The following privacy information provides an overview of the collection and processing of your data.

Responsible handling of personal data is particularly important to us and is a matter of course. Where we receive, use or process personal data from you, we do so in compliance with the applicable national and European data protection regulations. Personal data within the meaning of this information means all information that relates to your person.

With the following privacy information, we provide you with an overview of how we process your personal data and of your rights under data protection law.

1. Controller and Data Protection Officer

The controller is:

Loonie Propco Cologne Tower S.à r.l.
2-4 rue Eugène Ruppert
L-2453 Luxembourg

You can contact our Data Protection Officer at:

FPS Rechtsanwaltsgesellschaft mbH & Co. KG
Eschersheimer Landstraße 25-27
60322 Frankfurt am Main
E-Mail: datenschutzbeauftragter@fps-law.de

2. Source of the personal data

We process personal data that we receive from you during your visit to our websites or when you contact us.

3. Categories of personal data processed

(1) When you visit our websites for purely informational purposes, we do not collect any personal data except for the data transmitted by your browser to enable you to visit the website.

• your IP address, shortened in the final segment;
• the remote host, meaning the name of the computer requesting the page, where transmitted by the network;
• date, time, status and volume of data transferred;
• the website from which you accessed the requested page (referrer), where transmitted by the browser;
• product and version information of the browser used (user agent), where transmitted by the browser;
• if your user name is transmitted by your network, it is not stored by us.

These data are not combined with other data sources. The collection of these data is based on Art. 6 (1) sentence 1 lit. f GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimisation of its website; for this purpose, server log files must be collected.

(2) Your browser also stores cookies. Cookies are small text files assigned to or stored by the browser used on your device, through which certain information is transmitted to the party setting the cookie, in this case us. Cookies are used to make the online offering more user-friendly and effective overall.
This website uses the following cookies:

• Transient cookies: These are automatically deleted when you close your browser. They include, in particular, session cookies. These store a session ID that allows various requests from your browser to be assigned to the same session. Session cookies are deleted when you log out or close the browser.
• Persistent cookies: These are automatically deleted after a specified period, which may vary depending on the cookie. You can delete cookies at any time in your browser’s security settings.

The collection of these data is based on Art. 6 (1) sentence 1 lit. a or f GDPR.

(3) In addition to purely informational use of our website, we offer various services that you may use if interested. For this, you will generally need to provide further personal data, which we use to provide the respective service. The collection of these data is based on the legal basis specified for the respective service.

4. Purposes for which the personal data are to be processed and legal bases for processing

We process your personal data in compliance with the applicable national and European legal data protection requirements.

Processing is lawful where at least one of the following conditions is met:

a. Consent (Art. 6 (1) sentence 1 lit. a GDPR)
Where you have given us consent to process your personal data for specific purposes, such as use of data for marketing purposes, cookie use or a contact form, the lawfulness of this processing is based on your consent. The legal basis is Art. 6 (1) lit. a GDPR and Section 25 (1) TTDSG, insofar as the consent includes the storage of cookies or access to information in the user’s terminal device, such as device fingerprinting, within the meaning of the TTDSG. Consent granted may be withdrawn at any time with effect for the future.

b. Performance of contractual obligations or implementation of pre-contractual measures (Art. 6 (1) sentence 1 lit. b GDPR)
To fulfil our contractual obligations in individual cases or to carry out pre-contractual measures at your request, we process personal data for the performance of the contract. The purposes of data processing arise primarily from the specific contractual relationship and may include needs analyses and advisory services. Further details on the purposes of data processing can be found in the contractual documents and terms and conditions.

c. Compliance with legal requirements (Art. 6 (1) sentence 1 lit. c GDPR)
Loonie Propco Cologne Tower S.à r.l. is subject to various legal obligations, such as commercial and tax retention obligations under the German Commercial Code and Fiscal Code. The purposes of processing include, among other things, fulfilment of tax control and reporting obligations as well as risk assessment and risk management within the company.

d. Balancing of interests (Art. 6 (1) sentence 1 lit. f GDPR)
Where necessary, we process your data beyond the actual performance of the contract to protect legitimate interests pursued by us or by third parties. Examples include:

• auditing and improving procedures for general business management and further development of products and services;
• advertising and customer satisfaction, provided you have not objected to use of your data;
• assertion of legal claims and defence in legal disputes;
• prevention, investigation or prevention of criminal offences.

