ACCESS_WIFI_STATE

Foreground service To enable Android’s No No

foreground service
FOREGROUND_SERVICE

WAKE_LOCK

VIBRATE (if applicable) To vibrate buttons upon No No

press

Writing To adjust the screen No No

brightness
WRITE_SETTINGS

App Push To receive pushes from No No

Huawei market and/ or
permission.RECEIVE Baidu market
permission.PROCESS_PUSH_MSG

permission.PUSH_PROVIDER

permission.GETCOMMON_DATA

baidu.push.permission

Camera To scan products or When using Yes

purchase receipts, search the “Camera”
products, and for virtual function for
experience specific
services

Photo To search products by When using Yes

image, and for virtual the “Photo”
experience function for
specific
services
Zara WeChat Mini To provide specific When using
Location Yes
Program services (such as item “Store
finder, reserve a fitting locator”
room, etc.) available in function
some Brick-and-Mortar
Stores

Microphone To enable the voice- When using Yes

searching functionality the
“Microphone”
function for
specific
services

12
 Speech Recognition To enable the dictation When Yes
functionality to transform enabling
voice into text “Speech
Recognition”

You can choose to turn off some or all the permissions in “Settings” of the device, however, it may cause the
corresponding business functions to not be displayed or to achieve the expectations.

4) Other Legitimate Interests

In accordance with the applicable laws, regulations and national standards, in order to pursue public interests and
other legitimate interests, we may collect and use your personal information without obtaining your consent under
the following circumstances:

(1) It is necessary in order to perform a statutory duty or legal obligation;

(2) It is necessary in order to respond to an unexpected public health incident or, in an emergency, to protect the
lives, health or property of natural persons;

(3) It is done in the public interest for purposes such as providing news reports and monitoring public opinion, and
the extent of the processing is reasonable;

(4) The personal information has been made public by you or has otherwise been lawfully made public, and we
will conduct reasonable processing of your personal information to the extent permissible under applicable
laws and regulations; and

(5) Other circumstances provided under laws and regulations.

For instance, we may collect and use your personal information to activate the mechanisms necessary to prevent
and detect unauthorised uses of the Platform (for example, during the purchase and returns process) as well as
potential fraud being committed against you and/or against us. If we consider that the transaction may be fraudulent
or we detect abnormal behaviour which indicates attempted fraudulent use of our features, products or services,
this processing may result in consequences such as the blocking of the transaction or the deletion of your user
account. We understand that the processing of these data is positive for all the parties involved: for you, as it allows
us to put in place measures to protect you against attempted fraud perpetrated by third parties; for us, as it allows
us to avoid unauthorised uses of the Platform; for all our customers and society, as it also protects their interest by
ensuring that fraudulent activities are discouraged and detected when they do occur.

3. HOW LONG WILL WE KEEP YOUR PERSONAL INFORMATION AND

WHERE?
The time for which we will keep your personal information will depend on the purposes for which we process
them, as explained below:

13
 Purpose Time for which the data are kept

1. To manage your Platform We will process your personal information for the time during which you
user registration remain a registered user (meaning, until you decide to delete the account ).

2. Development, performance We will process your personal information for the time necessary to manage
and execution of the purchase the purchase of the products or services that you buy, including potential
or services contract returns, complaints or claims related to the purchase of the product or
service in question.

Sometimes, we will only process the data until the time when you decide,
as is the case of payment data that you requested us to store for future
purchases (where this feature is available).

3. Customer Support We will process your personal information for the time necessary to meet
your request or application.

4. Marketing We will process your personal information until you unsubscribe or cancel
your subscription to the newsletter.

Likewise, we will show you ads until you change your device, browser and/or
cookies settings so that permission to do so is revoked.

If you participate in promotional actions, we will keep the data during a six
(6) months period from the end of the action.

5. Personalized content We will process your personal information for the time during which you
recommendations keep turning on the functionality of personalized content recommendations
as a registered user (meaning, until you decide to delete the account).

6. Analysis of usability and We will process your personal information occasionally for the time during
quality which we proceed to carry out a specific quality action or survey or until we
anonymise your browsing data.

