DATA PROTECTION NOTICE This Data Protection Notice (“Notice”) sets out the basis on which 7Moments Pte. Ltd. (“we”, “us”, or “our”) may collect, use, disclose or otherwise process personal data of our customers in accordance with the Singaporean Personal Data Protection Act (“PDPA”) and the General Data Protection Regulation (“GDPR”). This Notice applies to personal data in our possession or under our control, including personal data in the possession of organisations which we have engaged to collect, use, disclose or process personal data for our purposes. PERSONAL DATA 1. As used in this Notice, “customer” means an individual who (a) has contacted us through any means to find out more about any goods or services we provide, or (b) may, or has, entered into a contract with us for the supply of any goods or services by us; and “personal data” means data, whether true or not, about a customer who can be identified: (a) from that data; or (b) from that data and other information to which we have or are likely to have access. 2. Depending on the nature of your interaction with us, some examples of personal data which we may collect from you may include your name, contact details, IP address, device information, and your usage of our services (e.g., which sites you visit and how you scroll through and use the website). Usage data are collected through cookies and similar technologies, see below for more information. 3. Other terms used in this Notice shall have the meanings given to them in the PDPA or GDPR (where the context so permits). COLLECTION, USE AND DISCLOSURE OF PERSONAL DATA 4. We generally do not collect your personal data unless (a) it is provided to us voluntarily by you directly or via a third party who has been duly authorised by you to disclose your personal data to us (your “authorised representative”) after (i) you (or your authorised representative) have been notified of the purposes for which the data is collected, and (ii) you (or your authorised representative) have provided consent to the collection and usage of your personal data for those purposes, or (b) collection and use of personal data without consent is permitted or required by the PDPA, GDPR, or other laws. We shall seek your consent before collecting any additional personal data and before using your personal data for a purpose which has not been notified to you (except where permitted or authorised by law). 5. In accordance with the principles of lawfulness, fairness, and transparency under the GDPR, we affirm that we process your Personal Data on the following legal bases: a) Consent: Where you have freely given us your explicit consent to process your Personal Data for one or more specific purposes. b) Contract: Where processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract. c) Legal Obligation: Where processing is necessary for compliance with a legal obligation to which we are subject. d) Vital Interests: Where processing is necessary in order to protect your vital interests or those of another natural person. e) Public Task: Where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us. f) Legitimate Interests: Where processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of Personal Data. 6. If you choose not to provide your Personal Data when requested, we may not be able to deliver certain products or services to you. Where applicable, we will advise you of this at the point of data collection. We are committed to ensuring that your Personal Data is processed lawfully, fairly, and in a transparent manner, and that your privacy rights are respected. This policy is aimed at providing you with clear and understandable information about the data processing activities we undertake and the legal basis for them. 7. We may disclose your personal data: (a) when such disclosure is required for fulfilling obligations related to our provision of goods or services requested by you; or (b) to third-party service providers, agents and other organisations we have engaged to perform any of the functions listed in clause 4-5 above for us. 8. We may continue to apply the purposes listed in the above clauses even if your relationship with us (for example, pursuant to a contract) has been terminated or altered, for a reasonable period thereafter (including a period that allows us to enforce our rights under any contract with you). USING COOKIES 9. Cookies are pieces of information stored directly on the computer that you are using. Cookies allow us to collect information such as browser type, time spent on our website, pages visited, language preferences, site location, and other anonymous traffic data. We and our service providers use the information for security purposes, to facilitate navigation, to display information more effectively, and to personalise your experience. We also gather statistical information about use of the Services in order to continually improve their design and functionality, understand how they are used and assist us with resolving questions regarding them. Cookies further allow us to select which of our advertisements or offers are most likely to appeal to you and display them while you are on our website. We may also use cookies or other technologies in online advertising to track responses to our ads. We do not respond to browser do-not-track signals at this time. The types of cookies used are as follows: (i) Necessary cookies: The cookies which are essential for enabling users to access and use the Platform and their services. (ii) Performance cookies: The cookies which collect information about how users use the Platform in order for us to improve the Platform’s design and accessibility. (iii) Analytiсs cookies: The cookies which provide statistics and reporting on the performance of the Platform, through Google Analytics. No personally identifiable data will be collected through these cookies. (iv) Advertisement cookies: The cookies which track users’ behaviour on the Platform and potentially across other websites, in order to target content that are relevant for the users. Users would not be personally identified through this information. (v) Uncategorised cookies: Other uncategorised cookies