Know Your Customer (KYC) Policy

This Know Your Customer Policy (the "Policy") describes the identity-verification and customer due-diligence framework applied by Premium Logistics SHPK, a limited liability company (shoqëri me përgjegjësi të kufizuar) incorporated and registered in the Republic of Albania, trading under the brand "Premium Auto Bid" ("Premium Auto Bid", "we", "us" or "our"). Premium Logistics SHPK is registered with the National Business Center (Qendra Kombëtare e Biznesit, QKB) under NUIS/NIPT M53004202C, with its registered office at Rruga "Dubai", Lagjia nr. 2, cadastral zone 2066, property no. 89/38, 4-storey building, 2nd floor, Entrance 1, Kamëz, Tirana, Albania.

This Policy is effective from 4 June 2026 and was last updated on 4 June 2026. It applies to every natural or legal person who registers for, requests, or uses the services of Premium Auto Bid, including persons resident or established in the markets we serve: Albania, Kosovo, North Macedonia and Montenegro.

Premium Auto Bid is an independent vehicle sourcing, bidding and import-support platform. We help our customers discover Copart auction vehicles, place their bids on Copart in real time through the Copart API after identity verification and deposit approval, and coordinate purchase, transport, customs and import support. This Policy governs how we establish and verify who our customers are; it should be read together with our Member Terms, Privacy Policy, Data Security Policy and Data Retention Policy, as well as our Anti-Money Laundering (AML), Sanctions and Anti-Corruption policies, each of which forms part of our overall compliance framework.

Premium Auto Bid is the trading brand of Premium Logistics SHPK. It is an independent platform and is not owned by, operated by, endorsed by, or officially affiliated with Copart, Inc. Copart and the Copart logo are trademarks of Copart, Inc. Premium Auto Bid places customer bids on Copart in real time through the Copart API; it is not an official Copart partner. Any vehicle inventory shown as a sample is clearly labelled demonstration/sample data shown for illustration only; such sample listings do not represent real Copart lots and are not available for bidding.

The purpose of this Policy is to set out the procedures by which Premium Auto Bid identifies and verifies its customers and assesses the risk associated with each customer relationship before and during the placing of bids on Copart and the provision of import-support services. Robust customer due diligence protects our customers, our staff, our counterparties and the integrity of the auction and import ecosystem in which we operate.

Our objectives

• To confirm, to a reasonable degree of assurance, that each customer is who they claim to be, and that legal-entity customers are validly constituted and properly represented.
• To prevent the use of our services for money laundering, the financing of terrorism, sanctions evasion, fraud, identity theft or any other unlawful purpose.
• To comply with applicable Albanian law, including Law no. 9917 dated 19.05.2008 'On the Prevention of Money Laundering and Financing of Terrorism' (as amended), and to act consistently with the recommendations of the Financial Action Task Force (FATF).
• To enable us to meet our obligations under United Nations, European Union and United States (OFAC) sanctions frameworks, and our anti-corruption commitments under the Albanian Criminal Code, with principles drawn from the US Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act for international dealings.
• To support the lawful, fair and transparent processing of personal data in accordance with Albanian Law no. 9887 dated 10.03.2008 'On the Protection of Personal Data' (as amended) and, where applicable, the EU General Data Protection Regulation (GDPR).

This Policy is risk-based: the depth of verification we apply is proportionate to the money-laundering, sanctions, fraud and reputational risk presented by a given customer, transaction or pattern of activity.

Browsing the platform and viewing demonstration inventory does not by itself require identity verification. However, identity verification (KYC) and acceptance of the Member Terms are mandatory before we will place any bid on Copart on a customer's behalf, and customer due diligence is also triggered at defined deposit and transaction thresholds and by certain risk events.

Mandatory verification points

1. Before any bid is placed. A customer must complete identity verification and accept the current Member Terms before any bid is placed on Copart on their behalf. No bid is submitted to Copart on behalf of an unverified customer.
2. At deposit thresholds. Deposits and balances are handled in US dollars (USD). A standard refundable deposit of $750 applies, and a deposit of 10% of the vehicle value applies for vehicles valued over $7,500. Because all deposits and balances are operator-confirmed, KYC must be completed and approved before a deposit is accepted and before any corresponding bid is placed on Copart.
3. Before purchase coordination, transport, customs or import support. Verified customer status is a precondition for coordinating any purchase, transport, customs clearance or import on a customer's behalf.
4. On a risk- and trigger-based basis. Additional or repeated verification may be required at any time where a trigger event occurs (see Section 7).

Bidding requires verified eligibility. Once a customer has completed KYC, accepted the Member Terms and has an approved deposit, Premium Auto Bid places their bids on Copart in real time through the Copart API. No bid is placed before these prerequisites are confirmed.

The information we request depends on whether the customer is an individual or a legal entity and on the applicable due-diligence tier (see Section 6). We collect only what is necessary, adequate and relevant for identity verification and risk assessment, in line with the principle of data minimisation.

