PIC-TIME PRIVACY POLICY

[Last Updated: December 24, 2023]

This privacy policy ("Privacy Policy") describes how Pic-Time Ltd. ("Pic-Time", "we", "us", or "our") collects, uses and discloses certain information, including your personal information, and the choices you can make about that information.

Pic-Time is the developer and operator of an online-based SaaS platform ("Platform") for professional photographers ("Photographers") enabling them to upload content such as photos, videos and additional digital files and store such content, create online galleries ("Gallery" or "Galleries"), offer their clients various merchandise and online social features, customize portfolio pages, and to use the marketing services and tools ("Services").

This Privacy Policy which is incorporated by reference in our Terms of Service, and any other terms or documentation (together "Terms") governs the processing and transfer of data collected in connection with visitors browsing our website available at https://www.pic-time.com/ ("Visitors" and "website" respectively), as well as Photographer using the Services and Photographers' clients, customers and end users which login to view their Galleries ("Client(s)"). Visitors, Photographers and Clients collectively shall be referred to as "you" unless otherwise required.

• POLICY AMENDMENTS :

We reserve the right to amend this Policy from time to time, at our sole discretion. The most recent version of the Policy will always be posted on the website. The updated date of the Policy will be reflected in the "Last Updated" heading. We will provide notice to you if these changes are material, and, where required by applicable law, we will obtain your consent. Any amendments to this Policy will become effective within 30 days upon the display of the modified Policy. We recommend you review this Policy periodically to ensure that you understand our most updated privacy practices.

• CONTACT INFORMATION :

Pic-Time Ltd. is the controller entity, incorporated under the laws of Israel, its address: 1000 N West Street, Suite 1200 #3015, Wilmington, DE 19801, USA.

You may contact us and our privacy team as follows:

• For privacy inquires, email to our DPO: dpo@pic-time.com
• By Mail: 1000 N West Street, Suite 1200 #3015, Wilmington, DE 19801, USA.
• For general inquiries, by email: info@pic-time.com
• For technical support, by email: support@pic-time.com

Data Protection Representative in the UK & EU Contact Information :

We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact for the following regions:

• United Kingdom (UK)

Prighter Ltd

20 Mortlake Mortlake High Street, London, SW14 8JN, United Kingdom

• European Union (EU)

Maetzler Rechtsanwalts GmbH & Co KG

Schellinggasse 3/10, 1010 Vienna, Austria

Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative, Prighter or make use of your data subject rights, please visit the following website: https://prighter.com/q/18322104981

• DATA SETS WE COLLECT AND FOR WHAT PURPOSE:

We may collect two types of information from you, depending on your interaction with us.

The first type of information is non-identifiable and anonymous information ("Non-Personal Data"). We are not aware of the identity of the user from which the Non-Personal Data is collected. The Non-Personal Data which is being collected may include your aggregated usage information and technical information transmitted by your device and may contain, among other things, the type of operating system, type of browser you use, and the time and date you browse our website, or access our Services or Galleries.

The second type of information is individually identifiable information, namely information that identifies an individual or may with reasonable effort identify an individual ("Personal Data"). For the avoidance of doubt, any Non-Personal Data connected or linked to any Personal Data shall be deemed as Personal Data as long as such connection or linkage exists. As detailed below, we may also collect or process sensitive Personal Data constituting children's photographs, or revealingbio-metric data, sexual or nude photographs, etc. ("Special Categories of Personal Data").

Our face-grouping feature, which allows specific individuals to be detected in photographs uploaded to the Services, and enables users' to search for specific photos within the gallery (e.g., photos that include one or a couple of guests) may include certain facial recognition information such as distance between the eyes, the shape of the nose and other facial landmarks ("Face Data"). Depending on the applicable laws, some of the information collected by the facial recognition feature may be considered "biometric data". You will be able to opt-out of such data collection by opting out of the facial recognition feature altogether. Face recognition related-data, including biometric data that we collect from you, will only be used to provide Services. The biometric data will be stored securely in our database and will only be retained for as long as required by applicable law. For more information see our Biometric Retention Policy.

We will not sell, lease, trade or otherwise profit from your Personal Data that constituted as Special Categories of Personal Data, nor will any of our vendors, service providers or partners who have access to such data be permitted to do so .