Notwithstanding the fact that we will process your personal information for the time strictly necessary to achieve the
purpose in question, we will subsequently keep them duly stored and protected for the time during which liability
may arise for their processing, in compliance with applicable laws and regulations. Once each of the potential
actions is time-barred we will proceed to delete or anonymize the personal information.

Our Platform is located within People's Republic of China and the personal information you provide through
the Platform is stored on severs located in the People's Republic of China. We always strictly follow the
applicable regulatory requirements of data cross-border transfer and compliance requirements from
monitoring authorities, to process your personal information. If under those data cross border transfer
and/or access of your personal information, and where applicable laws and regulations require any
additional voluntary and specific consents from you, we commit to seeking additional standalone consents
from you at the appropriate time.

14
4. HOW WE ENTRUST THE PROCESSING, SHARING, TRANSFER AND
PUBLIC DISCLOSUREOF YOUR PERSONAL INFORMATION?
To achieve the purposes mentioned in this Privacy and Cookies Policy, we must give access to your personal data
to entities of the Inditex Group and to third parties that provide us with support as entrusted processors in the
services that we offer you.

1) Entrustment of processing

Certain specific modules or sub-functions of our business are provided by our entrusted service providers external
vendors. We will sign strict confidential agreements with the companies, organizations and/or individuals to whom
we entrust the processing of PI, which will bind them to processing the PI in accordance with our requirements, this
Privacy Policy and other relevant confidentiality and security measures. Such scenarios include but not limited to:

▪ financial institutions (with these entities we may share identification data and economic and
transaction data),

▪ anti-fraud detection and prevention entities (with these entities we share identification data,
economic and transaction data, and connection, geolocation and/or browsing data),

▪ technological and analytical service providers (with these entities we may share identification data,
economic and transaction data, connection, geolocation and/or browsing data, and commercial
information),

▪ providers and partners of services related to logistic, transport and delivery and/or their partner
establishments (with these entities we may share identification data and economic and transaction
data),

▪ providers of customer support related services (with these entities we may share identification data,
economic and transaction data, and commercial information),

▪ service providers and collaborators related to marketing and publicity, such as advertising agencies,
advertising partners or social media (with these entities we may share identification data, connection,
geolocation and/or browsing data, commercial information and information about your tastes and
preferences).

▪ legal entities in China, who are parts of Inditex Group (As a member of Inditex Group, we closely
collaborate with our parent company in various aspects including improving management efficiency,
customer satisfaction as well as risk management. For the necessary internal management purposes,
we may entrust these legal entities to process internal management data).

2) Sharing

If you choose to use the Platform in different markets (i.e. by creating registered user accounts in different markets
with the same e-mail address), We may need to disclose or transfer the information linked to your account or your
activity to the companies of the brand operating in those markets, to the extent they are directly involved in the
achievement of any of the purposes described in the section 2. We consider this is necessary in accordance with
our mutual interests and preferences.

In case you interact with the Platform via the App or WeChat Mini Program, we have installed SDKs of external
service providers. To review this information, please refer to the Appendix

Only in case you purchase products of Zara Home through the ZARA Platform, we will disclose the necessary
personal information to the companies currently operating in Mainland China the sale of ZARA HOME, ITX E-

15
Commerce (Shanghai) Co., Ltd. (registered address: Room 1, 29F, Block 1, No. 399 Kaixuan Road, Changning
District, Shanghai), and ZARA Home Commercial and Trading (Shanghai) Co., Ltd. (registered address: Unit
202C, No.21, Lane 596 Middle Yan'an Road, Jing'an District, Shanghai) for the development, performance and
execution of the purchase. The email address of the Data Protection Officer of these companies currently operating
in Mainland China the sale of ZARA HOME is [email protected]. The legal basis for this disclosure
of data is the execution of the purchase agreement as explained in section 2 of this Privacy and Cookies Policy.
The period established for the conservation of the data is also explained in section 3 of this Privacy and Cookies
Policy and the information about the disclosure of your personal information and how to exercise your personal
information rights is detailed in this section 4 and 5 respectively.

