Marinion International OÜ, Järvevana tee 9, Tallinn, 11314, Estonia, Registry code (EE): 17372214, as the operative company and franchising entity of MARINION INTERNATIONAL™ (hereinafter: the Company), hereby establishes and adopts the following Privacy Policy.

1. GENERAL PROVISIONS

1.1 This Privacy Policy explains how the MARINION INTERNATIONAL™ brand network collects, uses, discloses, and processes the personal data of its Service Providers, Clients, prospective Clients, and website Visitors (collectively, Data Subjects), in accordance with the General Data Protection Regulation (GDPR).

1.2 The MARINION INTERNATIONAL™ brand network consists of the Company and the independent franchised or licensed Service Providers, i.e. legal entities or individual consultants, each of which is a legally separate and independent person or entity, with whom the Client contracts. Accordingly, both the Company and the Service Providers are bound by the provisions of this Privacy Policy.

1.3 For the purposes of this Privacy Policy, the Clients or Data Subjects, are strictly defined as natural persons whose personal data is collected and/or processed by the Company or a Service Provider, including but not limited to individual clients, corporate representatives, and third parties involved in the provision of services.

1.4 The role of the Company in the MARINION INTERNATIONAL™ brand network is primarily of administrative and franchising nature. Operatively, the Company may act as a Service Provider in specific engagements, and in such instances, all provisions of Section 3 shall apply to the Company accordingly, in addition to Section 2 of this Privacy Policy.

1.5 This Privacy Policy applies to all data processing activities related to the provision of Business Consulting and Conciliation services provided by the MARINION INTERNATIONAL™ brand network, including data collected via the website www.marinionint.com (hereinafter: the Site) and during the execution of any Services Contract. 

1.6 For details on Site tracking technologies, please see the separate Cookie Policy. The Cookie Policy is hereby incorporated into this Privacy Policy by reference, and constitutes an integral part hereof.

1.7 The Company and the Service Providers are independently committed to protecting your privacy under this Privacy Policy as a common transparency framework.

1.8 The Company and each Service Provider act as INDEPENDENT DATA CONTROLLERS. They do not process data jointly. Each entity, meaning the Company or any particular Service Provider, is exclusively responsible for its own data processing activities and shall be liable only for its own acts or omissions. The Company is the controller for brand-wide administration, while the individual Service Provider is the sole controller for the substantive execution of specific contractual Client files and data.

1.9 Data may be transferred outside the EEA. Such international transfers are protected by Adequacy Decisions, the EU-U.S. Data Privacy Framework, or Standard Contractual Clauses (SCCs) with supplementary security measures (TIA).

1.10 Data Subjects, under GDPR, have the following rights regarding their personal data: right of access, right to rectification, right to erasure, right to restriction of processing, right to data portability, right to object, right to withdraw consent, and right to lodge a complaint with a competent data protection authority, as well as any other rights explicitly granted by GDPR and/or applicable law. Data Subjects have the right to withdraw their consent for personal data processing at any time.

1.11 When processing personal data, sensitive data, and confidential data, appropriate technical and organizational measures (TOMs) are implemented to protect personal data from loss, unauthorized access, disclosure, alteration, and destruction, including, but not limited to, data encryption, access controls, and regular data backup procedures.

1.12 In order to prevent unauthorized personal data disclosure, before any specific engagement with any Service Provider, the Client may request the Company to confirm whether the particular Service Provider has good standing, i.e. a valid franchise or license status with the MARINION INTERNATIONAL™ brand network. Such requests and the Company’s response shall be governed by Section 11. NOTICES AND COMPLAINTS of the General Terms of Service (TOS).

2. PROVISIONS SPECIFIC TO THE COMPANY

2.1 The Company collects and processes personal data of Data Subjects based on the following legal grounds:

A. Contractual Necessity

Processing of this data is necessary for the performance required per Client’s request, before or after entering into any particular Services Contract.

Purpose of such data processing: communication, presenting the Client’s request to the relevant Service Providers, establishing the connection between the Client and the Service Providers, entering into and performance of contracts, deliveries subject to contracts, billing and invoicing.

Categories of data processed are: contact and identification data (including: name, surname, e-mail address, telephone number, position within the company or entity, address, personal identification number, date of birth, place of birth, identification document number, identification document issuer, identification document validity period), and other specific case or contract required data (including: credentials, references, proof of facts).

B. Legal Obligation

Processing of this data is necessary for compliance with legal obligations to which the Company is subject.

Purpose of such data processing: fulfillment of accounting, tax reporting, anti-money-laundering, and other legal obligations.

Categories of data processed: identification data (including: tax number, information on tax residency), financial and transaction data (including: quotes, invoices, payment history, bank account details, source of funds information), other data specifically required by law in specific cases.

C. Legitimate Interest

Processing of this data is necessary for the purposes of the legitimate interests pursued by the Company or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject. The Company may also collect such personal data from publicly available sources (OSINT), such as professional social networks, commercial registries, and public databases. The Company may also use artificial intelligence (AI) tools for such data processing.

