1. Definitions and Interpretation

1.1 In this DPA, the following terms shall have the meanings set out below:

1.2 Terms not defined in this DPA have the same meaning as in Applicable Data Protection Law or the Terms of Service.

1.3 References to "Article" are references to articles of the UK GDPR. References to legislation include all subordinate legislation and any amendments or re-enactments.

2. How This Agreement Is Accepted

2.1 This DPA is accepted without the need for a handwritten or electronic signature. The Customer is deemed to have accepted this Agreement by one or more of the following acts:

• completing the account registration process on the AnyWaste platform and ticking the acceptance checkbox presented during registration;

• accessing or using the Platform after this DPA has been made available or updated; or

• entering into an Order Form or other written agreement with AnyWaste that incorporates this DPA by reference.

2.2 The person completing the registration process represents and warrants that they have the authority to bind the Customer (the business entity) to the terms of this Agreement. Where a business entity uses the Platform through multiple Authorised Users, each such user's access and use of the Platform constitutes the business entity's continued acceptance of this Agreement.

2.3 AnyWaste may update this DPA from time to time. Where material changes are made, AnyWaste will provide not less than 30 days' notice by email to the registered account holder and/or by a prominent notice on the Platform. The Customer's continued use of the Platform following the effective date of any updated DPA constitutes acceptance of the revised terms. Where a Customer does not accept the updated terms, they may terminate their subscription in accordance with the Terms of Service.

2.4 A copy of this DPA is available at all times on the AnyWaste website. Customers may download or print this DPA for their own records. AnyWaste will provide a copy by email on request to privacy@anywaste.com.

3. Scope and Purpose of Processing

3.1 The Processor shall process Personal Data only to the extent necessary to provide the Services and strictly in accordance with the documented instructions of the Controller as set out in this DPA and the Terms of Service.

3.2 The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are set out in Schedule 1 (Processing Activities) to this Agreement.

3.3 The Controller is responsible for determining the lawful basis for processing under Article 6 UK GDPR (and Article 9 where special category data is involved) and for ensuring that its instructions to the Processor are lawful.

3.4 If the Processor considers that any instruction from the Controller infringes Applicable Data Protection Law, the Processor shall notify the Controller immediately and shall not be required to follow that instruction.

4. Controller's Obligations

4.1 The Controller shall:

• ensure that there is a valid lawful basis under Applicable Data Protection Law for all Personal Data provided to the Processor;

• ensure that all necessary privacy notices have been provided to Data Subjects and all required consents obtained before providing Personal Data to the Processor;

• comply with its obligations under Applicable Data Protection Law in its role as Controller;

• ensure that all instructions given to the Processor comply with Applicable Data Protection Law;

• notify the Processor promptly of any changes to its instructions that may affect the Processor's obligations;

• maintain accurate records of processing activities in accordance with Article 30 UK GDPR;

• ensure that any Personal Data provided to the Processor is accurate, complete, and relevant to the lawful purpose for which it is shared.

5. Processor's Obligations

5.1 The Processor shall:

• process Personal Data only on documented instructions from the Controller, except where required to do so by applicable law, in which case the Processor shall notify the Controller of that legal requirement before processing (unless prohibited by law);

• ensure that all persons authorised to process Personal Data are subject to appropriate confidentiality obligations or statutory obligations of confidentiality;

• implement and maintain appropriate Technical and Organisational Measures as set out in Schedule 2, in accordance with Article 32 UK GDPR;

• not engage any Sub-processor without prior authorisation of the Controller, save as provided in clause 8 of this DPA;

• assist the Controller, insofar as reasonably possible, in fulfilling its obligations to respond to Data Subject rights requests under Chapter III UK GDPR;

• assist the Controller in ensuring compliance with its obligations under Articles 32 to 36 UK GDPR, taking into account the nature of the processing and the information available to the Processor;

• at the choice of the Controller, delete or return all Personal Data after the end of the provision of the Services, and delete existing copies unless applicable law requires their retention;

• make available to the Controller all information necessary to demonstrate compliance with Article 28 UK GDPR obligations and allow for audits in accordance with clause 13 of this DPA;

• notify the Controller without undue delay upon becoming aware of a Personal Data Breach in accordance with clause 10 of this DPA.

