LAST UPDATED: 03/01/2023

1. INTRODUCTION

At Policy Platforms Ltd (“Polyloop,” “us,” “we,” or “our”), our mission is to help governments around the world build better public policies. We exist to improve your life, not invade it. We take your privacy seriously and want you to understand how we use, collect, and share Personal Data, and the measures we take to protect your Personal Data.

This Privacy Policy applies to Personal Data we collect about members and other consumers who interact with Polyloop or use our services, including by visiting our websites or our social media pages, or using our mobile apps (collectively, the “Services”). This Privacy Policy does not cover the practices of companies that we do not own or control, or people that we do not manage. We are not responsible for the policies and practices of any third parties, and we do not control, operate, or endorse any information, products, or services that may be offered by third parties or accessible on or through the Services.

We have provided supplemental notices below for residents of California and individuals located in the European Economic Area, the United Kingdom, and Switzerland (collectively “Europe” or “European”).

2. HOW WE COLLECT PERSONAL DATA

We collect Personal Data about you from:

1. Yourself, when you provide such information directly to us, such as when completing your profile;

2. Automatic data collection, such as Cookies, local storage objects, web beacons, and other similar technologies in connection with your use of the Services;

3. Customers and partners, such as employers, government agencies, or other organisations that engage with our Services;

4. Social media, other third-party platforms, and linked accounts, devices, or features, if you interact with our pages on social media sites, post content to their sites using the Services, sign into the Services through a third-party site or service, or otherwise link accounts, devices, or features to your Polyloop account; and

5. Data providers, such as information services and data licensors, when we supplement your data.

3. PERSONAL DATA WE COLLECT

We may collect the following types of Personal Data:

1. Contact details, such as your first and last name, email and mailing address, and phone number;

2. Profile data, such as username and password that you may establish to create a Polyloop account, as well as any photographs or information you choose to include in your Polyloop profile;

3. Communications that we exchange with you, including when you contact us via email, web app, or mobile app with questions, feedback, or reviews;

4. Payment and transactional data needed to complete your orders on the website or through the Services (including name, email address, payment card information, bank account number, billing information) and your transaction history, although Polyloop does not have access to payment card numbers. Our payment processors will collect the financial information necessary to process your payments in accordance with the payment processor’s respective services agreement and privacy policy;

5. Marketing data, such as your preferences for receiving our marketing communications, and details about your engagement with them (e.g., the marketing emails that you open and the links within them that you click);

6. Device data, such as your computer or mobile device operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP Address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, radio/network information (e.g., Wi-Fi, LTE, 3G), and general location information such as city, state, or geographic area;

7. Geolocation data, such as GPS, IP Address, and movement on certain exercise types if you give permission for Polyloop to do so; and

8. Online activity data, such as pages or screens you view, how long you spent on a page or screen, the website you visited before visiting our website, navigation paths between pages or screens, information about your activity on a page or screen, access times, and duration of access.

4. COOKIES AND SIMILAR TECHNOLOGIES

Polyloop uses cookies and similar technologies such as pixel tags, web beacons, clear GIFs, and JavaScript (collectively, “Cookies”) to enable our servers to recognise your web browser and tell us how and when you visit and use our Services, as well as to analyse trends, learn about our user base, and operate and improve our Services. Cookies are small pieces of data – usually text files – placed on your computer, tablet, phone, or similar device when you use that device to visit our Services. We may also supplement the information we collect from you with information received from third parties, including third parties that have placed their own Cookies on your device(s).

Cookie Usage and Type. Polyloop uses the following Cookies:

1. Essential Cookies: Essential Cookies are required for providing you with features or Services that you have requested. For example, certain Cookies enable you to log into secure areas of our Services. Disabling these Cookies may make certain features and Services unavailable.

2. Functionality Cookies: Functional Cookies are used to record your choices and settings regarding our Services, maintain your preferences over time, and recognise you when you return to our Services. These Cookies help us to personalise our content for you, greet you by name, and remember your preferences (e.g., your region).

3. Performance/Analytical Cookies: Performance/Analytical Cookies allow us to understand how users use our Services by collecting information on how often a user engages with a particular feature of the Services. We use these aggregated statistics internally to improve the Services. Performance/Analytical Cookies also help us measure the performance of our advertising campaigns in order to help us improve our campaigns and the Services’ content for those who engage with our advertising. For example, Google, Inc. (“Google”) uses Cookies in connection with its Google Analytics services. For more information on how Google uses this information, click here.