5. Categories of recipients of the personal data

We have individual processes and services carried out by carefully selected service providers commissioned in compliance with data protection law. These external service providers are bound by our instructions and are regularly monitored. They will not pass your data on to third parties.
With regard to disclosure to further recipients, we disclose information about you only where statutory provisions require this, where you have given consent or where we are authorised to disclose it. If these requirements are met, recipients of personal data may include:

• • public authorities and institutions, such as tax authorities or law enforcement agencies, where there is a statutory or official obligation;
• other companies or comparable institutions to which we transfer personal data for the purpose of conducting the business relationship with you, such as network operators or credit agencies.

6. Intention to transfer personal data to a third country or international organisation

An active transfer of personal data to a third country takes place only where expressly indicated in connection with the services mentioned above and where the requirements of Art. 44 et seq. GDPR are met. A third country is a country outside the European Economic Area (EEA) in which the GDPR does not apply directly. For the USA, the European Commission has not issued an adequacy decision pursuant to Art. 45 (1) GDPR.

7. Criteria for determining the period for which personal data are stored

The criteria for determining the storage period are based on the end of the purpose and subsequent statutory retention periods. If the data are no longer required for the fulfilment of contractual or legal obligations, they are generally deleted unless further processing for a limited period, and where applicable in a restricted manner, is required for the following purposes:

• fulfilment of commercial and tax retention obligations, in particular under the German Commercial Code (HGB) and Fiscal Code (AO), which provide for retention and documentation periods of up to ten years;
• preservation of evidence within the statutory limitation periods. Pursuant to Sections 195 et seq. of the German Civil Code (BGB), the regular limitation period is three years, but under special circumstances it may be up to 30 years.

8. Data protection rights

You may at any time request information about the stored data, the purpose of storage or the origin of the data. In addition, you may at any time have your personal data blocked, corrected or deleted. A corresponding request for correction, blocking or deletion of personal data should be addressed to the controller. Further contact details can be found in the Legal Notice.

All requests for information, correction, blocking, deletion and withdrawal of consent to data collection, use or processing should be directed to this address. You also have the right to lodge a complaint with the data protection supervisory authorities. You have the right, on grounds relating to your particular situation, to object at any time to processing of personal data concerning you based on Art. 6 (1) sentence 1 lit. e GDPR (processing in the public interest) or Art. 6 (1) sentence 1 lit. f GDPR (processing based on a balancing of interests); this also applies to profiling based on these provisions within the meaning of Art. 4 No. 4 GDPR.

In individual cases, we process your personal data for direct marketing purposes. You have the right to object at any time to processing of personal data concerning you for such marketing, including profiling to the extent that it is related to such direct marketing.

If you object to processing for direct marketing purposes, we will no longer process your personal data for these purposes.

If you object, we will no longer process your personal data unless we can demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms, or the processing serves the assertion, exercise or defence of legal claims.

The objection may be made in any form and addressed to the contact details given above.

9. Obligation to provide data and possible consequences of failure to provide data

In the context of our business relationship, you must provide the personal data necessary for entering into and conducting a business relationship and for fulfilling the associated contractual obligations, or data that we are legally required to collect. Without these data, we will generally not be able to enter into or perform the contract with you.

10. Existence of automated decision-making, including profiling

As a general rule, we do not use automated decision-making pursuant to Article 22 GDPR to establish or conduct the business relationship. If we use such procedures in individual cases, we will inform you separately where required by law.

11. Data security

We protect your information using modern security systems and comply with data protection and security provisions under the GDPR.

We maintain current technical measures to ensure data security, in particular to protect your personal data against risks during data transmission and against access by third parties. These measures are adapted to the current state of the art.

Online forms on our website are sent using SSL encryption to protect the data you enter. Nevertheless, we cannot guarantee that the information transmitted cannot be viewed by third parties during transmission.

Version: 15.01.2026