InJoy Global Privacy Policy

Effective Date: August 17, 2016

We want to thank you for using InJoy Global’s products, services, websites, and products. Our customers are the most important aspect of our business and we appreciate you looking to InJoy Global to further your business. InJoy Global offers our customers an online platform to create programs to support their digital businesses. The entire selection of products, services and tools offered on our platform are our “Product.”

This Privacy Policy applies to your use of our Product and including your use of the “Challenge Creator” customer mobile application, which enables our users to build their own “challenge” scenarios for their clients and communities.

The terms “we”, “us”, “our” and “Company” refer to InJoy Global, Inc., a Nevada corporation. “You” or “your” refers to the person or company who uses the Product. Your use of the Product is governed by Privacy Policy as it exists at the time of your use. We reserve the right to change this Privacy Policy in the future without notice, as described below

GENERAL POLICIES

By accessing the Product, you agree to the terms of this Privacy Policy and expressly consent to the processing of personal information and session data according to the terms contained herein. By using our Product, you accept the policies and restrictions set forth in this Privacy Policy. If you do not agree to this policy, please do not use the Product.

This Privacy Policy is incorporated into and subject to the applicable Terms of Service[link] and Acceptable Use Policy[link]. 

Consent

Voluntarily submitting personal information constitutes your consent for InJoy Global to use the information for the purpose stated and indicates to us that you are aware of this Privacy Policy’s provisions.

If you have any questions or unresolved privacy concerns, please contact us at info@injoyglobal.com

Information that We Collect

Information that you provide to us: We may collect personal information that you provide when using our Product, such as when you: (1) create an account; (2) subscribe to our Product; (3) participate in events or promotions; (4) send questions or comments via email or live chat; (5) interact with our sales or customer support team; (6) apply for a job with us online; (7) fill out surveys; or (8) otherwise communicate with us through or about our Product. The types of personal information that you provide may include your name, email address, telephone number, mailing address, credit card information, and other contact or identifying information that you choose to provide. We store, process, and maintain files and content that you create and/or upload using our Product, as well as other data related to your account to provide the Product to you.

We do not store any credit card information we receive except as necessary to complete and satisfy our rights and obligations with regard to such transaction, billing arrangement, and/or as otherwise authorized by you. We use third party payment processors to process online payments.

Information about use of our Product: We collect certain device-specific information when you download and install the Product on your mobile device, including your mobile device model, operating system information, our mobile version and usage information. In addition, we may collect a resettable device identifier from your device. Resettable device identifiers (also known as mobile advertising identifiers) are similar to cookies and are found on many mobile devices and tablets (for example, the “Identifier for Advertisers” (or IDFA) on Apple iOS devices and the “Google Advertising ID” (or GAID) on Android devices), and certain streaming media devices. Like cookies, resettable device identifiers are used to make online advertising more relevant and for analytics and optimization purposes. Your mobile device’s operating system allows you to adjust your settings to opt out of providing this identifier. However, we do not use these identifiers to serve in-app advertising. Also, with your prior permission, we may collect your location information provided by your mobile device, which you may disable at any time through the device settings.

Our servers automatically collect usage information about your use of the Product, including the pages visited, number of log-ins, data displayed or clicked on, actions taken, your language preference, and other login information. We may collect automated error reports in the case of software malfunctions, which may contain some or all of the information in your account and content and may be reviewed to help resolve problems with the Product.

We collect information from the device and application you use to access our Product. Device data mainly means your IP address, operating system version, device type, device ID/MAC address, system and performance information, and browser type. If you are on a mobile device, we also collect the UUID for that device.

We use a variety of technologies to collect this information, such as first party and third-party cookies and tracking services that employ cookies and page tags (also known as web beacons). This data includes usage and user statistics. Emails sent by Injoy Global or by users through our Product also may include page tags that allow the sender to collect information about who opened those emails and clicked on links in them. More information about our use of cookies and other tracking technologies is provided below.

