This Privacy Policy (the "Policy") sets out the basis on which METATOWER OÜ ("we", "us" or "our") may collect, use, disclose or otherwise process our users' personal data in accordance with applicable privacy laws and regulations ("Privacy Laws"). This Policy applies to personal data in our possession or control, including personal data held by organisations we have engaged to collect, use, disclose or process personal data for our purposes. We take our obligations under applicable privacy laws and regulations ("Privacy Laws") seriously and are committed to respecting the privacy rights of all users of our products and websites (the "Sites") (collectively, the "Services"). User means an individual who registers for an account or otherwise uses or accesses the Services through a platform or means provided by us (individually and collectively "User", "you" or "your"); We recognise the importance of the personal information you entrust to us and believe it is our responsibility to properly manage, protect and process your personal information. This Policy is intended to help you understand： • When we collect your personal data; • What personal data we collect; • Cookies; • How we use your personal data; • How we share, transfer and disclose your personal information; • Withdrawing your consent; • Accessing and correcting your personal data; • Data protection; • Accuracy of personal data; • Retention of personal information; • Information about children; • Your rights (designed to help users residing in the European Union ("EU") understand their applicable data privacy rights that exist under the EU General Data Protection Regulation when using the Services); • Transfers of personal data outside the European Union; and • Policy change, dispute resolution and contact. 1. We generally do not collect your personal data unless (a) it is provided to us voluntarily by you directly or through a third party who has been duly authorised by you to disclose your personal data to us ("authorised representative") after (i) you (or your authorised representative) have been notified of the purposes for which the data is being collected, and (ii) you (or your authorised representative) have consented in writing to the collection and use of your personal data for those purposes, or (b) the collection and use of your personal data without consent is permitted or required by Privacy Laws or other laws. We will obtain your consent before collecting any additional personal information and before using your personal information for a purpose of which you have not been informed (except where permitted or authorised by law). 2. We may collect your personal data: a. when you register for the Services (including your nominated pseudonym or accounts and information that we import from your linked social media account (Facebook, Google, etc.) to set up your profile, including your name as it appears on your social media profile, and your profile picture); b. when you log in as a "guest" to use the Services (your pseudonym); c. when you take a survey on the Services (in which case we will process the information you provide to us as part of the survey); d. when you make transactions through our Services (where applicable) or through third party payment providers authorised by us. e. when you link your Account to your social media accounts (Facebook, Google etc.) or other external accounts or use other social media features in accordance with the Provider's policy. f. when you use our Services or interact with other users and/or us through our Services. This includes, but is not limited to, cookies that may be generated when you interact with us. 3. We will/may collect and use your personal information: a. Name b. Generated username and open id; c. Address, email address, telephone number ("Contact Information"); d. Transaction information; e. Age, gender, date of birth; f. Photo g. Usage and transaction data; h. Location-related information, including geographical location and IP address; i. Survey content and responses; j. Advertising ID; k. Customer support ticket ID and user communication with support; l. Marketing and communication data, such as your preferences for receiving marketing materials, your communication preferences and your communication history with us and our service providers; m. Security-related information. n. Data we receive if you link third party tools (such as Facebook, Google) to the Service. If you register as a user of our Services using your social media account (e.g. Facebook, Google, etc.) and link your account to your social media account, we may access information about you that you voluntarily provide to your social media account provider in accordance with that provider's policies, and we will manage and use such personal data in accordance with this Policy. o. Demographic Data p. Data to combat fraud q. Data for advertising and analytics purposes so that we can provide you with better Services 4. We use cookies and other similar technologies (e.g. beacons, log files, scripts and eTags) ("Cookies") to enhance your experience on the Services. Cookies are small files that, when placed on your device, enable us to provide certain features and functions. You have the option to allow the installation of such cookies or to disable them at a later date. You may accept all cookies or instruct your device to notify you when cookies are installed, or refuse to accept all cookies by adjusting the appropriate cookie retention function on your device. However, if you refuse to install cookies, the Services may not be able to function as intended. 