PRIVACY POLICY

Section 1.1 Definitions

For the purposes of this Policy, the following terms shall have the meanings ascribed to them herein, unless the context otherwise requires:

(a) "Applicable Data Protection Laws" means all laws, statutes, regulations, ordinances, rules, and other legally binding requirements relating to data protection, privacy, and the processing of personal information applicable to the Company or to Data Subjects, including without limitation the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA"), and any other federal, state, provincial, or international data protection legislation as may be enacted or amended from time to time.

(b) "Data Controller" means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

(c) "Data Subject" means an identified or identifiable natural person whose Personal Data is processed by or on behalf of the Company.

(d) "Personal Data" or "Personal Information" means any information relating to an identified or identifiable natural person, including but not limited to name, email address, IP address, device identifiers, location data, online identifiers, and any other information that, alone or in combination with other data, can be used to identify, contact, or locate an individual.

(e) "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

(f) "Service Providers" means third-party entities engaged by the Company to perform services on its behalf, including but not limited to analytics providers, cloud computing and infrastructure services, payment processors, and customer support platforms.

(g) "Sites" has the meaning ascribed to it in the Preamble.

Section 1.2 Interpretation

In this Policy, unless the context otherwise requires: (i) words importing the singular shall include the plural and vice versa; (ii) words importing any gender shall include all genders; (iii) references to "including" or "includes" shall be construed as illustrative and not limiting; (iv) headings are for convenience only and shall not affect the interpretation of this Policy; (v) references to Articles, Sections, or subsections are references to Articles, Sections, or subsections of this Policy; and (vi) references to any statute, regulation, or law include any amendments, re-enactments, or successor legislation thereto.

Section 2.1 Scope of Policy

This Policy applies to all Personal Data collected, processed, stored, or otherwise handled by the Company in connection with the operation of the Sites, regardless of the means or medium through which such Personal Data is collected. This Policy governs the Processing activities of the Company with respect to all Data Subjects who access, use, or interact with the Sites.

Section 2.2 Territorial Application

This Policy applies to Data Subjects located in any jurisdiction worldwide, including but not limited to the European Union, the European Economic Area, the United Kingdom, the United States, Canada, and any other jurisdiction from which the Sites may be accessed. The Company shall comply with Applicable Data Protection Laws relevant to the jurisdiction of each Data Subject to the extent such laws apply to the Company's Processing activities.

Section 2.3 Acceptance of Policy

By accessing, browsing, or otherwise using the Sites, you acknowledge that you have read, understood, and agree to be bound by the terms and conditions of this Policy. If you do not agree with any provision of this Policy, you must immediately discontinue your use of the Sites and refrain from providing any Personal Data to the Company.

Section 3.1 Categories of Personal Data Collected

In connection with the operation of the Sites, the Company may collect the following categories of Personal Data:

(a) Contact Information: Personal Data provided voluntarily by Data Subjects during the account registration process, including but not limited to electronic mail addresses and such other contact information as may be requested during the sign-up process.

(b) Usage and Behavioral Data: Anonymized and pseudonymized data relating to Data Subjects' interactions with the Sites, including but not limited to session duration, page views, click patterns, navigation paths, scroll depth, feature utilization metrics, and other behavioral analytics data collected through automated technologies.

(c) Technical and Device Information: Data automatically collected from Data Subjects' devices upon access to the Sites, including but not limited to Internet Protocol (IP) addresses, browser type and version, device type and identifiers, operating system and platform, screen resolution, language preferences, time zone settings, referring and exit URLs, and other technical parameters.

(d) Communications Data: Records of correspondence and communications between Data Subjects and the Company, including inquiries, support requests, feedback, and any other communications submitted through the Sites or via electronic mail.

Section 3.2 Methods of Collection

The Company collects Personal Data through the following methods and means:

(a) Direct Collection: Personal Data provided directly by Data Subjects through voluntary submission via registration forms, contact forms, subscription mechanisms, or other input mechanisms made available on the Sites.

(b) Automated Collection: Personal Data collected automatically through the use of cookies, web beacons, pixels, software development kits, application programming interfaces, and other tracking technologies deployed on the Sites, as more particularly described in Article VIII hereof.

(c) Third-Party Sources: To the extent permitted by Applicable Data Protection Laws, the Company may receive Personal Data from third-party sources, including but not limited to analytics providers and publicly available databases, provided that such data is collected and shared in accordance with applicable legal requirements.

