BRANDWALLET 3.0 – PRIVACY POLICY

Effective Date: [01.05.2025]

BrandWallet Digital Technologies LLC ("BrandWallet," "we," "us," or "our") is committed to protecting the privacy and security of the personal data collected through our Software-as-a-Service (SaaS) solutions. This Privacy Policy explains how we collect, use, store, share, and protect personal data in connection with our services, including our website, applications, and digital wallet platform. It also outlines the rights of individuals whose data we process and how they can exercise those rights.

This Privacy Policy applies to all users of BrandWallet's services, including our Customers (business entities subscribing to our platform) and their End Customers (individuals who engage with digital wallet passes, campaigns, or other functionalities managed by our Customers).

BrandWallet and its Customers act as Joint Controllers regarding End Customer data, meaning both parties determine how and why this data is processed. Customers are responsible for collecting and obtaining consent (where required) from End Customers, while BrandWallet processes and analyzes the data as part of its service offering. Customers should refer End Customers to this Privacy Policy and their own policies for full transparency on personal data usage.

By using our services, Customers and End Customers acknowledge that their personal data may be processed as described in this Privacy Policy.

1. SCOPE OF THIS PRIVACY POLICY

This Privacy Policy applies to personal data collected when you:

• Visit our website, use our applications, or access the BrandWallet platform.

• Engage with our Customers' digital wallet passes, promotions, or campaigns.

• Communicate with us via email, phone, online forms, live chat, or customer support services.

• Register for an account, subscribe to our services, or request support.

• Interact with our branded social media pages (e.g., LinkedIn, Twitter, Facebook, Instagram).

• Visit our offices or attend an event, webinar, or conference hosted by BrandWallet.

• Submit personal data in connection with a business partnership, reseller program, or vendor relationship.

• Location information when you enable location services on your device.

This policy does not cover the privacy practices of our Customers. If you are an End Customer, you should also review the privacy policy of the Customer managing your digital wallet pass or campaign.

2. PERSONAL DATA WE COLLECT

Providing personal data is necessary for the performance of our services.

(i) If a Customer does not provide the required information (such as account credentials, payment details, or contact information), BrandWallet will not be able to offer its services. This applies to both Customers who subscribe to our services and End Customers whose data is processed for digital wallet functionalities.

(ii) For End Customers, the provision of personal data is determined by the respective Customer. BrandWallet does not control whether an End Customer is required to provide data but processes data as received from its Customers. If an End Customer refuses to provide personal data, they may not be able to use the services provided by BrandWallet.

### 2.1 Customer Data

When Customers register for and use our services, we collect the following personal data:

• Identity Information: Full name, job title, company name.

• Contact Information: Email address, phone number, business address, social media profile (if provided).

• Account Information: Username, password, authentication details.

• Billing Information: Payment details, transaction history, tax identification (if applicable).

• Communications & Engagement Data: Records of customer service interactions, support requests, live chat conversations, and webinar registrations.

• Marketing Preferences: Subscription status for newsletters, promotional emails, and event invitations.

• Website & Platform Usage Data: IP address, browser type, device information, session activity, referral source, and analytics data.

### 2.2 End Customer Data

BrandWallet processes End Customer data on behalf of its Customers. The types of personal data collected depend on the Customer's preferences and may include:

• Identity Information: Full name, email address, phone number.

• Transaction Data: Purchase history, discount usage, campaign interactions.

• Wallet Pass Information: Digital card details, activation status.

• Behavioral Data: Engagement with loyalty programs, promotional offers, and discounts.

• Fraud Prevention & Security Data: Login attempts, device fingerprints, and fraud detection signals.

BrandWallet does not collect End Customer data directly but receives it through its Customers. We do not collect End Customer data via cookies or tracking technologies.

### 2.3 Data Collected Automatically

When you visit our website or use our services, we may automatically collect certain technical data, including:

• Device Information: IP address, browser type, operating system.

• Usage Data: Pages viewed, session duration, clickstream data.

• Cookies and Similar Technologies: Tracking data to enhance service functionality and security.

• Location: Location Information Our Service may collect and use information about your device's location to provide location-based features and services, including:

Sending location-based push notifications

Providing location-relevant content and services

Improving our Service based on location data

We collect location information only when you grant permission through your device settings. You can enable or disable location services for our app at any time through your device's settings menu.

The location information we collect may include:

GPS coordinates

Network-based location data

Other location-related information from your device

This location data is used solely for providing location-based features within our Service and is handled in accordance with the same privacy standards as other personal information described in this policy. Location Information is collected only upon your explicit consent via device settings.

3. HOW WE USE PERSONAL DATA

BrandWallet processes personal data for the following purposes:

• To Provide and Manage Our Services – We process personal data to create and manage Customer accounts, provide platform access, authenticate users, process payments, and deliver customer support. This processing is necessary to fulfill our service commitments.

• To Facilitate End Customer Engagement – We process End Customer data to enable Customers to manage digital wallet passes, execute promotions, and analyze campaign performance. This processing is carried out based on business interests related to platform functionality and service enhancement.