6. Data Subject Rights

6.1 The Processor shall, to the extent reasonably practicable, assist the Controller in responding to requests from Data Subjects exercising their rights under Chapter III UK GDPR, including:

• right of access (Article 15);

• right to rectification (Article 16);

• right to erasure (Article 17);

• right to restriction of processing (Article 18);

• right to data portability (Article 20);

• right to object (Article 21).

6.2 The Processor shall promptly forward to the Controller any request received directly from a Data Subject that relates to the Controller's processing activities, and shall take no action on such a request without the Controller's written instruction.

6.3 The Controller is solely responsible for responding to Data Subject requests. The Processor shall provide the necessary technical assistance to facilitate such responses within a reasonable timeframe agreed between the parties.

7. Security of Processing

7.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, the Processor shall implement and maintain appropriate Technical and Organisational Measures to ensure a level of security appropriate to the risk, including as appropriate:

• pseudonymisation and encryption of Personal Data where appropriate;

• the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;

• the ability to restore availability and access to Personal Data in a timely manner following a physical or technical incident;

• a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures.

7.2 The Technical and Organisational Measures in place as at the date of this Agreement are set out in Schedule 2. The Processor may update such measures from time to time, provided that updates shall not materially reduce the level of protection afforded.

8. Sub-processors

8.1 By accepting this DPA, the Customer provides general written authorisation for the Processor to engage Sub-processors. The current list of authorised Sub-processors is set out in Schedule 3 and will be updated as Sub-processors change.

8.2 Prior to engaging any new Sub-processor, the Processor shall notify the Controller by updating Schedule 3 on the AnyWaste website and providing not less than 30 days' prior written notice to the registered account holder by email ("Sub-processor Change Notice").

8.3 The Controller may object to any new Sub-processor on reasonable grounds relating to data protection by notifying the Processor in writing within 14 days of the Sub-processor Change Notice. If the parties cannot resolve the objection within 30 days, either party may terminate the Services on written notice without liability for such termination.

8.4 Where the Processor engages a Sub-processor, it shall impose data protection obligations on that Sub-processor by way of a written agreement that provides at minimum the same level of protection as this DPA. The Processor shall remain fully liable to the Controller for the Sub-processor's performance of those obligations.

9. International Transfers

9.1 The Processor shall not transfer Personal Data outside the United Kingdom or the European Economic Area without the prior written consent of the Controller, save where such transfer is permitted under Applicable Data Protection Law.

9.2 Where transfers to third countries are agreed, the Processor shall ensure that an appropriate safeguard is in place in accordance with Chapter V UK GDPR, including:

• an adequacy decision by the UK Secretary of State under Article 45 UK GDPR;

• appropriate safeguards under Article 46 UK GDPR, such as UK International Data Transfer Agreements (IDTAs) or UK Addendum to the EU Standard Contractual Clauses;

• a derogation under Article 49 UK GDPR where applicable.

9.3 The Processor shall promptly notify the Controller if any safeguard in place for an international transfer is no longer valid.

10. Personal Data Breaches

10.1 The Processor shall notify the Controller without undue delay and, where feasible, within 48 hours of becoming aware of a Personal Data Breach affecting Personal Data processed under this Agreement.

10.2 Such notification shall include, to the extent available at the time:

• a description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned;

• the contact details of the relevant privacy contact at AnyWaste;

• a description of the likely consequences of the breach;

• a description of the measures taken or proposed to address the breach.

10.3 The Processor shall cooperate fully with the Controller to enable the Controller to comply with its obligations under Articles 33 and 34 UK GDPR in respect of notifying the ICO and, where required, Data Subjects.

10.4 The Processor shall not make any public announcement or notification to Data Subjects regarding a Personal Data Breach without the Controller's prior written consent, except as required by applicable law.

11. Data Protection Impact Assessments

11.1 The Processor shall provide reasonable assistance to the Controller in carrying out Data Protection Impact Assessments (DPIAs) required under Article 35 UK GDPR, where such assessments concern processing activities carried out by the Processor.

11.2 The Processor shall provide reasonable assistance to the Controller in consulting the ICO where required under Article 36 UK GDPR.

12. Records of Processing Activities

12.1 The Processor shall maintain accurate and up-to-date records of all categories of processing activities carried out on behalf of the Controller in accordance with Article 30(2) UK GDPR. Such records shall be made available to the ICO on request.