Section 3.3 Sensitive Personal Data

The Company does not knowingly or intentionally collect, solicit, or process sensitive categories of Personal Data, including without limitation data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation (collectively, "Sensitive Personal Data"), unless such collection is: (i) expressly consented to by the Data Subject; (ii) necessary for the establishment, exercise, or defense of legal claims; or (iii) otherwise required or permitted by Applicable Data Protection Laws.

Section 4.1 Purposes of Processing

The Company processes Personal Data for the following purposes, subject to and in accordance with Applicable Data Protection Laws:

(a) Service Provision: To provide, operate, maintain, improve, and administer the Sites and the services offered thereon, including account creation, user authentication, and access management.

(b) Customer Support: To respond to inquiries, requests, complaints, and other communications from Data Subjects, and to provide technical support and customer service.

(c) Analytics and Improvement: To analyze usage patterns, user behavior, and site performance metrics for the purpose of enhancing the functionality, user experience, and overall quality of the Sites.

(d) Communications: To send service-related notices, updates, security alerts, and administrative messages, and, where the Data Subject has provided consent or where otherwise permitted by law, to send promotional communications, newsletters, and marketing materials.

(e) Security and Fraud Prevention: To detect, prevent, investigate, and address fraud, unauthorized access, security incidents, and other potentially illegal or prohibited activities.

(f) Legal Compliance: To comply with applicable laws, regulations, legal processes, and governmental requests, and to enforce the Company's terms of service, policies, and agreements.

(g) Business Operations: To conduct internal business operations, including but not limited to data analysis, audits, developing new products and services, and identifying usage trends.

Section 4.2 Legal Bases for Processing

The Company processes Personal Data on one or more of the following legal bases, as applicable under the GDPR and other Applicable Data Protection Laws:

(a) Consent: Where the Data Subject has given clear, affirmative consent to the Processing of their Personal Data for one or more specific purposes.

(b) Contractual Necessity: Where Processing is necessary for the performance of a contract to which the Data Subject is a party, or in order to take steps at the request of the Data Subject prior to entering into a contract.

(c) Legal Obligation: Where Processing is necessary for compliance with a legal obligation to which the Company is subject.

(d) Legitimate Interests: Where Processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject which require protection of Personal Data.

Section 4.3 Automated Decision-Making

The Company does not engage in automated decision-making, including profiling, that produces legal effects concerning Data Subjects or similarly significantly affects them, unless: (i) such Processing is necessary for entering into or performance of a contract; (ii) is authorized by applicable law; or (iii) is based on the Data Subject's explicit consent.

Section 5.1 General Disclosure Policy

The Company does not sell, rent, lease, trade, or otherwise transfer Personal Data to third parties for monetary or other valuable consideration. Notwithstanding the foregoing, the Company may disclose Personal Data in the circumstances and to the categories of recipients described in this Article V.

Section 5.2 Disclosure to Service Providers

The Company may disclose Personal Data to Service Providers engaged to perform functions and provide services on behalf of the Company, including but not limited to: (i) analytics and performance measurement providers; (ii) cloud computing, hosting, and infrastructure services; (iii) customer relationship management platforms; (iv) payment processing services; and (v) professional advisors and consultants. All Service Providers are contractually bound to process Personal Data only in accordance with the Company's instructions and subject to appropriate confidentiality, security, and data protection obligations consistent with this Policy and Applicable Data Protection Laws.

Section 5.3 Disclosure for Legal and Compliance Purposes

The Company may disclose Personal Data where such disclosure is reasonably necessary to: (i) comply with any applicable law, regulation, legal process, subpoena, court order, or governmental or regulatory request; (ii) enforce the Company's terms of service, policies, or other agreements; (iii) investigate potential violations thereof; (iv) detect, prevent, or otherwise address fraud, security, or technical issues; (v) protect the rights, property, or safety of the Company, its users, or the public as required or permitted by law; or (vi) respond to claims that any content violates the rights of third parties.

Section 5.4 Disclosure in Connection with Business Transactions

In the event of a merger, acquisition, consolidation, divestiture, restructuring, reorganization, dissolution, bankruptcy, or other change of ownership or control of the Company or any of its assets (whether in whole or in part), Personal Data may be among the assets transferred to or acquired by the successor entity or purchaser. In such event, the acquiring entity shall be subject to the terms of this Policy with respect to the Personal Data transferred.

Section 6.1 Retention Periods

The Company shall retain Personal Data for no longer than is necessary to fulfill the purposes for which such data was collected, as set forth in this Policy, or as required or permitted by Applicable Data Protection Laws. The specific retention periods applicable to different categories of Personal Data are as follows:

(a) Contact Information: Retained for the duration of the Data Subject's account or business relationship with the Company, and for a reasonable period thereafter as necessary to comply with legal obligations, resolve disputes, and enforce agreements, unless the Data Subject requests deletion in accordance with Section 7.3 hereof.