that are being analysed and have not been classified into a category yet. (vi) Functional cookies: Functional cookies help perform certain functionalities like sharing the content of the website on social media platforms, collecting feedback, and other third-party features. If you do not want information collected through the use of cookies, most browsers allow you to automatically decline cookies or be given the choice of declining or accepting a particular cookie (or cookies) from a particular website. You may also wish to refer to http://www.allaboutcookies.org/manage-cookies/index.html. If, however, you do not accept cookies, you may experience some inconvenience in your use of our services. You also may not receive advertising or other offers from us that are relevant to your interests and needs. CONSENT 10. Upon visiting our website at www.ikonia.com, you are provided with the capability to customise your consent preferences pertaining to our usage of cookies. You retain the freedom to enable or disable one, some, or all of these cookies in accordance with your personal preferences. However, please be advised that your decision to disable certain cookies may impact your user experience on our website. The deactivation of some cookies could potentially limit the functionality of the website and may influence the smoothness of your browsing experience. Please review your preferences carefully to ensure they align with your comfort level and user experience expectations. 11. We use services of Google Analytics, which use cookies and similar technologies to collect and analyse information about use of our services and report on activities and trends. This service may also collect information regarding the use of other websites, apps and online resources. You can learn about Google’s practices by going to www.google.com/policies/privacy/partners/, and opt out of them by downloading the Google Analytics opt-out browser add-on, available at https://tools.google.com/dlpage/gaoptout. 12. We use the Facebook Pixel to monitor our Facebook and Instagram advertising. The Facebook Pixel is used to track the actions of users who click or view an ad on Facebook, Instagram or Facebook’s Audience Network. The Facebook Pixel provides us with data such as how many users click on an ad and visit our website, and how many users complete an enquiry form on our website after clicking or viewing one of our Facebook and Instagram ads. We use the Facebook Pixel to build advertising audiences based on behaviours such as visits to our website. The data provided to us is anonymised in that we cannot see information such as your name or email address. 13. We gather certain information and store it in log files automatically in order to improve the Platform’s services. This information includes operating system, internet protocol addresses, internet service provider, referring/exit pages, files viewed on the Platform, date/time stamp, clickstream data and/or browser type. This information may be combined with other information we collect about users. We and/or our service providers may use local storage to store content information and preferences. 14. Compilation of cookies and storage times. Cookie Provider Description Expiry: Cookie: _ga_*. Duration: 1 year 1 month 4 days. Google Analytics sets this cookie to store and count page views. Cookie: CONSENT. Duration: 2 years. YouTube sets this cookie via embedded YouTube videos and registers anonymous statistical data. Cookie: _ga. Duration: 1 year 1 month 4 days. Google Analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors. Cookie: _gid. Duration: 24 hours. Google Analytics Used to distinguish users. Cookie: _ga_<container-id>. Duration: 2 years. Google Analytics Used to persist session state. Cookie: _gac_gb_<container-id>. Duration: 90 days. Google Analytics Contains campaign related information. If you have linked your Google Analytics and Google Ads accounts, Google Ads website conversion tags will read this cookie unless you opt-out. 15. In line with our commitment to provide secure transaction processes, we employ the services of Stripe, a renowned third-party service provider, for credit card payment processing. In the course of providing this service, we assure you that we do not store or collect your payment card details on our systems. Stripe is responsible for the use and processing of your complete payment information. Their handling of your payment information complies with Stripe's privacy policy, as well as with the guidelines outlined by both the General Data Protection Regulation (GDPR) and the Personal Data Protection Act (PDPA). We recommend you to review Stripe's privacy policy to better understand their data handling practices. By choosing to proceed with transactions that require Stripe's payment processing, you hereby provide consent to the processing of your payment data by Stripe in accordance with their privacy policy, and the applicable data protection regulations YOUR RIGHTS 16. Under GDPR, you have several rights in relation to your personal data. You have the right to request from us access to and rectification or erasure of your personal data, data portability, restriction of processing of your personal data, the right to object to processing of your personal data, and the right to lodge a complaint with a supervisory authority. 