13. Audit Rights

13.1 The Processor shall make available all information necessary to demonstrate compliance with this DPA and Article 28 UK GDPR.

13.2 The Processor shall allow for audits, including inspections, conducted by the Controller or a mandated auditor, subject to the following conditions:

• the Controller shall provide not less than 30 days' prior written notice of any audit;

• audits shall be conducted during normal business hours and in a manner that minimises operational disruption;

• audits shall not be conducted more than once in any calendar year unless there is a reasonable belief that a breach of this DPA has occurred;

• the auditor shall execute a confidentiality agreement with the Processor prior to commencing the audit;

• the cost of any audit shall be borne by the Controller unless the audit reveals a material breach of this DPA, in which case the cost shall be borne by the Processor.

13.3 Where the Processor provides a relevant third-party audit certification (including ISO 27001 or SOC 2) or a completed information security questionnaire, this shall satisfy the Controller's audit rights in respect of the matters covered by that certification or questionnaire.

14. Deletion and Return of Personal Data

14.1 On termination or expiry of the Services, or earlier on the Controller's written request, the Processor shall, at the Controller's election:

• return all Personal Data to the Controller in a commonly used and machine-readable format; or

• securely delete or destroy all Personal Data processed under this Agreement.

14.2 The Processor shall provide written confirmation of deletion or destruction within 30 days of the termination date.

14.3 The Processor may retain Personal Data to the extent required by applicable law, provided that the Processor notifies the Controller of such requirement and processes the retained data only as required by law.

14.4 The Processor's back-up systems shall remove Personal Data within a maximum of 90 days of any deletion request.

15. Liability

15.1 Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.

15.2 The Processor shall indemnify the Controller against all claims, losses, damages, and costs arising from the Processor's breach of this DPA or of Applicable Data Protection Law, to the extent attributable to the Processor.

15.3 The Controller shall indemnify the Processor against all claims, losses, damages, and costs arising from the Controller's breach of this DPA or of Applicable Data Protection Law, to the extent attributable to the Controller.

16. Term and Termination

16.1 This DPA commences on the date of the Customer's acceptance and continues for the duration of the Services.

16.2 Either party may terminate this DPA on written notice if the other party materially breaches any provision and fails to remedy the breach (if capable of remedy) within 30 days of written notice.

16.3 Clauses 7, 10, 14, and 15 shall survive termination of this Agreement.

17. General Provisions

17.1 Governing Law. This DPA is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.

17.2 Entire Agreement. This DPA, together with the Terms of Service and all Schedules, constitutes the entire agreement between the parties with respect to the processing of Personal Data, and supersedes all prior agreements, representations, and understandings.

17.3 Amendments. AnyWaste may update this DPA from time to time. The current version shall always be published on the AnyWaste website. The Customer's continued use of the Platform after any update constitutes acceptance of the revised DPA, subject to the notice provisions in clause 2.3.

17.4 Severability. If any provision is found to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force.

17.5 Priority. In the event of any conflict between this DPA and the Terms of Service, this DPA shall take precedence in respect of data protection matters.

SCHEDULE 1 — Processing Activities

SCHEDULE 2 — Technical and Organisational Security Measures

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The following measures are in place as at the date of this Agreement. AnyWaste may update these measures over time; any updates shall not materially reduce the level of protection afforded to Personal Data. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

Access Controls

• Role-based access control (RBAC) restricting access to Personal Data to authorised personnel on a need-to-know basis.

• Multi-factor authentication (MFA) required for all administrative access to production systems.

• Individual user accounts with unique credentials; shared accounts are not permitted on production systems.

• Regular access reviews conducted to revoke access for personnel who no longer require it.

Encryption

• All Personal Data is encrypted in transit using TLS 1.2 or higher.

• Personal Data stored in databases is encrypted at rest using industry-standard encryption (AES-256 or equivalent).

• Encryption keys are managed using industry-standard key management practices with appropriate separation of duties.

System and Network Security

• Firewalls, intrusion detection systems, and security monitoring tools are deployed to protect processing environments.

• Vulnerability assessments and penetration testing are conducted periodically.

• Security patches and updates are applied in accordance with a documented patch management policy.

• Production environments are logically separated from development and test environments.

Data Backup and Recovery

• Regular automated backups of all Personal Data are performed and tested periodically.