(b) Usage and Behavioral Data: Retained in anonymized or pseudonymized form for a period not exceeding twenty-four (24) months from the date of collection, after which such data shall be permanently deleted or further anonymized such that it can no longer be attributed to an identifiable natural person.

(c) Technical and Device Information: Retained for a period reasonably necessary to ensure the security and proper functioning of the Sites, generally not exceeding twelve (12) months.

(d) Communications Data: Retained for the period necessary to address the subject matter of the communication and for a reasonable period thereafter for record-keeping and quality assurance purposes.

Section 6.2 Deletion and Anonymization

Upon expiration of the applicable retention period, or upon a valid request for deletion from a Data Subject (subject to applicable exceptions), the Company shall securely delete or irreversibly anonymize the relevant Personal Data using industry-standard methods. Notwithstanding the foregoing, the Company may retain Personal Data for longer periods where necessary to comply with legal obligations, establish or defend legal claims, or for archival purposes in the public interest.

Section 7.1 General Rights

Subject to Applicable Data Protection Laws and the limitations and exceptions provided therein, Data Subjects may be entitled to exercise the following rights with respect to their Personal Data:

(a) Right of Access: The right to obtain confirmation as to whether or not Personal Data concerning the Data Subject is being processed, and, where that is the case, to access the Personal Data and obtain certain information relating to its Processing.

(b) Right to Rectification: The right to obtain the rectification of inaccurate Personal Data and, taking into account the purposes of the Processing, to have incomplete Personal Data completed.

(c) Right to Erasure: The right to obtain the erasure of Personal Data in certain circumstances, including where the data is no longer necessary for the purposes for which it was collected, where consent has been withdrawn, or where the data has been unlawfully processed.

(d) Right to Restriction: The right to obtain restriction of Processing in certain circumstances, including where the accuracy of the data is contested, where the Processing is unlawful, or where the Company no longer needs the data but the Data Subject requires it for legal claims.

(e) Right to Data Portability: The right to receive Personal Data in a structured, commonly used, and machine-readable format, and to transmit such data to another controller without hindrance, where technically feasible.

(f) Right to Object: The right to object, on grounds relating to the Data Subject's particular situation, to Processing based on legitimate interests or for direct marketing purposes.

(g) Right to Withdraw Consent: Where Processing is based on consent, the right to withdraw consent at any time, without affecting the lawfulness of Processing based on consent before its withdrawal.

Section 7.2 California Residents

In addition to the rights set forth in Section 7.1, California residents have certain additional rights under the CCPA, including: (i) the right to know what Personal Information is collected, used, shared, or sold; (ii) the right to delete Personal Information held by the Company and, by extension, its Service Providers; (iii) the right to opt-out of the sale or sharing of Personal Information (the Company does not sell Personal Information as defined under the CCPA); (iv) the right to non-discrimination for exercising CCPA rights; and (v) the right to correct inaccurate Personal Information. The Company shall not discriminate against any Data Subject for exercising their rights under the CCPA.

Section 7.3 Exercising Rights

To exercise any of the rights described in this Article VII, Data Subjects may submit a request to the Company using the contact information provided in Article XIII hereof. The Company shall respond to such requests within the timeframes required by Applicable Data Protection Laws (generally thirty (30) days under the GDPR and forty-five (45) days under the CCPA, subject to permitted extensions). The Company may require verification of the Data Subject's identity prior to processing any request. Certain requests may be subject to exceptions or limitations under Applicable Data Protection Laws.

Section 7.4 Right to Lodge Complaint

Data Subjects who believe that their rights under Applicable Data Protection Laws have been violated have the right to lodge a complaint with the relevant supervisory authority in their jurisdiction. For Data Subjects in the European Union or European Economic Area, this includes the data protection authority of the Member State in which the Data Subject resides, works, or in which the alleged violation occurred.

Section 8.1 Use of Cookies

The Sites utilize cookies and similar tracking technologies (including but not limited to web beacons, pixels, and local storage) to collect and store certain information about Data Subjects' interactions with the Sites. A "cookie" is a small text file that is stored on a Data Subject's device by a web browser at the request of a website.

Section 8.2 Types of Cookies

The Company uses the following categories of cookies on the Sites:

(a) Strictly Necessary Cookies: Cookies that are essential for the operation of the Sites and the provision of services requested by the Data Subject, including session management, authentication, and security cookies. These cookies cannot be disabled without impairing the functionality of the Sites.