17. Your consent given hereunder is valid until revoked. You may withdraw your consent to our collection, use, and disclosure of your personal data at any time, subject to legal and contractual restrictions and reasonable notice. However, if you withdraw your consent, depending on the nature and extent of your request, we may not be able to provide you our goods and services. WITHDRAWING YOUR CONSENT 18. The consent that you provide for the collection, use and disclosure of your personal data will remain valid until such time it is being withdrawn by you in writing. You may withdraw consent and request us to stop using and/or disclosing your personal data for any or all of the purposes listed above by submitting your request in writing or via email to contact@ikonia.com. 19. Upon receipt of your written request to withdraw your consent, we may require reasonable time (depending on the complexity of the request and its impact on our relationship with you) for your request to be processed and for us to notify you of the consequences of us acceding to the same, including any legal consequences which may affect your rights and liabilities to us. In general, we shall seek to process your request within ten (10) business days of receiving it. 20. Whilst we respect your decision to withdraw your consent, please note that depending on the nature and scope of your request, we may not be in a position to continue providing our goods or services to you and we shall, in such circumstances, notify you before completing the processing of your request. Should you decide to cancel your withdrawal of consent, please inform us in writing in the manner described in clause 8 above. 21. Please note that withdrawing consent does not affect our right to continue to collect, use and disclose personal data where such collection, use and disclosure without consent is permitted or required under applicable laws. ACCESS TO AND CORRECTION OF PERSONAL DATA 22. If you wish to make (a) an access request for access to a copy of the personal data which we hold about you or information about the ways in which we use or disclose your personal data, or (b) a correction request to correct or update any of your personal data which we hold about you, you may submit your request in writing or via email to contact@ikonia.com. 23. Please note that a reasonable fee may be charged for an access request. If so, we will inform you of the fee before processing your request. 24. We will respond to your request as soon as reasonably possible. Should we not be able to respond to your request within fifteen (15) business days after receiving your request, we will inform you in writing within fifteen (15) business days of the time by which we will be able to respond to your request. If we are unable to provide you with any personal data or to make a correction requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under the PDPA or GDPR). PROTECTION OF PERSONAL DATA 25. In full compliance with both the Singapore Personal Data Protection Act (PDPA) and the General Data Protection Regulation (GDPR), we are committed to practising data minimization and limitation. We collect and process your Personal Data only to the extent that it is necessary for clearly defined and legitimate purposes. We ensure that the Personal Data we collect is adequate, relevant and not excessive in relation to the purposes for which it is processed. 26. We have implemented robust administrative, physical, and technical measures to protect your Personal Data from unauthorised access, collection, use, disclosure, alteration, or destruction. These measures include, but are not limited to, the following: Minimised collection of Personal Data: We only collect Personal Data that is strictly necessary for our operations and to provide you with our services. Authentication and access controls: We enforce good password practices and strictly manage access to your Personal Data, ensuring that it is disclosed only on a need-to-know basis. Data Encryption: We use advanced encryption techniques to protect the integrity and confidentiality of your Personal Data during storage and transmission. Updated Antivirus Protection: We ensure our systems are equipped with the latest antivirus protection to guard against malware and other potential threats. Privacy Filters: We use privacy filters as an added security measure to prevent unauthorised viewing or data leakage. Need-to-Know Basis Disclosure: Personal data is only disclosed, both internally and to our authorised third-party service providers and agents, strictly on a need-to-know basis. These measures aim to ensure that your Personal Data is always kept secure, maintaining its integrity and confidentiality at all times. ACCURACY OF PERSONAL DATA 27. We generally rely on personal data provided by you (or your authorised representative). In order to ensure that your personal data is current, complete and accurate, please update us if there are changes to your personal data by informing via email at the contact details provided below: contact@ikonia.com. RETENTION OF PERSONAL DATA 28. We may retain your personal data for as long as it is necessary to fulfil the purpose for which it was collected, or as required or permitted by applicable laws. We will cease to retain your personal data, or remove the means by which the data can be associated with you, as soon as it is reasonable to assume that such retention no longer serves the purpose for which the personal data was collected, and is no longer necessary for legal or business purposes. TRANSFERS OF PERSONAL DATA 29. We may transfer your Personal Data to countries outside of Singapore and the European Economic Area (EEA). However, if we do so, we will ensure that such transfers are legal and safe by ensuring at least one of the following safeguards are in place: (i) The country that we send your information to might be approved by the European Commission. (ii) The recipient might have signed a contract based on “model contractual clauses” approved by the European Commission, obliging them to protect your personal data. (iii) We will ensure that any such transfers are carried out in accordance with the PDPA, GDPR, and other applicable laws, and that adequate safeguards are in place to protect your Personal Data. 30. We hereby inform you that your personal data may be processed by our employees or by other third-party entities operating outside the territorial boundaries of Singapore, who are engaged in tasks for and on behalf of our organisation, or by the representatives and employees of our parent company. 31. Please be aware that the countries to which your personal data may be transferred may not have data protection laws as comprehensive or protective as those in your country of residence. However, we take all necessary steps to ensure that your personal data is treated securely and in accordance with this Privacy Policy and no transfer of your personal data will take place to an organisation or a country unless there are adequate controls in place including the security of your data and other personal information. 