This Privacy Policy applies to all our actions in collecting, using, storing, protecting, and transferring personal data of data subjects in the course of our business operations in the EU market, regardless of whether the data is processed electronically or non-electronically.

“Personal data” as used in this policy refers to any information that, alone or in combination with other information, can identify a specific natural person, including but not limited to name, contact information, email address, mailing address, payment information, identity verification information, browsing history, etc., but excluding information that cannot be identified after anonymization. “Data subject” refers to any natural person within the EU who provides us with personal data or has a business relationship with us.

We strictly adhere to the seven core principles of the GDPR in processing personal data: lawfulness, fairness, and transparency; purpose limitation; data minimization; accuracy; limited retention; integrity and confidentiality; and responsibility.

Our legal basis for processing your personal data primarily includes: (1) obtaining your explicit consent; (2) being necessary to fulfill the contract between us; (3) being necessary to comply with our legal obligations; (4) being necessary to protect the significant legitimate rights and interests of you or other natural persons; and (5) being necessary to achieve our legitimate business interests without infringing upon your fundamental rights and freedoms (the relevant legitimate interests will be explained in detail in subsequent chapters).

(I) Types of Personal Data We Collect

Based on the apparel business scenario, the personal data we collect mainly includes the following categories, and we only collect necessary data directly related to business objectives, adhering to the principle of data minimization:

• Identification Data: such as your name, gender, date of birth, etc.
• Contact Information Data: such as your email address, phone number, mailing address, social media accounts, etc.
• Transaction and Order Data: such as your order number, product model and quantity purchased, payment information (excluding sensitive information such as complete bank card passwords), delivery information, etc.
• Website Browsing and Interaction Data: such as your IP address, browser type, browsing history, page dwell time, click behavior, etc. when visiting our official website;
• Other Necessary Data: such as preference information you provide when participating in our market research, and relevant supporting documents required for handling complaints or disputes, etc.

(II) Data Collection Methods

We primarily collect your personal data through the following legal methods:

• Data you actively provide: including but not limited to personal data you voluntarily fill out or provide when registering on the official website, submitting orders, sending inquiry emails, or participating in surveys;
• Data generated during business interactions: such as records formed during your communication with our customer service personnel, and transaction data automatically generated during order fulfillment;
• Data collected by legal automated tools: such as browsing data collected through cookies and similar tracking technologies on the official website (see Section IV of this chapter for relevant explanations);
• Data legally provided by third parties: such as necessary transaction and delivery data provided by third-party payment institutions and logistics service providers authorized by you, but we will require third parties to prove the legality of their data sources and ensure that they have obtained your appropriate authorization.

(III) Use of Cookies and Similar Tracking Technologies

To ensure the normal operation of the official website and optimize user experience, we will store small data files such as cookies on your device. Cookies typically contain identifiers, product names, and related characters, which help us identify your device and record your browsing preferences to provide you with more personalized services (such as remembering your login status and displaying product information that may be of interest to you).

The cookies we use are mainly divided into the following types: (1) Strictly necessary cookies: These ensure the normal operation of basic website functions, such as order submission and page loading. These cookies can be used without your consent; (2) Performance cookies: These are used to analyze website traffic, page views, and other data to help us optimize website performance; (3) Functional cookies: These are used to remember your personalized settings, such as language preferences and browsing history.

You can manage or delete cookies through your browser's settings. Most browsers offer the option to block or disable cookies. However, please note that disabling some cookies may affect your normal use of some functions of the website.

We collect personal data solely for the following specific and explicit purposes, and will not use it for any other purpose unrelated to the original purpose without your separate consent or permission permitted by law:

• Fulfilling contractual obligations: such as processing your orders, arranging product production and delivery, and completing payment settlements;
• Providing customer service: such as responding to your inquiries, handling your complaints or suggestions, and providing after-sales support for your orders;
• Optimizing products and services: such as improving website functionality, optimizing product design, and enhancing service quality based on your browsing history and feedback;
• Legitimate marketing activities: such as pushing information about our new products and promotional activities to you, but we will provide you with a convenient unsubscribe method;
• Ensuring data security and compliance: such as identifying and preventing fraud, misappropriation, and other illegal activities, and complying with the requirements of relevant EU and member state laws and regulations;
• Other purposes with your consent: such as participating in market research, receiving gifts, and other specific activities.

(I) Storage Period

We will only store your personal data for the shortest period necessary to achieve the data processing objectives. After this period, the data will be immediately deleted or anonymized. Specific storage periods will be determined based on the data type and intended use: (1) Transaction and order data: retained for 5 years from the date of order completion to meet contract performance and dispute resolution needs; (2) Customer service related data: retained for 3 years from the date of service termination; (3) Browsing data and marketing related data: retained for 2 years from the date of collection, or until the date you explicitly request deletion; (4) Data required to comply with legal obligations: retained for the period stipulated by laws and regulations.

