PRIVACY NOTICE "GRAZE"

DATA CONTROLLER

The data controller is Damiano Petrungaro (hereinafter, "Controller"), who can be contacted at the following email address: vgv vev vtv vgv vrv vav vzv vev v@v vgv vmv vav viv vlv v.v vcv vov vmv

The Controller will process the personal data of users who will use the "Graze" application (hereinafter, individually "Data Subject" or, jointly, "Data Subjects").

CATEGORIES OF PERSONAL DATA PROCESSED

The personal data (hereinafter, "Data") being processed are the following:

• Common personal data: name and surname, email address, phone number, photos, IP address, user ID.

The Controller does not request to process additional Data and, therefore, refrains from processing any additional personal information provided by the Data Subject, if possible also deleting/destroying anything that is not actually necessary with respect to the purposes described below.

SOURCE OF PERSONAL DATA

The Data will be collected directly from the Data Subject at the time of registration or, additionally, during the use of the "Graze" application.

PURPOSES OF PROCESSING AND RETENTION PERIOD OF PERSONAL DATA

The Data will be processed by the Controller for the following purposes:

1. Purposes based on the Data Subject's consent

1. Registration and use of the "Graze" application;
2. Publication of reviews, which may contain photographic material. By uploading images to the Graze application, the Data Subject grants the Controller a perpetual, worldwide, royalty-free, non-exclusive license to use, reproduce, modify, distribute, and display such images for promotional activities, marketing campaigns, social media content, and any other commercial or non-commercial purposes deemed appropriate by the Controller. Uploaded images become part of the Controller's content library and may be used indefinitely, even after account termination.

The Data processed for the purposes mentioned above in letters a) and b) will be retained until consent is withdrawn and, in any case, within 24 months from its collection unless the Data Subject renews it. Images licensed for promotional use may be retained indefinitely as part of the Controller's marketing assets.

2. Purposes for the protection of legitimate interest

1. Bug management;

The Data processed for purpose c) will be retained for 6 months from the resolution of the bug.

Note: If it becomes necessary to ascertain, exercise, or defend the Controller's rights in court, the retention period may extend until the end of the litigation.

After the above retention periods have elapsed, the Data will be destroyed, deleted, or anonymized by the Controller.

LEGAL BASIS FOR PROCESSING

The processing of Data is based on the following legal grounds:

1. Data Subject's consent (Art. 6, par. 1 let. a), of GDPR);
2. Controller's legitimate interest (Art. 6, par. 1 let. f), of GDPR).

NATURE OF PERSONAL DATA PROVISION

The provision of Data by the Data Subject for the purposes mentioned above in letters a) and b) is optional; however, failure to provide such Data will not allow the Data Subject to register and, therefore, use the "Graze" application.

The provision of images is optional but automatically grants the usage rights described above. Users who do not wish to grant such rights should not upload content to the platform.

The provision of Data by the Data Subject for the purpose mentioned above in letter c) is necessary for the resolution of bugs that have occurred and to ensure the efficient operation of the "Graze" application.

METHODS OF PROCESSING PERSONAL DATA

The Data will be processed electronically, carrying out any appropriate operation in compliance with applicable regulatory provisions.

CATEGORIES OF RECIPIENTS OF PERSONAL DATA

The Data acquired by the Controller, within the scope of the purposes mentioned above, may be communicated and/or disclosed to subjects who collaborate in any capacity with the Controller for the achievement of the above purposes.

The complete and updated list of independent data controllers, data processors, and recipients of Data (pursuant to Art. 4, n. 9, of GDPR) will be made available upon request using the contact details provided in the "DATA CONTROLLER" paragraph above.

TRANSFER OF PERSONAL DATA OUTSIDE THE EEA

The Controller may transfer the Data to third parties as independent data controllers or data processors to allow the performance of the activities listed in this Notice. In case such transfer occurs to countries that do not provide the same level of protection provided by applicable law or, in any case, an adequate level of Data protection, the Controller ensures that each of these recipient subjects assumes specific contractual obligations in accordance with applicable data protection regulations (including the signing of Standard Contractual Clauses approved by the European Commission), unless the Controller can refer to any other legal basis for the transfer of such information.

In any case, the Data Subject may always request more information regarding the transfer of their Data by writing to the email address provided in the "DATA CONTROLLER" paragraph above.

Personal Data will not be disseminated, therefore will not be made available to indeterminate subjects.

RIGHTS OF THE DATA SUBJECT

The Data Subject, in relation to the Data provided, has the right to exercise at any time and based on the provisions of the GDPR the rights established by the latter and listed below:

• Right to withdraw consent (Art. 7, par. 3, of GDPR): right to withdraw given consent. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal;
• Right of access (Art. 15 of GDPR): right to obtain confirmation of whether or not personal Data is being processed and, if so, to obtain access to such Data and additional information;
• Right to rectification (Art. 16 of GDPR): right to rectification of personal Data without undue delay;
• Right to erasure (Art. 17 of GDPR): right to erasure of personal Data;
• Right to restriction of processing (Art. 18 of GDPR): right to obtain restriction of processing.

RIGHT OF OBJECTION (ART. 21 OF GDPR)

The Data Subject also has the right to object (Art. 21 of GDPR) at any time, on grounds relating to their particular situation, to the processing of Data concerning them where it is based on legitimate interests (Art. 6, par. 1 let. f), of GDPR), as indicated in the previous paragraph.

RIGHT TO LODGE A COMPLAINT (ART. 77 OF GDPR)

If the Data Subject believes that their rights have been compromised or violated, or that the processing of their Data is contrary to current regulations, they have the right to lodge a complaint with the Data Protection Authority according to the procedures indicated at the following link:

https://www.garanteprivacy.it/diritti/come-agire-per-tutelare-i-tuoi-dati-personali/reclamo

CHILD SAFETY AND CSAE STANDARDS

Graze is committed to maintaining a safe environment for all users and strictly prohibits any content or behavior related to child sexual abuse and exploitation (CSAE).

• Any user found to be engaging in, promoting, or facilitating CSAE-related content or behavior will be immediately removed and reported to relevant authorities, including the National Center for Missing and Exploited Children (NCMEC) or regional equivalent.
• We have implemented an in-app reporting mechanism that allows users to flag inappropriate content or behavior directly within the app.
• We maintain an internal moderation process to promptly review, investigate, and take appropriate action on reports of CSAE or other harmful conduct.
• We fully comply with all applicable child safety laws and regulations.
• A designated child safety contact is available to handle CSAE-related issues and communication with regulatory bodies. You may contact our Child Safety Officer via the email listed in the "DATA CONTROLLER" section.

Graze does not tolerate any misuse of the platform. Violations of these policies will result in immediate suspension or termination of user access, and reported materials will be dealt with in accordance with applicable laws and platform standards.

CHANGES AND UPDATES

The Controller may make changes and/or additions to this privacy notice, including as a consequence of any subsequent regulatory changes and/or additions. In such cases, the new version of this privacy notice will be communicated as soon as possible in a manner designed to reach the Data Subject as quickly as possible.