The table below details the processing of Personal Data, the purpose, lawful basis and processing operations:

VISITORS
DATA SET	PURPOSE AND OPERATION	LAWFUL BASIS
Online Identifiers and Usage Data When you access our website, we collect certain online identifiers through first party cookies, which are strictly necessary for the operation of the website and Platform, and through third party cookies for analytics and marketing. Such identifiers include IP address, log files, device identifiers, unique ID, and other unique identifiers. A device identifier may remain persistently on your device, to help you log in and navigate the Services better ("Online Identifiers"). Through these cookies, we also collect information on how you use our website, such as click stream data, duration of use, time and date you enter or exit the website ("Usage Data").	The purposes of using first party cookies are operational and technical purposes, such as to enable the website to be uploaded, as well as fraud prevention and data security, to remember you when you re-enter the Services, enable the cart to upload, etc. The purposes of using third-party cookies are tracking technologies for analytic, marketing, and advertising purposes.	When we are processing such information which is strictly necessary for operating the website and Platform, it is based on our legitimate interest to enable the operation of the website and the Services. When we are processing such information for marketing, tracking, analysis and advertising purposes, it will be subject to your consent provided through the cookie notice and a consent management tool that is used on the website. You may withdraw consent at any time by using the cookie preference settings.
Contact Information If you voluntarily contact us through any form available on the website or by email, you may be required to provide us with certain information such as your full name, email address, and any additional information you decide to share with us ("Contact Information").	We will process the Contact Information to provide you with a response to your inquiry. We may also process the contents of our correspondence with you in order to improve our support services.	We process Contact Information subject to our legitimate interest. We may keep such correspondence for records keeping, for any future possible legal claims or disputes, or if we are legally required to.
Location Data When you access our Services, we process location data that may include approximate location extracted from the IP or GPS location, where made available through your device. (collectively "Location Data")	We will process Location Data for security and verification purposes, as well as to customize our Services.	Where we process Location Data for operation and security, we process your data based on our legitimate interest.
Careers When you apply for a position, we will process your CVs as uploaded by you, your name, email address, phone number, your education and skills, employment history, and your photo (to the extent provided by you). ("Recruitment Information").	We will collect Recruitment Information in order to process your application, for recruitment management purposes, for further recruitment steps (e.g., interview), and to enable us to comply with corporate governance and legal and regulatory requirements. If you are hired, your Recruitment Information may be stored with HR as part of your employee file, and subject to our corporate management.	We process Recruitment Information subject to our legitimate interest. We will retain your information for records keeping and future defense from legal claims under our legitimate interest, or if you have provided consent to contact you in the future. Following the completion of the recruitment process, we may further retain and store the Recruitment Information as part of our internal record keeping, including for legal defense from any future claim, as well as, where we find applicable and subject to applicable law requirements, to contact you in the future for other job positions we believe will suit your qualifications.
Newsletter Registration In the event you sign up to receive our newsletter or other marketing materials, you will be requested to provide your contact details, such as your email address.	We will use your email address in order to send you our newsletter and other marketing materials.	We process such information subject to your consent. You may withdraw consent at any time through the "unsubscribe" link within the email or by contacting us directly.

