CONSENT TO CROSS-BORDER TRANSFER OF PERSONAL DATA

This Consent to Cross-Border Transfer of Personal Data (the "Consent") is provided in accordance with Article 12(4)(1) and Article 9 of Federal Law of the Russian Federation No. 152-FZ of 27 July 2006 "On Personal Data" (the "Russian Personal Data Law") and is presented as a separate document in accordance with Article 9(1) of that law (as amended by Federal Law No. 156-FZ of 24 June 2025).

Where applicable, this Consent also constitutes the data subject's explicit consent to international transfer of personal data under Article 49(1)(a) of Regulation (EU) 2016/679 (the "GDPR") for data subjects within the territorial scope of the GDPR, after having been informed of the possible risks of such transfer in the absence of an adequacy decision and appropriate safeguards.

This Consent is specific, predetermined, informed, conscious and unambiguous. It is given by the Data Subject freely, by their own will and in their own interest.

Provision of this Consent is not a condition for use of the Operator's website. The Data Subject may decline to provide this Consent without any adverse consequences for their ability to use the Site.

1. About the Operator (Data Controller)

• Full name: Limited Liability Company "MAOMBI RU"
• Short name: LLC "MAOMBI RU"
• Tax identification number (INN): 7703428642
• Registered address: Russia, Moscow
• Contact email: support@maombi.com

(the "Operator")

For Users covered by the GDPR, the Operator is the Data Controller within the meaning of GDPR Art. 4(7).

2. About the Data Subject

This Consent is provided by the natural person (the "Data Subject") using the Operator's website at https://maombi.com (the "Site").

The Data Subject is identified by the Operator using a combination of the following information recorded at the time of consent:

• IP address of the device used to perform the action;
• the Data Subject's account identifier on the Site (where applicable);
• cookie identifiers of the Data Subject's device;
• date and time of the action constituting consent.

In accordance with Article 9(1) of the Russian Personal Data Law, this Consent is provided in a form that allows the fact of its receipt to be confirmed — by marking the dedicated checkbox in the cookie information interface on the Site and confirming the corresponding choice.

3. Categories of personal data transferred

The Data Subject consents to the cross-border transfer of the following categories of their personal data:

1. IP address;
2. Cookie identifiers and device identifiers;
3. Information about the browser, operating system, screen resolution and other technical parameters of the device;
4. Information about pages visited on the Site, time of visit, referral sources;
5. Information about actions performed on the Site (clicks, scrolling, interaction with elements);
6. Geolocation derived from the IP address (country, region, city) — without precise positioning.

The Operator does not transfer through cross-border transfer:

• the Data Subject's name, surname or patronymic;
• passport or identification document data;
• contents of forms filled out by the user (login, password, phone number, content of enquiries, content of reviews);
• payment data;
• contents of messages or other user materials;
• special categories of personal data (GDPR Art. 9);
• biometric data.

4. Recipients of personal data outside the Russian Federation

The Data Subject consents to the transfer of personal data specified in Section 3 to the following foreign recipient:

Google LLC

• Name: Google LLC
• Country of establishment: United States of America
• Address: 1600 Amphitheatre Parkway, Mountain View, California 94043, USA
• Services used:
  • Google Analytics — web analytics service;
  • Google Tag Manager — tag management service.
• Purpose of transfer: web analytics of Site traffic, tag management on the Site, improvement of Site operation.
• Country category (Russian law): state not included in the list of foreign countries providing adequate protection of data subjects' rights approved by Roskomnadzor.
• Country status (GDPR): the United States is a third country. Transfer to the US is, where applicable, made on the basis of the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795) and the Data Subject's explicit consent under GDPR Art. 49(1)(a).
• Protection measures applied by the recipient: Google LLC declares compliance with international data protection principles, including the General Data Protection Regulation of the European Union (GDPR) and the California Consumer Privacy Act (CCPA). Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Google LLC is certified under ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 2, SOC 3. Detailed information on Google LLC's data processing practices is available at https://policies.google.com/privacy.

5. Purposes of cross-border transfer

Cross-border transfer of the Data Subject's personal data is carried out for the following purposes:

1. Collection and analysis of anonymised statistics on Site traffic.
2. Management of tags and scripts on the Site for purposes of its operation and improvement.
3. Optimisation of Site operation, improvement of quality and convenience of its use.

Cross-border transfer of the Data Subject's personal data for marketing, advertising or other commercial purposes unrelated to Site operation is not carried out on the basis of this Consent.

6. Legal basis for cross-border transfer

The legal basis for cross-border transfer of the Data Subject's personal data is:

• this Consent of the Data Subject to cross-border transfer of their personal data (Article 12(4)(1) of the Russian Personal Data Law; GDPR Art. 49(1)(a), where applicable — explicit consent to international transfer after being informed of the possible risks);
• the Operator's notice to Roskomnadzor of its intent to carry out cross-border transfer of personal data, submitted in the manner provided by Article 12(5) of the Russian Personal Data Law.

