This Policy defines the rights and obligations of the Company’s employees, board members, external stakeholders, and witnesses in relation to reporting violations and unethical conduct within the organization. The primary objective of reporting violations is to protect the public interest and prevent unlawful activities, including but not limited to, violations of financial regulations, taxation laws, and AML compliance (§ 2(1)(d)(1-3)); consumer rights infringements (§ 2(1)(d)(4)); breach of workplace safety and product quality standards (§ 2(1)(d)(5-6)); environmental violations (§ 2(1)(d)(7)); data protection breaches and cybersecurity threats (§ 2(1)(d)(12)); violations affecting public security and order (§ 2(1)(d)(11)). Reports made solely to serve personal interests or those that do not meet the criteria set out in § 2(1) do not qualify as protected disclosures under this Policy and will not be subject to the protections outlined in § 7 of the Act.

In accordance with Act, reports regarding violations should pertain to the following areas, as outlined in § 2(1)(d) of the Act:

1. Corruption, bribery, and abuse of power
2. Public procurement violations and unfair competition
3. Financial services, products, and markets, including securities and investment fraud
4. Anti-money laundering (AML) and countering the financing of terrorism (CFT)
5. Product safety, quality standards, and compliance with regulatory requirements
6. Transport safety, including road, air, and maritime regulations
7. Environmental protection, climate regulations, and sustainable development policies;
8. Radiological protection, nuclear safety, and hazardous materials management.
9. Food and feed safety, including production, distribution, and labeling compliance.
10. Animal health, welfare, and ethical treatment.
11. Public health, occupational safety, and healthcare system compliance;
12. Consumer protection, fair trade, and prevention of deceptive business practices;
13. Protection of privacy, personal data, and cybersecurity regulations
14. Security of networks, ICT systems, and critical infrastructure
15. Protection of financial interests of the Czech Republic, local government units, and the European Union
16. Regulations governing the internal market of the European Union, including competition law, state aid, and corporate taxation
17. Fundamental human rights and constitutional freedoms in interactions between individuals, businesses, and public authorities.

The Company treats all reports of potential misconduct with the utmost seriousness, ensuring strict confidentiality and compliance with § 7 of the Act, which protects whistleblowers from retaliation. Reports that meet the legal criteria outlined in § 2(1) will be reviewed and investigated in accordance with the established internal procedures and legal obligations.

Definitions

This section defines terms used in the Company's Whistleblowing Policy.

A breach is any action or inaction, whether actual or potential, that violates Czech law or regulation.

Chief Compliance Officer (CCO) - is responsible for overseeing compliance.

A concerned person - is any individual or entity implicated in, or connected to, the reported improper conduct.

An employee - encompasses all Company personnel, irrespective of their employment type (e.g., permanent, temporary, trainee, intern), including managers, committee members, consultants, and any external parties conducting business activities for, or providing services to, the Company.

Financial Analytical Office of the Czech Republic - is referenced as a relevant regulatory authority.

The Bitflow Lab s.r.o. - refers to the Company.

Management Board - refer to the Company's respective governing body. This policy includes the primary document and any supplemental annexes.

Regulations - include all applicable Czech laws, regulations, and guidelines from competent authorities.

A reporting person - is any current or former employee who discloses information about improper conduct related to their employment.

Whistleblowing - is the act of disclosing information regarding improper practices within the Company.

Personal data - means any information of a nature that identifies or makes identifiable any natural person

Whistleblower (Oznamovatel) - means any natural person referred to in the scope of this Policy who submits a report in an individual capacity and in good faith regarding: (i) misconduct which has occurred or might be occurring, or (ii) attempted misconduct. Whistleblower is any individual who reports a breach in good faith, as defined under § 2 of Act No. 171/2023, including employees, contractors, interns, and others performing similar tasks. The identity of the whistleblower will be treated as strictly confidential and must not be disclosed to any third party without the whistleblower’s explicit consent, except as required by law.

The Whistleblowing Reporting Officer - is the designated employee responsible for receiving and processing internal disclosures; if none is appointed, this responsibility falls to the AML Compliance Officer

Confidentiality of Identity - means that the identity of the Whistleblower is known to the recipient of the information, but is kept strictly confidential – in particular, from the person concerned – and is used on a strict need-to-know basis.

If a whistleblower or any individual assisting in the reporting process suffers non-material harm as a result of retaliation, they are entitled to adequate compensation in accordance with applicable legal standards.

An Investigation or Inquiry - means any process designed to gather and analyse information to determine whether misconduct has occurred and, if so, who is the concerned person (or persons). When reference to an investigation is made, it shall also relate to an inquiry and vice versa.

