This Privacy Policy of personal information (hereinafter – "Policy") applies to all information that KIVISMARTUA Limited Liability Company (EDRPOU code 43325558, location: Ukraine, 01014, Kyiv, Zvirynetska Street, building 63; phone: +38(044)-499-09-94, e-mail: [email protected]), as the Administrator, may obtain about the Partner during their use of the Benefits+ Service. Use of the Benefits+ Service signifies the Partner's unconditional consent to this Policy and the terms for the collection and processing of Personal Information specified herein ; in case of disagreement with these terms, the Partner must refrain from using the Benefits+ Service.

The Policy establishes the procedure for the Administrator's processing of personal data, the types of personal data collected, the purposes and objectives of using such personal data, the Partner's interaction with the Administrator and third parties, security measures for protecting personal data, conditions for accessing personal data, as well as contact information for the user regarding obtaining access, making changes, blocking or deleting their personal data and addressing any questions that may arise regarding personal data protection practices.

SECTION 1. Personal Information Received and Processed by the Administrator

1.1. For the purposes of this Policy, "Personal Information" (for the purposes of this Policy, the term Personal Information, unless otherwise directly stated in the Policy, is synonymous with personal data as defined in the legislative acts of Ukraine) means:

1.1.1. personal information that the Partner provides about themselves voluntarily and on their own initiative to the Administrator for the creation of the Partner's personal account in the Benefits+ Service and (or) in the process of using the Benefits+ Service, namely: surname, name, contact details (e-mail and phone) of the responsible person, as well as other data that are not personal but allow the Administrator to identify the Partner, namely: company website, full company name, EDRPOU code, legal address, country of registration, form of ownership;

1.1.2. information traffic between the Partner and the Administrator, including commercial electronic messages and electronic messages relating to the Benefits+ Service as a whole (e.g., account confirmation, technical messages and security system information, etc.);

1.1.3. The Administrator may collect and process data about the Partner's device identifiers.

1.2. The Administrator shall not verify the accuracy of the Personal Information provided by the Partner and does not control the Partner's legal capacity.

1.3. The Administrator proceeds on the assumption that the Partner:

1.3.1. provides reliable and sufficient Personal Information, including on matters proposed in the form provided by the Partner to the Administrator for the creation of the Partner's personal account in the Benefits+ Service;

1.3.2. possesses all necessary rights allowing them to request registration and use the Benefits+ Service;

1.3.3. is familiar with this Policy, expresses their unconditional consent to it, and accepts the rights and obligations specified therein.

1.4. Changes to the Partner's account, including information identifying the Partner, their contact details, account settings, changes to other account-related functionality, or deletion of the account are carried out exclusively by the Administrator at the Partner's request for such changes, or at the Administrator's own discretion.

1.5. Relations related to the collection, processing, storage, dissemination, and protection of information about End Users are regulated by this Policy, other local normative legal acts of the Administrator, and applicable law.

SECTION 2. Purpose, Grounds, and Terms of Personal Data Processing

2.1. The purpose of this Policy is to ensure proper protection of information about the Partner, including their personal data, from unauthorized access and disclosure.

2.2. The Administrator processes Personal Information about the Partner, in particular, for the following purposes:

- ensuring the registration and creation of the Partner's account by the Administrator in the Benefits+ Service;

- identification of the Partner in the Benefits+ Service;

- providing access to the functionality of the Benefits+ Service and technical support to the Partner by the Administrator;

- communications regarding the use of the Benefits+ Service, changes in its operation, technical updates, etc.;

- fulfillment of contractual obligations, if any, between the Partner and the Administrator;

- display of statistical, analytical reports, internal documentation, when contractual relations arise between the Partner and the Administrator and if such are provided for by the contract;

- prevention of fraud, abuse of access rights, and other violations of the Benefits+ Service usage rules.

- sending informational and marketing mailings (commercial offers, news, personal recommendations) containing information about services offered in the Benefits+ Service, and/or sending messages regarding the functioning of the Benefits+ Service, by email, phone number (SMS, Telegram), as well as by sending informational messages and notifications through the Benefits+ Service.

2.3. The Partner may at any time refuse to receive informational and marketing mailings – through the appropriate settings in the personal account of their Benefits+ Service account or by sending a corresponding request to the Administrator.

2.4. The Administrator strictly adheres to the requirements of Ukrainian legislation in the field of personal data protection and guarantees that the collected Personal Information is necessary and sufficient to achieve the purposes of collection and processing set forth in this Policy.

2.5. The Partner agrees that the Administrator, in the process of personal data processing, has the right to perform the following actions with personal data: collection, systematization, accumulation, storage, use, transfer to third parties, including outside Ukraine, destruction, and other necessary actions for the purpose of fulfilling the Policy and using the Benefits+ Service.

2.6. The Administrator processes the Partner's personal data on the following grounds:

- explicit consent of the Partner to the processing of their personal data as provided in this Policy, to the extent that such consent is required by applicable law.

- In particular, consent is required upon registration in the Benefits+ Service.

2.7. Terms of processing the Partner's personal data. The Partner's personal data is stored no longer than necessary to achieve the purpose of its processing, as defined above, unless otherwise provided by legislation in the field of archival affairs and record keeping.