PHOTOGRAPHERS
DATA SET	PURPOSE AND OPERATION	LAWFUL BASIS
Registration Information In order for you to access our Services, Platform or certain features on the website (including the free trial), you will need to register and create an account ("Account"). As part of the registration as a Photographer, you will be requested to provide us with certain information such as your full name, email address, phone number, tax ID, user name, and password ("Registration Information"). You are also able to log in through your social media accounts (i.e., Facebook and Instagram), if you do so we will receive your publicly available information (name and email address).	We use the Registration Information to manage, support, and provide the Services, such as creating your Account, verifying your identity, and enabling the Services.	We process Registration Information for the purpose of performing our contract with you, subject to our Terms of Service.
Payment Information As part of the Services, you may need to provide us with your payment details your name, full address, phone number, and payment information (e.g., credit card or PayPal UID); however, we do not collect any credit card information, as we use third party payment processors which may include PayPal, Stripe, Square and BlueSnap, pursuant to their privacy policy linked ("Payment Information").	We will process this information for billing purposes, for the purpose of enabling you to use the Services.	We process Payment Information as part of the performance of our contract with you. Subject to legal obligation, we may record transaction information, such as your payments and purchase history.
Contact Information- Customer Support When our customers contact us for customer support, we will process your Contact Information.	We will use Contact Information to provide the customer support needed. We will retain such correspondence for as long as needed, and to evidence the support was provided.	We process such information for performing our contract with you.
Contact Information- Direct Marketing As a Photographer, we will send you invoices, materials and marketing content through the email information you provided during your onboarding ("Direct Marketing").	We will use this information to keep you updated with offers and content such as new capabilities and features, surveys, invoices and supporting documentation. We use third party service providers for the purpose of managing our marketing activities, such as Mailchimp and SendGrid, which will process your data on our behalf.	We process such information subject to our legitimate interest. You can opt-out at any time by using the "unsubscribe" option.
Photographer Usage Data When you access or use our Platform or Services, information regarding such use is automatically generated and collected, which may include the click stream within the Platform, the use of the Services (i.e., accessed or used by you) and the time spent on those pages or features, crash data and analytics, crash and errors, your purchases, etc. (" Photographer Usage Data"). Such data might be considered as Personal Data, when it is linked to or combined with other types of identifying data such as online identifiers, account, email address, username, etc.	We use this information to help us to understand how you are using our Platform, and how to better provide and improve our Services. This helps us to better understand our business, analyze our operations, maintain, improve, innovate, plan, design, and develop the Service and our new products. We also use such data for statistical analysis purposes, to test and improve our offers, decide how to improve the Services based on the results obtained from this processing.	We process such data subject to our legitimate interest.
Photographs When a Photographer uses our Services, they upload content, photos, videos, GIF, etc. on the Platform ("Photographs") for the purpose of managing and storing the Galleries or offering their Clients to log-in and view the Photographs as further detailed below. The Photographs can include sensitive information, Special Categories of Personal Data (nude, sexual content, minors) and may also infer or provide information such as gender, ethnicity (by means of example if the Photograph includes cloture or religiose symbols, images inferring the gender, etc.).	We process, host and store the Photographs to enable our Photographers to manage their Galleries and use the Services.	As the Processor of this data (as such term is defined under data protection laws), the processing is subject to the Photographers' instructions and subject to a Data Processing Agreement, such as the Pic-Time's Data Processing Agreement.
Face Data By uploading the Photographs and using the AI face recognition feature, we will process facial recognition information, such as run face scan and possibly extract features of your face (e.g., distance between the eyes, the shape of the nose and other facial landmarks). This information may be considered as biometric data in certain jurisdictions (i.e., Illinois, Texas).	We will only use this information to provide you with our Services, provide the facial grouping feature, and improve your experience of the Services. We will ensure a high standard of security is placed and we will not identify a specific individual or information about such individual together with the Face Data.	We process such information to provide the face grouping feature, to comply with our contractual obligations towards the Photographers and as part of delivering our Services to them. We are the Processor of such information, acting on behalf of the Photographers. Therefore, the processing is subject to the Photographers' instructions and subject to a Data Processing Agreement, such as the Pic-Time's Data Processing Agreement.

CLIENTS
DATA SET	PURPOSE AND OPERATION	LAWFUL BASIS
Client Registration Information In order for you to access a Gallery you will be invited by the Photographer via a link. We will process your name, username and password that you will be provided during the registration process, as well as the Photographs available in your Gallery.	To enable a secure access of Client to the Gallery.	We process such information for performing our contract with you or the Photographer as applicable.
Commercial Information The Photographers may offer certain merchandise or printing the Photographs, the billing for such services can be done either by Photographer or directly through Pic-Time Platform. When payment is processed through the Platform you will be requested to provide customary billing information including, name, address, email address, phone number and your payment details; however, we do not collect any credit card information.	We will use and process such information in order to enable the transaction. We use third party payment processors, such as PayPal , Stripe, Square and BlueSnap pursuant to their privacy policies linked ("Purchase Information").	This Information will be processed for performing our contract with you or the Photographer and will enable you to make a purchase. Subject to legal obligation, we may record commercial and transaction information, such as your payments and purchase history.
Usage Data When you access the Gallery, we process the Online Identifiers and Usage Data, as defined above.	We will use such information in order to operate, provide, maintain, protect, and manage our Services.	We process such information subject to our legitimate interest.
Share on Social Network You can choose to share the Photograph on your social networks or website, directly from the Platform.	Technically through the applicable API we will post your Photograph as requested by you, please be aware that according to your settings on Social Networks, you are making the Photograph publicly available.	We process such information for the performance of our contract with you.

