Privacy policy

Version update date:[December 29, 2025]

Version effective date:[December 29, 2025]

HEPHA GmbH is committed to protecting and respecting your privacy. This document describes how your personal data will be processed when you use our website (https://hepha.com/, https://b2b.hepha.com) or using our services.

You can find below:

1. Introduction
2. Processing of Personal Data
3. What data do we collect and how do we use your personal data
4. Data for Advertising and Marketing Purposes
5. Retention period
6. Purpose limitation
7. Security of Personal Data
8. Sharing of Personal Data
9. International Transfer
10. Rights in relation to Personal Data
11. Questions and inquiries
12. How will we update this Privacy Policy

This Privacy Policy does not apply to our authorised retailers, or third parties to whom you directly provide your personal data including but not limited to, subscription services, insurance companies, or other third parties. These entities are independent of us and responsible for their own collection of information. Please refer directly to those entities and their privacy policies for more information.

1. Introduction

This Privacy Policy ("Policy") provides information on the personal data processing by HEPHA GmbH in the European region, a private company with limited liability established under applicable law, having its statutory seat in Lise-Meitner-Straße 7 a, 82216, Maisach, Germany, as well as its subsidiaries and affiliate companies (hereinafter individually and collectively referred to as "HEPHA")

HEPHA GmbH can be reached via the following contact details:

• Mailing address: Lise-Meitner-Straße 7 a, 82216, Maisach, Germany
• Telephone number: +49(0) 814 2284 4480
• Email address: service@hepha.com

Contact details of the Data Protection Officer:

PROLIANCE GmbH ()

Leopoldstr. 21

80802 Munich

datenschutzbeauftragter@proliance.ai

When contacting the Data Protection Officer, please specify the company(HEPHA GmbH) your inquiry relates to. Please refrain from including sensitive information such as a copy of your ID in your request.

This Policy applies for all personal data processed by HEPHA GmbH and/or on behalf of HEPHA GmbH, which identify or may identify a person ("Personal Data"). These persons involved are hereinafter collectively referred to as data subjects ("Data Subjects").

HEPHA reserves the right to review and/or alter the Policy periodically, in order to comply with (local and/or European) legislation, and for any other purpose deemed reasonably necessary by HEPHA GmbH.

For queries and inquiries about this Policy, please contact us at service@hepha.com.

2. Processing of Personal Data

This Policy sets out the elements necessary for HEPHA's compliance with applicable privacy legislation, principles and practice, including but not limited to applicable privacy laws ("Applicable Laws").

The Policy is an external policy and is directed towards Data Subjects whose Personal Data are being processed by HEPHA GmbH for the purpose for which information has been collected. This Policy applies to the processing of Personal Data, in which HEPHA GmbH acts as the data controller within the meaning of the Applicable Laws. This is the case when HEPHA GmbH determines the purpose for and the means for the processing of Personal Data of Data Subjects within the purposes of this policy.

For business purposes, Data Subjects may be asked to provide their Personal Data. If this is the case, HEPHA GmbH, its affiliates and partners shall be required to keep such information confidential.

Note：Your password is protected by industry-standard encryption and is never stored or accessible in plain text by our systems or personnel.

3. What data do we collect and how do we use your personal data

When we provide our services, we have a need to process personal data. We typically process the following personal data when you use our website or using our services:

• Access and Use of the Website: We automatically collect your personal identifiers (such as your device’s Internet Protocol (IP) address), and location information (such as that which may be determined from your Internet Protocol (IP) address) to provide our website to you. We do not store your IP address.

When we collect personal data from you as listed above, we do so through cookies and similar technologies. For more information on how we use cookies across our digital platforms, please refer to the Cookie Policy of our B2C Consumer-oriented Website (https://hepha.com) and Cookie Policy of our B2B Corporate-oriented Website (https://b2b.hepha.com).