5. We will/may use your information for the following purposes: a. to create your account on the Services in accordance with your request; b. to contact or communicate with you by telephone, SMS and/or fax, email and/or postal mail or other means in order to manage and/or administer your relationship with us or your use of the Services; c. to maintain a record of your transaction history; d. to manage, operate, provide and/or administer your use of and/or access to the Services (including, without limitation, your preferences) and your relationship and Account with us; e. For identification and/or verification purposes; (where applicable) f. for research, analysis and development activities (including, but not limited to, data analysis, surveys, product and service development and/or profiling) to analyse your use of our Services, to improve our Services or products and/or to enhance your customer experience; g. for security and verification purposes; to identify and fix errors; to troubleshoot and optimise device compatibility with the Services; and to combat users registering with multiple accounts; h. to store, host, back-up (for disaster recovery or otherwise) your personal data, both within and outside your jurisdiction; i. to carry out due diligence or other screening activities (including, without limitation, background checks) in accordance with legal or regulatory obligations or our risk management procedures that may be required by law or that we may have put in place; j. in response to legal process or to comply with, or as required by, applicable law, governmental or regulatory requirements of any relevant jurisdiction, including, without limitation, complying with disclosure requirements under the requirements of any law binding on us or related corporations or affiliates; k. for marketing purposes and, advertising for any marketing activity where permitted by applicable law, and to the extent permitted by applicable law, to recommend products and/or services relevant to your interests, to send you by various means and modes (including email or SMS) of communication marketing and promotional information and materials relating to products and/or services (including, without limitation, products and/or services of third parties with whom we may partner or associate) that we (and/or our affiliates or related corporations) may sell, market or promote, whether such products or services currently exist or are created in the future. You may opt-out of receiving marketing communications at any time by using the unsubscribe feature within electronic marketing materials. l. We may use your contact details to send you newsletters or marketing material from us and our affiliates; m. other purposes that are permissible under applicable law and which we inform you about when we obtain your consent. n. Such purposes may not be the case as the purposes for which we will/can collect, use, disclose or process your personal data will depend on the circumstances. However, unless privacy legislation permits the processing of relevant data without your consent, we will notify you of other purposes when we obtain your consent. 6. We value the protection of your personal data, which is an important basis and part of the products and services we provide to you. We will only collect and use your personal data for the purposes and to the extent set out in this Policy or as required by law and regulation and will keep it strictly confidential. In general, we will not share your personal information with any company, organisation or individual except in the following cases: a. with your prior consent; b. when the sharing of your personal information is required by applicable law, regulation, legal process, government compulsion or court decision; c. to the extent required or permitted by law, it is necessary to provide your personal information to third parties to protect us, its users or the public from harm to their interests, property or safety; d. your personal data may be shared with our affiliated companies. We will only share personal information where necessary, and such sharing is subject to the stated purposes of this Policy. If an affiliate wishes to change the purpose for which personal data is processed, they will again seek your authorised consent; e. in order to provide you with improved, high quality products and services, some of our services will be provided by authorised affiliates. We may share some of your personal data with our partners to provide better customer service and user experience. We will only share your personal information for purposes that are lawful, legitimate, necessary, specific and explicit, and only as much personal information as is necessary to provide the services. We also require our partners to handle your personal information in accordance with our instructions, this Policy and any other appropriate confidentiality and security measures. Our partners are not authorised to use the personal data provided for any other purpose. If you refuse to allow our partners to collect the personal information necessary to provide the service, you may not be able to use this third party service on our platform. 7. The collection and processing of information by our partners is subject to their own privacy policies or related statements, which do not apply to this Policy. In order to maximise the security of your information, we recommend that you read the privacy policy of each third party service before using it. In order to protect your legitimate rights and interests, if you find that the relevant third party services carry risks, we recommend that you terminate the relevant operations immediately and contact us in a timely manner. 8. We will not share your personal information with any company, organisation or individual, except for the following reasons: a. with your explicit consent; b. sharing in accordance with applicable laws and regulations, legal process requirements and mandatory administrative or judicial requirements that may be necessary; c. in the event of a merger, acquisition, transfer of assets, bankruptcy and liquidation or similar transaction involving the transfer of your personal information, we will require the new company or organisation holding your personal information to continue to be bound by this Policy before we require them to re-obtain your authorised consent. 