Retaliation - means any detrimental act or omission, direct or indirect, recommended, threatened, attempted or taken by another individual or other individuals against a Whistleblower, persons who have supported a Whistleblower or persons associated to the Whistleblower and is prompted by internal or external reporting or by public disclosure. These include, but are not limited to:

• Termination or non-renewal of employment,
• Reassignment, demotion, or exclusion from professional development,
• Negative performance reviews,
• Pay cuts or denial of bonuses,
• Reputational harm or privacy breaches.

PLEASE NOTE: Protection extends not only to the whistleblower, but also to individuals assisting in the reporting process, colleagues, subordinates, and close persons, legal entities affiliated with the whistleblower.

PLEASE NOTE: Any attempt to waive protection against retaliation is null and void. Bitflow Lab s.r.o. will not request, require, or enforce such waivers under any circumstances.

Report (Oznámení) – Information about a possible unlawful act or breach falling under the scope of § 2(1) of the Act, especially those related to anti-money laundering (AML), cryptoasset regulation, data protection, services, consumer protection, and/or cybersecurity. In particular, Report means information about a potential unlawful act that:

Designated Person (Příslušná osoba) – A qualified, independent individual appointed to handle the receipt, assessment, and follow-up of reports (in our case - the MLCO/MLRO). In case if the MLRO/MLCO is the subject of Report - then the CEO. The criteria of Designated Persons are:

1. must be an adult, with a good character, and convicted of serious crimes.
2. must evaluate the report, propose corrective action, and inform the whistleblower of the outcome within 30 days (extendable).
3. must ensure confidentiality and act impartially.

General Principles

The Company encourages employees to openly discuss ethical concerns and suggestions with appropriate personnel. Serious suspicions of misconduct should be reported using the channels provided in this policy. Internal reporting is preferred when feasible and safe, allowing for internal resolution without fear of reprisal.

"Information on improper practice" includes knowledge or reasonable suspicion of current or potential misconduct or attempts to conceal such misconduct within the Company or other organizations where the reporting individual works or worked, or had contact through their work. All disclosures must be made in good faith. While evidence is not required, the reporting person should have reasonable grounds to trigger an investigation.

This policy applies to all Company personnel, regardless of their employment status or administrative position, including temporary staff, external consultants, and others providing services to the Company as specified in their contracts (hereinafter referred to as “covered individuals”).

The Whistle-blower Protection Directive (EU) 2019/1937 , adopted by the European Parliament and Council, establishes common standards for safeguarding individuals who report breaches of EU law. Its primary goal is to strengthen whistle-blower protection throughout the European Union, promote transparency and integrity within both the public and private sectors, and prevent retaliation against those who report irregularities. The directive covers a broad spectrum of violations, including those related to product safety, environmental protection, public health, consumer rights, and personal data. The Czech Republic has incorporated the requirements of Directive 2019/1937 into its national legal system through Act No. 171/2023 Sb., the Whistleblower Protection Act, adopted by the Parliament of the Czech Republic on June 2, 2023, published in Collection 86/2023, and effective from August 1, 2023. This Act ensures that whistleblower protections are fully aligned with EU standards, providing legal safeguards against retaliation and ensuring that reports of violations are handled with confidentiality and due diligence.

This Policy is based on the provisions outlined in the Act, which aims to establish a comprehensive framework for the protection of individuals who report breaches of the law, ethical misconduct, or other violations in the workplace and beyond. This legal framework ensures that whistleblowers are protected from retaliation and that their disclosures are handled with confidentiality and due diligence. The Act allows whistleblowers to submit external reports without the obligation to first submit an internal report. This ensures that individuals can bypass internal channels when they perceive such channels to be ineffective or unsafe.

The processing of personal data related to whistleblowing reports must comply with the provisions of the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the Act, ensuring that all personal data is handled securely, lawfully, and responsibly. Personal data of whistleblowers and any individuals involved in reports must be protected from unauthorized access, disclosure, or misuse, in accordance with § 20 of the Act.

According to § 30 of the Act, whistleblowers have the right to submit external reports directly to the competent authorities without first reporting internally. The Ministry of Justice of the Czech Republic is responsible for receiving and processing external reports, providing guidance on whistleblower rights and protections, ensuring compliance with whistleblower protection regulations, preventing retaliation against whistleblowers. This policy applies to all individuals within the organization, including employees, contractors, suppliers, and any other third parties who interact with the organization and may have witnessed or become aware of any violations, misconduct, or legal breaches.