• Documented incident response and disaster recovery procedures are maintained.

• Recovery time and recovery point objectives are defined and reviewed regularly.

Personnel Measures

• All personnel with access to Personal Data receive data protection training on appointment and regularly thereafter.

• All employees and contractors are bound by contractual confidentiality obligations.

• Background checks are conducted for roles with access to sensitive data, in accordance with applicable law.

Incident Management

• A documented Personal Data Breach response procedure is maintained and tested.

• All security incidents are logged, investigated, and reported in accordance with this DPA and Applicable Data Protection Law.

SCHEDULE 3 — Authorised Sub-processors

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ The following Sub-processors are authorised as at the last-updated date of this Agreement. AnyWaste will provide 30 days' advance notice of changes to this list in accordance with clause 8.2. The current version of this Schedule is always published on the AnyWaste website. ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

The current and complete Sub-processor list is maintained on the AnyWaste website. Customers may request a copy at any time by contacting privacy@anywaste.com.

SCHEDULE 4 — Contact Details

AnyWaste Global Ltd | Registered in England & Wales | anywaste.com | privacy@anywaste.com

This document is published on the AnyWaste website and is updated from time to time. The version displayed on the website is always the current operative version.

1. Who We Are

AnyWaste Global Ltd ("AnyWaste", "we", "our", "us") is the data controller responsible for the personal data processed in connection with anywaste.com and the AnyWaste digital waste tracking platform ("Platform"). We are registered with the Information Commissioner's Office ("ICO") and comply with the UK General Data Protection Regulation ("UK GDPR") and the Data Protection Act 2018 ("DPA 2018").

For any questions about this Privacy Policy or about how we handle your personal data, please contact us at privacy@anywaste.com.

2. The Personal Data We Collect

2.1 Account and Registration Data

When you register for an AnyWaste account we collect:

• full name, job title, and employer or business details;

• business email address and telephone number;

• username and password (stored in hashed, non-reversible form);

• billing contact details and invoice address;

• regulatory identifiers provided during registration, such as carrier licence numbers or waste management licence references.

2.2 Waste Movement and Operational Data

When you use the Platform to create and manage waste documentation we may process:

• waste transfer note (WTN) data, including consignor, consignee, and carrier details;

• hazardous waste consignment note (HWCN) data;

• dangerous goods note (DGN) data;

• driver names, vehicle registration numbers, and digital signature data;

• waste type, EWC code, quantity, and movement details;

• site names, addresses, and associated contact details;

• any personal data included within documents uploaded to the Platform.

2.3 Technical and Usage Data

When you access the Platform we automatically collect certain technical data:

• IP address and device identifiers;

• browser type and version;

• operating system;

• pages visited, features used, and session duration (collected via analytics tools);

• audit logs and session data;

• cookies and similar tracking technologies (see our Cookie Policy).

2.4 Communications Data

When you contact us, we collect:

• the content of communications with our support and sales teams, by email, telephone, or through the Platform;

• contact details and correspondence records;

• demo requests and enquiry form submissions.

3. How We Use Your Personal Data --- Lawful Bases

We process personal data only where we have a valid lawful basis under Article 6 of the UK GDPR. The table below sets out the purposes for which we use personal data and the lawful basis for each:

4. Sharing Personal Data with Third Parties

We do not sell, rent, or trade personal data. We may share personal data only as set out below.

4.1 Service Providers and Sub-processors

We engage trusted third-party service providers ("Sub-processors") to assist in delivering the Platform, including cloud infrastructure, email delivery, and analytics services. All Sub-processors are bound by data processing agreements providing at minimum equivalent data protection safeguards. Where AnyWaste acts as a data processor on behalf of its business customers, the Sub-processors engaged are listed in Schedule 3 of our Data Processing Agreement, which is published on this website.

4.2 Legal and Regulatory Disclosure

We may disclose personal data where required to do so by applicable law, court order, or regulatory authority, including the Environment Agency, the Information Commissioner's Office, and HMRC. We will notify you of any such disclosure where we are legally permitted to do so.

4.3 Business Transfer

In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to a successor entity. We will notify you in advance by publishing an updated Privacy Policy and, where appropriate, by direct communication.

4.4 With Your Consent

We will share personal data with third parties where you have given your prior explicit consent.

