BURNITTY PRIVACY POLICY

1. ABOUT THIS PRIVACY POLICY

In Short: This Policy explains how we handle your Personal Information. It helps you understand what we do with it and your privacy rights.

This Privacy Policy (“Policy”) explains how PixelGalaxy Inc, trading as Burnitty brand and other hypnotherapy brands ("Company", "we", "us", or "our") handles your Personal Information (“Personal Information” or “Data”) when you:

• Visit our sales websites (“Website”);
• Purchase our products or services (“Goods” or “Services”);
• Otherwise interact with us (support, social media, contests, affiliate program, etc.).

This Policy applies only if you are resident of United States and it outlines what Personal Information we collect, its purposes, how we use and share it, how long we retain it, your rights, and how we protect your Data. We are fully committed to process your Personal Information lawfully, fairly, and transparently in accordance with:

• the California Consumer Privacy Act (CCPA/CPRA);
• U.S. state privacy laws (e.g. VCDPA, CPA, CTDPA, UCPA);

If you do not agree with our practices, please refrain from using the Website, purchasing our Goods or Services or submitting your Data in any other way. This Policy is effective as of 2nd of January 2026. We may update this Policy occasionally all updates take effect upon publication, so we encourage you to review it regularly to stay informed.

2. WHO IS RESPONSIBLE FOR YOUR PERSONAL INFORMATION?

We are: PixelGalaxy Inc

Our company number is: 001350123

Our registered address: 1574 Woodberry Court, Brentwood, TN 37027, Williamson County

Our office address: 354 Downs Blvd, Suite 102, Franklin, TN 37064

Our support e-mail address: support@burnitty.com

We have appointed a Privacy Officer to oversee our Data protection obligations. You can contact the Privacy Officer directly at dpo@burnitty.com , or use any of the communication methods provided in Section 11 of this Policy.

3. CATEGORIES OF INFORMATION COLLECTED AND HOW IT IS USED

In Short: We mainly collect only the Data needed to provide our Goods or Services and operate our Website. This section explains why we collect it and how we use it.

We only collect the Data we truly need – and only use it for clear, lawful reasons. You can find a full list of purposes, the Data we collect, how we use it, and more detailed information in the tables below, see Section 12 of this Policy. This section also serves as our Notice at Collection under the California Privacy Rights Act (CPRA) and Summary of Processing for the 12 Months Preceding.

Here are also few important things for you to know:

• Automated tools and AI: We may use AI or other fully or semi-automated technologies to support service delivery (e.g., chatbots, ChatGPT, Gemini, AI tools providers and etc.), but we do not use automated decision-making that produces legal or similarly significant effects on you. All AI-assisted or automated responses are reviewed by humans when decisions could impact your rights.
• Cross-Context: We may combine information from different sources (e.g., your Website activity, purchase history, and customer-service interactions) to improve your experience and our service.
• We may “sell” or “share” Data: Under California law, a “sale” includes making Personal Information available to a third party for any form of value, not only for money, and “sharing” refers to disclosing Personal Information for cross-context behavioral advertising. We do not sell Personal Information for monetary consideration, but in some cases, we share limited data - such as internet or network activity and inferences - with advertising and analytics partners to measure performance and deliver relevant ads. You can opt out at any time through our “Your Privacy Choices” link, and where required by law, we honor browser- or device-based opt-out signals (e.g., Global Privacy Control).
• Children’s data: Our Website and Services are not intended for minors. We do not knowingly collect, sell, or share Personal Information of individuals under the age established by law. If we become aware of such a collection, we will delete the information promptly.

4. PERSONAL INFORMATION COLLECTION SOURCES

In Short: We get your Data directly from you, through your use of our Website, or from trusted third parties, public sources, etc. This helps us operate our business and stay in touch with you.