Like most websites, our web servers keep log files that record data each time a device accesses those servers. The log files contain data about the nature of each access, including originating IP addresses, internet service providers, the files viewed on our site (e.g., HTML pages, graphics, etc.), operating system versions, device type and timestamps.

If you arrive at Injoy Global from an external source (such as a link on another website or in an email), we record information about the source that referred you to us.

Information from third parties and integration partners: We may obtain personal information from third parties and combine such information with the information that we collect through our Product and such information may be used for the purposes described in the “How We Use the Information We Collect” section below. For example:

How We Use the Information We Collect

Use of Information: We may use the personal information collected through our Product to:

We reserve the right at all times to review your content and information to help resolve problems with our software or Product, or to ensure that you remain in compliance with our Terms of Service[link] and Acceptable Use Policy[link].

Information we may share: We do not “sell” your personal information (as that term is defined in the California Consumer Privacy Act). However, we may share your personal information with third parties as follows:

We may allow others to provide analytics services for our Product. These providers (for example, Google Analytics) may use cookies, web beacons, device identifiers, and other tracking technologies that collect information about your use of our Product. This information may be used by us and others to determine the popularity of our Product, deliver advertising and content targeted to your interests in the Product, and on other websites, apps, and other services, and to better understand your online activity. You can opt out of Google Analytics by visiting https://tools.google.com/dlpage/gaoptout. 

Where We Store Your Personal Data

Data Storage: All data that you provide to use through our Product is stored on secure servers located in the United States. Any payment transactions will be encrypted using SSL technology; all payment data is stored by our payment processors and is never stored on our servers. Where we have given you (or where you have chosen) a password that enables you to access your account and the Product, you are responsible for keeping this password confidential. We recommend that you not share your password and that you change it frequently.

Data Security: Injoy Global takes reasonable measures to protect your personal information and your content from loss, misuse, and unauthorized access, disclosure, modification, and destruction and to ensure that your content remains protected and available to you. Unfortunately, the transmission of data via the internet is not completely secure and although we do our best to protect your personal data, we cannot guarantee the security of your data transmitted through the Product. All transmissions are at your own risk.

Data Retention: Injoy Global stores the information we collect for as long as necessary for the purpose for which it was originally collected and in compliance with our legal obligations. The retention periods applied by Injoy Global comply with applicable legislation then in effect, namely:

We may retain certain information for legitimate business purposes or as required by law.

Third Parties

Third parties who provide and/or publish content via our Product shall be deemed the data controllers for any personal data contained in the content uploaded by any such party to the Product (“Third-Party Content”) and any other personal data processed in relation to such Third-Party Content. This Privacy Policy only concerns the processing for which InJoy Global is the data controller. If you have any questions regarding personal data contained in Third-Party Content, please contact the third-party provider responsible for such Third-Party Content.

Children Age 16 and Under

The Product is not directed at children under the age of 16 and we never knowingly collect personal information from children. We recognize the special obligation to protect personal information obtained from children age 13 and under. IF YOU ARE 16 YEARS OLD OR YOUNGER, THE COMPANY REQUESTS THAT YOU NOT SUBMIT ANY PERSONAL INFORMATION TO THE SITE OR TO INJOY GLOBAL. If we discover that a child age 16 or younger has signed up for our Product or provided us with personal information, we will delete that child’s identifiable information from our records.

How We Use “Cookies” and Other Tracking Technologies

Cookies are files that web servers place on an Internet user’s browser that are designed to store basic information, such as visitor preferences. The use of cookies on a website allows visitors to enjoy more seamless visits and more accurately measures visitor behavior on a website.

The cookies used on the Website do not identify you personally. They merely recognize your browser, unless you choose to identify yourself voluntarily. You may choose to identify yourself for the following reason: So the browser will remember your username and password.