Please note that the actual processing operation per each purpose of use and lawful basis detailed in the table above, may differ. Such processing operation usually includes a set of operations, made by automated means, such as collection, storage, use, disclosure by transmission, erasure or destruction. Transfer of Personal Data to third party countries as further detailed in the Data Transfer section is based on the same lawful basis as stipulated in the table above.

In addition, we may use certain Personal Data to prevent potentially prohibited or illegal activities, fraud, misappropriation, infringements, identity thefts and any other misuse of the Services and to enforce the Terms, as well as to protect the security or integrity of our databases and the Services, and to take precautions against legal liability. Such processing is based on our legitimate interests.

• HOW WE COLLECT YOUR INFORMATION:

Depending on the nature of your interaction with us, we may collect the above detailed information from you, as follows:

• Automatically , when you visit our website or interact with the Platform, including through the use of Cookies (as detailed below) and similar tracking technologies.
• Provided by you voluntarily - we will collect information if and when you choose to provide us with the information, as through the Services, contact us communications, registration, etc.
• Provided by Third Parties - as detailed above, our Photographers may provide us with your photographs or email address.

COOKIES AND SIMILAR TECHNOLOGIES :

We use "cookies" (or similar tracking technologies) when you access the website or interact with the Services we offer. The use of cookies is a standard industry-wide practice. A "cookie" is a small piece of information that a website assigns and stores on your computer while you are viewing a website. You can find more information about cookies at http://www.allaboutcookies.org/.

Cookies can be used for various purposes, including allowing you to navigate between pages efficiently, for statistical purposes, as well as for advertising purposes. You can find more information about our use of cookies, as well as change your settings and preferences, as detailed under our Cookie Policy.

• DATA SHARING - CATEGORIES OF RECIPIENTS WE SHARE PERSONAL DATA WITH :

We share your data with third parties, including with trusted partners or service providers that help us provide our Services. You can find here information about the categories of such third-party recipients.

CATEGORY OF RECIPIENT	DATA THAT WILL BE SHARED	PURPOSE OF SHARING
Service Providers	Various types of Personal Data, Online Identifiers, Usage Data, Registration Information, etc.	Thus, we share your data with third party entities, for the purpose of hosting, storing, analytics, and assessing in providing the Services, such information on our behalf, or for other processing needs. These entities are prohibited from using your personal information for any purposes other than providing us with requested services.
Photo labs, merchandises providers and related service providers.	Photographs, contact information (for shipping) payment information, etc.	We may disclose such Personal Data to our service providers (including, but not limited to, payment processors, printing partners and marketing providers) to perform certain requested services on our behalf, such as our third-party photo labs. Thus, we share your data with third party entities, for the purpose of storing such information on our behalf, or for other processing needs. These entities are prohibited from using your personal information for any purposes other than providing us with requested services.
Any acquirer of our business	All types of Personal Data	We may share Personal Data, in the event of a corporate transaction (e.g., sale of a substantial part of our business, merger, consolidation or asset sale). In the event of the above, our affiliated companies or acquiring company will assume the rights and obligations as described in this Policy.
Legal and law enforcement	Subject to law enforcement authority request.	We may disclose certain data to law enforcement, governmental agencies, or authorized third parties, in response to a verified request relating to terror acts, criminal investigations or alleged illegal activity or any other activity that may expose us, you, or any other user to legal liability, and solely to the extent necessary to comply with such purpose.

Please note that the actual processing operation per each purpose of use and lawful basis detailed in the table above may differ. Such processing operation usually includes a set of operations made by automated means, such as collection, storage, use, disclosure by transmission, erasure, or destruction. The transfer of Personal Data to third-party countries, as further detailed in the Transfer of Data section below, is based on the same lawful basis as stipulated in the table above.

In addition, we may use certain Personal Data to prevent potentially prohibited or illegal activities, fraud, misappropriation, infringements, identity thefts, and any other misuse of the Services and to enforce the Terms, as well as to protect the security or integrity of our databases and the Services, and to take precautions against legal liability. Such processing is based on our legitimate interests.

• USER RIGHTS:

We acknowledge that different people have different privacy concerns and preferences. Our goal is to be clear about what information we collect so that you can make meaningful choices about how it is used. We allow you to exercise certain choices, rights, and controls in connection with your information. Depending on your relationship with us, your jurisdiction and the applicable data protection laws that apply to you, you have the right to control and request certain limitations or rights to be executed.