4. Marketing Cookies: Marketing Cookies collect data about your online activity and identify your interests so that we and our advertising partners can provide marketing that we believe is relevant to you. For more information, please see the section below titled “Interest-based advertisements.”

Online tracking opt-outs.There are a number of ways you can opt-out of certain interest-based advertising and other online tracking activities, which we have summarised below.

1. Blocking Cookies in your browser. Most browsers let you remove or reject Cookies, including Cookies used for interest-based advertising. To do this, follow the instructions in your browser settings. Many browsers accept Cookies by default until you change your settings. For more information about Cookies, including how to see what Cookies have been set on your device and how to manage and delete them, visit www.allaboutcookies.org.

2. Blocking advertising ID use in your mobile device settings. Your mobile devices may offer settings that enable you to make choices about the collection, use, or transfer of your advertising ID associated with your mobile device for interest-based advertising purposes.

3. Using privacy plug-ins or browsers. You can block our websites from setting Cookies used for interest-based ads by using a browser with privacy features, like Brave, or installing browser plugins like Privacy Badger, Ghostery, or uBlock Origin, and configuring them to block third party Cookies/trackers. You can also opt out of Google Analytics by downloading and installing the browser plug-in available at: https://tools.google.com/dlpage/gaoptout.

4. Visiting our online Privacy Settings page. You can click here to customise your Cookie consent preferences.

5. Platform opt out. Some third-party ad networks, including third-party ad servers, ad agencies, ad technology vendors, and research firms, allow you to opt-out directly by using their opt-out tools. Some of these providers, and links to their opt-out tools, are:

   1. Google (AdWords): adsettings.google.com;

   2. Microsoft (Bing): about.ads.microsoft.com/en-us/resources/policies/personalized-ads; and

   3. Facebook: www.facebook.com/about/ads.

6. Advertising industry opt-out tools. You can also use these opt-out options to limit use of your information for interest-based advertising by participating companies:

   1. Digital Advertising Alliance for Websites: https://optout.aboutads.info;

   2. Digital Advertising Alliance for Mobile Apps: https://youradchoices.com/appchoices; and

   3. Network Advertising Initiative: https://optout.networkadvertising.org/.

Please note that some opt-out features are Cookie-based, meaning that when you use these opt-out features, an “opt-out” Cookie will be placed on your computer or other device indicating that you do not want to receive interest-based advertising from certain companies. If you delete your Cookies, use a different browser, or use a different device, you will need to renew your opt-out choice.

Opting-out of interest-based advertising does not mean that you will no longer receive online ads. It only means that such ads will no longer be tailored to your specific viewing habits or interests. You may continue to see ads on and about the Service.

5. HOW WE USE PERSONAL DATA

We process Personal Data to operate, improve, understand, and personalise our Services. We use Personal Data for the following purposes:

Service delivery, including to:

1. Provide, operate, improve, develop, understand, and personalise the Services and our business, including testing, research, analysis and product development;

2. Satisfy the reason you provided the information to us, including responding to and fulfilling requests;

3. Communicate with you about the Services, including Service announcements, updates, or offers;

4. Provide support and assistance for the Services;

5. Create and manage your account or other user profiles;

6. Customise website content and communications based on your preferences; and

7. Process orders, memberships, or other transactions.

Research and development. We may create and use Aggregated Data, De-identified Data or other anonymous data from Personal Data we collect for our business purpose, including to analyse the effectiveness of the Services, to improve and add features to the Services, and to analyse the general behaviour and characteristics of users of the Services.

Marketing and advertising. We do not use personally identifiable data for marketing or advertising purposes. We may use other Personal Data, such as data collected when you browse our website, to send you marketing messages or advertise the Services:

Direct marketing. We may send you direct marketing messages as permitted by law.

Interest-based advertising. We engage our advertising partners, including third party advertising companies and social media companies, to advertise our Services. We and our advertising partners may use Cookies and similar technologies to collect information about your interaction over time across the web, our communications, and other online services, and may use that information to serve online ads. We comply with the Digital Advertising Alliance Self-Regulatory Principles for Online Behavioral Advertising. To learn more about the industry self-regulatory programs and other information and choices about interest-based ads, please see the section above entitled “Online tracking opt-outs.”

