Data Retention and Deletion Policy

This Data Retention and Deletion Policy (the "Policy") explains how long personal data is kept and how it is securely deleted or anonymized within the Premium Auto Bid platform. "Premium Auto Bid" is a trading brand operated by Premium Logistics SHPK, a limited liability company (shoqëri me përgjegjësi të kufizuar) registered in the Republic of Albania with the National Business Center (QKB), NUIS/NIPT M53004202C, with its registered office at Rruga "Dubai", Lagjia nr. 2, cadastral zone 2066, property no. 89/38, 4-storey building, 2nd floor, Entrance 1, Kamëz, Tirana, Albania ("we", "us", "our", or the "Company").

The For matters relating to this Policy, the controller of your personal data is Premium Logistics SHPK.

This Policy is effective from 4 June 2026 and was last updated on 4 June 2026. It applies to all personal data we process about visitors, registered users, customers, and other individuals in connection with the Premium Auto Bid website (premlogistics.com) and related services across the markets we serve: Albania, Kosovo, North Macedonia and Montenegro.

Premium Auto Bid is an independent vehicle sourcing, bidding and import-support platform that helps customers discover Copart auction vehicles, place bids on Copart in real time through the Copart API after identity verification, Member Terms acceptance and deposit approval, and coordinate purchase, transport, customs and import support. This Policy governs the lifecycle of data only; the categories of data we collect and the purposes and legal bases for processing are described in our Privacy Policy.

Premium Auto Bid places customer bids on Copart in real time through the Copart API, after the customer completes identity verification, accepts the Member Terms and has an approved deposit. It is independent and is not owned by, operated by, endorsed by, or officially affiliated with Copart, Inc., and is not an official Copart partner. Copart and the Copart logo are trademarks of Copart, Inc. The specific vehicles shown in the sample listings on the platform are clearly-labelled demonstration samples, are not real Copart lots, and are not biddable.

This Policy should be read together with our Privacy Policy, Cookie Policy, AML/CFT Policy, KYC Policy and Data Security Policy. Where this Policy and the Privacy Policy address the same subject, the more specific provision governs the relevant point.

We retain personal data only for as long as is necessary for the purposes for which it was collected, or for as long as we are required to keep it to comply with a legal, regulatory, accounting or reporting obligation, or to establish, exercise or defend legal claims. When none of those grounds continues to apply, we delete the data or render it permanently anonymous.

Our approach reflects the storage-limitation, data-minimization and accountability principles of Albanian Law no. 9887 dated 10.03.2008 'On the Protection of Personal Data' (as amended) and, where applicable, the EU General Data Protection Regulation (GDPR).

How we set retention periods

We determine an appropriate retention period for each category of data by weighing the following factors:

• the purpose for which the data was collected and whether that purpose can still be achieved by other means;
• the amount, nature and sensitivity of the data and the potential risk of harm from unauthorized use or disclosure;
• any statutory minimum retention period, in particular under anti-money-laundering, tax and accounting law;
• any applicable limitation period during which a legal claim may be brought against or by us;
• whether the data is subject to a legal hold or to an ongoing or anticipated investigation, dispute or regulatory request; and
• whether the purpose can be met with anonymized or aggregated data instead of identifiable data.

Retention periods are governed by an internal retention schedule that the Company maintains and reviews periodically. The schedule below sets out the principal categories and the periods we apply. Where a precise period cannot be fixed in advance, we state the criteria we use to determine it.

The periods below are general retention periods. A specific item of data may be kept for longer where an overriding legal obligation or an active legal hold applies (see Section 6), or deleted earlier where it is no longer needed and no obligation requires its retention. Periods are normally measured from the triggering event identified for each category.

Account and profile data

Account registration details, profile information, contact details, login identifiers, account preferences and the audit log of actions taken in your account are retained for the duration of your registered relationship with us and, after the account is closed, for up to twenty-four (24) months, in order to handle post-closure queries, finalize any open matters and defend potential claims. After that period the account data is deleted or anonymized, except where a longer period applies under another category below (for example KYC/AML records or financial records).

Identity verification (KYC) and AML records

Identity verification (KYC) documents and data, customer due diligence and enhanced due diligence records, sanctions and politically-exposed-person screening results, source-of-funds information, bid-eligibility decisions, and records of any suspicious-activity assessment or report are retained for at least five (5) years after the end of the business relationship or, where relevant, after the date of an occasional transaction, in line with Albanian Law no. 9917 dated 19.05.2008 'On the Prevention of Money Laundering and Financing of Terrorism' (as amended).

Where the competent authority, including the General Directorate for the Prevention of Money Laundering (the Albanian Financial Intelligence Unit), lawfully requires a longer retention period, or where the records are relevant to an ongoing investigation or proceeding, we retain the records for the longer period required. KYC/AML records are held for legal-compliance purposes and are not deleted on user request before the applicable statutory period has elapsed (see Section 6).