You may exercise any or all of your above rights in relation to your Personal Data by filling out the Data Subject Request ("DSR") form available HERE ,and sending it to:dpo@pic-time.com .

Certain rights can be easily executed independently by you without the need to fill out the DSR Form:

• As a Photographer, you can correct certain data provided under your Account (such as contact information) through the account settings;
• You can opt-out from receiving our emails by clicking "unsubscribe" link;
• You can delete Photographs;
• You can use the cookie settings tool on our website to change your preferences.

You can also opt out of interest-based advertising with some of the service providers we use, such as Google HERE, Google Analytics HERE.

• DATA RETENTION :

In general, we retain the Personal Data we collect for as long as it remains necessary for the purposes set forth above, all under the applicable regulation, or until you express your preference to opt-out (where applicable), or terminate your use of the Services, or you request to delete your Personal Data.

Other circumstances in which we will retain your Personal Data for longer periods of time include: (i) where we are required to do so in accordance with legal, regulatory, tax, or accounting requirements; (ii) for us to have an accurate record of your dealings with us in the event of any complaints or challenges; or (iii) if we reasonably believe there is a prospect of litigation relating to your Personal Data. Please note that except as required by applicable law, we may at our sole discretion, delete or amend information from our systems, without notice to you, once we deem it is no longer necessary for such purposes.

• SECURITY MEASURES:

At Pic-Time, security is our highest priority. We have implemented physical, technical and administrative security measures for the Services that comply with applicable laws and industry such as: encryption using SSL, we minimize the amount of data that we store on our servers, restrict access to Personal Data to Pic-Time employees, contractors and agents, etc. To learn more, you can review our Security Policy.

Note that we cannot be held responsible for unauthorized or unintended access beyond our control, and we make no warranty, express, implied, or otherwise, that we will always be able to prevent such access.

Please contact us at: dpo@pic-time.com if you feel that your privacy was not dealt with properly, in a way that was in breach of our Privacy Policy, or if you become aware of a third party's attempt to gain unauthorized access to any of your Personal Data. We will make a reasonable effort to notify you and the appropriate authorities (if required by applicable law) in the event that we discover a security incident related to your Personal Data.

• TRANSFER OF DATA :

Our data servers in which we host and store the information are located in the EU, the US and Australia. The Company's HQ are based in Israel in which we may access the information stored on such servers or other systems such as the Company's ERP, CRM, Salesforce, and other systems. We will take appropriate measures to ensure that your Personal Data receives an adequate level of data protection upon its transfer. When Personal Data that was collected within the EEA is transferred outside the EEA, we will take necessary steps in order to ensure that sufficient safeguards are provided during the transferring of such Personal Data. You may exercise your rights, where applicable, to receive information regarding the transfer mechanism that was used during such transfer. Personal Data transferred outside the EEA is transferred, in all cases pursuant to standard contractual clauses approved by the European Union ("SCCs"). Additionally, following the withdrawal of the United Kingdom ("UK") from the European Union on January 31, 2020, the UK is no longer considered to be a part of the EEA and therefore, the transferring of Personal Data from the EEA to the UK will also be subject to the SCCs or other contractual clauses that will ensure the security of the Personal Data (pending an adequacy decision from the European Commission).

• ELIGIBILITY AND CHILDREN PRIVACY :

Pic-Time website and Services are not intended for use by children, and we do not knowingly collect or maintain information about anyone under the age of 16. Please contact us at: dpo@pic-time.com if you have reason to believe that a child has shared any data with us.

• JURISDICTION-SPECIFIC NOTICES :

ADDITIONAL INFORMATION FOR CALIFORNIA RESIDENTS

This section applies only to California residents. Pursuant to the California Consumer Privacy Act of 2018 and as amended by the California Privacy Rights Act of 2020 effective January 1, 2023 ("CPRA") (collectively "CCPA").

Please see the CCPA Privacy Notice, which discloses the categories of Personal Information collected, purpose of processing, source, categories of recipients with whom we share the Personal Information for a business purpose, whether the Personal Information is sole or shared, the retention period, and how to exercise your rights as a California resident.

ADDITIONAL INFORMATION FOR COLORADO RESIDENTS

This section applies to Colorado residents acting only as an individual or household context (and not in a commercial or employment context, as a job applicant or as a beneficiary of someone acting in an employment context). Pursuant to the Colorado Privacy Act ("CPA") please see below the disclosure of the categories of Personal Data that are collected or processed, the purposes, how consumers can exercise their rights, and appeal such decision, categories of third-parties the controller shares or sells the Personal Data, or sells the Personal Data for advertising and how to opt-out.