3) Transfer

We will not transfer your personal information to any other PIP, except in the following cases:

(1) Obtaining your explicit consent in advance;

(2) In accordance with the laws and regulations or mandatory administrative or judicial requirements;

(3) In the case of asset transfer, acquisitions, mergers, reorganization or liquidation, if the transfer of personal
information is involved, we will inform you of the situation and require new companies and organizations holding
your personal information to continue to be bound by this Privacy and Cookies Policy. If the purpose of the
collection and use of your personal information is changed, we will require the new company and organization
to regain your explicit consent.

4) Public Disclosure

In principle we will not disclose your personal information publicly. In the event of public disclosure, we will inform
you of the purpose and type of the disclosure, and the sensitive personal information that may be involved and seek
your explicit consent prior to such disclosure.

5) In accordance with the applicable laws, regulations, and national standards, we may share, transfer, or
publicly disclose your personal data without obtaining your consent in the following cases:

(1) Directly related to national security and defence security;

(2) Directly related to public safety, public health and major public interests;

(3) Directly related to criminal investigation, prosecution, trial and execution of judgments;

(4) For the maintenance of your or other people's life, property and other important legitimate rights and interests,
but it is difficult to get your own consent;

(5) The personal data collected is disclosed to the public by yourself;

(6) The personal data is collected from lawful and publicly disclosed information, such as: legal news reports,
government information disclosure and other channels.

5. WHAT ARE YOUR RIGHTS WHEN MAKING YOUR PERSONAL

INFORMATION AVAILABLE TO US?
We undertake to keep your personal information confidential and to ensure that you may exercise your rights.
Bearing that in mind, We have agreed that you may exercise your rights free of charge by writing us an e-mail to

16
a single e-mail address ([email protected]), simply informing us of the reason for your request and the
right that you wish to exercise. If we consider this necessary to be able to identify you, we may request you to
provide a copy of a document evidencing your identity, and will respond to your requests within fifteen (15)
working days.

In addition, we may offer you with the possibility to exercise your rights and setting your privacy preferences when
using some of our services, or by making available specific channels within our Platform.

In particular, notwithstanding the purpose or legal basis we use to process your personal information, you have the
following rights:

• To request access to your personal information that we hold. We remind you that where you are a
Platform registered user you may also consult this information in the relevant section of your online
account.

• To request that we rectify the personal information that we hold. Please bear in mind that if you are a
registered user on the Platform, you may also access the relevant personal information section of your
online account to change or update your personal information. In any case, please take into account
that, on actively making your personal information available to us through any procedure, you guarantee
that they are true and accurate, and you undertake to notify to us any change or modification of your
personal information. You will be liable for any loss or damage caused to the Platform or to the person
responsible for the Platform or to any third party by reporting erroneous, inaccurate or incomplete
information in the registration forms. Please remember that, as a general rule, you must provide us only
with your own data, not with those of third parties, other than to the extent otherwise permitted in this
Privacy Policy.

• To request that we delete your personal information to the extent that they are no longer necessary for
the purpose for which we need to keep processing them, as we have explained above, or when we are
no longer legally permitted to process them.

• To request us to limit the processing of your personal information, implying that in certain cases you
may request us to suspend provisionally the processing of the personal information or to keep them
longer than the time necessary when you may need this.

• To request us to withdraw the consent of your personal information processing activities. However,
we may not be able to respond to your requests for information, which is necessary to realize the basic
functions of our products and services or is necessary for us to perform our obligations under applicable
laws and regulations. Except for such scenarios that we are unable to respond, when you withdraw
your consent or authorization, we will no longer process the corresponding personal information.
Please notice, your decision to withdraw your consent or authorization will not affect our
previous personal information processing activities based on your consent or authorization.

• To request that we cancel your account, as a consequence of which, we will cease the offering of the
goods or services to you and delete or anonymize your personal information according to applicable
laws and regulations. You can cancel your account through the following methods:

(1) Self-cancellation: through Zara website, App or WeChat Mini Program, “ACCOUNT – CANCEL
ACCOUNT” to complete the cancellation

(2) Contact us: [email protected]

• To request that we transmit the personal information you have provided to us in a commonly used and
machine-readable format to another PIP subject to technical feasibility.