We collect Personal Information from the following categories of sources:

• Directly from you: When you place an order, contact us for support or inquiries, complete forms or surveys, participate in contests or promotional campaigns, communicate with us by email, phone, chat, or social media, or otherwise use our Services.
• Automatically via technology: When you visit or interact with our Website or other online platforms, we automatically collect certain Data, including identifiers and information regarding your activity using cookies, pixels, SDKs, log files, and similar technologies. We use these tools to improve functionality, enhance your experience, analyze usage patterns, and secure our systems.
• From third parties, vendors, and service providers: We collaborate with carefully selected partners (e.g., payment processors, shipping carriers, analytics and marketing platforms, and customer-support providers). They may share limited Personal Information with us when they collect them during service.
• From our affiliate and referral partners: If you follow a referral link, use a partner discount code, we may receive information that might contain your Personal Information.
• From other Intra-group companies (if applicable): Where necessary for internal administrative, service provision, or business development purposes, we may receive your Data from other entities within our corporate group.
• From publicly available sources (if applicable): Where appropriate and permitted by law, we may collect Personal Information from public registers (e.g. company registries, professional association websites), official government databases, or social media profiles (e.g. LinkedIn), particularly in the context of business-to-business (B2B) communication, professional outreach or due diligence.

Note! This Policy does not govern the privacy practices of unaffiliated third parties that operate independently, such as external social networks, advertising providers, or linked websites. We encourage you to review their privacy policies to understand how they process your information.

5. CATEGORIES OF INFORMATION DISCLOSED & SHARED WITH THIRD PARTIES

In Short: We share your Data but only when necessary and with strong safeguards - always ensuring your privacy is protected.

We share your Personal Information when necessary, and with your privacy in mind.

We may share limited Data with trusted third parties to provide our Services, meet legal obligations, or support business daily operations. Whenever we do, we ensure that your Data is protected and handled responsibly. We may share your Data with:

• Service Providers, Contractors: We engage with various service providers to support our business functions (e.g. IT support, hosting, payments, shipping, analytics, customer service, marketing, auditing, legal services, etc.). These providers may access only the Data required to perform their duties and are contractually prohibited from using it for any other purpose.
• Intra-Group Companies: We may share your Data with other entities within our corporate group for internal administrative purposes, centralized services, or to provide integrated services. All intra-group transfers are covered by internal data-protection agreements ensuring consistent safeguards across all locations.
• Advertising/ Analytics Partners or Third Parties: We may share limited Data with platforms that deliver marketing campaigns and analytics. Under California law, this type of disclosure may be considered “sharing” for cross-context behavioral advertising. You can opt out at any time by using our link placed at the bottom of the Website footer “Your Privacy Choices”.
• Public or governmental authorities: In certain circumstances, your Data may be shared with third parties such as public authorities, law enforcements, courts, insurers, fraud prevention services agencies, independent service providers etc.
• Other corporates or auditors: In the context of a potential or actual merger, acquisition, asset sale, or restructuring, we may disclose limited Data to potential investors, buyers, or their auditors, and advisors.
• Other third parties with your consent: Where legally required, we will only share your Data with third parties if you have explicitly given us your informed, freely given consent.

6. PERSONAL INFORMATION RETENTION PERIODS

In Short: We keep your Data only as long as needed for legal, contractual, or Services-related purposes - then we delete or anonymize it securely.

We keep your Data only for as long as necessary to:

• Fulfil the purposes for which it was collected,
• Provide you with our Goods or Services,
• Comply with legal, regulatory, or contractual obligations, or
• Resolve disputes or enforce our agreements.

Detailed retention periods for each Data processing purpose are set out in Section 12 of this Policy.

Once the applicable retention period has expired, we will either securely delete your Data or irreversibly anonymize it within a reasonable timeframe, in line with best industry practices and legal requirements.

7. SECURITY OF PERSONAL INFORMATION

In Short: We use strong technical and organizational measures to keep your Data safe and work continuously to prevent unauthorized access and protect your privacy.