1. Internal Reporting Mechanisms – Whistleblowers are encouraged to use internal reporting channels first, unless they have reasonable grounds to believe that such channels would not lead to an effective resolution. The internal reporting mechanism should comply with the requirements of the Act.
2. External Reporting Mechanisms – in accordance with § 30 of the Act, whistleblowers have the right to submit reports directly to the Ministry of Justice or other relevant public authorities without the obligation to report internally. The external reporting mechanisms are intended to offer an alternative when internal reporting may not be viable or when the whistleblower fears retaliation.
3. Public Sector and Private Sector Applicability – the protections and procedures outlined in the Act apply to both the public and private sectors, ensuring uniform standards of protection for whistleblowers across various industries and organizational structures.
4. Non-Retaliation – this Policy applies to ensure the protection of whistleblowers from any form of retaliation, including but not limited to discrimination, harassment, negative employment consequences, such as reduced benefits or denial of promotions, legal threats or unjustified legal action.

The Company ensures strict enforcement of non-retaliation measures in accordance with § 7 of the Act, providing whistleblowers with legal protection, confidentiality, and access to legal remedies if retaliation occurs.

Reporting Procedures

The Company ensures that all employees and associated individuals are aware of the procedures for reporting information about infringements. These procedures are designed to protect the public interest and facilitate the prevention and detection of any actions that may harm the public good.

Individuals may report information about infringements through internal whistleblowing channels or directly to the competent authority.

Reports should be made in good faith and with a reasonable belief that the information is correct. The Company will not hold individuals liable for reporting unless it is proven that they had no reasonable grounds to believe the information was correct. Anonymous reports are also subject to protection measures if the identity of the person becomes known and protection against adverse actions is necessary.

Direct reporting to the competent authority is appropriate in the following circumstances:

• The infringement is of essential importance to the public interest.
• Immediate action is required to prevent or stop the infringement due to the potential for serious harm.
• The heads of the institution or those with institutional ties are likely involved in the infringement.
• Previous reports through internal channels have not been addressed or the response has been inadequate.
• Reporting through internal channels may risk the whistleblower's anonymity or lead to attempts to conceal the infringement.
• The institution lacks a functioning internal whistleblowing channel or the individual is no longer affiliated with the institution and cannot access internal channels.

A report to the competent authority should include specific factual circumstances of the infringement, the individuals involved, and any previous reports made regarding the infringement. Where possible, written or other available evidence should be attached to the report.

No protection is given if the report is knowingly false.

Internal Whistleblowing Channels

The Company is committed to fostering an environment where concerns about misconduct can be reported securely and with confidence in the protection of the whistleblower's identity. To this end, the Company has established internal whistleblowing channels that are designed to ensure the confidentiality of the persons reporting information about infringements.

The internal whistleblowing channels are set up and operated under the oversight of the head of the institution, who bears the responsibility for their functioning. The head of the institution will ensure that all employees, civil servants, and officials are informed about the availability of these channels and will make the relevant information accessible to them.

These channels provide a secure and confidential means for reporting information about infringements, allowing for the safe disclosure of concerns without fear of identification or retaliation. The Company will ensure that these channels are not only accessible but also clearly communicated to all employees, providing them with the necessary information on how to report and what to expect after a report is made.

The CCO shall regularly review the effectiveness of the internal whistleblowing channels to ensure they are functioning as intended and make any necessary improvements. This includes ensuring that reports are received, assessed, and addressed promptly and in accordance with the guidelines provided by the Сzech Law on the Protection of Whistleblowers.

Before whistleblowing to external authorities, the internal procedures should be followed. These procedures are designed to address issues internally while protecting the whistleblower.

• AML Compliance Officer or CCO: The Company appoints a specific person (AML compliance officer/ Chief Compliance Officer) to handle whistleblowing reports. This person is responsible for receiving and investigating reports of misconduct, including violations of AML laws, financial crimes, or unethical practices. The AML compliance officer/ Chief Compliance Officer is designated to handle issues related to non-compliance, including AML violations or fraudulent activities. Reporting to him is an effective internal whistleblowing channel.
• Human Resources (HR): If the issue relates to employee behavior, such as discrimination or retaliation against other whistleblowers, the HR team might be the appropriate internal channel to pursue.
• CEO: If the AML Compliance Officer is involved in a breach (e.g., facilitating money laundering, failing to report suspicious transactions, providing false information, or breaching confidentiality), and this is an issue of concern or there is a serious issue, the whistleblower should consider reporting the issue to the CEO or other senior management. In this case, the CEO or the management team should act independently from the compliance officer.