17
Should you not wish us to send information to third parties to show you ads, you can do it through several means
such as changing your preferences on your device changing your preferences on your device, browser and/or
cookies settings, reviewing the privacy policies and settings of the social media sites on which you have profiles or
sending us an email to the above mentioned email address informing us of your request.

6. HOW DO WE PROTECT YOUR PERSONAL INFORMATION?

We are committed to protecting the security of your personal information. We use a variety of security technologies
and procedures to help protect your personal information from unauthorized access, use or disclosure. For example,
we store the personal information you provide on computer systems that have limited access and are in controlled
facilities. When we transmit highly confidential data (such as card number or password) over the Internet, we protect
it through the use of encryption.

In the event of a personal information security incident, we will promptly inform you, as required by applicable laws
and regulations, of the basic situation and possible impacts of the security incident, the measures that we have
taken or will take, the suggestions you may be able to prevent and mitigate the risks, and the remedies for your
actions. We will timely inform you of the event through email, SMS and other channels. If it is difficult to inform the
personal information subject individually, we will take a reasonable and effective way to publish the announcement.
At the same time, we will take the initiative to report the disposal of information security incidents according to the
requirements of local authorities.

Please take good care of your login account and password. When you use our service, we will identify you through
your login account and password. Once you have disclosed the foregoing information, you may suffer loss and may
have legal consequences that are unfavourable to you. If you find that your login account and/or password may or
have been compromised, please contact us immediately so that we can take appropriate measures to avoid or
reduce the related loss.

We have established a public user management mechanism, including the tracking procedure. If you have any
questions, opinions, suggestions, or complaints on this Privacy and Cookies Policy, you may contact us through
the postal addresses listed in the Article 1 of this Privacy and Cookies Policy. We also set up a full-time personal
information protection department (or personal information protection officer) and you may contact by emailing to
[email protected]. For security purpose, we may require you to submit written application or use other
methods to prove your identity. In general, after the validation of your identity, we will reply to your request within
fifteen (15) working days or within the time limit stipulated in the laws and regulations.

If you are not satisfied with our reply, especially our processing of your personal information infringes your rights
and interests, you may complain or report to relevant regulatory authorities, or bring a lawsuit before the competent
court.

In principle, we won’t charge you for your reasonable request. However, we will charge a certain amount of cost for
repeated requests that exceed a reasonable limit. We may reject those requests that are duplicative, require
excessive technical means (for example, developing new systems or fundamentally changing current practices),
pose risks to the legitimate rights and interests of others, or are very unrealistic.

Notwithstanding the above agreement, we may not be able to respond your request in the following cases in
accordance with the applicable laws, regulations and national standards:

(1) Directly related to national security and defence security;

(2) Directly related to public safety, public health and major public interests;

(3) Directly related to criminal investigation, prosecution, trial and enforcement of sentences;

18
 (4) There is sufficient evidence that you may maliciously abuse your rights;

(5) Responding to your request will cause serious damage to the lawful rights and interests of other individuals
and organizations;

(6) Involving business secrets.

7. WHAT HAPPENS WHEN YOU PROVIDE US WITH DATA OF THIRD

PARTIES OR IF A THIRD PARTY HAS PROVIDED US WITH YOUR
PERSONAL INFORMATION?
We offer functionalities or services that require us to process the personal information of a third party that you, as
a user or as a customer, must provide us with, such as in the case of activation and sending of the Gift Card or the
management of the application for the Gift Voucher (where these features are available), or when you authorise a
third party to collect an order in our stores or partner establishments. If you provide us with personal information of
third parties or if it is necessary that we request them for a third party to collect an order in your name, you confirm
that you informed them of the purposes and of the manner in which we need to process their personal information,
and that you have obtained their relevant express consent.

If a third party has provided us with your personal information or you have provided them yourself as a result of a
feature or service requested by one of our users, we will use them to manage the feature or service in question in
each case, within the limits of the purposes listed in this Privacy and Cookies Policy, a link to which is always
included in our communications.