Transaction and financial records

Records of deposits and balances (held in USD; $750 standard or 10% for vehicles over $7,500), operator-confirmed payment records, uploaded proof of payment, invoices, receipts, refund records, ledger entries and related accounting documentation are retained for the period required by applicable Albanian tax and accounting law, which is generally no less than five (5) years, and longer where a specific obligation or limitation period requires it. Inbound payments are operator-confirmed (bank transfer in USD/EUR, or cash in ALL at the Tirana office); the associated verification records follow the same retention rule.

Communications and support records

Correspondence with us (including emails to our published addresses, support tickets, in-platform messages, and bidding and transaction enquiries) is retained for up to thirty-six (36) months from the last interaction, or for longer where the communication forms part of a transaction file, a KYC/AML record, or a matter under legal hold, in which case the retention period of that underlying record applies.

Marketing-consent records

Where you have consented to receive marketing communications, we keep a record of that consent (and of any later withdrawal) for as long as we send you those communications and for up to twenty-four (24) months after you withdraw consent or otherwise become inactive, so that we can demonstrate the lawful basis of our past communications and honour your opt-out. The underlying contact details used for marketing are removed from active marketing lists promptly upon withdrawal of consent.

Cookies and similar technologies

Information collected through cookies and similar technologies is retained for the lifespan of the relevant cookie or for the period described in our Cookie Policy, whichever is shorter. Cookie-consent records are kept for up to twenty-four (24) months so that we can evidence the choices you made. Server and security logs are retained for up to twelve (12) months unless a longer period is needed to investigate a security incident or to comply with a legal obligation.

Legal, dispute and compliance files

Where personal data is contained in a file relating to a complaint, dispute, claim or regulatory matter, we retain that data until the matter is finally resolved and for the duration of any applicable limitation period thereafter, so that we can establish, exercise or defend legal claims before the competent courts of Tirana.

When a retention period ends and no other ground requires continued retention, the relevant personal data is either securely deleted or irreversibly anonymized. Anonymized data, from which an individual can no longer be identified directly or indirectly, is no longer personal data and may be retained and used for statistical, analytical or operational purposes without the limits set out in this Policy.

1. Identify: data approaching the end of its retention period is identified by reference to the internal retention schedule and the triggering event for its category.
2. Check for holds: before deletion, we verify that the data is not subject to a legal hold, an open transaction, an unresolved dispute, or an outstanding legal or regulatory obligation.
3. Delete or anonymize: data clear of any hold or obligation is securely deleted from active systems, or irreversibly anonymized where retaining anonymized data serves a legitimate purpose.
4. Propagate: deletion or anonymization is extended to copies held across our active production systems and, on the applicable cycle, to backups (see Section 7).
5. Instruct processors: we instruct our service providers acting as processors to delete or return the relevant data in accordance with their contractual obligations.
6. Record: we keep a proportionate internal record of deletion and anonymization activities to demonstrate compliance, without retaining the deleted personal data itself.

Secure deletion is carried out using methods appropriate to the medium and sensitivity of the data, so that the data cannot reasonably be reconstructed. Where data is held by a processor on our behalf, deletion is effected in accordance with our written instructions and the data-processing terms agreed with that processor.

Anonymization is irreversible: once data is anonymized we cannot re-identify the individual concerned, and we therefore cannot use anonymized data to respond to a later request to access, correct or delete personal data.

Subject to applicable law, you may ask us to delete personal data we hold about you, and you may also exercise your other data-protection rights (such as access, rectification, restriction, objection and, where applicable, portability). The rights themselves, and how to exercise them, are described in full in our Privacy Policy; this section explains how deletion requests interact with our retention obligations.

To make a deletion request, contact us at privacy@premlogistics.com. We may need to verify your identity before acting on a request, in order to protect your data and prevent unauthorized deletion. We will respond within the period required by applicable law and, where we cannot fully comply, we will explain why.

When we will delete data

We will delete or anonymize personal data on request where there is no remaining legal ground to keep it, for example where the data is no longer necessary for the purpose for which it was collected, where you withdraw the consent on which processing was based and no other basis applies, or where you successfully object to processing and no overriding legitimate or legal ground exists.

When we may keep data despite a deletion request

We may be unable to delete some or all of your data where we are required or permitted by law to keep it. In particular, we will retain data where:

• retention is required to comply with a legal obligation, including KYC/AML record-keeping under Albanian Law no. 9917 dated 19.05.2008 and tax and accounting obligations;
• the data is needed to establish, exercise or defend legal claims, including before the competent courts of Tirana;
• the data is subject to a legal hold, or to an ongoing or anticipated investigation, dispute or regulatory request (see Section 6);
• deletion would prejudice the rights and freedoms of others; or
• retention is otherwise permitted or required by applicable law.