Step	Timeline
Acknowledgement of receipt	Within 7 days
Initial assessment	Within 30 days (extendable twice by 30 days)
Feedback to whistleblower	Provided with outcome and rationale
Action (if applicable)	Remedial or preventive action taken

In case the report is clearly outside the scope of the Act or unfounded, the whistleblower will be informed without undue delay.

All reports and related documents are securely stored for 5 years (§ 21). Only the designated person has access to the information. All personal data is processed in accordance with GDPR and Czech privacy law.

The Company ensures that all staff are trained and informed about:

1. The existence of the whistleblowing system
2. Their right to report misconduct
3. The protections available under the law Training is mandatory for new hires and refreshed annually.

Procedure for internal disclosure

The Company encourages employees to address concerns about misconduct with their head of the unit as a first step. However, if the matter involves the head of the unit, and the employee feels uncomfortable reporting to their head of the unit, or for any other reason, they may instead contact the designated AMLRO/CCO. The relevant person is responsible for handling the report in accordance with the guidelines of the Czech Law on the Protection of Whistleblowers.

Direct reporting to the CEO is appropriate if the employee reasonably believes:

• The AMLRO/CCO is involved in the alleged misconduct.
• The AMLRO/CCO's relationship with someone involved in the misconduct compromises their impartiality.
• The employee is dissatisfied with the AMLRO/CCO's response or lack thereof.

The Company shall establish and maintain effective internal whistleblowing channels that allow for the confidential reporting of suspected or actual misconduct. These channels shall be designed to ensure the anonymity of whistleblowers and to facilitate the secure submission of reports.

Reporting Methods

Employees may submit reports to the Company verbally or in writing using the following methods:

• Telephone:
• Email:
• Mail:

The Company guarantees the protection of the whistleblower's identity, ensuring confidentiality and, where possible, anonymity throughout the process. Reports will only be disclosed to authorized personnel who are involved in investigating the matter, and any information provided will be handled with the utmost care to protect the whistleblower from retaliation.

The Company ensures that no retaliatory actions will be taken against individuals who report concerns in good faith through the established reporting channels. Any acts of retaliation will be treated as serious violations of the Company's policies and will be investigated promptly. Employees who experience retaliation have the right to seek legal protection under § 7 of the Act.

Whistleblowers can seek guidance from the Compliance Department on how to report a concern or obtain further clarification on the process. In addition, support services, including legal and psychological assistance, will be provided where necessary to ensure the well-being of the whistleblower during the reporting process. The Company is committed to fostering a transparent, ethical, and secure environment where individuals can report violations without fear of retaliation.

Alternative Internal Reporting Channels

If established channels are deemed unsuitable due to the circumstances or sensitivity of the information, covered individuals may also submit reports to:

• The Chief Executive Officer (contact details)

External Whistleblowing Channels

If internal reporting mechanisms are ineffective, or if the whistleblower feels that their concerns are not being properly addressed or investigated, they may escalate the matter to external authorities.

• Ministry of Justice:

  In accordance with § 16 of the Act, whistleblowers may submit reports to the Ministry of Justice (Ministerstvo spravedlnosti).

  Website: https://oznamovatel.justice.cz

  The Ministry of Justice appoints authorized officials to handle such reports. They can accept reports verbally or in writing, assess them, and refer to other competent authorities. They must respond within 30 days, inform whistleblowers of outcomes, and may refuse to investigate repeated reports with no new information.

• Financial Analytical Unit (FAU):

  The FAU (Finanční analytický úřad) is the main authority responsible for overseeing compliance with Anti-Money Laundering (AML) and Counter-Terrorism Financing (CFT) regulations in the Czech Republic.

  If the employee has knowledge of money laundering or terrorist financing, or if you become aware of AML violations, the employee should report the issue to the FAU.

  Contact: https://fau.gov.cz/en

• Czech National Bank (ČNB):

  The Czech National Bank (ČNB) is the financial regulatory body responsible for overseeing financial institutions, including CASPs, and ensuring that they comply with Czech regulations, including AML and market conduct rules.

  If the issue pertains to broader financial misconduct, market abuse, or non-compliance with ČNB regulations, you can file a whistleblower report with the ČNB. Contact: Czech National Bank (ČNB)

  Website: https://www.cnb.cz/

• Police:

  If the misconduct involves criminal activities, such as fraud, money laundering, or terrorist financing, the Czech Police can investigate the issue.

  Reporting directly to law enforcement may be appropriate in the case of clear criminal offenses or financial crimes.