Purpose of such data processing: ensuring Site security, credibility and functionality, diagnostics of technical errors, due diligence and professional verification of Service Providers and Clients, verifying the identity and authority of Client representatives, market analysis, case analysis, management of professional and legal risks related to services and Client requests, internal optimization, translation of documents and communications, research, and improving service quality.

Categories of data processed: technical and logging data (including: IP address, web browser type, device information, server log data), case-specific data (including: conflict-of-interest checks and strategic analysis data), verification data, professional & public profile data (including: professional titles, employment history, certifications, public identifiers, ownership data, personal connections, and other relevant data found in commercial registries and other public registries, or via professional networks, including data obtained by exercising the right of access to information).

D. Consent

The Company will process this personal data only upon the Data Subject’s explicit written consent.

Purpose of such data processing: marketing and sending professional updates (including: newsletters, subscriptions, marketing materials, preferences), publishing (including: publishing on Site, other websites and social media platforms, creation and public distribution of materials and promotional materials).

Categories of data processed: contact and identification data (including: name, surname, e-mail address, telephone number, position within the company or entity, professional title, address, date of birth, place of birth), photographs and/or other images depicting the Data Subject, education and professional CV (including: credentials, CV in any form), other voluntarily delivered personal data.

2.2 The Company shall collect and process Data Subjects’ personal data only to the reasonable and necessary extent, in the scope required, and shall retain such personal data for no longer than necessary for the purposes for which it was collected (or as required by law), including statutory limitation periods for legal claims and compliance with financial/tax reporting obligations, for each individual case of Company engagement, adhering to the principles of data minimization and storage limitation. Personal data processed on consent basis is retained until the Data Subject withdraws their consent or requests erasure.

2.3 The Company may share personal data with the following categories of recipients:

a) Service Providers (MARINION INTERNATIONAL™ brand network)

When data sharing is necessary for the performance of specific Data Subject’s requests, negotiating, entering into or performance of a contract, or upon legal obligation. Service Providers are bound by confidentiality agreements with the Company.

b) IT and web-hosting providers, legal and financial advisors, banks and financial institutions, public authorities

When utilizing cloud or web-based storage, utilizing online communication, exercising the rights or fulfilling financial, contractual and/or legal obligations of the Company.

c) AI processing tools

Personal data may be processed using AI tools, including Google AI services, for purposes including: internal operational optimization, translation of documents and communications, research, and improving service quality. The Company maintains human oversight over all AI-generated outputs to ensure professional integrity. The Company ensures strict processing agreements are in place with providers of used AI tools.

d) Other institutions, public and private entities

Personal data may be shared with third parties, institutions, public and private entities, when it is necessary for the performance required per Client’s request and/or contract, when required by law, for the purpose of internal research and/or due diligence, or when other legitimate interests are pursued.

2.4 The Company shall receive any inquiries, questions about the role of the Company per this Privacy Policy, as well as receive any Data Subjects’ requests to exercise their Data Subjects’ rights, exclusively via e-mail address: info@marinionint.com.

3. PROVISIONS SPECIFIC TO THE SERVICE PROVIDERS

3.1 The Service Providers act as independent professionals within the MARINION INTERNATIONAL™ brand network. According to this Privacy Policy, the Service Providers are independent data controllers. This Privacy Policy sets the general standards for personal data processing the Service Providers must adhere to. Since the Service Providers may operate internationally, in different jurisdictions, and may provide substantially different services, each Service Provider is permitted to establish and adopt its own individual policy on data processing, whether as a general document or implemented into specific Services Contract with any particular Client, in order to comply with the applicable laws and regulations, as well as professional standards. It is the sole Service Provider’s duty to inform the Client of any applicable policy on data processing that differs from this Privacy Policy. Each Service Provider is independently responsible and liable for its compliance with the applicable laws and regulations concerning data processing, as well as compliance with this Privacy Policy.

3.2 The Service Providers may collect and process personal data of Data Subjects based on the following legal grounds:

A. Contractual Necessity

Processing of this data is necessary for the performance required per Client’s request, before or after entering into any particular Services Contract.

Purpose of such data processing: communication, acting upon the Client’s request, establishing the connection between the Client and the Service Providers, entering into and performance of contracts, deliveries subject to contracts, billing and invoicing.

Categories of data processed are: contact and identification data (including: name, surname, e-mail address, telephone number, position within the company or entity, address, personal identification number, date of birth, place of birth, identification document number, identification document issuer, identification document validity period), and other specific case or contract required data (including: credentials, references, proof of facts, and substantive data required for specific contractual service and/or case execution).

B. Legal Obligation

Processing of this data is necessary for compliance with legal obligations to which the Service Provider is subject.

Purpose of such data processing: fulfillment of accounting, tax reporting, anti-money-laundering, service and/or case specific, and other legal obligations.

Categories of data processed: identification data (including: tax number, information on tax residency), financial and transaction data (including: invoices, payment history, bank account details, source of funds information), service and/or case specific data (including: conciliation case-related and procedural legally required data), other data specifically required by law in specific cases.