2.8. The Partner agrees that the contact details provided by them during registration (including, but not limited to, email, phone number, etc.) will be automatically included in the Administrator's news distribution system from the moment they are entered into the Benefits+ Service system, including advertising and other information.

2.9. The Partner agrees to immediately notify the Administrator of any security breach related to access to the Benefits+ Service, carried out using the Partner's login and password without their knowledge and consent. The Administrator does not assume responsibility for any consequences of security breaches, including loss or corruption of data, that occurred as a result of unauthorized access by third parties to the Benefits+ Service using the Partner's login and password.

SECTION 3. Procedure for Processing Personal Information and its Transfer to Third Parties

3.1. The collection of the Partner's Personal Information is carried out by the Administrator upon registration, and subsequently when the Partner, on their own initiative, adds additional information about themselves to their account in the Benefits+ Service or by sending a corresponding request for such changes to the Administrator.

3.2. The Partner's personal data and information are stored exclusively on electronic media and processed using automated systems, except in cases where non-automated processing of personal data is necessary in connection with compliance with legislative requirements.

3.3. The Administrator may transfer personal data to third parties, including foreign subjects of relations related to personal data, in particular, related parties of the Administrator for the purpose of processing personal data as defined by this Policy. For example, data may be transferred to other Administrator partners who provide their services within the Benefits+ Service. In doing so, the Administrator makes the necessary and reasonable efforts to ensure the protection of the transferred personal data, including by concluding relevant agreements. In such a case, the Partner gives explicit consent to the transfer of their personal data to any third party for the purpose of processing personal data in accordance with this Policy. No transfer of personal data will require separate consent from the Partner or a separate notification to the Partner.

SECTION 4. Change of Personal Information

4.1. The Partner may at any time change (update, supplement) the Personal Information provided by them or part of it in their account or send a corresponding request to the Administrator for the necessary changes.

4.2. The Partner may also delete Personal Information provided by them during account creation or send a corresponding request for deletion to the Administrator. In doing so, the Partner understands and agrees that such deletion may result in the inability to use the Benefits+ Service.

SECTION 5. Measures Applied for the Protection of Personal Information

5.1. The Administrator takes technical and organizational-legal measures to ensure the protection of the Partner's personal data from unlawful or accidental access, destruction, distortion, blocking, copying, dissemination, as well as from other unlawful actions.

5.2. The Administrator has developed an action plan in case of unauthorized access to personal data, damage to technical equipment, or emergencies.

5.3. The Administrator regularly organizes training for Administrator employees involved in personal data processing to raise awareness of international legal standards and national legislation provisions in the field of personal data protection, effective implementation, and compliance with the Company's internal rules regarding the collection, storage, use, or other actions constituting personal data processing.

5.4. Technical protection measures taken by the Administrator include the following:

- The Administrator uses equipped system and software-technical means and communication means that prevent loss, theft, unauthorized destruction, distortion, falsification, copying of information and comply with the requirements of international and national standards.

- Software products used by the Administrator in the process of personal data processing to achieve their purpose have built-in mechanisms for protecting information from unauthorized access to ensure the identification and authentication of the Partner, the integrity of electronic documents, the registration of the Partner's actions, and access management for the Partner to information and individual functions of the Benefits+ Service.

- The Administrator has developed and implemented internal rules regarding working with personal data, which include a procedure for deleting a number of data after deleting the Partner's personal account, levels of access for internal Administrator employees to Partner data, and a secure procedure for exchanging such data internally. The Administrator regularly audits its security systems to identify opportunities for improving the secure storage and use of Partner data. The Administrator also complies with the norms and requirements of applicable legislation regarding the procedure for processing personal data.

5.5. The Partner understands and agrees that absolute protection of information from existing threats cannot be ensured on the Internet. Hereby, the Partner gives their unconditional and irrevocable consent to the Administrator to determine a sufficient level of personal data protection, methods, and location (territory) of their storage.

5.6. The Partner accepts and agrees that the Administrator shall under no circumstances be liable for the loss and/or dissemination of personal data if such loss and/or dissemination resulted from actions, due to the fault or negligence, of third parties or the Partner's own actions/inactions.

SECTION 6. Amendments to the Policy. Partner's Consent to the Policy

6.1. By registering and using the Benefits+ Service, the Partner expresses their consent to the terms of this Policy.

6.2. In case of the Partner's disagreement with the terms of this Policy, the use of the Benefits+ Service must be immediately terminated.

6.3. The Partner acknowledges and agrees that the creation of a personal account and subsequent use of the Benefits+ Service signifies the Partner's unconditional consent to all points of this Policy and unconditional acceptance of its terms. Continued use of the Benefits+ Service by the Partner after any changes to this Policy signifies their consent to such changes and/or additions. The Partner is recommended to regularly review the content of this Policy in order to timely familiarize themselves with its changes.

6.4. The Administrator has the right to make changes and/or additions to this Policy at any time without prior and/or subsequent notification to the Partner. When making changes, the last update date is indicated in the current version. The new version of the Policy comes into force from the moment of its placement, unless otherwise provided by the new version of the Policy. The current version is always available in the Benefits+ Service.