Individual customers

• Full legal name, date of birth, nationality and country of residence.
• A valid government-issued photographic identity document, such as a national identity card, biometric passport or driving licence, including its number, issuing authority and expiry date.
• Proof of current residential address dated within the period we specify at the time of the request (for example, a recent utility bill, bank statement, tax notice or official correspondence).
• Contact details, including email address and telephone number.
• Where required for enhanced due diligence, the source of the funds to be used and, where relevant, the source of wealth.

Business and other legal-entity customers

• The full legal name, legal form, registration number and registered address of the entity.
• A current company registration extract or equivalent constitutional document (for Albanian entities, a QKB extract).
• Identification of the directors and authorised representatives, together with evidence of their authority to act for the entity.
• Identification of all ultimate beneficial owners (UBOs), being the natural persons who ultimately own or control the entity, applying the ownership/control thresholds required by applicable AML law, with identity verification of each such person on the same basis as an individual customer.
• Information on the entity's business activity and, where required, the expected nature and purpose of the relationship and the source of funds.

We may also collect verification metadata generated during onboarding (for example, timestamps, the result of document checks, and screening results against sanctions and politically-exposed-person lists). We do not request payment-card data, and no third-party card processors operate in this flow; inbound payments are made by bank transfer in USD/EUR or in cash in ALL at our Tirana office and are independently confirmed by an operator against uploaded proof.

Premium Auto Bid verifies the information and documents it collects using a combination of documentary and non-documentary methods, applied proportionately to the assessed risk.

• Document authenticity checks: review of the integrity, validity and expiry of identity and address documents, including checks for signs of alteration or forgery.
• Identity matching: comparison of the data provided by the customer against the submitted documents and, where appropriate, a likeness or liveness check between the customer and the photographic identity document.
• Independent and reliable sources: corroboration against independent registers and reliable data sources where available, including the QKB for Albanian legal entities and the relevant company register for other supported jurisdictions.
• Sanctions and PEP screening: screening of customers, representatives and beneficial owners against United Nations, European Union and United States (OFAC) sanctions lists and against politically-exposed-person and adverse-media data sources, with re-screening on an ongoing basis.
• Operator review: a trained operator reviews the verification file and approves, queries or refuses the customer; verification outcomes are recorded.

Where any document is unclear, expired, inconsistent or insufficient, we will request clarification or additional documentation, and the relationship will not progress to bidding on Copart until verification is satisfactorily completed. We may use carefully selected third-party identity-verification and screening providers; any such provider acts under contract and consistently with our Privacy Policy.

We apply a tiered, risk-based approach to customer due diligence. The tier determines the scope of information collected and the intensity of verification and ongoing monitoring.

Standard (basic) due diligence

Standard due diligence applies to the general customer population and to lower-risk relationships. It includes identification and verification of the customer (and, for entities, of their representatives and beneficial owners), basic sanctions and PEP screening, and acceptance of the Member Terms before any bid is placed on Copart.

Enhanced due diligence (EDD)

Enhanced due diligence applies to higher-risk customers and situations and involves additional information, verification and senior review. EDD is applied, for example, where:

• the customer, a representative or a beneficial owner is a politically exposed person (PEP), a family member or a known close associate of a PEP;
• the customer or a connected party is established in, or the transaction involves, a higher-risk jurisdiction or a jurisdiction subject to sanctions or enhanced monitoring;
• the transaction value, deposit size or pattern of activity is unusually large or otherwise inconsistent with the customer's profile;
• the ownership or control structure of an entity is opaque or unusually complex;
• any indicator of higher money-laundering, sanctions or fraud risk is identified during onboarding or the relationship.

Enhanced due diligence may include obtaining and verifying additional identity and address documentation, establishing and corroborating the source of funds and source of wealth, obtaining senior management approval to establish or continue the relationship, and applying more frequent and more intensive ongoing monitoring.

We do not offer anonymous accounts and we do not place bids on Copart for any customer whose identity we have been unable to verify to our satisfaction, or whom we are prohibited from serving under applicable sanctions law.

Customer due diligence is not a one-off exercise. We keep the information we hold about our customers current and we monitor relationships on a risk-sensitive basis throughout their lifetime.

Periodic review

We periodically review and, where necessary, refresh the identity information and documents we hold, with the frequency determined by the customer's risk rating; higher-risk relationships are reviewed more frequently.

Trigger-based re-verification

We will re-verify a customer, in whole or in part, when a trigger event occurs, including where:

• an identity or address document we hold has expired or is about to expire;
• the customer's name, address, ownership, control structure or beneficial ownership changes;
• the customer requests a transaction or deposit above their previously assessed range or thresholds;
• activity is inconsistent with the customer's known profile or appears unusual;
• a sanctions, PEP or adverse-media match is identified through ongoing screening;
• we have any reason to doubt the accuracy or adequacy of previously obtained identification information.

Where re-verification is required, the placing of further bids on Copart, deposit acceptance or import support may be suspended until the re-verification is satisfactorily completed.