C. Legitimate Interest

Processing of this data is necessary for the purposes of the legitimate interests pursued by the Service Provider or a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject. The Service Providers may also collect such personal data from publicly available sources (OSINT), such as professional social networks, commercial registries, and public databases. The Service Providers may use artificial intelligence (AI) tools for such data processing.

Purpose of such data processing: ensuring data security, credibility and functionality, diagnostics of technical errors, due diligence and professional verification of Clients, verifying the identity and authority of Client representatives, market analysis, case analysis, management of professional and legal risks related to services and Client requests, internal optimization, translation of documents and communications, research, and improving service quality.

Categories of data processed: technical and logging data (including: IP address, web browser type, device information, server log data), case-specific data (including: conflict-of-interest checks and strategic data analysis, substantial service and/or case related data), verification data, professional & public profile data (including: professional titles, employment history, certifications, public identifiers, ownership data, financial data, personal connections, and other relevant data found in commercial registries and other public registries, or via professional networks, including data obtained by exercising the right of access to information).

D. Consent

The Service Provider may process this personal data only upon the Data Subject’s explicit written consent.

Purpose of such data processing: marketing and sending professional updates (including: newsletters, subscriptions, marketing materials, preferences), publishing (including: publishing on websites and social media platforms, creation and public distribution of promotional materials).

Categories of data processed: contact and identification data (including: name, surname, e-mail address, telephone number, position within the company or entity, professional title, address, date of birth, place of birth), photographs and/or other images depicting the Data Subject, education and professional CV (including: credentials, CV in any form), other voluntarily delivered personal data.

3.3 The Service Providers shall collect and process Data Subjects’ personal data only to the reasonable and necessary extent, in the scope required, and shall retain such personal data for no longer than necessary for the purposes for which it was collected (or as required by law), including statutory limitation periods for legal claims and compliance with financial/tax reporting obligations, for each individual case of Service Provider engagement, adhering to the principles of data minimization and storage limitation. Personal data processed on consent basis is retained until the Data Subject withdraws their consent or requests erasure.

3.4 The Service Providers may share personal data with the following categories of recipients:

a) The Company and other Service Providers (MARINION INTERNATIONAL™ brand network)

When data sharing is necessary for the performance of specific Data Subject’s requests, negotiating, entering into or performance of a contract, or upon legal obligation. Service Providers are bound by confidentiality agreements with the Company, and each joint venture for provision of services by any two or more Service Providers must be authorized by the Company in order to prevent franchise violations and ensure responsible data use. In case of a joint venture for provision of services by any two or more Service Providers, each Service Provider is considered as independent data controller with limited access to personal data (need-to-know basis only), bound by the terms of this Privacy Policy. The Service Providers shall not request nor share data exceeding the need-to-know level.

b) IT and web-hosting providers, legal and financial advisors, banks and financial institutions, public authorities

When utilizing cloud or web-based storage, utilizing online communication, exercising the rights or fulfilling financial, contractual and/or legal obligations of the Service Provider.

c) AI processing tools

Personal data may be processed using AI tools, including Google AI services, for purposes including: internal operational optimization, translation of documents and communications, research, and improving service quality. The Service Providers must maintain human oversight over all AI-generated outputs to ensure professional integrity. The Service Providers must ensure strict processing agreements are in place with providers of used AI tools. If AI processing tools other than those listed herein are being used by a specific Service Provider, those must be listed within that Service Provider’s individual policy on data processing, accordingly to Article 3.1. of this Privacy Policy.

d) Other institutions, public and private entities

Personal data may be shared with third parties, institutions, public and private entities, when it is necessary for the performance required per Client’s request and/or contract, when required by law, for the purpose of internal research and/or due diligence, or when other legitimate interests are pursued.

3.5 The Service Providers shall make available for the Data Subjects, and for the Company, to directly submit any inquiries, questions, and requests to exercise Data Subjects’ rights, by regular means of communication with the specific Service Provider, or by other means of communication, of which the Service Providers must inform the Data Subjects and the Company. The Company is not obliged to act upon inquiries, questions, and requests regarding Service Providers, but if received, it may forward such to the Service Provider concerned, without any warranty or liability on the part of the Company.

4. FINAL PROVISIONS

4.1 This Privacy Policy is drafted equally in both English and Croatian language. In the event of any language dispute regarding the content of this Privacy Policy, the English language version shall prevail.

4.2 The Company reserves the right to amend this Privacy Policy at any time. Any changes will be posted on the Site, and become effective immediately upon publication, unless a later date has been set.

4.3 Adopted and effective as of the date designated herein, this Privacy Policy constitutes the governing document for data processing standards across the brand network, fully superseding and replacing any prior acts or policies on this subject matter. This Privacy Policy constitutes an integral part of, and is incorporated by reference into, the General Terms of Service (TOS).

4.4 This Privacy Policy will be made publicly available on the Site, without delay.

In Tallinn, this 14 March 2026.

Marinion International OÜ

Original document download link.