• Public Prosecutor:

  If the case involves serious criminal offenses or if you believe that the authorities have not taken sufficient action, you can also report the issue to the Public Prosecutor's Office.

Handling of Reports

Upon receipt of a report, the designated personnel shall promptly assess and, if necessary, investigate the report in accordance with the guidelines of the Czech Law on the Protection of Whistleblowers. The whistleblower shall receive an acknowledgment of receipt of the report within a reasonable timeframe, and shall be informed about the progress and outcome of any investigation, moreover, the AMLRO/CCO will:

• confidentially assess and/or investigate the report promptly.
• determine appropriate next steps, including whether a formal investigation is warranted and its scope. This will be done in accordance with the Czech Law.
• document the assessment, including findings and rationale.
• inform the concerned individual(s) of the report and their rights within an indicated in legal procedures timeframe.
• escalate the matter to relevant managers, the Management Board, as appropriate, considering the nature of the misconduct and its potential impact on the Company.
• maintain confidentiality and anonymity as required by the Czech law and the reporter's wishes.
• provide the reporter with acknowledgement of receipt within seven days, including information on their rights and procedures.
• provide feedback on the investigation's progress and outcome within a reasonable timeframe (not exceeding three months from acknowledgement, or seven days from the report if no acknowledgement was provided).
• maintain thorough records of the evaluation/investigation and its outcomes as per company guidelines, in compliance with Czech legal requirements.

The Company accepts anonymous reports, provided they meet the criteria for handling as outlined in this procedure. Anonymous reports will be processed with the same care and attention as non-anonymous reports, ensuring the confidentiality of the whistleblower is maintained. If a report is deemed insufficient for further investigation, the whistleblower’s anonymity will remain protected during the decision-making process.

The report will be analyzed to determine whether it is credible and falls within the scope of the Company policies and relevant laws. The AMLRO/CCO will assess the validity of the report, gather additional facts if necessary, and decide whether an investigation is warranted. If the report is verified as valid, it will proceed to the next stage of investigation. If not, the whistleblower will be informed of the decision (if possible), and the report will be archived.

If the report passes the initial verification, an internal investigation will be initiated by the designated team or department. The investigation will follow the Company’s standard procedures, ensuring fairness, impartiality, and confidentiality for all parties involved, including the whistleblower and the reported person. The investigative team will gather evidence, interview witnesses, and review relevant documentation to confirm or refute the allegations made in the report. Based on the findings, corrective actions or other necessary measures will be implemented. The investigation will be completed within a reasonable timeframe, and all parties involved will be kept informed of its progress.

The whistleblower will be informed about the acceptance of their report and the initiation of an investigation (if applicable). Throughout the investigation, the whistleblower will receive periodic updates on the status, provided that confidentiality and legal requirements permit. Once the investigation is concluded, the whistleblower will be informed of the final outcome, including any actions taken or decisions made based on the findings.

All actions taken throughout the process will prioritize the protection of the whistleblower’s identity and ensure that retaliation is prevented in accordance with § 7 and § 20 of the Act. If retaliation or discrimination against the whistleblower is reported, the Company will take immediate corrective action to address the issue.

Violations of whistleblower protection provisions will be considered serious misconduct and may result in disciplinary or legal consequences for the responsible parties. The Company recognizes the importance of allowing whistleblowers to submit reports anonymously to encourage the reporting of violations without fear of retaliation. Anonymous reports will be accepted and processed with the same level of diligence and confidentiality as non-anonymous reports, provided they contain sufficient detail for investigation.

The company ensures that any anonymous report of a violation will be accepted and registered for further investigation. Th AMLRO/CCO will review each anonymous report to determine if it contains enough details (e.g. Specific incidents, involved parties, supporting evidence) to proceed with an investigation.

In cases where an anonymous report is accepted, the investigation will proceed without revealing the identity of the whistleblower. If additional information is needed, the Company may attempt to gather further details without compromising the anonymity of the reporter. Should the anonymity be at risk, no further clarification will be sought. Due to the anonymous nature of the report, providing feedback to the whistleblower is not always possible. However, the company will ensure that the investigation is conducted thoroughly, and any actions taken will be documented internally.

The company guarantees that the anonymity of the whistleblower will be protected throughout the investigation process. All reports, including anonymous ones, will be handled with the utmost care to prevent any potential retaliation or breaches of confidentiality.