8. HOW DO WE PROCESS CHILDREN’S PERSONAL INFORMATION?

Our products, websites and services are mainly adults oriented. A child shall not create his or her own user account
without the consent of his or her parents or guardians.

Although the laws in different countries or regions have different definitions for children, we treat anyone under the
age of 14 as a child. However, since the birthday is not the necessary information for us to provide basic services
or functions, in some cases, we cannot identify the user's age. Therefore, we ask children under the age of 14
NOT to provide us with your names, contact addresses, mobile phone numbers and/or other personal
information by yourselves. If we find ourselves collecting the child's personal information without prior consent of
the parents or guardians, or if we have evidence to prove that you have violated the above agreement, we have the
right to stop providing services to you, and we will try to delete the relevant data as soon as possible.

In cases where a child's personal information is collected with the consent of the parent or guardian, we will only
use or disclose this information in a case where the law allows, the explicit consent of the parents or guardians has
been obtained, or it is necessary to protect the children.

9. CHANGES TO THE PRIVACY AND COOKIES POLICY

We may amend the information contained in this Privacy and Cookies Policy when we consider this appropriate.
Should we do so, we will notify you by various procedures through the Platform (for example, through a banner, a
pop-up or a push notification), or we may even send you a notice to your e-mail address when the change in
question is relevant to your privacy, for you to be able to review the changes, assess them and, as the case may
be, object or unsubscribe from ay service or functionality. If major and substantive changes are involved, we will

19
notify you in a significant way according to the specific situation. Major and substantial changes include but are not
limited to:

1) Significant changes have taken place in our service model. Such as the purpose of processing personal
information, the type of personal information processed, the use of personal information, etc;

2) Significant changes have taken place in our ownership structure and organizational structure. Such as the
owner change caused by business adjustment, bankruptcy and Merger & Acquisition;

3) The main objects of personal information sharing, transfer or public disclosure have changed;

4) Your rights of personal information processing activities have changed significantly;

5) When the responsible department of personal information protection, contact information and complaint
channels change;

6) When the Personal Information Protection Impact Assessment (PIA) report indicates that there is a high
risk.

In any case, we suggest you review this Privacy and Cookies Policy from time to time in case minor changes are
made or we make any interactive improvement, taking the opportunity that you will always find it as a permanent
point of information on our Website, our App, and our WeChat Mini Program.

10. INFORMATION ON COOKIES

We use cookies and similar devices to facilitate your browsing in the Platform, understand how you interact with us
and, in certain cases, to be able to show you advertisements in accordance with your browsing habits. Please read
our Cookies Policy to understand with greater detail the cookies and similar devices that we use, their purpose, how
to manage your preferences, as well as other information of interest.

20
 COOKIES POLICY

BEFORE YOU START...

In this Cookies Policy you will find information on how we use cookies and similar devices installed on the terminals
of our customers and users. The use of cookies may sometimes be related to personal information processing,
therefore we recommend you consult our Privacy Policy, available on our Platform, if you would like information on
how we use the personal information of our customers and users, how to exercise your rights, or the terminology
we use to refer to our Platform (Website, App or Physical Stores).

INFORMATION ABOUT COOKIES

What is a Cookie?
A cookie is a small text file that a website, app or other platform stores on your computer, tablet, smartphone or any
other similar device, with information on your browsing and use, like a tag that identifies your device. Cookies are
necessary, for example, to facilitate browsing and understand how users interact with platforms so they can be
improved. They are also useful to provide advertising according to user preferences, as well as for other purposes
detailed below. Cookies do not damage your computer or device.

By “Cookies” we are also referring to other, similar technologies used to install and/or collect information on or from
your device such as flash cookies, web beacons or bugs, pixels, HTML5 (local storage), and SDK technologies for
apps. The term Cookies also applies to the use of fingerprinting, in other words, techniques used to combine
information that help us identify your device. These technologies sometimes run alongside cookies to collect and
store information, either to provide you with certain features or services on our Platform, or to display third-party
advertising according to your browsing.

This explanation is a general overview of what Cookies means and is for informational purposes only. The specific
Cookies we use are detailed in the cookies settings panel on our Platform.

What type of Cookies are there?