• To Improve and Develop Our Services – We analyze aggregated and anonymized data to enhance platform functionality, conduct performance testing, and evaluate new service features. This processing helps optimize our offerings and improve the user experience.

• To Ensure Security and Prevent Fraud – We use automated and manual processes to monitor system activity, detect fraudulent transactions, prevent unauthorized access, and maintain platform security. This processing helps protect users and our infrastructure from potential threats.

• To Comply with Regulatory and Legal Requirements – We may process personal data when necessary to meet tax, financial, regulatory, or legal obligations, enforce our Terms of Use, or respond to authorized governmental or law enforcement requests.

• To Conduct Marketing and Communication Activities – Where permitted by law or based on individual preferences, we use personal data to send service updates, promotional content, newsletters, and event invitations. Individuals can manage their communication preferences or opt out of marketing communications at any time.

• To Personalize User Experiences and Engagement – We analyze user interactions with digital wallet passes, promotional campaigns, and loyalty programs to offer relevant recommendations and improve engagement strategies. This processing allows for a more tailored and optimized user experience.

• To Support Business Development and Partnerships – We may process personal data for internal business purposes, including evaluating partnerships, vendor relationships, and customer acquisition strategies. This processing helps identify growth opportunities and expand our services.

• To Provide Location-Based Features- We use location data to send relevant push notifications, deliver tailored content, and improve service experience based on aggregated location usage.

4. LEGAL PRINCIPLES FOR PROCESSING PERSONAL DATA

BrandWallet ensures that all personal data is processed in accordance with applicable data protection principles and legal requirements. The following principles guide how we collect, use, and protect personal data:

• Necessity for Service Delivery – Personal data is processed when required to provide services, manage Customer accounts, process transactions, and deliver customer support. Without this processing, we would be unable to fulfill our contractual or service commitments.

• Legitimate Business Interests – We process personal data when necessary to improve our services, enhance platform functionality, ensure security, detect fraud, analyze trends, and personalize user experiences. When processing data for business interests, we carefully assess the impact on individual privacy rights.

• Regulatory and Legal Compliance – In certain situations, we process personal data to comply with financial, tax, and legal obligations, respond to law enforcement requests, or meet other regulatory requirements.

• User Preferences and Consent – Where required by applicable laws, we obtain consent before processing personal data for specific purposes. Individuals can withdraw their consent at any time by updating their preferences or contacting us. Location data is processed exclusively on the basis of user consent and may be disabled at any time via device settings.

• Data Minimization and Purpose Limitation – We only collect and process personal data that is relevant, necessary, and proportionate to the purposes outlined in this policy. We do not process personal data for unrelated or unauthorized purposes.

• Transparency and User Rights – We are committed to providing clear and accessible information about our data practices. Where applicable, individuals may have the right to access, correct, or request the deletion of their personal data, subject to legal and operational limitations.

• Security and Protection Measures – We implement industry-standard security safeguards to protect personal data from unauthorized access, misuse, loss, or disclosure.

5. AUTOMATED DECISION-MAKING & PROFILING

BrandWallet does not engage in fully automated decision-making that produces legal or similarly significant effects on individuals. However, we use automated processing techniques to analyze and enhance service delivery in the following ways:

• Fraud Detection & Security Monitoring – We use automated systems to detect suspicious activities, unauthorized access attempts, and potential fraudulent transactions. These systems analyze patterns in login behavior, device usage, and transaction history to flag potential risks.

• Campaign & Loyalty Program Recommendations – We utilize data analytics and algorithmic profiling to suggest marketing strategies, promotions, and customer engagement enhancements to our Customers. This allows Customers to optimize their digital wallet campaigns based on End Customer interactions.

• Service Personalization & User Experience Optimization – We analyze aggregated usage data to provide personalized insights and improve the platform's functionality.

Although BrandWallet leverages automated data analysis, all final decision-making remains subject to human oversight. Customers or End Customers who believe they have been unfairly impacted by an automated process may contact [email protected] to request a review.

6. DATA SHARING AND THIRD-PARTY ACCESS

BrandWallet does not sell personal data to third parties. However, data may be shared in the following circumstances:

• With Customers: End Customer data is accessible to the Customer managing the respective digital wallet pass or campaign.

• With Service Providers: We engage third-party vendors for cloud hosting, data analytics, email marketing, cybersecurity, and fraud prevention. These providers process data strictly on our behalf under contractual agreements ensuring data confidentiality and security.

• With Advertising & Marketing Partners: If a Customer opts into promotional content, we may share limited data with third-party marketing services to improve targeting and campaign effectiveness.

• For Legal Compliance: We may disclose data if required by law, regulatory authorities, court orders, or fraud investigations.

• In Business Transfers: In case of a merger, acquisition, or sale of assets, personal data may be transferred as part of the business transaction, subject to appropriate confidentiality measures.