Storage of information

The Company is committed to ensuring the protection of whistleblowers' personal data, including their identity, throughout the entire reporting and investigation process. All personal data submitted by whistleblowers, whether through internal or external channels, will be handled with the utmost care and in compliance with applicable data protection laws and the Company’s policies.

Personal data, including any information that could potentially identify the whistleblower, is subject to strict confidentiality and will only be accessible to those involved in the management of the report, in accordance with the Company's internal procedures. This includes the Report Manager, Compliance Officer, AMLRO, investigative teams, and other relevant personnel, all of whom are bound by confidentiality obligations.

In cases where the disclosure of the whistleblower’s identity is legally required in the context of proceedings conducted by public authorities, the Company will inform the whistleblower about this requirement and explain the reasons for such disclosure. This will only occur if such a legal obligation exists, and the Company will ensure transparency in the process.

Personal data collected in connection with the acceptance of a whistleblower report will be retained for a period of up to three years after the completion of the follow-up actions, or one year from the conclusion of the investigation or corrective measures. The retention period ensures that any necessary records are available for audit or review, while respecting the whistleblower's right to privacy.

The Company guarantees that all measures are taken to ensure the security of stored personal data, with access granted only to authorized individuals who require it for legitimate purposes. Any data retention or processing will be in line with the company's data protection policy and applicable legislation on personal data protection.

Archiving of reports

The Company is committed to maintaining an internal register of all whistleblower reports, ensuring proper administration of the data contained within the register in compliance with our policies and applicable legal requirements. This register will be securely stored and managed, with access granted only to authorized personnel involved in the handling and processing of reports.

The internal register will include the following essential details for each whistleblower report:

• A unique reference number for the report.
• A brief description of the alleged breach or issue.
• The personal and contact details of the whistleblower (if provided).
• The date the report was received.
• Information regarding any follow-up actions taken during the investigation process.
• The date on which the report was closed, including the outcome of any actions taken.

The Company recognizes the importance of maintaining transparency in the whistleblowing process. As such, all records will be kept in accordance with the data retention policy, which ensures that the information is securely stored for the required period. The mandatory retention period for the whistleblower report records is three years, starting from one year after the completion of follow-up actions or closure of the investigation.

During this retention period, all records will be easily accessible for audit, review, or further legal purposes if required. After the retention period has elapsed, all records will be securely archived or destroyed in accordance with the Company's data protection policy, ensuring that personal data is handled with care and in compliance with relevant privacy regulations.

This archiving process allows the Company to maintain a comprehensive and secure record of all whistleblower reports, ensures compliance with legal and regulatory obligations, and protects the confidentiality of the whistleblower and all parties involved in the process. The Company is committed to upholding the highest standards of transparency and security while safeguarding the privacy of all individuals involved in the whistleblowing procedure.

Protection for Public Disclosures

Protection extends to public disclosures of breaches if either of the following conditions applies.

Ineffective Internal/External Reporting: The individual reported internally and/or externally, but no appropriate action was taken within a reasonable timeframe. The specifics of a reasonable timeframe and the definition of appropriate action will be clearly stated in the policy, aligned with Czech legal requirements.

Imminent Public Danger: Using internal or external channels was not reasonably feasible due to imminent or significant risk to public interest, compelling circumstances, or risk of irreversible damage. This would include situations where immediate action is crucial to prevent harm, as defined by relevant Czech regulations.

Maximum period for feedback to the complaint

The Company is committed to providing timely responses to internal complaints in accordance with legal requirements and best practices. The following procedure outlines the maximum period for providing feedback to the complainant:

Upon receiving an internal complaint, the company is required to acknowledge receipt of the complaint within 7 days. The acknowledgment will confirm the receipt of the complaint and provide an overview of the next steps in the process.

The maximum period for providing feedback to the complainant regarding the outcome of the internal complaint is 3 months. This period starts from the date of acknowledgment of receipt of the internal complaint.

If the acknowledgment is not sent to the complainant within 7 days (due to a lack of provided contact information), the 3-month period for feedback will begin after 7 days have elapsed from the date of the internal complaint.

In cases where the complainant has not provided the necessary contact details (postal address or email address), the company will make reasonable efforts to contact the complainant. However, feedback may be delayed if no contact information is available, and it will not be considered the Company’s responsibility if the complainant does not provide such details.

The Company will make every effort to ensure that feedback is provided within the 3-month period. In cases where additional time is required, the complainant will be informed promptly and provided with an explanation for the delay

Whistleblowing and liability

The Company is committed to providing protection for whistleblowers who report misconduct or violations in good faith. In line with the Company’s internal policies and relevant legal frameworks, whistleblowers are protected from retaliation and should they face any adverse actions as a result of their report, they are entitled to appropriate compensation.