Please check this section which provides an overview of the type of Cookies that can be used in an online
environment.
Cookies can be classified as follows, depending on the owner:

a. First-party cookies: Are sent to the user’s computer or device from a computer or domain managed by the
editor, and which provides the platform or service requested by the user.

b. Third-party cookies: Are sent to the user’s computer or device from a computer or domain not managed by
the editor, but rather by another entity that processes data obtained from the cookies.

Cookies can be classified as follows, depending on the purpose:

a. Strictly necessary cookies (technical): The cookies that allow the user to browse a website, platform or app,
and use the various options or services on it. For example, control traffic, identify data or session, access
restricted access sections or content, remember the elements of an order, complete an order purchase
process, manage payment, control fraud related to service security, use security elements during browsing,
complete an application to register or participate in an event, store content for publishing videos and audio,
enable dynamic content (for example, loading animation of a text or image) and share content on social
media. As they are strictly necessary, technical cookies are downloaded by default when they are needed
to display the platform or provide the service requested by the user.

21
 b. Functionality or customisation cookies: These cookies are needed to remember information so that the user
can access the service or platform with specific characteristics that can differentiate their experience from
that of other users. For example, language, number of results displayed when the user runs a search,
appearance or content of the service based on the type of browser used, or the region from where the
service is accessed, etc. Not accepting cookies may cause slow website performance or poorly adapted
recommendations.

c. Analysis cookies: These cookies can quantify the number of users, sections visited on the platform and
how users interact with it to carry out statistical measurement and analysis on use, in order to implement
improvements based on the analysis of data on how users use the platform or service.

d. Behavioural advertising cookies: Are those which store information on user behaviour obtained from
continuous observation of their browsing habits, which allows us to develop a specific profile for displaying
advertising adapted to these habits. These cookies allow for the most effective management possible of
any advertising space the editor has included directly or in collaboration with third parties.

What are Cookies used for on our Platform?

Cookies are an essential part of our how Platform works. The main goal of our Cookies is to make your browsing
experience as easy and efficient as possible. For example, they are used to remember your preferences (language,
country, etc.) when browsing and during future visits. We also use our Cookies to continuously improve our services
and Platform, and to offer customised advertising according to your browsing habits.

Information collected on Cookies also allows us to improve our Platform by making estimates on statistical data and
patterns of use (number of visits, most visited sections, visit time, etc.), gain a statistical understanding of how users
interact with the Platform so as to improve our services, and to adapt the Platform to your individual interests,
accelerate searches, etc.

We may sometimes use Cookies to obtain information that enables us to display advertising, from our Platform,
third-party platforms or any other means, based on an analysis of your browsing habits (products visited, sections
consulted, etc.).

In any case, the Cookies we use never store sensitive information such as passwords, credit or debit card details,
etc.

How can I manage the use of Cookies on this Platform?

In the Cookies settings panel, available at all times on our Platform, you can find all the information on the Cookies
used by this Platform, along with information on the purpose, duration and management (first or third-party) of each
Cookie, so you can enable or disable the use of Cookies that are not strictly necessary for Platform functioning.

Alternatively, if you are browsing the Internet, you can disable the use of Cookies on your browser. Here is how to
do this on the most popular browsers:
• Google Chrome

• Internet Explorer

• Mozilla Firefox

• Safari

You can prevent the use of Cookies at any time.

Please remember that both managing the Cookies settings panel and opting to reject Cookies is specific to each
browser you are using. Therefore, if you configure Cookies one way on one device and want your option to apply
equally to another device, you must enable the same option on the other device.

22
Additionally, regarding third-party Cookies used to provide advertising based on your interests, please note that
certain third parties may be members of some of the following self-regulatory programmes for online behavioural
advertising, with the relevant voluntary exclusion options:
• Network Advertising Initiative (NAI) - http://www.networkadvertising.org/choices/

• Google Analytics - https://tools.google.com/dlpage/gaoptout

Who uses the information stored on Cookies?

The information stored on our Platform Cookies is only used by us, except those identified in section 2 as “Third-
party cookies”, which are used and managed by external entities to provide us services aimed at improving our
services and the user experience when browsing on our Platform. More information in the Cookies settings panel
available at all times on our Platform.