5. International Transfers

We process personal data principally within the United Kingdom. Where we transfer personal data outside the UK, we ensure that an appropriate safeguard is in place under Chapter V of the UK GDPR. Appropriate safeguards include:

• an adequacy decision made by the UK Secretary of State;

• a UK International Data Transfer Agreement (IDTA) or UK Addendum to EU Standard Contractual Clauses;

• another lawful mechanism approved under the UK GDPR.

You may request details of the safeguards applicable to any international transfer by contacting privacy@anywaste.com.

6. How Long We Keep Your Personal Data

We retain personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. Our principal retention periods are:

7. Your Rights Under UK Data Protection Law

You have the following rights under the UK GDPR. To exercise any of these rights, contact us at privacy@anywaste.com. We will respond within one calendar month.

8. Security

We take the security of personal data seriously. We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, including:

• encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);

• role-based access controls and multi-factor authentication for platform administration;

• regular security assessments and penetration testing;

• documented incident response and breach notification procedures.

Please note that no method of transmission over the internet is entirely secure. You are responsible for keeping your account credentials confidential and should notify us immediately at privacy@anywaste.com if you believe your account has been compromised.

9. Children

The Platform is intended solely for business users and is not directed at or intended for use by children under 18 years of age. We do not knowingly collect personal data from children. If we become aware that personal data from a child has been submitted to the Platform, we will delete it promptly. Please notify us at privacy@anywaste.com if you believe this has occurred.

10. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Platform, or applicable law. Where we make material changes, we will notify registered users by email and by a prominent notice on the Platform before the change takes effect. The "last updated" date at the top of this page indicates when the policy was most recently revised. Your continued use of the Platform after a change is published constitutes your acceptance of the updated policy.

11. Contact Us

1. Definitions

2. How These Terms Are Accepted

2.1 These Terms are accepted without the need for a handwritten or electronic signature. The Customer is deemed to have accepted these Terms by:

• completing the account registration process and ticking the acceptance checkbox presented during registration (clickwrap acceptance); or

• accessing or using the Platform after these Terms have been published or updated.

2.2 The person completing registration represents and warrants that they have authority to bind the Customer to these Terms. All Authorised Users' use of the Platform is subject to and governed by these Terms.

2.3 AnyWaste may update these Terms from time to time. Where material changes are made, AnyWaste will provide not less than 30 days' notice by email to the registered account holder and/or by a prominent notice on the Platform. The Customer's continued use of the Platform after the effective date of any update constitutes acceptance. If the Customer does not accept the updated Terms, they may terminate their subscription in accordance with clause 11.

2.4 The current version of these Terms is always available at anywaste.com/terms. AnyWaste will retain a record of the version of these Terms that was in force at the time of each Customer's registration.

3. Account Registration

3.1 The Platform is for use by business customers only. By registering, you represent and warrant that:

• you are a business entity and not a consumer;

• you are duly authorised to enter into and perform obligations under this Agreement on behalf of the Customer;

• the information provided during registration is accurate, complete, and up to date;

• you hold all licences, permits, and regulatory registrations required to conduct the waste management activities you wish to record on the Platform.

3.2 You are responsible for maintaining the confidentiality of your account credentials and for all activities that occur under your account. Notify us immediately at support@anywaste.com if you suspect any unauthorised access to your account.

3.3 We reserve the right to refuse registration or to suspend or terminate accounts where we have reasonable grounds to do so, including where information provided is inaccurate or where there is suspected misuse.

4. Licence to Use the Platform

4.1 Subject to payment of the Fees and compliance with this Agreement, AnyWaste grants the Customer a limited, non-exclusive, non-transferable, revocable licence to access and use the Platform during the subscription term, solely for the Customer's internal business purposes.

4.2 The Customer may permit its Authorised Users to access the Platform. The Customer remains responsible for all use by its Authorised Users and for ensuring they comply with these Terms.

4.3 The Customer must not:

• sublicence, resell, transfer, or assign access to the Platform without AnyWaste's prior written consent;

• copy, modify, reverse engineer, decompile, or create derivative works based on the Platform;

• use the Platform to develop any competing product or service;

• attempt to gain unauthorised access to any part of the Platform or its underlying infrastructure;

• use the Platform in any manner that is unlawful, fraudulent, or harmful to any person.