(II) Storage Location and Security Measures

Our personal data storage servers may be located within or outside the EU, but regardless of the storage location, we will ensure that data processing complies with GDPR requirements. For data transfers outside the EU, we will ensure security during the transfer process through legal means such as signing standard data protection clauses and obtaining explicit consent from the data subject.

We employ industry-standard security measures to protect your personal data from unauthorized access, use, modification, disclosure, damage, or loss: (1) Technical aspects: Encrypting critical data, using firewalls and intrusion detection systems to prevent network attacks, and regularly scanning the system for security vulnerabilities; (2) Management aspects: Establishing a strict data access permission management system, providing data protection training to employees, and signing confidentiality agreements with relevant service providers; (3) Emergency response aspects: Developing a data breach emergency response plan, and in the event of a high-risk data breach, notifying the relevant EU data protection authorities and affected data subjects within 72 hours of discovery.

We are committed to strictly protecting your personal data privacy and will not share, transfer, or publicly disclose your personal data to any third party except in the following specific circumstances:

• With your explicit consent: Sharing with designated third parties within the scope of your authorization;
• Necessary for fulfilling contracts: Such as providing your delivery address and contact information to logistics service providers to complete product delivery; providing necessary transaction data to third-party payment institutions to complete payment settlement;
• Legal and regulatory requirements: Disclosure of necessary personal data as required by relevant EU and member state laws, court judgments, or mandatory requirements of government authorities;
• Protection of legitimate rights and interests: To protect your or other natural persons' life, property, or other significant legitimate rights and interests, and when we are unable to obtain your consent in a timely manner;
• Business mergers or reorganizations: In the event of a business merger, acquisition, bankruptcy liquidation, or other similar circumstances, personal data may be transferred to relevant third parties as part of our business assets, but we will require the transferee to continue to comply with the requirements of this Privacy Policy and will notify you in advance;
• Anonymous Data Sharing: Sharing anonymized statistical data that cannot identify specific data subjects with third parties without your consent.

For any third party's data processing activities, we will clarify their data protection obligations through data processing agreements and other means, and supervise their data processing activities to ensure the security of your personal data.

According to the GDPR, you, as a data subject, enjoy the following core rights, and we will provide you with convenient channels to exercise these rights:

• Right of Access: You have the right to request us to confirm whether we are processing your personal data and to obtain details of the data processing (including data type, purpose of use, storage period, and shared recipients);
• Right of Correction: If you find that the personal data we process for you is inaccurate or incomplete, you have the right to request us to correct or supplement it promptly;
• Right of Erasure (Right to Be Forgotten): Under statutory circumstances (such as the data processing purpose has been achieved, you withdraw your consent, or we no longer need the data), you have the right to request us to delete your personal data, except where retention is required by laws and regulations;
• Right to Restrict Processing: In specific circumstances (such as you object to the accuracy of the data, the data processing is illegal but you do not agree to deletion, etc.), you have the right to request us to restrict the processing of your personal data;
• Right to Data Portability: You have the right to request that we provide your personal data in a structured, commonly used, and machine-readable format, and the right to transfer such data to other data controllers, provided that data processing is based on your consent or is required by contract.
• Right to Withdraw Consent: If your personal data processing is based on your consent, you have the right to withdraw that consent at any time, without affecting the legality of the data processing conducted based on your consent prior to the withdrawal.
• Right to Complain: If you believe that our personal data processing violates GDPR regulations, you have the right to file a complaint with the data protection authority of your Member State.

You can exercise the above rights by sending an email to partner@icarustechco.com. We will respond within one month of receiving your request (this may be extended to three months in complex cases, but you will be notified in advance). To protect your legal rights, we may require you to provide necessary identity verification information to confirm the authenticity of your request.

If our principal place of business is located outside the EU, to ensure GDPR compliance, we have designated a legal representative within the EU as the contact point for data processing-related matters. The details of the EU representative are as follows: [Please fill in the name, address, telephone number, and email address of the EU representative here. If no representative has been designated yet, please indicate "Our company is actively working on the designation of an EU representative, and relevant information will be updated on our official website in a timely manner"].

Data subjects within the EU can communicate with us regarding personal data protection matters or submit relevant rights requests through the aforementioned EU representative.

We will update this Privacy Policy in a timely manner based on changes in EU and member state data protection laws and regulations, business development needs, etc. Updated policies will be published on our official website icarustechco.com, and we will also notify you via email (if you have provided a valid email address).

By continuing to do business with us after this policy is updated, you agree to the updated Privacy Policy. We recommend that you visit our official website regularly to check for policy updates.

If you have any questions, suggestions, or need to exercise your data subject rights regarding this Privacy Policy, please contact us through the following methods:

We will carefully process each of your requests within the legally stipulated time limits and do our utmost to protect your personal data rights.

This Privacy Policy is effective from the date of its publication.