We may use session and persistent cookies. Session cookies exist only during an Internet user’s online session. They disappear (or expire) from the user’s computer when he/she closes the browser software.

Persistent cookies remain on the user’s browser after the browser has been closed. We may place persistent cookies on your web browser to remember your information and settings when you visit our Website at a future date. This makes your experience more convenient, meaningful, and relevant. When you come to the Website, our web server uses persistent cookies to improve your interaction with the Website by, for example, remembering your preferences and dynamically serving more relevant content to you. We use cookies to identify the fact that you are one of our customers or a prior visitor (as applicable). Visitors who disable their web browsers’ ability to accept cookies will still be able to browse a website, however, they may lose some of the functionality provided by the use of cookies.

We may also use first-party and third-party cookies. First-party cookies are served directly by a website to your computer’s browser and are only used by the website operator, who recognizes your computer when you revisit a website. Third-party cookies are served to your computer through one of our service providers on behalf of a website operator.

You have the ability to accept or decline cookies. Most web browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies if you prefer. For further information about disabling cookies you can visit www.allaboutcookies.org. If you choose to decline cookies, you may not be able to login or use other interactive features of our Website and services that depend on cookies.

Your Choices and Rights

Subject to applicable law, we will make reasonable efforts to ensure your collected personal information is accurate and complete and we will update or correct your information as needed when notified by you. If you would like to request access to your personal information, request to verify your personal information, identify any inaccuracy in your personal information, or change or delete your personal information, please contact us at info@injoyglobal.com. We strive to respond to these requests with 30 days or as required in accordance with applicable law.

Whenever you directly provide us with your personal information, please be sure it is accurate and complete. We cannot be responsible for any information you provide to us that is incomplete or incorrect.

We will not collect, use, or disclose your personal information in any ways or for any purposes that are materially different from those set forth herein. However, if we wish to do so in the future, we will obtain your consent first, and offer you the choice to opt-out of such proposed collection, use, or disclosure.

In addition, you have several options with respect to your personal information, as follows:

Links to External Sites

Our Product may, from time to time, contain links to and from third party websites, such as partners, affiliates, and advertisers. If you follow a link to any external website, it will have its own privacy policy and we are not responsible for the content or practices of such third-party websites or their policies. We are also not responsible for any information that you might share with such linked websites. You should refer to each website’s respective privacy policy and practices before you submit any personal information.

Data Posted on Forums

Product users may have the ability to post content to one or more Product or other forums sponsored by Injoy Global, such as chat rooms and bulletin boards. You should be aware that when you voluntarily disclose personal information in any forum, that information can be collected and used by others and may result in unsolicited messages from other people. You are responsible for the personal information you choose to submit in these instances. Please take care when using these features. You may request and obtain removal of such posted content by contacting us at info@injoyglobal.com and specifically identifying the content to be removed. Please be advised that any such removal does not ensure complete or comprehensive removal of all traces of the content posted on the our forums.

Located in the United States

For users located outside the jurisdiction of the United States, InJoy Global operates and processes data in the United States. Information we collect from you will be processed in the United States, and by using this website you acknowledge and consent to the processing of your data in the United States. The United States has not received a finding of “adequacy” from the European Union under Article 41 of the GDPR. We collect and transfer to the US personal data only with your consent; to perform a contract with you; or to fulfill a compelling legitimate interest of ours in a manner that does not outweigh your rights and freedoms. Please be aware that the United States and jurisdictions other than the one in which you are located may not provide the same level of data protection as considered adequate in your country. Note also that your personal information may be available to the US Government or its agencies under legal process in the United States.