We are committed to protecting your Data and take the security of your information seriously. We apply a combination of technical and organisational measures to prevent unauthorised access, accidental loss, misuse, alteration, or disclosure of Personal Information. These safeguards reflect the principles of privacy laws, including accountability, limiting collection, accuracy, openness, and safeguards:

• Processing Personal Information fairly, lawfully, and transparently;
• Limiting collection and retention to what is necessary;
• Restricting access to authorized employees only;
• Requiring service providers to meet strict security standards;
• Providing regular privacy and security training to staff;
• Conducting periodic internal and external audits;
• Using encryption and other safeguards where sensitive information may be involved;
• Performing regular Data backups and logging activity for security purposes;
• Continuously monitoring our systems for threats and vulnerabilities;
• Updating our processes as risks and technology evolve.

Note! Even with strong safeguards, no system or internet transmission is completely risk-free. To help protect yourself, use strong and unique passwords, keep them confidential, secure your devices, and be cautious with suspicious links. If a data breach occurs that poses a risk of significant harm, we will notify affected individuals and regulators as required by law.

8. INTERNATIONAL PERSONAL INFORMATION TRANSFERS

In Short: Sometimes we need to transfer your Personal Information outside your country or state, but only when necessary and always with strong legal safeguards to keep your Data protected.

Our Company works with partners and service providers around the world. This means your information may be transferred outside the United States - for example, to the EU, the UK, or other countries where our Intra-group companies or service providers are located.

Whenever we transfer Personal Information internationally, we apply appropriate contractual, organizational, and technical safeguards to ensure an equivalent level of protection consistent with the privacy laws of your jurisdiction. These safeguards may include:

• Data-transfer agreements incorporating Standard Contractual Clauses (SCCs) or their local equivalents approved by regulators;
• Intra-group data-protection agreements binding all affiliated entities to the same high standards of confidentiality and security;
• Vendor due diligence to confirm that third-party processors maintain adequate security and privacy controls; and
• Risk assessments and ongoing monitoring of cross-border data flows.

9. AUTOMATED DECISION MAKING AND ARTIFICIAL INTELLIGENCE

In Short: We use some AI and automated tools to support our Services, but we do not rely on them to make decisions that have legal or similarly significant effects on you.

We may use certain Artificial Intelligence (AI) - based tools and fully or semi-automated systems - for example, AI may help our customer service team, Chatbot tolls suggesting draft replies to enhance the speed and accuracy of our services.

However, we do not engage in automated decision-making, including profiling, that produces legal, financial or similar effects concerning you. Specifically:

• Any recommendations, responses, or information generated by AI tools are provided for informational purposes only and are subject to review and validation by our human staff;
• We do not use algorithms or automated systems to make decisions about you that produce legal effects (e.g., the denial of a service), without meaningful human involvement;
• You have the right to request human intervention and express your point of view if you believe any decision or response has been generated through automated means that significantly affects you, and to obtain an explanation and review of such a decision by a human member of our staff;
• We try to be transparent and inform you when AI or automation was used to help deliver a service;
• We never use your identifiable Personal Information to train AI models. If any Data is used for improvement, it is anonymized so it can no longer identify you.
• We keep this information only as long as needed to deliver the service, protect it under strict contracts with our vendors, and prohibit those vendors from using identifiable data for their own model training.

10. YOUR RIGHTS OVER YOUR PERSONAL INFORMATION

In Short: You have rights over your Personal Information, including access, correction, deletion, objection, and more. This section explains what those rights are and how they work.

If we process your Data as set out in this Policy, or you believe we may be doing so, you have the following rights. These rights apply regardless of whether we process your Data as a client, supplier, contractor, or professional contact:

If you are a U.S. resident or our processing relates to U.S. individuals, your rights under State Privacy Laws (which may vary by state):