9. We will only publicly disclose your personal information: a. when we have obtained your express consent; b. if we are compelled to do so by law, legal process, legal proceedings or a government body. c. In accordance with relevant laws and regulations and national standards, we may share, transfer and publicly disclose personal data without obtaining your prior authorised consent in the following cases: d. In connection with the performance of our legal and regulatory obligations; e. Directly related to national security and defence security; f. Directly related to public safety, public health and significant public interest; g. Directly related to the investigation of crimes, prosecution, trial and execution of sentences, etc; h. In order to protect the life, property and other essential rights and interests of the personal data subject or other individuals, but where it is difficult to obtain their consent; i. Personal data disclosed to the public by the personal data subject himself; j. Personal data collected from information that is lawfully and publicly disclosed, such as legal news reports, government disclosure and other channels. k. the sharing, transfer or public disclosure of personal data that has been anonymised to the extent that the recipient of the data cannot recover and re-identify the subject of the information is not considered a sharing, transfer or public disclosure of personal data, and such data is stored and processed without your notice or consent. 10. Your consent to the collection, use and disclosure of your personal data will remain valid until you withdraw it in writing. You may withdraw your consent and require us to stop collecting, using and/or disclosing your personal data for any or all of the purposes listed above by submitting a request in writing or by email to our Data Protection Officer at the contact details below. 11. Upon receipt of a written request to withdraw consent, we may require a reasonable amount of time (depending on the complexity of the request and its impact on our relationship with you) to process the request and to notify you of the consequences of our acceding to it, including any legal consequences that may affect your rights and obligations to us. We will generally endeavour to process your request within thirty (30) working days of receipt. 12. Whilst we respect your decision to withdraw your consent, please note that, depending on the nature and extent of your request, we may not be able to continue to provide the Services to you and, in such circumstances, we will notify you before terminating the processing of your request. If you decide to revoke your withdrawal of consent, please inform us in writing as described below. 13. Please note that withdrawal of consent does not affect our right to continue to collect, use and disclose your personal information where such collection, use and disclosure without consent is permitted or required by applicable law. 14. If you wish to make (a) a request for access to a copy of the personal data we hold about you or information about how we use or disclose your personal data, or (b) a correction request to correct or update any personal data we hold about you, you may submit your request in writing or by email to our Data Protection Officer at the contact details below. 15. Please note that a reasonable fee may be charged for an access request. If this is the case, we will inform you of the fee before processing your request. 16. We will respond to your request as soon as possible. Generally, our response will be within thirty (30) working days. If we are unable to respond to your request within thirty (30) days of receiving your request, we will inform you in writing within thirty (30) days of when we will be able to respond to your request. If we are unable to provide you with the personal data or make the correction you have requested, we will inform you generally of the reasons why we are unable to do so (except where we are not required to do so under the Privacy Acts). 17. In order to protect your personal information from unauthorised access, collection, use, disclosure, copying, modification, deletion or similar risks, we have put in place appropriate administrative, physical and technical measures, such as minimised collection of personal information, authentication and access controls (such as good password practices, the need to disclose data etc. ), data encryption, data anonymisation, up-to-date anti-virus protection, regular patching of the operating system and other software, secure disposal of storage media on devices prior to disposal, measures to protect websites from threats, use of one-time password(otp)/two-factor authentication (2fa)/multifactor authentication (mfa) to secure access, and security review and testing carried out regularly. However, it is important to remember that no method of transmission over the Internet or method of electronic storage is completely secure. Although security cannot be guaranteed, we strive to ensure it and are constantly reviewing and improving our information security measures. 18. We generally rely on the personal information provided by you (or your authorised representative). To ensure that your personal information is up to date, complete and accurate, we ask you to update us if there are any changes to your personal information by informing our Data Protection Officer in writing or by email to the contact details below. 19. We may retain your personal data for as long as necessary to fulfil the purpose for which it was collected or as required or permitted by applicable law. 20. We will cease to store your personal data or remove the means by which the data can be linked to you as soon as it can be assumed that such storage no longer serves the purpose for which the personal data was collected and is no longer necessary for legal or business purposes. 21. This service is not directed at children under the age of 18. We do not knowingly collect or store personally identifiable information or non-personally identifiable information from anyone under the age of 18, nor is any part of our site or service directed to them. 22. As a parent or legal guardian, please do not allow children in your care to provide us with personal information. Please refer to our Terms of Service for more information. 23. If you disclose to us the personal data of a child under the age of 18 in your care, you hereby consent to the processing of your child's personal data and accept and agree to be bound by the terms of this Policy on behalf of your child. 