"Personal Data " as defined in the CPA means information that is linked or reasonably linkable to an identified or identifiable individual and does not include publicly available information that is lawfully made available from government records, or that a consumer has otherwise made available to the public; de-identified or aggregated consumer information; or information excluded from the CPA scope, such as: Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPPA) or 42 CFR Part 2- "Confidentiality Of Substance Use Disorder Patient Records", Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or and the Driver's Privacy Protection Act of 1994, Children's Online Policy Protection Act of 1998 (COPPA), Family Educational Rights and Privacy Act of 1974, national Security Exchange Act of 1934, higher education data and employment data.

"Sensitive Data" include (i) racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation; (ii) Genetic or biometric data that can be processed to uniquely identify an individual; or (iii) child data.

Under CPA, Pic-Time needs to provide a privacy notice that identifies the categories of Personal Data that are collected or processed, the purposes, how consumers can exercise their rights, and appeal such decision, categories of third-parties the controller shares or sells the personal data, or sells the Personal Data for advertising and how to opt-out.

Highlights Sections

In Section 3 to the Privacy Policy, we describe our collection and processing of Personal Data, the categories of Personal Data that are collected or processed, and the purposes for which Personal Data is processed, stored or used. We will not collect additional categories of Personal Data or use the Personal Data we collected for materially different, unrelated, or incompatible purposes without obtaining your consent. Additionally, Section 5 to this Privacy Policy details and discloses the categories of third-parties we share for business purposes. Section 6 to this Privacy Policy details and discloses your rights and Personal Data shared or sold for targeted advertising.

Deletion Right Exemptions

Only you, or someone legally authorized to act on your behalf, may make a request to know or delete your Personal Data. If the request is submitted by someone other than you, proof of authorization (such as power of attorney or probate documents) will be required. The deletion right is not absolute and in certain circumstances we may deny such request. We may deny your deletion request, in full or in part, if retaining the information is necessary for us or our service provider(s) for any of the following reasons: (1) complete the transaction for which we collected the Personal Data or Personal Information, provide the service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform our contract with you; (2)detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities; (3) debug products to identify and repair errors that impair existing intended functionality;(4)exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law; (5)comply with the law or legal obligation; (6) engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent; (7) enable solely internal uses that are reasonably aligned with consumer expectations based on your relationship with us; (8) make other internal and lawful uses of that information that are compatible with the context in which you provided it. We will delete or de-identify personal information not subject to one of these exceptions from our records and will direct our processors to take similar action.

Response Timeline

We will respond to your request within 45 days after receipt of a verifiable Consumer Request (no more than twice in a twelve-month period). We reserve the right to extend the response time by an additional 45 days when reasonably necessary and provided consumer notification of the extension is made within the first 45 days. If we refuse to take action on a request, you may appeal our decision within a reasonable period time by contacting us at: dpo@pic-time.com and specifying you wish to appeal. Within 60 days of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may submit a complaint as follows: Colorado AG at: https://coag.gov/file-complaint/.

If you have an account with us, we may deliver our written response to that account or via email at our sole discretion. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. You do not need to create an account for submitting a request.

Any disclosures we provide will only cover the 12-months period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

ADDITIONAL INFORMATION FOR CONNECTICUT RESIDENTS

Under the Connecticut Data Privacy Act, Public Act. No. 22-14 ("CDPA") if you are a resident of Connecticut, acting in an individual or household context (and not in a commercial or employment context or as a representative of business, non-profit or governmental entity), your rights with respect to your personal data are described below.

"Personal Data " means any information that is linked or reasonably linkable to an identified or identifiable individual and does not include publicly available information that is lawfully made available from government records, or that a consumer has otherwise made available to the public; de-identified or aggregated consumer information; or information excluded from the CDPA scope, such as: HIPAA, GBPA, non-profit entities, higher education, employment data and FCRA, Driver's Privacy Protection Act of 1994, Family Educational Rights and Privacy Act, Farm Credit Act.

"Sensitive Data " means data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship, or immigration status; The processing of genetic or biometric data for the purpose of uniquely identifying an individual; Personal data collected from a known child; Precise geolocation data. In certain cases, we will process precise geolocation data if you explicitly enable the GPS permission within our properties.