5. Subscription and Fees

5.1 Access to the Platform is subject to payment of the applicable Fees. Subscription plans and Fees are published on the AnyWaste website and may be updated from time to time.

5.2 Fees are payable in advance by the payment method selected at registration. All Fees are quoted exclusive of VAT unless stated otherwise. VAT will be charged at the applicable rate.

5.3 Subscriptions automatically renew at the end of each subscription period unless the Customer cancels in accordance with clause 11.

5.4 AnyWaste may vary the Fees applicable to subscription renewals by providing not less than 30 days' written notice before the renewal date. The Customer may cancel in accordance with clause 11 if it does not wish to accept the revised Fees.

5.5 If the Customer fails to pay any amount when due, AnyWaste may:

• charge interest on overdue amounts at 8% per annum above the Bank of England base rate from the due date until the date of actual payment (pursuant to the Late Payment of Commercial Debts (Interest) Act 1998);

• suspend the Customer's access to the Platform until all outstanding amounts are paid.

5.6 All Fees paid are non-refundable except as provided in clause 5.7 or as required by applicable law.

5.7 Where AnyWaste cancels or materially reduces the Services other than as a result of the Customer's breach, AnyWaste shall provide a pro-rata refund of prepaid Fees for the unused portion of the subscription term.

6. Customer Obligations

6.1 The Customer shall:

• use the Platform only for lawful purposes and in compliance with all applicable legislation and regulatory requirements, including the Waste (England and Wales) Regulations 2011, the Hazardous Waste (England and Wales) Regulations 2005, the Environmental Protection Act 1990, the Environmental Permitting (England and Wales) Regulations 2016, and all applicable Environment Agency guidance and codes of practice;

• ensure that all waste records, consignment notes, and documentation created on the Platform are accurate, complete, and compliant with applicable regulatory requirements;

• hold and maintain all licences, permits, and registrations required by law to transport, broker, receive, or dispose of the categories of waste recorded on the Platform;

• be solely responsible for the accuracy and lawfulness of all Content uploaded or created by the Customer and its Authorised Users;

• promptly notify AnyWaste of any change in circumstances that affects the Customer's regulatory authorisations or the lawfulness of its use of the Platform;

• implement appropriate access controls to prevent unauthorised use of its account.

6.2 The Platform is a digital record-keeping and compliance tool. AnyWaste does not provide legal advice, and nothing on the Platform constitutes legal or regulatory advice. The Customer is solely responsible for ensuring that its use of the Platform satisfies its legal and regulatory obligations. AnyWaste strongly recommends that the Customer seeks independent legal advice on its regulatory obligations.

7. Acceptable Use

7.1 The Customer must not, and must ensure that its Authorised Users do not, use the Platform to:

• create, store, or transmit any Content that is unlawful, fraudulent, misleading, defamatory, or in breach of any third party's rights;

• record or process waste movements that the Customer is not legally authorised to make or receive;

• falsify, manipulate, or misrepresent waste records, consignment notes, or regulatory documentation;

• transmit any virus, malware, or other harmful code;

• harvest personal data of other users without their consent;

• interfere with or disrupt the integrity or performance of the Platform;

• access the Platform by automated means without AnyWaste's prior written consent.

7.2 AnyWaste reserves the right to investigate any suspected breach of this clause and to suspend or terminate the Customer's access pending investigation.

8. Intellectual Property

8.1 All Intellectual Property Rights in the Platform --- including its software, design, databases, and all associated documentation --- are owned by or licensed to AnyWaste Global Ltd. Nothing in this Agreement transfers any Intellectual Property Rights to the Customer.

8.2 The Customer retains all Intellectual Property Rights in its Content. By uploading Content to the Platform, the Customer grants AnyWaste a limited, non-exclusive licence to use, store, and process that Content solely to the extent necessary to provide the Services.

8.3 AnyWaste may use aggregated, anonymised data derived from Platform usage (which does not identify any individual or Customer) to improve the Platform, conduct research, and produce statistical reports. This does not constitute a breach of the Customer's rights.

9. Confidentiality

9.1 Each party agrees to treat as confidential all non-public information of the other party disclosed in connection with this Agreement and not to disclose it to any third party without prior written consent.