KYC information is personal data and frequently sensitive. We process it lawfully, fairly and transparently, for the specified compliance and verification purposes set out in this Policy, in accordance with Albanian Law no. 9887 dated 10.03.2008 'On the Protection of Personal Data' (as amended) and, where applicable, the EU General Data Protection Regulation (GDPR).

• We collect only the data necessary for identity verification and risk assessment, and we use it only for those purposes and for meeting our legal and regulatory obligations.
• Access to KYC data is restricted to authorised personnel on a need-to-know basis, subject to confidentiality obligations.
• We apply appropriate technical and organisational security measures to protect KYC data against unauthorised access, loss, alteration or disclosure, as further described in our Data Security Policy.
• Where we engage third-party verification or screening providers, they are bound by contract to process data only on our instructions and to maintain appropriate safeguards, including for any transfer of data outside the customer's jurisdiction.

Customers have rights in respect of their personal data, including, subject to legal limits, rights of access and rectification. These rights, the legal bases on which we rely, international-transfer safeguards and complaint routes are described in detail in our Privacy Policy. The supervisory authority for data protection in Albania is the Information and Data Protection Commissioner (IDP). For data-protection enquiries relating to KYC, contact our data protection function at privacy@premlogistics.com.

This section summarises how KYC data is protected. It must be read together with, and is supplemented by, our Privacy Policy, our Data Security Policy and our Data Retention Policy, which govern lawful bases, security controls and retention in full.

We may decline to establish or continue a customer relationship, decline to place a bid, refuse or return a deposit, or suspend or terminate services where we are required to do so by law or where doing so is necessary to manage money-laundering, sanctions, fraud or reputational risk.

Grounds for refusal or suspension

• the customer fails or refuses to provide the required information or documents, or provides information we cannot verify to our satisfaction;
• we suspect the information or documents provided are false, forged or misleading;
• the customer, a representative or a beneficial owner appears on, or is connected to a party on, an applicable sanctions list, or serving the customer would breach applicable sanctions;
• we suspect that the relationship or a transaction is connected to money laundering, terrorist financing, corruption, fraud or other unlawful activity.

Escalation and reporting

Matters that cannot be resolved at operator level are escalated to our compliance function. Where we form a suspicion that a transaction or activity is connected to money laundering or terrorist financing, we will, in accordance with Albanian Law no. 9917 dated 19.05.2008 (as amended), make the required report to the General Directorate for the Prevention of Money Laundering (the Albanian Financial Intelligence Unit) and cooperate with the competent authorities.

Where the law requires confidentiality of a report or prohibits disclosure ("tipping off"), we will comply with that requirement, and we may be unable to inform the customer of the reason for a refusal, delay or other action.

We retain customer identification and verification records, supporting documents, screening results and records of the due-diligence steps we have taken for the periods required by applicable law, and in particular for the minimum period prescribed by Albanian anti-money-laundering legislation following the end of the customer relationship or the completion of an occasional transaction.

Where personal data is no longer required to be retained for a legal, regulatory, accounting or legitimate business purpose, it is securely deleted or anonymised. Retention periods, criteria and the secure disposal of records are set out in full in our Data Retention Policy, which this Policy cross-references and does not override.

Completion of KYC confirms that we have verified a customer's identity to the standard set out in this Policy; it is not an endorsement of any vehicle, lot, transaction or outcome and does not alter the basis on which vehicles are sold.

Vehicles are sold AS-IS by third-party auction sources. Premium Auto Bid does not guarantee the condition, title, mileage, damage, history or availability of any vehicle, nor the outcome of any auction, nor any shipping or customs timeline. Deposits may be required, are handled in USD, and are separate from the final purchase payment.

Premium Auto Bid holds no certification or status it does not in fact possess. We do not represent ourselves as an official Copart partner, as a licensed motor-vehicle dealer, or as holding any particular information-security or payment-industry certification. The word "guarantee" is used in this Policy only to disclaim guarantees.

We may update this Policy from time to time to reflect changes in our services, our compliance framework, or applicable law and regulatory guidance. When we make a material change, we will revise the "Last updated" date above and, where appropriate, take additional steps to bring the change to customers' attention.

The version of this Policy published on premlogistics.com is the current version. Continued use of our services after an update takes effect constitutes acceptance of the updated Policy. We encourage customers to review this Policy periodically.

Questions about this Policy, about the verification of your identity, or about a due-diligence decision should be directed to our compliance function.

• Compliance (KYC/AML): compliance@premlogistics.com
• Data protection / DPO (KYC data and privacy rights): privacy@premlogistics.com
• General support: support@premlogistics.com
• General enquiries: info@premlogistics.com
• Legal: legal@premlogistics.com

Premium Logistics SHPK (trading as Premium Auto Bid), NUIS/NIPT M53004202C. Registered office: Rruga "Dubai", Lagjia nr. 2, cadastral zone 2066, property no. 89/38, 4-storey building, 2nd floor, Entrance 1, Kamëz, Tirana, Albania. Website: premlogistics.com. This Policy is governed by the law of the Republic of Albania, and the competent courts of Tirana have jurisdiction over any dispute arising out of or in connection with it.