• Right to know/access – Request information about the categories and specific pieces of Personal Information we have collected, used, disclosed, sold, or shared about you, and obtain a copy of that Data.
• Right to deletion – to request the deletion of Personal Information we hold about you, subject to certain exceptions ((e.g., to complete a transaction, detect fraud, or comply with recordkeeping laws).
• Right to correction – to request correction of inaccurate Personal Information;
• Right to data portability – to request receive a copy of your Personal Information in a portable format;
• Right to Opt-out of Sale or Sharing (California law and other states) – Opt-out of the “sale” or “sharing” of Personal Information, including use for cross-context behavioral advertising. We provide a link in footer “Your Privacy Choices” where you can easily execute your right.
• Right to Limit the Use of Sensitive Personal Information (CPRA) – Request that we restrict the use and disclosure of your sensitive information (e.g., precise geolocation, health data, or financial details) beyond what is necessary to provide requested services.
• Right to Opt-Out of Profiling (where applicable by state law) – Object to profiling that produces legal or similarly significant effects concerning you.
• Right to Non-Discrimination – You should not receive any discriminatory treatment for exercising your privacy rights.
• Right to Appeal (Virginia, Colorado, Connecticut) – If we deny your privacy rights request, you may appeal our decision by contacting us through the same request channel. If your appeal is denied, you may contact your state Attorney General.
• Right to limit use of sensitive Personal Information (CPRA only) – to request restrictions on how we use sensitive information (e.g., precise geolocation, health data, financial data).
• Right to non – discrimination – You will not be treated differently for exercising your privacy rights
• Right to appeal – You have the right to appeal if we deny your privacy rights request (as required by Virginia, Colorado, and Connecticut laws). If the appeal is denied, you may contact your state Attorney General.

Please note: Your rights are not absolute and in U.S. varies by state. In some cases, the exercise of your rights may be restricted under applicable laws - for example, where fulfilling your request would adversely affect the rights and freedoms of others, where we are legally required to retain certain Personal Information (e.g. for compliance, legal claims, or regulatory purposes) or request is manifestly unfounded, excessive, or repetitive.

11. HOW TO EXERCISE YOUR RIGHTS OR CONTACT US?

If you have any general questions about this Policy, how we process Data, complaint or if you wish to exercise any of your Data Subject rights, you can contact us by email at: dpo@burnitty.com. or via post address: 354 Downs Blvd, Suite 102, Franklin, TN 37064.

To help us process your request efficiently, please:

• clearly express your question or complaint,
• specify which right you wish to exercise (if applicable),
• provide enough information to identify you (we may ask for proof of identity or proceed identity verification process), and
• include any relevant details that will help us respond quickly.

You may also authorize someone to act on your behalf. If so, please ensure your authorized person provides us with written and signed permission confirming they are allowed to act for you. We may deny a request if sufficient proof of authorization is not provided.

We aim to respond without undue delay within 45 days of receiving your request. This time is extendable by an additional 45 days where reasonably necessary in which case, we will inform you in advance and explain the reason for the delay.

12. DETAILED INFORMATION ABOUT THE PROCESSING OF YOUR PERSONAL DATA

12.1 Identifiers & commercial data

Purpose of collection / use	When you purchase Services or Goods via our Website, we process your Data to manage your order, arrange delivery, handle payments, send transactional communication and provide other related services (e.g., order confirmation, updates, returns, or refunds). We also use Identifiers and Commercial Information to detect and prevent fraud, maintain security, provide customer service, and comply with legal obligations. Also to access and use the Burnitty Services, you are required to create a user Account. During this process, we process certain Personal Information to properly identify you as a client, link your Account with other data processed by us, and ensure the secure and efficient operation of the Services. Once the Account creation process is completed, you will immediately gain access to your Account functionalities, such as managing your profile and preferences, ordering or cancelling Services, viewing your usage information, and accessing other related Service features.
Category examples	Identification and contact details: full name, email address, password, registration data, and other information necessary for Account creation and operation; Technical information: IP address, language, device type, IP address, log data and other technical parameters required to provide the Services. Commercial information: products purchased, order/return history, subscription status, cart data, feedback.
Data retention period	While you use the Services. If there’s no activity (no payments or usage) for 24 consecutive months, we will consider your Account inactive and begin the contract termination process. Various Service logs are deleted periodically within 1-12months. Order and payment records are retained for 10 years in line with legal, tax and accounting obligations.
Sold or Shared for cross-context behavioral advertising?	No. We do not sell or share this information for cross-context behavioral advertising.