Compliance and protection, including to:

1. Protect against or deter fraudulent, illegal, or harmful actions and maintain the safety, security, and integrity of our Services;

2. Comply with our legal or contractual obligations, resolve disputes, and enforce our Terms of Use and Terms of Sale;

3. Audit our internal processes for compliance with legal and contractual requirements and internal policies;

4. Protect our, your, or others’ rights, privacy, safety, or property (including by making and defending legal claims); and

5. Respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.

6. HOW WE SHARE PERSONAL DATA

We may share your Personal Data with:

1. Service providers, such as payment processors, vendors who advertise our Services, security and fraud prevention consultants, hosting and other technology and communications providers, analytics providers, and staff augmentation and contract personnel, that provide services to us or on our behalf;

2. Advertising partners that may collect information on our website through Cookies and other automated technologies, including for the interest-based advertising purposes described above;

3. Professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional services they render to us;

4. Authorities and others, including law enforcement, government authorities, and private parties we believe in good faith to be necessary or appropriate to comply with the law or legal process; and

5. Business transferees, such as acquirers and other relevant participants in business transactions (or negotiations for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganisation, sale, or other disposition of all or any portion of the business or assets of, or equity interests in, Polyloop or our affiliates (including, in connection with a bankruptcy or similar proceedings).

7. HOW YOU MAY SHARE PERSONAL DATA THROUGH POLYLOOP

Depending on your use of the Services, you may share Personal Data with:

1. Other users of the Services which allow you to share information and content with other users of the Service, and users are by default searchable by other users;

2. Third-party social media platforms, or linked accounts, devices, or features, when you choose to connect your account on those services with Polyloop or post content to social media;

3. Public. When you make Personal Data visible to other users of the Services it may become publicly available and can be collected, viewed and used by anyone; and

4. Managing entity. If your use of the Services is on behalf of or managed by a managing entity, such as an organising body, or other entity with which you are affiliated, your account information and Personal Data may be shared with the managing entity subject to your consent, and you consent to that managing entity allowing that information to be publicly shared, subject to any features of the Services that expressly override that control. The managing entity will determine how the relevant information and content is shared.

8. YOUR CHOICES

Access, update, or delete. When you log in to your account, you may access, and, in some cases, edit or delete certain information you’ve provided to us, such as first and last name, username and password, email and mailing address, and other information in your profile. When you update information, however, we may maintain a copy of the unrevised information in our records. You may request a full deletion of your account and corresponding data by emailing support@polyloop.io. We may need to retain certain Personal Data in our records, as well as Aggregated Data or De-identified Data derived from or incorporating your Personal Data that does not identify you after you update or delete it.

Privacy settings. You can change certain privacy settings, such as whether you are searchable on Polyloop by your name or username, if you scroll down to Settings, located on the Main Menu page of the Polyloop web application, and select “Privacy,” where you can choose to make yourself private or searchable.

Geolocation data. You may allow or disallow Polyloop to collect geolocation data by enabling or disabling location services on your device. If you decline to grant Polyloop access to this data, we will not be able to provide certain Services, capabilities, or features to you.

Marketing communications. We will give you the ability to opt-out of marketing-related emails and other communications by going to our preferences management page, or by following the opt-out or unsubscribe instructions contained in the message. You cannot opt-out of receiving certain non-marketing emails regarding the Service.

Online tracking opt-outs. There are a number of ways you can opt-out of certain interest-based advertising and other online tracking activities, which we summarise in the “Online tracking opt-outs” section above.

Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to online services. The Services do support “Do Not Track” requests or similar signals. To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

9. OTHER SITES AND SERVICES

The Services may contain links to websites and other online services operated by Third Parties. In addition, our content may be integrated into web pages or other online services that are not associated with us. These links and integrations are not an endorsement of, or representation that we are affiliated with, any Third Party. We do not control websites or online services operated by Third Parties, and we are not responsible for their actions. You can learn about and control how these Third Parties use and share Personal Data about you, including with Polyloop, by reviewing their privacy notices and exercising the privacy choices the Third Party may offer.

10. DATA SECURITY AND RETENTION OF PERSONAL DATA

We employ a number of physical, technical, organisational, and administrative security measures designed to protect the Personal Data we collect. While we endeavour to protect the privacy of your account and other Personal Data we hold in our records, no security measures are failsafe, and we cannot guarantee the security of your Personal Data.

We retain Personal Data for as long as reasonably necessary for the purposes described in this Privacy Policy, while we have a business need to do so, or as required by law (e.g., for tax, legal, accounting, or other purposes), whichever is longer.

11. CHANGES TO THIS PRIVACY POLICY

We are constantly trying to improve our Services, so we may need to change this Privacy Policy from time to time. We will alert you to changes by placing a notice on the Polyloop website, by sending you an email, and/or by some other means. If you use the Services after any changes to the Privacy Policy have been posted, that means you agree to all of the changes.

12. CONTACT US

If you have any questions or concerns regarding our privacy policies, please send us a detailed message to privacy@polyloop.io or at the mailing addresses below.