A deletion request does not override mandatory record-keeping. For example, identity-verification and anti-money-laundering records are kept for at least five years after the end of the business relationship even if you ask us to delete your account, because the law requires us to retain them.

Where we cannot delete data immediately, we will restrict its processing so that it is kept only for the permitted purpose (for example, legal compliance or defence of claims) and is not used for any other purpose, and we will delete it once the relevant period or hold ends. Closing your account does not by itself delete data that we are required to retain.

A legal hold is a temporary suspension of normal deletion that we apply when personal data may be relevant to an actual or reasonably anticipated legal claim, dispute, audit, regulatory inquiry, sanctions matter or investigation. While a legal hold is in place, the affected data is preserved and excluded from routine deletion, even if its ordinary retention period has expired, and even where a deletion request has been received.

We may also retain or disclose personal data beyond ordinary periods where this is necessary to comply with a binding legal obligation or a lawful request from a competent authority, including the Information and Data Protection Commissioner of Albania (IDP), the General Directorate for the Prevention of Money Laundering (the Albanian Financial Intelligence Unit), tax authorities, courts, or other supervisory or law-enforcement bodies, and to give effect to applicable UN, EU and US (OFAC) sanctions frameworks and applicable anti-corruption laws.

When the matter giving rise to a legal hold is resolved and no other ground for retention remains, the affected data is returned to the normal retention and deletion cycle and is deleted or anonymized accordingly.

We keep encrypted backups of our systems for disaster-recovery, business-continuity and integrity purposes. Backups are kept separate from live systems and are retained only for a limited backup-retention period before being overwritten or securely destroyed in the ordinary backup cycle.

When we delete or anonymize personal data from our active systems, that data may persist in backups until the relevant backup is rotated out and destroyed in the normal cycle. During that interval, backup data is access-controlled and is not used for ordinary operational purposes; it is restored only where strictly necessary, for example to recover from a system failure.

If a backup containing data that should have been deleted is restored for any reason, we re-apply the deletion or anonymization to the restored data so far as practicable, unless an overriding legal obligation or legal hold then requires its retention.

Some personal data is processed on our behalf by service providers acting as processors (for example, hosting, infrastructure and communications providers). We require those providers, by contract, to process personal data only on our documented instructions, to apply appropriate security measures, and to delete or return the data at the end of their engagement, subject to any retention they are independently required by law to maintain.

Where personal data is transferred outside Albania or the European Economic Area, we take steps to ensure an adequate level of protection in accordance with applicable Albanian data-protection law and, where relevant, the GDPR. The categories of recipients and the safeguards applied to international transfers are described in our Privacy Policy. This Policy governs how long such data is retained by us and by our processors.

Vehicle and lot information presented on the platform originates from third-party auction sources, and any sample listings are clearly-labelled demonstration samples shown for illustration only. Such information is not personal data about you and is outside the scope of this Policy, save where it is incorporated into your account records, a bid request or a transaction file, in which case the relevant retention period for that record applies.

Vehicles are ultimately sold as-is by third-party auction sources. Premium Auto Bid does not guarantee the condition, title, mileage, damage, history, availability, auction outcome, or shipping or customs timelines of any vehicle, and no outcome is guaranteed. Premium Auto Bid places customer bids on Copart in real time through the Copart API; the auction result, however, is determined by Copart and is outside our control.

We may update this Policy from time to time to reflect changes in our services, our retention practices, or applicable legal and regulatory requirements. When we make a material change, we will update the "Last updated" date above and, where appropriate, provide a more prominent notice.

The version of this Policy published on premlogistics.com at any given time is the version that applies. We encourage you to review this Policy periodically. Your continued use of the platform after an update takes effect indicates that you have read and understood the updated Policy.

If you have any questions about this Policy, our retention periods, or a request to delete your personal data, please contact our data-protection function (DPO) at privacy@premlogistics.com. General privacy matters may also be addressed to this address.

• Data protection / DPO: privacy@premlogistics.com
• Legal: legal@premlogistics.com
• Compliance: compliance@premlogistics.com
• General support: support@premlogistics.com
• General enquiries: info@premlogistics.com

Postal address: Premium Logistics SHPK, Rruga "Dubai", Lagjia nr. 2, cadastral zone 2066, property no. 89/38, 4-storey building, 2nd floor, Entrance 1, Kamëz, Tirana, Albania. This Policy is governed by the laws of the Republic of Albania, and the competent courts of Tirana have jurisdiction over any dispute arising from it.

You also have the right to lodge a complaint with the Information and Data Protection Commissioner of Albania (IDP) if you believe that our processing of your personal data infringes applicable data-protection law.