12.2 Payment & financial data

Purpose of collection / use	We process your Data when handling payments related to your orders, subscriptions, discounts, returns, chargebacks or refunds. This processing also includes the performance of tax obligations, such as issuing invoices, maintaining accounting records, and fulfilling other legal statutory requirements e.g. fraud detection, transaction security.
Category examples	Payment Information: Payment method/type, masked card digits, payment token, transaction amount/time, refund reasons; billing address; bank/IBAN (if used); customs data where required, invoices, VAT and other required accounting documentation.
Data retention period	While you use the Services. If there’s no activity (no payments or usage) for 24 consecutive months, we will consider your Account inactive and begin the contract termination process. Various Service logs are deleted periodically within 1-12months. Fraud logs retained for 5 years after transaction. Order and payment records are retained for 10 years in line with legal, tax and accounting obligations.
Sold or Shared for cross-context behavioral advertising?	No.

12.3 Services data

Purpose of collection / use	We process your Personal Data when it is necessary to provide you with access to and use of the Burnitty Service, including the core functionalities of the platform and related features. This includes creating and managing your user Accounts and subscriptions, sessions, ensuring proper functionality of the Service environment, processing your Service requests, maintaining communication related to Service delivery, and providing any requested support or updates. The processing of your Personal Data is strictly limited to what is necessary to deliver and maintain the Burnitty Service in accordance with our contractual obligations.
Category examples	Identification data name, surname, email address, and user ID (where applicable); Service usage data logs of access and interactions with the Burnitty platform, service requests, and feature usage history; Technical data IP address, device type, operating system version, and other technical information necessary to ensure service functionality and security.
Data retention period	While you use the Services. If there’s no activity (no payments or usage) for 24 consecutive months, we will consider your Account inactive and begin the contract termination process. Various Service logs are deleted periodically within 1-12months.
Sold or Shared for cross-context behavioral advertising?	No from our side. Cannot guarantee for Independent controllers.

12.4 Communication data

Purpose of collection / use	If you contact us in writing (via Live Chat, customer support, email, social media or otherwise), we will keep a record of the fact of your contact and the information you have provided to us, including your Personal Information, to properly process your request and respond to your question, request or complaint. We use artificial intelligence (AI)-based tools (fully or semi-automated) to assist our customer support team. These tools are used for suggesting draft responses, transcribing and summarising conversations, and providing automated replies to frequently asked or trained questions. Note! All AI-generated outputs are reviewed and validated by human staff where decisions could affect your rights. We do not rely solely on automated decision-making that produces legal or similarly significant effects. We do not use your data for training AI models unless fully anonymized.
Category examples	Contact by email / or via Livechat, Customer Support: name, surname, mobile phone number, email address, residential address. Purchase details and other information required to verify your identity (if needed). Other information related to the written request, attached documents or other visual content, all correspondence history.
Data retention period	Written communication - 3 years after your inquiry was closed. We may retain some information longer if we are required to do so to comply with applicable laws or based on justified interests.
Sold or Shared for cross-context behavioral advertising?	No.