7. Actions performed on personal data

The Data Subject consents to the performance of the following actions on their personal data in the framework of cross-border transfer:

transfer (provision) of personal data to the foreign recipient specified in Section 4, as well as subsequent collection, recording, systematisation, accumulation, storage, use, deletion and destruction of personal data by that recipient in accordance with the purposes specified in Section 5.

Processing is carried out by automated means, with transmission over the Internet using a secure connection with encryption (TLS).

8. Duration of consent

This Consent is effective from the moment it is provided by the Data Subject and remains in force until withdrawn by the Data Subject in one of the ways set out in Section 9.

If the Data Subject deletes their account on the Site (for Registered Users) or expressly declines the use of analytical cookies, this Consent is also deemed withdrawn.

9. Rights of the Data Subject. Withdrawal of Consent

The Data Subject has the right to:

1. Withdraw this Consent at any time without any adverse consequences for their ability to use the Site, in one of the following ways:

   • by changing their preferences in the cookie information interface on the Site (the "Necessary cookies only" button or equivalent);
   • by deleting cookies through their browser settings;
   • by sending a written notice to the Operator at support@maombi.com.

2. Obtain information about cross-border transfer of their personal data, including information about the actual or intended transfer, by sending a request to the Operator.

3. Request termination of cross-border transfer of their personal data on the grounds provided by the Russian Personal Data Law or applicable law.

4. Appeal the actions or omissions of the Operator to the Russian regulator Roskomnadzor, or, where applicable, to the competent supervisory authority of the European Union Member State of their habitual residence, place of work or place of the alleged infringement (GDPR Art. 77); or in court.

Upon receipt of a withdrawal notice, the Operator will cease cross-border transfer of the Data Subject's personal data within a period not exceeding 10 (ten) business days from receipt of the notice.

After withdrawal of Consent, the Operator cannot guarantee the deletion by the foreign recipient of personal data previously transferred, the processing of which is carried out by such recipient as an independent controller in accordance with its own policies. Information on the recipient's data deletion procedure is contained in its privacy policy at the address specified in Section 4.

10. Information about risks of cross-border transfer

The Data Subject confirms that they are aware that:

1. Foreign countries may provide a level of protection of data subjects' rights different from the level established by the laws of the Russian Federation or by the GDPR.

2. The United States of America is not included in the list of foreign countries providing adequate protection of data subjects' rights approved by Roskomnadzor.

3. Although the European Commission has adopted an adequacy decision in respect of the United States under the EU-US Data Privacy Framework (Commission Implementing Decision (EU) 2023/1795), the protection of personal data in the US under that framework is more limited than under the GDPR. The European Court of Justice has historically invalidated previous frameworks (Safe Harbour, Privacy Shield), and the validity of the current framework may be subject to challenge.

4. Authorities of foreign countries (including national security and law enforcement agencies of the United States) may, in accordance with their national law, request access to personal data transferred to that country, in some cases without prior notice to the data subject and without effective rights of redress equivalent to those provided under European or Russian law.

5. After cross-border transfer of personal data to the foreign recipient, the application of protective measures provided by the laws of the Russian Federation or the GDPR may be limited.

6. The Operator does not bear responsibility for the actions of the foreign recipient of personal data carried out by such recipient as an independent controller in accordance with the laws of the country of its establishment.

Notwithstanding the foregoing, the Data Subject confirms their free, conscious and voluntary consent to cross-border transfer of personal data in the scope and for the purposes specified in this Consent.

11. Confirmations and statements of the Data Subject

By marking the consent checkbox, the Data Subject confirms that:

1. They are a natural person who has reached the age of 18 and has full legal capacity.
2. They have read and agree to the Operator's Privacy Policy, available at https://maombi.com/pages/privacy-policy/.
3. They have read the privacy policy of the foreign recipient specified in Section 4 and understand the conditions of personal data processing by that recipient.
4. This Consent is provided freely, by their own will and in their own interest.
5. They understand the content of the action being taken, its legal consequences, including the risks specified in Section 10.
6. Consent is provided separately from any other consents and documents signed or confirmed by the Data Subject, in accordance with Article 9(1) of the Russian Personal Data Law.
7. Where applicable, this constitutes the Data Subject's explicit consent under GDPR Art. 49(1)(a) to international transfer of personal data to the United States after having been informed of the possible risks of such transfers.

12. Final provisions

The Operator may amend this Consent, including in connection with changes in the list of foreign recipients or categories of data transferred. The current version of the document is published on the Site at https://maombi.com/pages/pdn-tgp/.

In the event of material changes (changes to the list of recipients, countries of transfer, categories of data transferred or purposes of transfer), the Operator will request Consent from the Data Subject again. Until new Consent is obtained, cross-border transfer in the new scope will not be carried out.

For matters not regulated by this Consent, the relationship between the Data Subject and the Operator is governed by the Operator's Privacy Policy and the laws of the Russian Federation, and, where applicable, by the GDPR.