Policy Platforms Ltd Portview Trade Centre 310 Newtownards Road Belfast, Northern Ireland, BT4 1HE

13. PRIVACY NOTICE FOR EUROPEAN RESIDENTS

If you are a resident of the European Economic Area, the United Kingdom, or Switzerland (collectively, “Europe”), you may have additional rights under the General Data Protection Regulation (the “GDPR”) or other European data protection legislation.

Controller and European Representatives. Polyloop Motion Inc. will be the controller of your Personal Data processed in connection with the Services. Our contact information is as follows:

Policy Platforms Ltd Attn: Data Protection Officer Portview Trade Centre 310 Newtownards Road Belfast, Northern Ireland, BT4 1HE privacy@polyloop.io

Legal bases for processing. The “How We Use Personal Data” section above explains how we use your Personal Data. We will only process your Personal Data if we have a lawful basis for doing so. Lawful bases for processing include consent, contractual necessity and our “legitimate interests” or the legitimate interest of others but will depend on the type of Personal Data and the specific context in which we process it. However, the legal bases we typically rely on for each category of processing activity are set out below.

1. Service delivery: Processing is necessary to perform our contract, or to take steps that you request prior to engaging our Services. Where we cannot process your Personal Data as required to operate the Services on the grounds of contractual necessity, we process your personal information for this purpose based on our legitimate interest in providing you with the products or Services you access and request.

2. Research and development: These activities constitute our legitimate interests.

3. Marketing and advertising: Processing is based on your consent where that consent is required by applicable law. Where such consent is not required by applicable law, we process your personal information for these purposes based on our legitimate interests in promoting our business.

4. Compliance and protection: From time to time we may also need to process Personal Data to comply with a legal obligation, if it is necessary to protect the vital interests of you or other data subjects, or if it is necessary for a task carried out in the public interest.

5. Consent: In some cases, such as when you direct us to share it, we process Personal Data based on the consent you expressly grant to us at the time we collect such data. When we process Personal Data based on your consent, you have the right to withdraw it any time in the manner indicated at the time you give consent or as listed in our Services.

We may use your Personal Data for reasons not described in this Privacy Policy where permitted by law and where the reason is compatible with the purpose for which we collected it. If we need to use your Personal Data for an unrelated purpose, we will notify you and explain the applicable legal basis.

Retention. To determine the appropriate retention period for your Personal Data, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorised use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Data subject rights. You have certain rights with respect to your Personal Data, including:

• Access. You can request more information about the Personal Data we hold about you and request a copy of such Personal Data. You can also access certain of your Personal Data by logging into your account.

• Rectification. . If you believe that any Personal Data we are holding about you is incorrect or incomplete, you can request that we correct or supplement such data. You can also correct some of this information directly by logging into your account.

• Erasure. You can request that we erase some or all of your Personal Data from our systems.

• Withdrawal of consent. If we are processing your Personal Data based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note, however, that if you exercise this right, you may have to then provide express consent on a case-by-case basis for the use or disclosure of certain of your Personal Data, if such use or disclosure is necessary to enable you to utilise some or all of our Services.

• Portability. You can ask for a copy of your Personal Data in a machine-readable format. You can also request that we transmit the data to another controller where technically feasible.

• Objection. You can contact us to let us know that you object to the further use or disclosure of your Personal Data for certain purposes, such as for direct marketing purposes.

• Restriction of processing: You can ask us to restrict further processing of your Personal Data.

• Right to file a complaint. You have the right to lodge a complaint about our practices with respect to your Personal Data with the supervisory authority of your country or European Economic Area Member State.

For more information about these rights, or to submit a request, please email polyloop@gdpr-rep.com or privacy@polyloop.io. Please note that in some circumstances, we may not be able to fully comply with your request, such as if it is frivolous or extremely impractical, if it jeopardises the rights of others, or if it is not required by law, but in those circumstances, we will still respond to notify you of such a decision. In some cases, we may also need you to provide us with additional information, which may include Personal Data, if necessary to verify your identity and the nature of your request.

Processing of Personal Data in the United States. To provide the Services, we will process your Personal Data in the United States, where Polyloop is based. If such processing involves the transfer of Personal Data to the U.S. in a manner governed by European data protection law, the transfer will be performed pursuant to the applicable requirements of the law, such as standard contractual clauses, the individual’s consent, or other circumstances permitted by European data protection law.

Privacy Shield Certification. Polyloop certified to the EU-U.S. Privacy Shield Framework set forth by the U.S. Department of Commerce regarding the collection and use of Personal Data transferred from the EU to the U.S. For more information about the Privacy Shield Program, and to view our certification, please visit www.privacyshield.gov.