If your business operates within the European Economic Area (EEA), United Kingdom or Switzerland, as an InJoy Global customer you are operating as a “data controller” of “personal data” of “data subjects” located in the EEA (as those terms are defined in the European General Data Protection Regulation 2016/679 (GDPR)). By requesting the Product and agreeing to these Terms, you are providing us with instructions to process any personal data collected by you through our Product on your behalf. You shall ensure and hereby warrant and represent that you are entitled to transfer personal data to InJoy Global so that we may lawfully process and transfer the personal data in accordance with these Terms. You shall ensure that relevant data subjects have been informed of, and have given their consent to, such use, processing, and transfer as required by all applicable data protection laws and have sole responsibility for the accuracy, quality and legality of personal data processed by us in the provision of the Product.

California Privacy Rights

California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits our users who are California residents to request and obtain from us, once a year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes and the names and addresses of all third parties with which we shared personal information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request in writing to us using the contact information provided below.

If you are under 18 years of age, reside in California, and have provided your personal information to our Website, you have the right to request removal of unwanted data that you publicly post on the Website. To request removal of such data, please contact us using the contact information provided below, and include sufficient detail about the public post(s) and a statement that you reside in California. We will make sure the data is not publicly displayed on the Website, but please be aware that the data may not be completely or comprehensively removed from our systems, nor can we guarantee any cached or archived version of the Website will remove such data.

The California Consumer Privacy Act (CCPA), enacted in 2018, creates new consumer rights relating to the access to, deletion of, and sharing of personal information of California residents that is collected by businesses. While we do not sell your personal information to any third party, we may partner with third-party service providers and affiliate partners who may gain access to your personal and non-personal information through the use of beacons, tracking pixels, or cookies as provided in this Privacy Policy. If you are a California resident, California law may provide you with additional rights regarding our use of your personal information.

Nevada Privacy Rights

Nevada law (SB 220) requires website operators to provide a way for Nevada consumers to opt out of the sale of certain information that the website operator may collect about them. We do not sell your personal information to third parties as defined in Nevada law, and will not do so in the future without providing you with notice and an opportunity to opt-out of such sale as required by law.

European Economic Area, UK and Swiss Privacy Rights

For residents of the European Economic Area (EEA), United Kingdom (UK) or Switzerland, we advise that your personal information will be transferred to and processed in the United States, which has data protection laws that are different than those in your country and may not be as protective. The United States has not sought or received a finding of “adequacy” from the European Union under Article 45 of the General Data Protection Regulation (GDPR). Our legal basis for collecting and using your personal information is to do so with your consent; where we need the personal information for performance of a contract or requested service, or where the collection and use is in our or another’s legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms. In some cases, we may also have a legal obligation to collect the personal information in question. If we collected your personal information with your consent, you may withdraw your consent at any time.

Our retention of your personal information and any subsequent communications are based on our legitimate interest in providing you with new and potentially relevant materials based on your geography, role, or company. As always, you can elect to opt out from receiving such future communications.

To the extent that we transfer personal information from the EEA, UK or Switzerland to a jurisdiction outside those countries that has not been adduced by the European Commission as providing adequate data protections (such as the United States), we will ensure that such personal information is safeguarded through appropriate contractual terms or other approved mechanisms.

Rights for EEA/UK/Swiss Residents – If you are a resident of the EEA, UK or Switzerland, you have the right to:

Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

If we ask you to provide personal information to us to comply with a legal requirement or enter into a contract, we will inform you of this and let you know whether providing us with your personal information is required and if not, the consequences of not sharing your personal information with us.

Similarly, if we collect and use your personal information in reliance on our or a third party’s legitimate interests and those interests are not already described above, we will let you know what those legitimate interests are.

We endeavor to apply suitable safeguards to protect the privacy and security of your personal information and to use it only consistent with your relationship with us and the practices described in this Privacy Policy.

To withdraw consent or exercise these rights, please contact us via email at info@injoyglobal.com.

If you are not satisfied with our response, or believe we are processing your personal information in violation of the law, you have the right to lodge a complaint with the Supervisory Authority (also known as Data Protection Authority) or other appropriate governmental authority in your EEA Member State. A list of Supervisory Authorities is available here: https://edpb.europa.eu/about-edpb/board/members_en.