(b) Analytics and Performance Cookies: Cookies that collect anonymized information about how Data Subjects use the Sites, including which pages are visited most frequently, how users navigate between pages, and whether users encounter error messages. These cookies are used to improve the performance and user experience of the Sites.

Section 8.3 Cookie Management

Data Subjects may manage their cookie preferences through their browser settings. Most browsers allow users to refuse cookies, delete existing cookies, and set preferences for cookie acceptance. Instructions for managing cookies are typically found in the "Help" or "Settings" menu of the browser. Please note that disabling certain cookies may affect the functionality of the Sites and may prevent access to certain features.

Section 8.4 Do Not Track Signals

The Sites do not currently respond to "Do Not Track" signals transmitted by web browsers. The Company does not engage in cross-site tracking or targeted advertising based on user behavior across different websites.

Section 9.1 Security Measures

The Company implements reasonable and appropriate administrative, technical, and physical safeguards designed to protect Personal Data from unauthorized access, use, alteration, disclosure, or destruction. Such measures include, without limitation:

(a) Encryption of Personal Data in transit using industry-standard Transport Layer Security (TLS) protocols;

(b) Encryption of Personal Data at rest using appropriate encryption algorithms;

(c) Implementation of access controls, authentication mechanisms, and authorization protocols to limit access to Personal Data to authorized personnel on a need-to-know basis;

(d) Regular security assessments and vulnerability testing of systems and infrastructure;

(e) Employee training and awareness programs regarding data protection and security best practices.

Section 9.2 Limitations

Notwithstanding the security measures described herein, no method of transmission over the Internet, method of electronic storage, or other security measure is completely secure or impenetrable. Accordingly, the Company cannot guarantee the absolute security of Personal Data and disclaims any liability for unauthorized access to or acquisition of Personal Data despite the Company's reasonable security measures.

Section 9.3 Data Breach Notification

In the event of a security breach involving Personal Data that is likely to result in a risk to the rights and freedoms of Data Subjects, the Company shall notify the relevant supervisory authority and affected Data Subjects in accordance with Applicable Data Protection Laws. Such notification shall include, to the extent known, the nature of the breach, categories of data affected, approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach.

Section 11.1 Cross-Border Transfers

Personal Data collected through the Sites may be transferred to, stored in, and processed in countries or jurisdictions outside the Data Subject's country of residence, including the United States and other countries where the Company or its Service Providers maintain facilities. These countries may have data protection laws that differ from, and may provide lesser protection than, the laws of the Data Subject's jurisdiction.

Section 11.2 Safeguards for International Transfers

Where Personal Data is transferred to countries outside the European Economic Area that have not been deemed to provide an adequate level of data protection by the European Commission, the Company shall ensure that appropriate safeguards are in place to protect such data in accordance with Applicable Data Protection Laws. Such safeguards may include: (i) Standard Contractual Clauses approved by the European Commission; (ii) Binding Corporate Rules; (iii) certification under an approved certification mechanism; or (iv) other lawful transfer mechanisms recognized under Applicable Data Protection Laws.

Section 14.1 Governing Law

This Policy and any disputes arising out of or relating to this Policy or the Processing of Personal Data shall be governed by and construed in accordance with the Applicable Data Protection Laws of the Data Subject's jurisdiction of residence, to the extent such laws apply. Nothing in this Policy shall be construed to limit any rights afforded to Data Subjects under mandatory provisions of local law that cannot be waived by contract.

Section 14.2 Severability

If any provision of this Policy is held by a court or other tribunal of competent jurisdiction to be invalid, illegal, or unenforceable for any reason, such provision shall be eliminated or modified to the minimum extent necessary such that this Policy shall otherwise remain in full force and effect, and the remaining provisions of this Policy shall continue to be valid and enforceable.

Section 14.3 No Waiver

The failure of the Company to enforce any provision of this Policy shall not constitute a waiver of such provision or the Company's right to enforce such provision or any other provision in the future.

Section 14.4 Entire Agreement

This Policy, together with the Company's Terms of Service and any other agreements or policies referenced herein, constitutes the entire agreement between the Company and Data Subjects with respect to the subject matter hereof and supersedes all prior or contemporaneous understandings, representations, and agreements with respect thereto.

Section 14.5 Assignment

The Company may assign its rights and obligations under this Policy to any successor or assignee in connection with a merger, acquisition, or sale of assets as described in Section 5.4 hereof. Data Subjects may not assign or transfer any rights or obligations under this Policy without the prior written consent of the Company.

Section 14.6 Language

This Policy is drafted in the English language. In the event of any inconsistency between the English version of this Policy and any translation thereof, the English version shall prevail.