12.5 Marketing & preference data

Purpose of collection / use	We process your Personal Information to inform you about our Goods, Services, promotions, new features, or to request your feedback. This includes sending general or personalized marketing content (e.g., newsletters, promotional messages, surveys) via email, SMS. When we send communications from the Company, they may include marketing information and offers about this brand and other brands operated by the Company (“Hypnotherapy brands”). We may tailor our marketing based on information we already maintain about you - such as your purchase history, browsing activity, or stated preferences - to make our offers more relevant. This practice is sometimes referred to as personalized or targeted marketing. In compliance with the California Consumer Privacy Act (CCPA/CPRA) and other U.S. state privacy laws (VCDPA, CPA, CTDPA, UCPA), we send marketing communications only where permitted by law and provide clear options to opt-out at any time: Email: We may send promotional or informational emails without prior consent, provided that each message clearly identifies the sender, includes our contact details, and offers a simple unsubscribe option. SMS: We only send marketing text messages if you have given us express written consent (for example, by checking a box or signing up). However, we may contact you by phone or text about your existing order or product (e.g., delivery updates, support, or warranty reminders) without separate marketing consent, as these are considered transactional or service communications. Remember! You have the right to object for direct marketing at any time, free of charge, by: using the unsubscribe link in any email; replying “STOP” or the specified keyword to an SMS; emailing us with your request. Opting out will not affect important transactional or service-related messages (such as order confirmations, product updates, or safety notices).
Category examples	Contact details: full name, e-mail address, telephone number, country; Logs: consent collection logs (date, method, preferences, unsubscribe information, opt-out requests). Marketing interaction data: information about how you engage with our marketing materials - such as message delivery and opening status, link clicks, campaign participation, communication preferences, unsubscribe or opt-out actions, and interaction timestamps. Purchase and engagement history (if applicable): information derived from your previous transactions or marketing interactions, such as products purchased, referral sources, links used, or responses to promotional campaigns.
Data retention period	5 years from contact received date, unless you opt-out earlier. The suppression lists may be kept longer to comply with legal requirements.
Sold or Shared for cross-context behavioral advertising?	Yes. We may share limited identifiers (for example, cookie IDs or advertising device IDs) with analytics and ad partners to measure the effectiveness of our campaigns and deliver advertising relevant to your interests. You can opt out of cross-context advertising through Your Privacy Choices link. Where required by law, we honor browser- or device-based opt-out signals, including Global Privacy Control (GPC). We do not sell Personal Information for monetary consideration.

12.6 Legal claims data

Purpose of collection / use	We may process your Personal Information in case we become a party or concerned party in legal proceedings to which you are subject to, or we are statutorily required to collect and/or provide information about you in order to comply with the applicable law. Also, in all cases where we suspect fraud, theft, unlawful reselling, misuse of marketing activities with our brand names, or other unlawful activities involving our Website, Company, brands and or services, we report such cases to the appropriate pre-trial investigation authorities (such as the police or prosecutor’s office).
Category examples	All information that we uphold about you and that is a part of the legal process e.g. accounting and legal case files, legal documents, other information you provide us with, other information that we are statutorily required to collect and/or provide. Also, pleadings, claims, court decisions. If the case arises - information about criminal offenses and convictions.
Data retention period	As long as the legal proceedings are going and 5 years from the date of entry into force of the court or authority's decision, or the date on which the legally binding decision is fully implemented.
Sold or Shared for cross-context behavioral advertising?	No.

12.7 Internet & network activity data

Purpose of collection / use	When you visit and browse our Website, we process certain Personal Information for statistical, analytical, marketing, and performance monitoring purposes. This helps us improve the functionality, stability, security, and overall user experience of our Website. Depending on your cookie preferences and consent choices, we may collect various information through cookies and similar tracking technologies, using trusted tools such as Google Analytics 4 or other authorized analytics and marketing platforms. Detailed information is provided in our Cookie Policy.
Category examples	Identifiers: IP address or other device identifiers; Technical information: device type, browser type, language settings, hardware/software settings and configurations, referring URLs (websites visited before/after); Use information: pages visited on our Website, interactions, clicks, or session behavior, visit timestamps, session duration, selected interface or account preferences (if applicable).
Data retention period	For more information on the retention periods of cookies, please refer to our Cookie Policy.
Sold or Shared for cross-context behavioral advertising?	Yes (ads/analytics). Opt-out via Your Privacy Choices link. Where required by law, we honor browser- or device-based opt-out signals, including Global Privacy Control (GPC).