INJOY GLOBAL INC DATA PROCESSING AGREEMENT

INJOY GLOBAL INC DATA PROCESSING AGREEMENT

Date: June 28, 2022

The General Data Protection Regulation (GDPR) is a set of rules, enforced on 25th May 2018, that aims to give EU citizens more control over their personal information. INJOY GLOBAL INC (“we, us”) is committed to respect all GDPR requirements.

01. Application of the DPA

1.1. This Data Processing Agreement, including its Appendixes (the “DPA”), is between us and entities who subscribe for INJOY GLOBAL INC’s services (“Customer, you, your”) and reflects the Parties agreements with respect to the processing of personal data by us, on your behalf and in connection with the services we provide to our customers under our terms and conditions (the “Master Agreement”). Please note, however, that this DPA solely applies if the processing of data is governed by the GDPR.

1.2. If this DPA applies, this DPA forms part of our terms and conditions between us and you. In other words: this DPA supplements the Master Agreement and forms an integral part of the Master Agreement.

02. Definitions

2.1. In this DPA, the following terms shall have the following meaning:

a) “Applicable Privacy Law(s)” means EU Data Protection laws and regulations, including the GDPR;

b) “EEA” means the European Economic Area;

c) “GDPR” means the European Union General Data Protection Regulation (2016/679);

d) “Personal data” means all data which is qualified as personal data under Applicable Privacy Law(s);

e) “Services” means all products and services provided by us under the Main Agreement;

f) “Sub-processors” means any entity appointed by us or on our behalf to process personal data;

g) “Standard Contractual Clauses” means the “controller-to-processor” (Module 2) modules of the Standard Contractual Clauses for the transfer of Personal data to third countries pursuant to Regulation (EU) (04 June 2021).

2.2. Other terms such as “controller”, “processor”, “data subject”, “sensitive data”, or “data breach”, shall have the meaning assigned to them under the Applicable Privacy Law(s).

03. Roles of the Parties

3.1. The Parties acknowledge and agree that, with respect to the processing of Personal data under this DPA:

You act as the controller, and have the sole and exclusive authority to determine the purposes and means of the processing of Personal data;

We act as the processor, and will only process Personal data on your behalf and under your instructions;

We may engage sub-processors (in accordance with article 9).

3.2. All Personal data processed under this DPA shall remain your property and we will not have or obtain any rights therein. Under no circumstances will we act, or be deemed to act, as a “Controller” of the personal data under Applicable Privacy Law(s).

04. Your responsibilities

4.1. You agree and guarantee that:

the processing of Personal data, including your instructions to us, are and shall continue to be in accordance with all Applicable Privacy(s);

the Personal data may be processed outside of the European Economic Area (EEA);

you have provided notice and obtained all consents and rights necessary under Applicable Privacy Law(s) for us to process Personal data and provide our services to you under the Master Agreement;

you will be solely responsible for the quality, accuracy and legality of Personal data and the means by which you acquired the Personal data;

if processing by us involves any sensitive data, you have collected such data in accordance with all Applicable Privacy Law(s);

you will inform your data subjects about your use of data processors to process their Personal data, including us (INJOY GLOBAL INC).

05. Purpose, ownership of data

5.1. In using our services under the Main Agreement, you may submit through the services or otherwise provide access to us, certain Personal data. As your processor, we shall only process Personal data for the following purposes:

In order to provide our services in accordance with the Main Agreement, including transmission of communication, implementing improvements and updates;

In order to comply with other reasonable instructions provided by you (e.g., via support tickets or email);

As initiated through the use of our services by you, your personnel and other end users you allow to use our services;

For our legitimate business purposes, such as preventing security threats from happening, billing, financial reporting, product improvement, and to comply with any legal requirements.

5.2. You agree to take full responsibility to keep the amount of Personal data provided to us, to the minimum necessary for the performance of our services under the Master Agreement. You are solely responsible for ensuring that your use of our services comply with Applicable Privacy Law(s).