32. By submitting your personal data to us, you expressly consent to such international data transfers, acknowledging that such employees, representatives, and third-party service providers may access, use, store and transfer your personal data as necessary to perform their roles and deliver the services. 33. Our organisation, our parent company Nifty Moments AB (org.no. 559311-6865, registered and operated entity according to laws of Sweden), and any third-party service providers engaged by us are obliged to adhere to applicable data protection legislation, including but not limited to the General Data Protection Regulation (GDPR) and the Personal Data Protection Act (PDPA), and to use such information strictly in line with our instructions and data protection laws. USER FEEDBACK AND COMMUNICATION 34. We value your feedback and are committed to providing you with the best possible experience when you interact with our services. In this regard, should you wish to communicate with us, share your feedback or have any inquiries that do not necessarily require the intervention of the Data Protection Officer (DPO), we provide a designated communication channel. 35. You can reach us via email at contact@ikonia.com. Please note, this communication method is intended for general queries, suggestions, comments, or concerns. 36. We assure you that any information provided will be processed in compliance with the relevant data protection laws, including but not limited to the General Data Protection Regulation (GDPR) and the Personal Data Protection Act (PDPA). 37. We respect your privacy rights and promise to respond to your communication in a timely and respectful manner. However, if your communication involves a specific issue regarding your personal data or its handling, we advise you to contact: Chief Operating Officer: Julia Shumishyna Email: julia@ikonia.com 38. The purpose of this clause is to facilitate an open line of communication with our users and ensure your experience with our services is as smooth as possible. It is not intended to circumvent the role of the DPO or any statutory requirements in terms of data protection law. We remain committed to the safeguarding of your personal data and your privacy rights in line with GDPR and PDPA guidelines. DATA PROTECTION IMPACT ASSESSMENT PROTOCOL 39. We recognize the importance of thoroughly assessing potential risks associated with processing activities that may significantly impact the rights and freedoms of individuals. In accordance with the guidelines of the GDPR and PDPA, we conduct Data Protection Impact Assessments (DPIAs) when implementing new technologies or initiating data processing activities that may result in a high risk to these rights and freedoms. 40. A DPIA is an essential element in our commitment to upholding the data protection principles and maintaining transparency about our data processing activities. This proactive approach allows us to identify and mitigate any potential data protection risks at an early stage, thus ensuring the highest level of protection for your personal data. 41. The process includes systematically considering the potential impact that a project or initiative might have on individuals' privacy and involves consultations with relevant stakeholders as necessary. Upon completion of a DPIA, if potential high risks are identified, we will take the necessary steps to reduce these risks to an acceptable level or will seek the relevant supervisory authority's guidance on proceeding with the processing activity. 42. Our DPIA protocol reflects our commitment to adhere to legal and best practice standards, ensuring the safe and lawful processing of personal data. DATA BREACH NOTIFICATION 43. In the unfortunate event of a personal data breach, we are committed to manage the situation in a prompt and responsible manner, in accordance with the requirements of the Personal Data Protection Act (PDPA) and the General Data Protection Regulation (GDPR). 44. Upon detection of any potential or confirmed personal data breach, we will immediately initiate our response protocol to identify, contain, and mitigate the impact of the breach. This may include but is not limited to the recovery of lost data, securing affected systems to prevent further unauthorised access, and the rectification of any vulnerabilities that may have caused the breach. 45. In compliance with the PDPA and GDPR, we will notify the relevant supervisory authority of any breach within 72 hours of our becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals affected. When the personal data breach is likely to result in a high risk to your rights and freedoms, we will communicate the breach to you without undue delay. 46. We will provide all necessary information about the nature of the breach, the data involved, potential consequences, and the measures taken to address the breach. We are committed to cooperating fully with the supervisory authorities, and to taking all necessary steps to mitigate the effects of the breach and prevent its recurrence. 47. Our data breach management and notification protocol underscores our commitment to safeguard your personal data and ensure transparency in all our data processing activities EFFECT OF NOTICE AND CHANGES TO NOTICE 48. This Privacy Policy is effective and enforceable in conjunction with any other notices, contractual clauses, and consent statements that pertain to the collection, use, and disclosure of your Personal Data by us. 49. We reserve the right to amend this Privacy Policy at our discretion, and without any prior notice. The date at the bottom of this Policy indicates when it was last updated. Your ongoing use of our services following these updates constitutes your acknowledgement and acceptance of any changes to this Policy. Please refer to the last update date to check for any revisions. 50. We encourage you to review this Privacy Policy regularly to stay informed about how we are protecting and respecting your Personal Data. Effective date : July 9th, 2021 Last updated : July 4th, 2023