SB Design Square Co., Ltd. (the "Company"), including its group companies (as defined below), attaches great importance to the protection of personal data in accordance with the Personal Data Protection Act B.E. 2562 (2019). This Privacy Policy has been prepared to inform directors, employees, and relevant personnel of the Company regarding the collection, use, disclosure ("processing") of personal data as follows:

This Privacy Policy applies to all personal data processing activities conducted by the Company, including by any person who becomes aware of such personal data through their involvement in the Company's operations, and who must comply with this policy and applicable legal requirements.

"Data Controller" means a person or juristic person with the authority to make decisions regarding the collection, use, or disclosure of personal data.

"Data Processor" means a person or juristic person that collects, uses, or discloses personal data on behalf of or under the instructions of the data controller. Such person or entity is not a data controller.

"Personal Data" means any information relating to an individual that enables the identification of such individual, directly or indirectly, but excludes the data of deceased persons.

"Sensitive Personal Data" means personal data concerning race, ethnicity, political opinions, religious or philosophical beliefs, sexual behavior, criminal records, health data, disabilities, trade union membership, genetic data, biometric data, or any other data as specified by the Personal Data Protection Committee.

"Cookies" means small computer files that temporarily store necessary personal data on the user's computer for convenience and efficiency while accessing the website.

"Data Subject" means a natural person who is the owner of the personal data.

"Group Companies" means the Company and its subsidiaries.

"Subsidiaries" means companies in which the Company:
(1) Holds more than 50% of the voting rights, whether directly or indirectly; and/or
(2) Controls the majority of voting rights in shareholders' meetings, whether directly or indirectly; and/or
(3) Has the power to appoint or remove at least half of the board members, whether directly or indirectly.

"Executives" means the Chief Executive Officer, Managing Director, Deputy Managing Director, heads of each Business Unit and Support Unit within the Company and/or its subsidiaries.

"Employees" means executives and staff receiving monthly or daily wages from the Company or its subsidiaries, whether employed permanently, temporarily, or under a special contract.

"Personal Data Protection Law" means the Personal Data Protection Act B.E. 2562 and all applicable subordinate legislation.

The Company collects personal data directly from data subjects (e.g., through communication, quotations, recruitment, contract execution), or from other sources (e.g., government agencies, business partners, third parties), including:

• Basic information – such as name, surname, gender, date of birth, photographs, signature, national ID data, house registration, driver's license data.
• Contact information – such as current address, email, telephone number, LINE ID.
• Financial information – such as bank account details, salary payment data, welfare information.
• Sensitive information – such as criminal records, health data, biometric data, religion.
• Third-party information – such as references, emergency contacts, family members.
• Other data – such as cookie data, employment data, behavioral data, technological data, and marketing data.

If the Company receives a copy of your national ID card, which may contain sensitive data (e.g., religion, blood type), such data will not be collected unless the Company is legally permitted to do so. The Company will handle such data in accordance with best practices and applicable legal guidelines.

• The Company will provide a privacy notice to the data subject before or at the time of data collection.
• The Company will process personal data only for the purposes disclosed and based on a lawful basis.
• The Company will implement appropriate security measures to prevent data breaches, as required by the law.
• The Company will prevent unauthorized or unlawful use or disclosure of personal data.
• The Company will implement a system to delete or destroy personal data once the retention period has expired or the data is no longer necessary.
• The Company will implement measures for notification and handling of personal data breach incidents.
• The Company will enter into data processing agreements with any data processors.
• The Company will fulfill all other legal obligations under the Personal Data Protection Law.

Executives are responsible for ensuring all departments comply with this policy and promoting awareness among employees so that personal data protection is integrated into day-to-day operations.

Employees are responsible for acting in accordance with the policy, internal procedures, and applicable personal data protection laws.

Executives, employees, or other responsible individuals who neglect, omit, or act in violation of this policy or fail to perform their duties, resulting in legal violations or damages, may be subject to disciplinary action in accordance with Company regulations and may bear legal liability. If such misconduct causes damage to the Company or any third party, the Company reserves the right to pursue legal action.

For more information regarding personal data protection, please contact SB Design Square at Email: data_privacy@sb-furniture.com

This policy is effective from June 6, 2025 onward.
Issued on June 6, 2025