Our website may include social media features, such as Instagram, Facebook, YouTube and LinkedIn widgets. These features may collect identifiers (such as your Internet Protocol (IP) address) and internet activity information (such as which page you are visiting on our website). These widgets may set a cookie or utilise other tracking technologies to accomplish this. Social media features and widgets are hosted by a third party and your interactions with those features are governed by the privacy policies of the third party companies that provide them.

4. Data for Advertising and Marketing Purposes

In compliance with applicable laws and regulations, we may use certain information provided by you during registration or order placement (such as name, email address, country, or city) for advertising delivery, advertising performance analysis, and audience matching or similar audience modelling purposes.

Our customers may, at their sole discretion, choose whether or not to share data collected through our services and/or products with third-party platforms, including advertising networks, analytics providers, or other service partners (such as Google and Meta). Any such data sharing is optional, and is initiated and managed by the customer, and governed by the contractual terms between the customer and the respective third party.

To protect personal data, we will not share real names, email addresses, or other information in a directly identifiable form with third parties. Any data shared with third-party advertising platforms will be processed in accordance with the security standards of the relevant platform at the time it is provided and will be used solely for audience matching or advertising optimisation purposes.

Third-party platforms will process such data only in accordance with their applicable service terms and data processing agreements and are not permitted to use the data for independent identification of individuals or for any other unauthorised purposes.

5. Retention period

HEPHA will use and store Personal Data within the period that is necessary to fulfil the above mentioned purposes and shall remove those Personal Data after relevant purposes no longer existing, or to comply with contractual obligations or as permitted or required by the Applicable Laws.

6. Purpose limitation

The Personal Data may only be processed to the extent necessary for the described purposes. Personal Data may in principle not be processed for other purposes other than that for which the Personal Data were collected. If there is a necessity or need to process Personal Data for other purposes, it shall be investigated by HEPHA GmbH whether the purposes of the intended data processing are compatible with the original purposes. HEPHA GmbH shall provide the Data Subject prior to that further processing with information on that other purpose.

7. Security of Personal Data

We strive to maintain the highest standards of security and HEPHA has put in place robust technical and organisational measures for the protection of your data in accordance with the current, general state of technology, especially to protect the data against loss, falsification or access by unauthorised third persons. Once we have received your personal data, we will use strict procedures and security features to prevent unauthorised access. However, the transmission of information via the internet is not completely secure. So, whilst we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted via our websit. In the unfortunate event that a personal data security incident occurs, we will report it promptly and take remedial measures in accordance with the requirements of the law and regulatory authorities.

8. Sharing Personal Data

We share the information identified above:

1. within the HEPHA Group, which includes parent companies, corporate affiliates, subsidiaries, business units and other companies that share common ownership;
2. with HEPHA Dealers for sales, leasing, and customer service purposes, such as responding to quote requests, E-bike diagnosis, maintenance and repair, scheduling service appointments, and contacting you and providing the requested services.
3. HEPHA and HEPHA Dealers are separate legal entities with their own privacy policy. Please be aware that each dealer operates as a separate legal entity and you should read the dealer’s privacy statement to ensure that you understand its privacy policy and procedures. Additionally, because the HEPHA dealer often is the first contact with you, the dealer can answer any questions you may have about its privacy policy. While HEPHA encourages its dealers to ensure full compliance with all applicable privacy legislation and has provided information to our dealers relating to privacy obligations, HEPHA is not responsible for dealers’ compliance with applicable law.
4. With our suppliers and service providers, we may disclose your information to our third party service providers, agents, subcontractors and other organisations for the purposes of providing services to us or directly to you on our behalf. Such third parties may include cloud services providers (such as hosting and email management) or other third parties who provide services to us.
5. When we use third party service providers, we only share with them the personal data that is necessary for them to provide their services and we have a contract in place that requires them to keep your information secure and not to use it other than in accordance with our specific instructions.
6. With other entities for legal, security or safety purposes, we may share your information with third parties, law enforcement or other government agencies to comply with law or legal requirements; to enforce or apply our Terms of Service and other agreements; and to protect our rights and the property or safety of our users or third parties. We also may disclose information about you and your E-bike when we have reason to believe that someone is causing injury to or interference with our rights or property, other users of the website or anyone else that could be harmed by such activities.
7. With other companies in connection with a corporate transaction, if we or some or all our assets are acquired by another company, including through a sale in connection with bankruptcy, we will share the information that we hold with that company; and/or
8. With Optional Third Parties（such as Instagram, Facebook, YouTube and LinkedIn widgets) that you authorize, with your express permission, we will also share your information with selected third parties you choose (“Optional Third Parties). These services or offerings from third parties will be subject to their Terms of Service and Privacy Statement, not ours. If you have any concerns regarding the collection, use or sharing of your personal data or wish to exercise any rights that you have, please contact the Optional Third Parties directly.