Under CDPA, Pic-Time is required to provide you with a clear and accessible privacy notice that includes categories of Personal Data processed, purpose of processing, instructions for exercising consumer rights and appealing decisions, categories of Personal Data shared with third parties, categories of third parties with whom data is shared, and any sale of data or targeted advertising.

Please read the "Highlights Sections" and "Deletion Right Exemptions" paragraphs under the CPA Additional Information.

Response Timeline

We shall respond to your request within 45 days of receipt. The response period may be extended once by 45 additional days when reasonably necessary, taking into account the complexity and number of requests and we inform you of such extension within the initial 45-day response period, together with the reason for the extension.

If we decline to take action on your request, we shall so inform you without undue delay, within 45 days of receipt of your request. The notification will include a justification for declining to take action and instructions on how you may appeal. Within 60 days of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may submit a complaint to the Connecticut Attorney General at link: https://www.dir.ct.gov/ag/complaint/ or (860) 808-5318.

We shall provide information in response to your request free of charge, up to twice annually, unless requests are manifestly unfounded, excessive or repetitive. If we are unable to authenticate your request using commercially reasonable efforts, we may request additional information reasonably necessary to authenticate you and your request. If we cannot authenticate you and your request, we will not be able to grant your request.

ADDITIONAL INFORMATION FOR VIRGINIA RESIDENTS

Under the Virginia Consumer Data Protection Act, as amended ("VCDPA") if you are a resident of Virginia acting in an individual or household context (and not in an employment or commercial context), you have the following rights with respect to your Personal Data.

" Personal Data" means any information that is linked or reasonably linkable to an identified or identifiable natural person, and does not include publicly available information that is lawfully made available from government records, that a consumer has otherwise made available to the public; de-identified or aggregated consumer information; Information excluded from the VCDPA scope, such as: HIPAA, GBPA, non-profit entities, higher education, employment data and FCRA, Driver's Privacy Protection Act of 1994, Family Educational Rights and Privacy Act, Farm Credit Act.

The VCDPA requires Pic-Time to disclose the categories of Personal Data processed, the purpose of processing, how you can exercise your rights, including how you may appeal our decision with regard to the consumer request, the categories of Personal Data shared with third parties, and with whom, and if the Pic-Time sells Personal Data to third parties or processes Personal Data for targeted advertising.

Please read the "Highlights Sections" and "Deletion Right Exemptions" paragraphs under the CPA Additional Information.

Response Timeline

We will respond to your request within 45 days after receipt of a verifiable Consumer Request (no more than twice in a twelve-month period). We reserve the right to extend the response time by an additional 45 days when reasonably necessary and provided consumer notification of the extension is made within the first 45 days. If we refuse to take action on a request, you may appeal our decision within a reasonable period time by contacting us at: dpo@pic-time.com and specifying you wish to appeal. Within 60 days of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may submit a complaint to the Virginia Attorney General HERE.

If you have an account with us, we may deliver our written response to that account or via email at our sole discretion. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. You do not need to create an account for submitting a request.

Any disclosures we provide will only cover the 12-months period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable.

We shall provide information in response to your request free of charge, up to twice annually, unless requests are manifestly unfounded, excessive or repetitive. If we are unable to authenticate your request using commercially reasonable efforts, we may request additional information reasonably necessary to authenticate you and your request. If we cannot authenticate you and your request we will not be able to grant your request.

ADDITIONAL INFORMATION FOR UTAH RESIDENTS (EFFECTIVE JENUARY 2024)

Under the Utah Consumer Privacy Act ("UCPA") if you are a resident of Utah, acting in an individual or household context (and not in a commercial or employment context) your rights with respect to your Personal Data are described below. "Personal Data " means data that is linked or reasonably linkable to an identifiable individual, and does not include de-identified data and publicly available data or data that is processed not within the scope of UCPA.

Please read the "Highlights Sections" paragraph under the CPA Additional Information.

ADDITIONAL NOTICE TO NEVADA RESIDENTS

Nevada law allows Nevada residents to opt out of the sale of certain types of Personal Information. Subject to several exceptions, Nevada law defines "sale" to mean the exchange of certain types of personal information for monetary consideration to another person. We currently do not sell personal information as defined in the Nevada law. However, if you are a Nevada resident, you still may submit a verified request to opt out of sales and will record your instructions and incorporate them in the future if our policy changes. You may send opt-out requests to us at dpo@pic-time.com or through the DSR Form.