If a whistleblower faces retaliatory actions—such as demotion, harassment, discrimination, or termination of employment—due to their report, they are entitled to compensation. The amount of compensation will be no less than the average monthly remuneration in the national economy for the previous year. This ensures that whistleblowers are protected and not penalized for their decision to report violations in the workplace. Compensation claims may be submitted through relevant authorities, including the Ministry of Justice.

While the Company encourages the reporting of any potential violations or misconduct, it is also essential that whistleblowers ensure the accuracy of the information they provide. In cases where a whistleblower intentionally submits false or misleading reports, or makes false public disclosures, the person who has suffered harm due to the false report or disclosure is entitled to compensation for the damage done to their personal rights. This compensation may be sought directly from the whistleblower responsible for making the false report.

In the event that a whistleblower claims retaliation, it is presumed that any action taken by the Company, such as disciplinary measures or adverse changes to their work conditions, may constitute retaliation. The burden of proof then shifts to the Company. The Company must demonstrate that the action was taken for objective and justifiable reasons, unrelated to the whistleblower’s report.

The Company is committed to ensuring that all whistleblowers can report in good faith without fear of retaliation. Any retaliation is not tolerated and will be met with corrective action. At the same time, the Company acknowledges the potential risks involved in false reporting and emphasize that malicious, false reports may result in legal and financial consequences for the whistleblower.

The Company ensures that any claims of retaliation or false reporting will be thoroughly investigated with the highest level of impartiality, and the Company will uphold both the rights of the whistleblower and those potentially affected by the report. By implementing these measures, the Company guarantees a transparent, legally compliant, and fair whistleblowing framework, ensuring protection for whistleblowers while preventing abuse of the system.

Confidentiality

Confidentiality is a cornerstone of the whistleblowing process, ensuring that individuals who come forward with information about misconduct can do so without fear of exposure or retribution. The identity of the whistleblower, as well as any information that could indirectly reveal their identity, is treated with the utmost discretion and is only used for the purpose of addressing the reported misconduct.

In cases where it is legally required for the purposes of an investigation by competent authorities or during judicial proceedings, confidentiality may be waived to protect the rights of individuals implicated in the alleged misconduct. However, such instances will be handled with due care, and the whistleblower will be notified in advance whenever possible, unless doing so would jeopardize the integrity of the investigation or legal proceedings. Every individual that receives or examines information about an infringement is obligated to ensure the confidentiality of the reporting person. The identity of the whistleblower will only be disclosed to those directly engaged in the examination of the reported infringement and only as necessary to conduct the investigation

It is important to note that confidentiality does not extend to reports that are determined to contain deliberately false information. Furthermore, any information about whistleblowers must not be provided to individuals who are not involved in the investigation

This approach to confidentiality is in strict adherence to the principles outlined in the Czech Law on the Protection of Whistleblowers, which mandates the protection of whistleblowers' identities during public administration, official (disciplinary) infringement investigation procedures, or administrative or criminal proceedings, to the extent that such confidentiality is objectively possible in light of the reported information and its relationship with the whistleblower.

Retaliation

If an external party commits retaliation against the Company, the Company will review its business relationship with that party and take appropriate action. This may include terminating the relationship, avoiding future business, exercising contractual remedies, or pursuing legal action.

Anyone who believes they have been retaliated against or are at risk of retaliation for supporting a whistleblower, should immediately report it to the AMLRO/CCO. If the alleged retaliator is the AMLRO/CCO, the report should go to the CEO. The report must include supporting evidence. Retaliation complaints will be treated confidentially and will not impede the investigation of the original misconduct unless the retaliation itself constitutes obstruction. The burden of proof lies with the alleged retaliator to demonstrate that there is no causal link between the whistleblowing report and the alleged retaliatory action.

Upon receiving a retaliation report, the AMLRO/CCO will promptly assess the situation and may launch an inquiry. Whistleblowers will retain protection even if their original report cannot be fully substantiated.

If a whistleblower, or someone who supported them, reasonably believes they are threatened with or have experienced retaliation, the AMLRO/CCO (or the CEO if AMLRO/CCO is the alleged retaliator) will provide assistance to ensure protection. Specific measures may include, but are not limited to:

• temporarily suspending allegedly retaliatory actions pending verification.
• offering temporary or permanent reassignments for the whistleblower or the retaliator, considering individual profiles and service needs.
• placing the whistleblower or retaliator on paid administrative leave, initially for a set period, with possible extensions as needed.
• transferring the manager responsible for the whistleblower's performance management.
• other appropriate steps to mitigate potential retaliation and its effects.