When third parties are given access to your personal data, we will take the required contractual, technical and organisational measures to ensure that your personal data are only processed to the extent that such processing is necessary.

In all cases, HEPHA will expressly state why such information is necessary, so that Data Subjects may provide the information at their own discretion. HEPHA will not disclose Personal Data provided by Data Subjects to any party, other than HEPHA itself, without prior permission from the Data Subjects.

9. International Transfer

In principle, the personal data we collect is stored within the countries of your place of residence, within the European Economic Area (EEA). However, In some cases, your personal data may be processed outside your country of residence when remote access from China is involved during maintenance and operation. Regardless of where your personal data is processed, we apply the same protections as described in this Policy. We transfer your personal data in accordance with the legal frameworks required by different jurisdictions. Recipients of your personal data are required to adhere to the same level of privacy safeguards as mandated by applicable data protection laws. These include, but are not limited to:

a. Adequacy decisions, such as:

• European Commission adequacy decisions
• UK adequacy regulations

b. Agreements, such as:

• EEA Standard Contractual Clauses (SCCs)
• UK International Data Transfer Agreement (IDTA)

10. Rights in relation to Personal Data

You generally have the right to ask us:

• for access to and a copy of your personal data that we hold.
• that some of your personal data is provided to you or sent to another data controller in a commonly used, machine readable format.
• to update or correct your personal data in order to make it accurate.
• to delete your personal data from our records in certain circumstances.
• to restrict the processing of your personal data in certain circumstances.
• to object to us processing your personal data in certain circumstances.

To exercise these rights, please contact us using the contact information provided in Section 1. To ensure the security of your data, we may require you to provide necessary information for identity verification. We will respond to your request within one month of receipt. If the request is complex or numerous, we may extend this period where necessary and will inform you in advance.

These rights may be limited in some situations – for example, where we can demonstrate that we have a legal requirement to process your data or if making the information available to you would reveal personal data about another person or if we are legally prevented from disclosing such information. In some instances, this may mean that we are able to retain data even if you withdraw your consent.

We hope that we can satisfy any queries you may have about the way we process your data. If you have any concerns about how we process your data you can contact us as described below in the section “10 Questions and inquiries”.

In the event you still have unresolved concerns, you also have the right to lodge a complaint with a supervisory authority.

Finally, please note that where we require personal data to comply with legal or contractual obligations, then provision of such data is mandatory: if such data is not provided, then we will not be able to manage our contractual relationship, or to meet obligations placed on us. In all other cases, provision of requested personal data is optional.

11. Questions and inquiries

If you have any questions about the processing of your personal data, please read this Privacy Policy first. For additional questions, please feel free to contact us. Please note that we take your satisfaction very seriously. Should you have a complaint, please also direct it to the same email address and we will respond to you as soon as we can.

You can of course also lodge a complaint with the data protection authority of the country in which you live.

12. How will we update this Privacy Policy

We may update this Privacy Policy according to changes in our business functions and measures concerning the protection of personal data. If we make changes to this Privacy Policy, we will update it on our website. We therefore recommend that you check this website regularly to keep updated of any changes. Where changes to this Privacy Policy will have a fundamental impact on the nature of the processing or otherwise have a substantial impact on you, we will give you sufficient notice so that you have the opportunity to exercise any rights you have.