For more detailed information on how we process your personal information in collaboration with third parties and
on data subject to international data transfers, please read our Privacy Policy available on our Platform, and the
privacy policies/privacy settings of these third-party collaborators, available on their platforms.

23
 APPENDIX: SDK INFORMATION

OPERATING PERSONAL INFORMATION SERVICE WHY CANNOT

# SDK NAME FUNCTION/ PURPOSE
SYSTEM COLLECTED PROVIDER BE STOPPED?

Performance or
execution of the
1 AdMob ANDROID User information Alibaba Group
purchase or services
contract

Performance or
ANDROID / execution of the
2 Alipay Payment information Alipay
iOS purchase or services
contract

It’s mandatory for

ANDROID / Ensuring security Android ID; information
3 Akamai Device information; Akamai
iOS requests security
Network type protection

AGConnect Used to detect Device information;

4 ANDROID Connection Type; Huawei
Crash crashes of the app
Approximate location

Used to analyze the Device information;

AGConnect
5 ANDROID performance of the Connection type; Huawei
Apms
application Approximate location

Used to receive
6 Baidu push ANDROID Android ID Baidu
personalized messages

Performance or
ANDROID/ execution of the CardinalComme
7 Cardinal Payment information;
iOS purchase or services rce
contract

24
 Facebook Device information;
8 ANDROID Analytics Facebook
Analytics Network information

Analytics. Track app

events, screens.
Firebase Device information;
ANDROID / Used to send
9 Analytics Network information; Google
iOS analytics of how the
(Google) Approximate location
user is interacting
with the app

ANDROID / Better shopping

10 Fit Analytics User measurements Fit Analytics
iOS experience

Firebase ANDROID / Cybersecurity (detect Device information;

11 Google
Crashlytics iOS incidents), Analytics. Connection type;
Approximate location

Used to analyze the

performance of the
Firebase ANDROID / Device information;
12 application. Google
performance IOS Approximate location
Marketing

Performance or
execution of the
Firebase purchase or services Device information;
13 ANDROID Google
Push contract Approximate location

Marketing

Github EMV Used to read credit

Github
14 NFC Paycard ANDROID card data through Device information
community
Enrollment NFC sensor

Used to send
Huawei analytics of how the Network information;
15 ANDROID Huawei
Analytics user is interaction Approximate location
with the App

25
 Performance or
Huawei App Device information;
execution of the
16 gallery ANDROID Connection type; Huawei
purchase or services
connect Approximate location
contract

Performance or
Huawei Device information;
execution of the
17 Mobile ANDROID Connection type; Huawei
purchase or services
services Approximate location
contract

ANDROID / Better shopping

18 Kakao Phone number Kakao
iOS experience

Performance or
ANDROID / execution of the
19 Klarna SDK Payment information Klarna
iOS purchase or services
contract

If this SDK is
disabled, the
kotlin.corouti Asynchronous
20 ANDROID Installed APP information jetbrains codes cannot
nes programming
be executed
correctly

OpenStreetM Better shopping Openstreetmap

21 ANDROID Precise location information
ap experience community

ANDROID / Analytics
22 Optimizely Device information Optimizely
iOS Test A/B

PLCrashRep Used to detect Device information; https://www.plcr

23 iOS Connection type;
orter crashes of the app ashreporter.org
Approximate location

Performance or
ANDROID / execution of the
24 RatePay Payment information Riskident
iOS purchase or services
contract

26
 Performance or
RiskifiedBea ANDROID / execution of the Payment information;
25 Riskified
con SDK iOS purchase or services Approximate location;
contract Device information

WeChat Mini Better shopping

26 Tencent Map Precise location information Tencent
Program experience

Performance or
ANDROID / execution of the
27 WeChat SDK Payment information Tencent
iOS purchase or services
contract

WeChat Mini
28 Youshu SDK Analytics Device information Youshu
Program

Better shopping
29 BaiduLBS ANDROID Precise location information Baidu
experience

App development Package Manager (Version

30 HMS Core ANDROID management Name); Huawei
Remote configuration Installed application list

27