Although Polyloop does not rely on the Privacy Shield Framework to facilitate cross-border data transfers, Polyloop remains committed to the Privacy Shield Principles of (1) notice, (2) consent, (3) accountability for onward transfer, (4) security, (5) data integrity and purpose limitation, (6) access, and (7) recourse, enforcement, and liability with respect to all Personal Data received from within the EU in reliance on the Privacy Shield before it was invalidated. The Privacy Shield Principles require that we remain potentially liable if any Third-Party processing Personal Data on our behalf fails to comply with these Privacy Shield Principles (except to the extent we are not responsible for the event giving rise to any alleged damage). Our compliance with the Privacy Shield is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

Please contact us at privacy@polyloop.io with any questions or concerns relating to our Privacy Shield Certification. If you do not receive timely acknowledgment of your Privacy Shield-related complaint from us, or if we have not resolved your complaint, you may also resolve a Privacy Shield-related complaint through JAMS, an alternative dispute resolution provider located in the United States. You can visit https://www.jamsadr.com/file-an-eu-us-privacy-shield-or-safe-harbor-claim for more information or to file a complaint, at no cost to you. Under certain conditions, you may also be entitled to invoke binding arbitration for complaints not resolved by other means.

If you have any questions about this section or our data practices generally, please contact us at privacy@polyloop.io or using the contact information above.

14. DEFINITIONS

We use some specifically defined terms in our Privacy Policy and when we communicate about our Privacy Policy. We want to be clear on how the terms we use are defined to help you better understand our policies.

Aggregated Data

Aggregated Data is data that has undergone a process whereby raw data is gathered and expressed in a summary form for statistical analysis. Raw data can be aggregated over a given time period, across individuals, or both, to provide statistics such as average, minimum, maximum, sum, and count. After the data is aggregated, analysis can be performed to gain insights about particular data sets. When data is aggregated across a number of individuals, the resulting aggregation is considered anonymized such that it is no longer Personal Data. See our Privacy Policy here for more information on how we use Aggregated Data.

Cookies

Cookies are small files which are stored on a user’s computer. They are designed to hold a modest amount of data specific to a particular user and website, and can be accessed either by the web server or the user computer. This allows the server to deliver a page tailored to a particular user, or the page itself can contain some script which is aware of the data in the cookie and is therefore able to carry information from one visit to the website (or related site) to the next. See our Privacy Policy here to learn about cookies and how they are used on our websites.

De-Identified Data

De-Identified Data is data where all the personally identifiable information has been removed, rendering the data anonymous by stripping out information that would allow an individual’s identity to be determined from the remaining data. Data is “de-identified” to protect the privacy and identity of individuals associated with the data. De-identified Data is no longer Personal Data. See our Privacy Policy here for more information on how we use De-identified Data.

GDPR

The General Data Protection Regulation, or GDPR, is a data privacy and security regulation under European law that sets guidelines for the collection and processing of personal information from individuals who live in the European Economic Area, Switzerland and United Kingdom (collectively, “Europe” or “European”). The GDPR provides data protection rights to European residents and applies to any organisation that offers goods or services to individuals in Europe, even if that organisation is not based in Europe. See our Privacy Policy here for more information on the data rights available to European residents.

IP Address

An IP Address is a unique address that identifies a device on the internet or a local network. It allows a system to be recognized by other systems connected via the internet protocol. An IP Address may be considered Personal Data and is at times used by advertisers to serve interest-based ads. See our Privacy Policy here for details on how we share Personal Data.

Personal Data

Personal Data is any data that identifies or relates to you as a particular individual, including information referred to as “personally identifiable information” or “personal information” under applicable data privacy laws, rules, or regulations. See our Privacy Policy here for an outline of the ways in which we use, collect, and share Personal Data.

Services

Services means, collectively, our websites and mobile apps, and any features, content, or applications offered, from time to time, by Polyloop in connection therewith.

Third Parties

Third Parties in the context of the relationship between Polyloop, Polyloop customers, and third parties are entities or businesses involved in an arrangement, contract, deal, or transaction but are not one of the principals. We use Third Parties to enable us to do business with our members, such as charging for transactions or storing data. Third Parties also include advertisers that serve interest-based ads to visitors to our website. See our Privacy Policy here for more information on the Third Parties that do business with Polyloop.

Polyloop, we, us, our

The terms “Polyloop,” “we,” “us,” or “our” mean Policy Platforms Ltd and each of its wholly owned subsidiaries.