06. Data Subject Requests

6.1. To the extent we are required under Applicable Privacy Law(s) and only to the extent you are unable to independently address a request or complaint from a data subject, we will provide reasonable assistance to you to respond to such a request or complaint. You shall be responsible for any costs arising from this assistance.

6.2. Please note that we will not respond to a request or complaint from a data subject, except on your written request or if required by Applicable Privacy Law(s).

6.3. In the event that we receive a request or complaint from a data subject, we shall promptly notify you and shall not respond to such communication without your consent, unless we are required to do so by Applicable Privacy Law(s).

07. International transfers

7.1. We are located in the United States. You understand and agree that we may transfer Personal data to the United States and to other jurisdictions where we and / or our sub-processors have operations. We will only do so, however, if there is an adequacy decision in place issued by the EU Commission or if there are appropriate safeguards in place for the transfer.

7.2. If Personal data is transferred out of the EEA or Switzerland, to countries which do not ensure an adequate level of data protection within the meaning of the Applicable Privacy Law(s), the relevant Standard Contractual Clauses will apply, which shall be deemed incorporated into and form a part of this DPA. The Parties agree to abide by and process Personal data in compliance with the Standard Contractual Clauses. Since we are acting as a processor, and you are acting as a controller, the Controller-to-Processor clauses (Module 2) will apply to a data transfer.

7.3. The Parties agree that for the purposes of the Standard Contractual Clauses, (i) we will be deemed the data importer and (ii) you will be deemed the data exporter.

7.4. Nothing in this DPA will be construed to prevail over any conflicting clause of the Standard Contractual Clauses.

7.5. Where the Standard Contractual Clauses require the Parties to choose between optional clauses and / or to input information, the Parties have agreed as follows:

Docking clause: this option under clause 7 shall not apply;

In Clause 9, Option 2 (“General written authorisation”) shall apply: “The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 14 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.”;

In Clause 17, Option 1 will apply: “These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Netherlands”;

Clause 18(b), (“Choice of forum and jurisdiction”): disputes shall be resolved before the court of the Netherlands;

For Clause 11(a) (“Redress”): the Parties do not adopt the Option.

The Annexes of the Standard Contractual Clauses shall be deemed completed with the relevant information set out in Appendix 1 and Appendix 2 of this DPA.

7.6. The Standard Contractual Clauses will not apply to a transfer of Personal data if we have adopted Binding Corporate Rules or an alternative recognized compliance standard for lawful transfers.

08. Government access requests

8.1. As a matter of general practice, we do not voluntarily provide government authorities or agencies with access to Personal data. We shall promptly notify you about any compulsory request for disclosure of Personal data from any government authority or agency, unless otherwise prohibited from doing so. We shall challenge the request if, after careful assessment, we determine that the request is unlawful.

09. Sub-processing

9.1. By means of this DPA, you agree and provide a general authorization to us to engage Sub-processors for the processing of personal data.

9.2. A list of our current Sub-processors is set out in Appendix 3. We may update the list of Sub-processors from time to time. Before replacing or engaging a new Sub-processor, we will give you the option to object to the change (“change notice”). We may change a Sub-processor where the reason for the change is outside of our reasonable control (“emergency replacement”). In this case, we will inform you of the emergency replacement, as soon as possible.

9.3. If you have a legitimate reason that relates to the Sub-processors’ processing of Personal data, you may object to a new Sub-processor, by notifying us within 10 days of receipt of our change notice. When you object to the use of a new Sub-processor, the Parties will come together in good faith to discuss a solution. If it is not possible to come to a commercially reasonable solution, either party may terminate the Master Agreement on thirty days’ written notice. Please note that if you do not terminate the Master Agreement in accordance with this clause, you are deemed to have agreed to the new Sub-processor.