9.2 This obligation does not apply to information that: (a) is or becomes publicly available through no breach of this Agreement; (b) was already known to the receiving party; (c) is independently developed without use of the Confidential Information; or (d) is required to be disclosed by law or regulatory authority.

9.3 This clause shall survive termination for a period of five years.

10. Warranties and Disclaimers

10.1 AnyWaste warrants that:

• it has the right, power, and authority to enter into this Agreement and to grant the rights set out herein;

• the Platform will perform materially in accordance with its published documentation during the subscription term;

• the Services will be provided with reasonable care and skill.

10.2 AnyWaste does not warrant that:

• the Platform will be error-free or uninterrupted at all times;

• the Platform will meet the Customer's specific regulatory requirements (the Customer is solely responsible for ensuring its regulatory compliance);

• the Platform will be compatible with all third-party systems or software.

10.3 The Customer warrants that:

• it has the right to upload and process the Content;

• the Content does not infringe any third party's Intellectual Property Rights;

• it holds all regulatory authorisations required for the waste management activities for which it uses the Platform.

10.4 All other warranties, conditions, and terms implied by statute, common law, or otherwise are excluded to the fullest extent permitted by applicable law.

11. Limitation of Liability

11.1 Nothing in this Agreement limits or excludes liability for: death or personal injury caused by negligence; fraud or fraudulent misrepresentation; or any liability that cannot be excluded under applicable law.

11.2 Subject to clause 11.1, AnyWaste's total aggregate liability to the Customer under or in connection with this Agreement shall not exceed the total Fees paid by the Customer in the 12-month period immediately preceding the event giving rise to the claim.

11.3 Subject to clause 11.1, AnyWaste shall not be liable for any: loss of profits, revenue, or business; loss of anticipated savings; loss or corruption of data; indirect, consequential, or special loss or damage; or loss arising from the Customer's failure to comply with its legal or regulatory obligations.

11.4 AnyWaste shall not be liable for any failure or delay resulting from circumstances beyond its reasonable control, including acts of God, pandemic, civil unrest, government action, or third-party infrastructure failures. AnyWaste will notify the Customer promptly of any such event.

12. Cancellation and Termination

12.1 The Customer may cancel its subscription at any time via the account settings or by contacting support@anywaste.com. Cancellation takes effect at the end of the then-current subscription period. No refund is due for any unused portion of a pre-paid period, save as provided in clause 5.7.

12.2 AnyWaste may terminate this Agreement immediately on written notice if the Customer:

• materially breaches any term and fails to remedy the breach (if capable of remedy) within 14 days of written notice;

• becomes insolvent, enters administration, makes arrangements with creditors, or ceases to trade;

• engages in fraudulent or unlawful activity in connection with the Platform.

12.3 On termination for any reason:

• the Customer's licence to use the Platform ceases immediately;

• the Customer shall cease all use of the Platform and delete any AnyWaste software from its systems;

• AnyWaste will make the Customer's Content available for export for 30 days following termination, after which it will be deleted in accordance with the Data Processing Agreement and applicable law.

12.4 Clauses 8, 9, 11, 14, and 15 shall survive termination.

13. Service Availability

13.1 AnyWaste will use commercially reasonable endeavours to make the Platform available 99.5% of the time in any calendar month, excluding scheduled maintenance and circumstances beyond our reasonable control.

13.2 We will provide not less than 24 hours' advance notice of scheduled maintenance where practicable, and will endeavour to schedule it outside normal UK business hours.

13.3 We reserve the right to modify, update, or discontinue Platform features with reasonable notice. Where a material feature is discontinued, we will provide not less than 30 days' notice.

14. Data Protection

14.1 Each party shall comply with its obligations under the UK GDPR, the DPA 2018, and any other applicable data protection legislation.

14.2 Where AnyWaste processes personal data on behalf of the Customer in connection with the Services, the parties' obligations as data processor and data controller are governed by the Data Processing Agreement, which is incorporated into and forms part of this Agreement.

14.3 AnyWaste's collection and use of personal data as a data controller in its own right is governed by the Privacy Policy.

15. General

15.1 Governing Law. This Agreement is governed by the laws of England and Wales. The parties submit to the exclusive jurisdiction of the courts of England and Wales.

15.2 Entire Agreement. This Agreement constitutes the entire agreement between the parties and supersedes all prior representations and understandings. No terms proposed by the Customer (including any purchase order terms) shall be incorporated.