24. If, in fact, you do not consent to us processing the personal data of a child under the age of 18 in your care, please contact our Data Protection Officer. We will close any account used exclusively by such child and delete and/or erase any personal data provided by such child without parental consent or as otherwise required by applicable law. 25. You have certain rights in relation to the personal data we hold about you. Some of these only apply in certain circumstances (as set out in more detail below). We must respond to your request to exercise these rights without undue delay and at least within one month (although this period may be extended by a further two months in certain circumstances). To exercise any of your rights, please contact us by email at office@metatower.com. 26. You have the right to access your personal data that we hold, how we use it and with whom we share it. You can access the personal information you have provided under your account by logging into your account and by contacting office@metatower.com . If you believe that we are in possession of any other personal information about you, please email us at office@metatower.com . 27. You have the right to receive a copy of some of the personal data we process about you. This includes any personal data we process on the basis of your consent (e.g. certain survey information) or on the basis of our agreement with you, as described in 'How we use your personal data'. You have the right to receive this information in a structured, commonly used and machine-readable format. You also have the right to request that we transfer this personal information to another party. 28. If you want us to transfer such personal information to a third party, please make sure you specify that party in your request. Please note that we can only do this if it is technically feasible. Please note that we may not be able to provide you with personal data if providing it would violate the rights of others (for example, if providing personal data we hold about you would reveal information about another person or our trade secrets or intellectual property). 29. You have the right to correct any personal data held about you that is inaccurate. You can access the personal information provided under your account by logging into your account. If you believe that we hold any other personal data about you and it is inaccurate, please email us at office@metatower.com. 30. You can delete your account or remove some personal information by logging into your account. If there is any other personal data that you think we are processing that you would like us to delete, please email us at office@metatower.com. 31. You can request that we delete personal data that we hold about you in the following circumstances: a. you believe that it is no longer necessary for us to hold such personal data; b. you believe that the personal data we hold about you is being unlawfully processed by us. 32. You may also exercise your right to restrict our processing of your personal data (as described below) while we consider your request. 33. We may need to retain personal data if there are legitimate reasons under data protection law for us to do so (e.g. to defend legal claims or freedom of speech), but we will inform you if this is the case. If you request that we delete personal data made publicly available on the Services and there are grounds for deletion, we will take reasonable steps to try to inform other people who display personal data or provide links to personal data to also delete it. 34. In certain circumstances, you have the right to request that we stop processing the personal data we hold about you other than for storage purposes. However, please note that if we stop processing your personal data, we may use it again if there are compelling reasons under data protection law for us to do so (e.g. to defend a legal claim or to protect another person). As above, where we agree to stop processing your personal data, we will endeavour to inform any third parties to whom we have disclosed the relevant personal data so that they can also stop processing it. 35. You may request that we cease processing and only retain personal data that we hold about you where: a. you believe that the personal data is not accurate, for the period of time needed for us to check that it is accurate; b. you want to delete the personal data because the processing we are carrying out is unlawful, but you want us to keep the personal data; c. you want the personal data deleted because it is no longer needed for our purposes, but you require it to be retained for the establishment, exercise or defence of legal claims. 36. You have the right to object to our processing of personal data relating to you. We will consider your request in other circumstances, detailed below, by emailing us at office@metatower.com. 37. We may send you communications from time to time when we deem it necessary (e.g. when we temporarily suspend access to the Service for maintenance, or security, privacy or administrative messages). You may not opt-out of these non-promotional Service-related announcements. 38. We generally do not transfer your personal information to countries outside the European Economic Area. However, if we do, we will obtain your consent to the transfer and take steps to ensure that your personal data continues to receive a standard of protection that is at least comparable to that provided by the General Data Protection Regulation ("GDPR"). 39. This Policy applies in conjunction with any other Policies, contractual clauses and consent clauses that apply in relation to our collection, use and disclosure of your personal information. 40. We may change this Policy from time to time without prior notice. You can determine whether such a change has occurred by referring to the date this Policy was last updated. Your continued use of our services constitutes your acknowledgement and acceptance of such changes. 41. This Policy and any actions related thereto will be governed by the laws of Poland, without regard to its conflict of law provisions. 42. Contact and Complaints. You may contact us if you have any queries or feedback about our Data Protection Policy and procedures, or if you wish to make any request, as follows: Data Protection Officer: Email address: Effective date : Last updated :