9.4. We shall make proper arrangements with any Sub-processors. We do our best to ensure that our Sub-processors comply with the obligations set forth in this DPA with respect to the processing of the Personal data. If a Sub-processor fails to comply with its data protection obligations, we shall remain fully liable to you for the performance of the Sub-processor’s obligations.

10. Audit

10.1. We are willing to cooperate and provide information in the event of an audit. Upon your written request, we shall (but not more than once per year, other than in the event of a breach) submit to your audits and inspections, to demonstrate compliance with the obligations set forth in this DPA and our respective obligations under Applicable Privacy Law(s). The findings of the audit conducted will be assessed by the Parties in mutual consultation. The costs of the audit will be borne by you.

11. Data breach

11.1. In the event of a data breach, we will inform you of the data breach within a timely manner and in accordance with the timeframe required of us under Applicable Privacy Law(s), so that you are able to meet your obligations to report a data breach.

11.2. In the event of a data breach, we shall take all reasonable steps to mitigate the effects of the incident and / or prevent such a breach from reoccurring.

11.3. The Parties agree to coordinate in good faith on developing the content of any public/regulatory communication or press release, provided that this shall not prevent you from complying with Applicable Privacy Law(s).

12. Term

12.1. This DPA shall remain in effect for as long as we and / or our Sub-processors process Personal data on your behalf or until termination of the Master Agreement (and all Personal data has been returned or deleted in accordance with article 14 of this DPA).

12.2. Obligations under the DPA that are intended by their nature to continue after termination of the DPA, will continue to apply after termination of the DPA.

13. Limitation of liability

13.1. Notwithstanding anything to the contrary in the Master Agreement or this DPA, the

liability of each party and each party’s affiliates under this DPA will be subject to

the limitations and exclusions of liability set out in the Master Agreement.

14. Deletion and return of Personal data

14.1. Upon termination or expiration of the Master Agreement, we will (at your election) delete or return to you all Personal data in our control or possession. We, or our Sub-processors, may retain some or all Personal data to the extent that it is required by Applicable Privacy Law(s). In this event, we shall protect the Personal data from any further processing except when required by such law.

14.2. If we are unable to delete Personal data due to technical or other reasons, we shall apply reasonable measures to ensure that:

the Personal data is blocked from any further processing;

the Personal data is anonymized.

15. Amendment to this DPA

15.1. We are allowed on at least 30 days’ notice to you, to make any variations to this DPA that we deem necessary in case of changes in the Master Agreement, Applicable Privacy Law(s) or other relevant circumstances affecting the processing of personal data.

15.2. If you choose to object to any variation on reasonable grounds, you have the right to terminate the Master Agreement on written notice, provided that we receive your notice before the effective date of our 30 days’ notice.

16. Governing law and jurisdiction

16.1. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Master Agreement, unless required otherwise by Applicable Privacy Law(s).

17. General

17.1. If there is any conflict or inconsistency between this DPA and the Master Agreement, the provisions of the following documents (in order of precedence) shall prevail: (i) SCCs; then (ii) this DPA; and then (iii) the Master Agreement.

APPENDIX 1 – Details of Data Processing

Where relevant, this Appendix I will serve as Annex I to the Standard Contractual Clauses EEA, Module 2 (Transfer Controller-to-Processor).

Annex 1 , Section A, List of Parties

Data exporter(s): You, the Customer.

Data exporter contact details: the contact details that are stored in the Customer’s account.

Signature and date: as of the effective date of this DPA, you are deemed to have signed and accepted the Standard Contractual Clauses incorporated herein.

Role: controller.

Representative: not applicable.

Data importer: we, InJoy Global, Inc.

Data importer contact details: InJoy Global, Inc., General Counsel 5348 Vegas Dr., Las Vegas, NV 89108 USA (info@injoyglobal.com)

Signature and date: as of the effective date of this DPA, we are deemed to have signed and accepted the Standard Contractual Clauses incorporated herein.