15.3 Updates. We may update these Terms as described in clause 2.3. The current version is always published at anywaste.com/terms.

15.4 Assignment. AnyWaste may assign its rights and obligations to a successor entity without consent. The Customer may not assign its rights or obligations without AnyWaste's prior written consent.

15.5 Severability. If any provision is found invalid or unenforceable, the remaining provisions continue in full force.

15.6 Waiver. No failure to exercise any right under this Agreement constitutes a waiver of that right.

15.7 No Partnership. Nothing in this Agreement creates a partnership, agency, joint venture, or employment relationship between the parties.

15.8 Notices. Written notices under this Agreement shall be sent to legal@anywaste.com (for AnyWaste) or to the email address registered on the Customer's account.

16. Contact

1. What Are Cookies?

Cookies are small text files placed on your device when you visit a website. They allow the website to remember your actions and preferences over time. Similar technologies include web beacons, pixels, and local storage. In this policy, "cookies" refers to all such technologies. Our use of cookies is governed by the Privacy and Electronic Communications Regulations 2003 ("PECR") and the UK General Data Protection Regulation ("UK GDPR").

2. Who Sets Cookies on This Website?

Cookies on anywaste.com and app.anywaste.com are set by:

• AnyWaste Global Ltd (first-party cookies); and

• third-party service providers engaged by AnyWaste, such as analytics platforms and email services (third-party cookies).

We are responsible for the cookies set by AnyWaste and for ensuring that our third-party providers meet the required data protection standards.

3. Categories of Cookies We Use

3.1 Strictly Necessary Cookies

------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- These cookies are essential for the website and platform to operate correctly. They do not require your consent under PECR. You cannot opt out of strictly necessary cookies without affecting the functionality of the site. -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

3.2 Analytics Cookies

---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- These cookies help us understand how visitors use our website so we can improve it. They collect information in an aggregated and, where possible, anonymised form. These cookies are only placed with your consent. ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

3.3 Functional Cookies

--------------------------------------------------------------------------------------------------------------------- Functional cookies enhance your experience by remembering your preferences. They are placed only with your consent. ---------------------------------------------------------------------------------------------------------------------

3.4 Marketing and Targeting Cookies

AnyWaste Global Ltd does not currently use marketing, retargeting, or advertising cookies on this website. Should we introduce such cookies in future, this policy will be updated and your prior consent will be sought in accordance with PECR before they are placed.

4. Managing and Withdrawing Cookie Consent

4.1 Our Cookie Consent Tool

When you first visit the website, our cookie consent banner gives you the choice to accept all non-essential cookies, reject all non-essential cookies, or customise your preferences by category. Your choices are saved in the cookie\_consent cookie for 12 months. You can update your preferences at any time using the Cookie Settings link in the website footer.

4.2 Browser Settings

You can also control cookies through your browser settings. Most browsers allow you to:

• view the cookies that are set and delete individual cookies;

• block third-party cookies;

• block all cookies from being set;

• delete all cookies when you close your browser.

Please note that disabling or blocking cookies --- including strictly necessary cookies --- may prevent you from logging in to the Platform or may impair certain features of the website.

4.3 Third-party Opt-out

You may also opt out of cookies set by specific third-party providers directly:

• Google Analytics: visit tools.google.com/dlpage/gaoptout or adjust your Google account settings at myaccount.google.com.

• \<span class="legal-tbc">[additional third-party opt-out links — to add if applicable]</span>

5. Cookies and Personal Data

Some cookies, including session and analytics cookies, may involve the processing of personal data (such as IP addresses or device identifiers). Where this is the case, the processing is carried out in accordance with our Privacy Policy and in compliance with the UK GDPR. For full details on how we handle personal data collected through cookies, please see our Privacy Policy at anywaste.com/privacy.

6. Changes to This Cookie Policy

We may update this Cookie Policy from time to time. We will notify you of material changes by updating the date at the top of this page and, where appropriate, through the cookie consent banner or by email. Your continued use of the website following publication of an update constitutes acceptance of the updated policy.

7. Contact Us

AnyWaste Global Ltd | Registered in England & Wales | anywaste.com | legal@anywaste.com

This document is a draft for legal review. It does not constitute legal advice. The version published on the AnyWaste website is always the current operative version.