The whistleblower will be notified in writing of the outcome of any measures taken. All actions taken will be documented and in line with Czech Law on the Protection of Whistleblowers.

Protection of personal data

The Company's handling of personal data related to this policy will adhere to its data protection policy, complying fully with the Czech Law on the Protection of Whistleblowers and the General Data Protection Regulation (GDPR). This ensures the protection of all individuals mentioned in reports of misconduct, including reporters, implicated parties, and witnesses.

Personal data collected through the whistleblowing process will be handled with the highest level of care and security, ensuring that the information is used solely for the purpose of addressing the reported misconduct.

Personal data related to a report will be accessible only to those who are authorized and have a legitimate need to know in order to perform their duties related to the investigation and resolution of the report. The Company will implement appropriate technical and organizational measures to safeguard personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.

The Company will maintain a clear data retention schedule that complies with the requirements set out in the GDPR and the Czech Law, ensuring that personal data is not kept longer than necessary in relation to the purposes for which it was collected or processed. Procedures for the secure deletion of personal data that is no longer required will be established, and regular reviews will be conducted to ensure that the data is purged in a timely and secure manner.

In the event of a legal obligation to disclose personal data, such as for investigations by competent authorities or judicial proceedings, the Company will comply with such requirements while ensuring that appropriate safeguards are in place to protect the rights of the individuals involved. The whistleblower will be informed of any such disclosure in advance, unless doing so would compromise the investigation or legal process.

This policy affirms the Company's commitment protecting the rights of individuals and upholding the principles of data protection as set forth by the GDPR and Czech legislation. Specific procedures for data handling and storage will be detailed separately in accordance with all applicable Czech and EU data protection laws. The policy will be regularly reviewed and updated to reflect changes in Czech and EU regulations on data privacy.

Record keeping

The Company is committed to maintaining accurate and secure records of all reports of misconduct and the subsequent actions taken. These records are essential for tracking the progress and outcomes of reports, as well as for ensuring accountability within the Company's whistleblowing framework.

When a report is made, the Company will document the date and time of the report, the method by which it was made, a summary of the allegations, and the identity of the reporter, if disclosed. All subsequent actions taken in response to the report, including any investigations launched and their outcomes, will also be meticulously recorded.

The confidentiality of the whistleblower will be preserved throughout this process, with the identity of the reporter and any other sensitive information being accessible only to those with a legitimate need to know.

Records will be stored securely in a secure document management system, with access strictly controlled and limited to authorized personnel. The Company will implement appropriate technical and organizational measures to prevent unauthorized access, alteration, or destruction of records.

In compliance with Czech data protection laws, a defined retention schedule will be established for all records related to whistleblowing reports. This schedule will ensure that records are kept for as long as legally required or necessary for the purposes for which they were collected. Once the retention period has expired, records will be securely purged from the Company's systems.

The Company's data protection officer (DPO) and the CCO will oversee the record-keeping process, ensuring that it adheres to all applicable laws and regulations. Regular audits will be conducted to verify the integrity and security of the record-keeping system, and all personnel involved in record-keeping will be trained on the importance of data protection and compliance with Czech law. The Company’s data protection officer (DPO) will oversee these processes to ensure ongoing compliance.

Review and amendments

The Company is committed to ensuring that this Whistleblowing Policy remains up-to-date and reflective of the latest legal requirements and best practices. To this end, the Chief Compliance Officer is charged with the responsibility of regularly reviewing and, if necessary, amending this Policy to maintain alignment with the evolving legal landscape and the Company's operational context.

The Policy will undergo a formal review at least annually to assess its effectiveness and compliance with applicable laws, including any changes to the Czech Law on the Protection of Whistleblowers. This review process will be thorough and documented, with the findings and any proposed amendments presented to the Management Board for consideration and approval.

In addition to scheduled reviews, the Policy may be amended in response to significant changes in the Company's business model, risk profile, or in the wake of material shifts in the regulatory environment. Any such amendments will be made with the intent of preserving the integrity of the whistleblowing framework and ensuring the continued protection and support of whistleblowers.

The Company recognizes the importance of transparency in the amendment process and will ensure that all changes to the Policy are communicated effectively to all employees and relevant stakeholders. The version control table will be updated to reflect the history of amendments, providing a clear record of the Policy's evolution and ensuring that all personnel are aware of the current provisions.

Furthermore, the CCO will ensure a review is conducted no later than twelve months after the last assessment.