12.8 Visual data

Purpose of collection / use	We process your Personal Information when you submit, create, or allow us to use content that features you for promotional purposes. This includes: User-generated content (UGC), such as testimonials, reviews, photos, or videos that you share with us directly or tag us in on social media. Participation in photo or video shoots organized by us, where your image, voice, or personal identifiers may be used for marketing or advertising campaigns. Where applicable, a separate image-use or content-use agreement will be signed before publication or distribution, or consent will be collected via a dedicated form.
Category examples	Identifiers: full name, username or profile name. Media content: photo, video, or audio recordings. Participation: testimonials, reviews, or other content you provide or permit us to use, social media identifiers (tags, mentions, handles), image-use or promotional content agreement (if applicable), consent logs.
Data retention period	UGC and campaign content: retained for up to 2 years from the date of collection or consent, unless a shorter or longer period is specified or consent is withdrawn. Advertising campaign content: archived for up to 10 years for legal, contractual, or compliance purposes.
Sold or Shared for cross-context behavioral advertising?	No.

12.9 Sensitive personal information (SPI)

Purpose of collection / use	We do not intentionally collect sensitive Personal Information such as health, biometric, or religious data.However, certain information like payment details, government identifiers, or precise geolocation may be classified as SPI under specific stale law. We do not use or disclose Sensitive Personal Information to infer characteristics or for any non-exempt purpose. As a result, a “Limit the Use of My Sensitive Personal Information” control is not presented. Also the Burnitty Service may offer you an optional personalization quiz or questionnaire to tailor programs and recommendations to your goals and preferences (for example, lifestyle habits, wellbeing, or product interests). Participation is completely optional, and you can use all Burnitty Services even if you choose not to complete it. Some quizzes are anonymous and used only in aggregated form to improve our programs. Others may ask for limited contact details (like your name or email) so we can send personalized recommendations. Any wellbeing or lifestyle information you provide is used only with your consent to personalize your experience and is never shared, sold, or used for medical or automated decision-making purposes.
Category examples	Payments: Payment tokens, limited payment metadata, government identifiers; Identification and contact data: name, email address (only if provided); Quiz and questionnaire data: responses related to wellbeing, lifestyle, or preferences; Technical data: device or session information (only where necessary to deliver the quiz).
Data retention period	Payment records are retained for 10 years. Tokens normally retained only as long as necessary to complete transactions and handle refunds or chargebacks, no longer than 2 years. Quiz responses containing Personal Data are stored for up to 6 months from submission, unless you withdraw your consent earlier. After that, the data is anonymized or securely deleted.
Sold or Shared for cross-context behavioral advertising?	No.

12.10 Contest & promotional data

Purpose of collection / use	We process your Personal Information when you participate in our contests, competitions, games, or events. This is done to manage your participation, communicate with you, and (where applicable) publish or promote the outcome of the activity.
Category examples	Identifiers: full name, email address, phone number; Participation: social media engagement (comments, shares, “likes”, “follows”, reactions) contest entries, responses, evaluation/ratings, event attendance; Media content: submitted or captured photos/videos, image/voice in recording.
Data retention period	Contest participant data – retained for 1 year after the announcement of winners or as described in specific contest terms.
Sold or Shared for cross-context behavioral advertising?	No.

12.11 Social media data

Purpose of collection / use	We manage our business profiles and accounts on various social networks. If you are interested in our Services and follow our profiles on social networks, participate in our games, promotions, share your photos with us or tag us in your photos, public posts, etc., we collect and use your Data, which we receive directly from you, when you are active in our accounts. Please note that our accounts are integrated into social networking platforms (e.g. Facebook, Instagram, Linkedin, etc.) and therefore all social platform providers as independent data controllers have full access to collect your Personal Information. You can find detailed information on the data processing, purposes and scope of data use by each social networking platform in the privacy policy of the respective social network. Also if you want to exercise your rights in relation to data processed by social networks, it is more efficient to contact the controller of the social network directly.
Category examples	Identifiers: name, surname, and profile photo; Public interactions: likes, follows, comments, shares; Participation: messages you send (content, time, attachments, history), active participation in games/events, any photos you send us or tag us in.
Data retention period	The provider of the social network concerned shall set the time limits for the retention of data. We recommend that you check the privacy policy of the social network concerned. We normally retain and don’t delete them unless you withdraw consent, request deletion, or the platform enforces earlier deletion.
Shared for cross-context behavioral advertising?	No.