BrandWallet does not share personal data with Apple Wallet, Google Wallet, or other third-party wallet application providers. Location data is not shared with third parties except where necessary to enable core service functionality (e.g., location-based notifications)

7. DATA RETENTION POLICY

BrandWallet retains personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, meet regulatory and legal obligations, resolve disputes, and enforce agreements. The retention periods for different categories of personal data are determined based on:

• The necessity of the data for service delivery (e.g., maintaining active user accounts).

• Legal and regulatory requirements that mandate retention for specific periods.

• Legitimate business purposes such as fraud prevention, security, and audit compliance.

The specific retention periods are as follows:

• Customer Data – Personal data associated with Customers is retained for the duration of the service relationship. If a Customer terminates their account, we retain their data for up to six (6) months to allow for potential reactivation, dispute resolution, or legal compliance. After this period, data is securely deleted or anonymized unless further retention is required by law. In the case of a failed payment resulting in a "Cancel Subscription" status, the Customer's account will be placed in a suspended state for a maximum of six (6) months. During this suspension period, the Customer may reactivate the account by updating their payment information and completing the transaction. If payment is not completed within this period, BrandWallet reserves the right to irreversibly anonymize all associated Customer data — including any End Customer Personal Data. Once anonymized, the data will no longer be accessible, cannot be linked back to the Customer, and will no longer be subject to data subject rights such as access, deletion, or portability. Additionally, any associated analytics or content will become permanently inaccessible.

• End Customer Data – Data processed on behalf of Customers is retained for as long as the Customer maintains an active subscription. If a Customer ceases to use BrandWallet's services, all associated End Customer data will be deleted within six (6) months following account termination. If an End Customer remains inactive for a continuous period of five (5) years, their data is automatically deleted or anonymized. Upon Customer-initiated account deletion, BrandWallet will irreversibly delete all associated personal data without undue delay. The Customer acknowledges and accepts that such deletion is final and waives any subsequent rights to data access or retrieval. Location data is retained only for as long as necessary to provide location-based services and is either deleted or anonymized once such services are disabled or no longer required.

• Transaction and Billing Records – Financial records, invoices, and payment transaction details are retained for up to seven (7) years, or as required by financial regulations, tax authorities, and audit obligations. This retention ensures compliance with applicable laws regarding financial record-keeping.

• Fraud Prevention and Security Logs – Security-related logs, access records, and fraud detection data are retained for up to three (3) years to assist with security audits, compliance checks, and the prevention of fraudulent activities. In cases of suspected fraud or security incidents, data may be retained for extended periods as necessary for investigations.

• Marketing and Communication Preferences – Email marketing preferences and consent records are stored for as long as the individual remains subscribed. If a user unsubscribes, we retain minimal data (e.g., email address) for up to two (2) years to ensure compliance with opt-out requests and prevent accidental re-subscription.

• User Support and Service Records – Communications with customer support, inquiries, and service-related requests are retained for up to two (2) years to improve service quality, handle disputes, and provide historical context for recurring issues.

• Backups and Disaster Recovery Copies – Backup copies of personal data are stored in accordance with our disaster recovery policies and retained for up to twelve (12) months, after which they are securely overwritten or deleted.

After the applicable retention period expires, personal data is either securely deleted, anonymized, or aggregated to prevent identification of individuals. If an individual requests data deletion before the end of the retention period, we will assess whether legal or regulatory obligations require continued retention. Please note that once personal data has been anonymized or irreversibly deleted in accordance with our data retention policy and Terms of Use, it is no longer subject to access, deletion, or portability rights.

8. INTERNATIONAL DATA TRANSFERS

BrandWallet stores personal data on secure servers. If data is transferred outside the servers, we implement appropriate safeguards based on the applicable data protection regulations.

9. DATA SECURITY MEASURES

BrandWallet employs industry-standard security practices, including:

• Encryption of sensitive data during transmission and storage.

• Access Controls restricting unauthorized personnel access.

• Regular Security Audits to identify and address vulnerabilities.

Despite our security measures, Customers and End Customers should take precautions to protect their own account credentials and access devices.

10. DATA SUBJECT RIGHTS

Based on the applicable data protection regulations, individuals could have the following rights:

• Access their personal data and request details on processing.

• Rectify inaccurate or incomplete information.

• Erase their data under certain conditions.

• Object to data processing based on legitimate interests.

• Request Data Portability to transfer their data to another provider.

Requests related to End Customer data should first be made to the Customer managing the data. If a Customer is unable to process a request or does not respond, BrandWallet may assist in facilitating the request as a Joint Controller.

To submit a data request, individuals may contact [email protected] with the subject line "Personal Data Request". Requests will be processed within one month.

Please note that once personal data has been anonymized or irreversibly deleted in accordance with our data retention policy and Terms of Use, it is no longer subject to access, deletion, or portability rights.

11. CONTACT INFORMATION

For privacy-related inquiries, please contact:

BrandWallet Digital Technologies LLC The Binary By Omniyat Tower , 19th Floor, Office 1914, 32 Marasi Drive, Business Bay Dubai,United Arab Emirates Email: [email protected]

This Privacy Policy may be updated periodically. Any changes will be posted on our website and will take effect upon publication.