Role: processor.

Representative: not applicable.

Annex 1 , Section B, Description of transfer

1. Categories of data subjects whose personal data is transferred:

Transferred Personal data relates to the following categories of data subjects: customers’ end-users and other individuals having been granted access to the services.

2. Categories of personal data transferred:

Communication information, such as personal data included in chats;

End-user account information, such as first name, last name, as email address, telephone number, location information;

End-user usage information, such as device-specific information, resettable device identifier.

3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

Although we do not anticipate the transfer of sensitive data, it may happen that we process sensitive data if you or your end-users choose to transmit sensitive data using our services. Please note that you are solely responsible for applying specific restrictions and / or additional safeguards adapted to the specific nature of the sensitive data.

4. The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Personal data is transferred on a continuous basis.

5. Nature of the processing:

Personal data will be processed by us to the extent necessary to provide the services under the Master Agreement and as otherwise authorized by the Master Agreement, this DPA or Applicable Privacy Law(s).

6. Purpose(s) of the data transfer and further processing:

We process Personal data for the purpose of providing our services under the Master Agreement and for the other purposes as set out in this DPA.

7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

We store the information we collect for as long as necessary for the purpose for which it was originally collected and in compliance with our legal obligations. End-users data relating to the personal account, will not be retained after the account has been deleted.

8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

For transfers to (sub-)processors, the subject matter and nature of the processing is outlined at Appendix 3 – List of sub-processors. The duration is for the duration of the Master Agreement.

Annex 1 , Section C, Competent supervisory authority

Identify the competent supervisory authority/ies in accordance with Clause 13:

If the data exporter is established in an EU Member State: the supervisory authority responsible for ensuring compliance by the data exporter with the GDPR.

If the data exporter is not established in an EU Member State, but falls within the (extra-)territorial scope of the GDPR and has appointed a representative pursuant to Article 27(1) of the GDPR: the supervisory authority of the Member State in which the representative is established.

If the data exporter is not established in an EU Member State but falls within the (extra-)territorial scope of the GDPR without, however, having to appoint a representative pursuant to Article 27(2) of the GDPR: the supervisory authority of one of the Member States in which the data subjects whose Personal data is transferred under the Standard Contractual Clauses, are predominantly located.

APPENDIX 2 – Technical and organizational measures, including technical and organizational measures to ensure the security of the data

The security measures applicable to the processing of data subjects’ personal data, are described here (as updated from time to time):

Physical access controls are in place

Logging & monitoring

Data minimization

Customer data stored within AWS is encrypted at all times

APPENDIX 3 – List of Sub-processors

The controller has authorized the use of the following sub-processors:

Amazon Web Services

410 Terry Avenue North, Seattle, WA

Hosting provider to store the personal data that is being processed

Stripe, Inc.

354 Oyster Point Blvd South San Francisco, CA 94080 United States

Payment processor to process customer payments

Do Not Track Disclosure

We currently do not process or comply with any web browser’s “do-not-track” signal or other similar mechanism that indicates a request to disable online tracking of individual users who visit the Product or visit an Injoy Global website.

Changes to Our Privacy Policy

We may update this Privacy Policy to reflect changes to our data practices. If we make any material changes, we may notify you by email (sent to the email address specified in your account) or by means of a notice on our website or in the Product prior to becoming effective. We encourage you to periodically review this page for the latest data on our privacy practices.

Contact Information for Complaints or Concerns

We welcome your questions, comments, and requests regarding our Privacy Policy. Written questions or comments regarding this Policy should be submitted to InJoy Global as follows:

InJoy Global, Inc.

General Counsel

5348 Vegas Dr.

Las Vegas, NV 89108 USA

Email: info@injoyglobal.com

Your Acceptance of These Terms

By using our website or Product, you accept the policies and restrictions set forth in this Privacy Policy. If you do not agree to this policy, please do not use the website or the Product.