Privacy policy

Introduction

The RULL Application and websites https://rull.market and https://rull.world (together the “Website”) are operated by and the controller of the personal data is Payment4U, a.s., Id. No.: 05256666, with its registered office at Fričova 1662/4, Vinohrady, 120 00 Praha 2, registered in the Commercial Register maintained by the Municipal Court in Prague under B 21741 (the “Company” or “we”).

The RULL Application allows its Users to store and manage supported Virtual Assets and exchange their Cryptocurrencies for products or services offered by eligible merchants (the “Merchants”).

Your privacy is our priority. We have committed to implement appropriate measures to ensure the protection, integrity and security of personal data obtained from you as the data subjects. Processing of your personal data is carried out in accordance with generally applicable legislation, particularly the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”).

The purpose of this Privacy Policy (the “Policy”) is to inform you how we process your personal data, about their categories, scope and purposes of processing as well as their recipients. In this Policy, you will also find the information about your rights related to the personal data processing.

By providing your personal data to us, you accept this Policy and acknowledge that we may process your personal data as described herein and for the below-mentioned purposes. If you do not agree to this Policy, please do not provide any personal details to us.

Words that are not defined directly in this Policy and begin with a capital letter have the meaning defined in the Terms and Conditions for using the RULL Application [ https://rull.world ].

What are personal data

Personal data means any information about an identified or identifiable individual - natural person (data subject), such as name, e-mail address, cryptocurrency wallet data, payment account details, network identifier etc.

What kind of personal data we collect and how we use them

We only collect personal data voluntarily provided or obtained via our RULL Application or our Website or via our communication in writing, by phone or in other form. We process only personal data that are relevant, adequate and limited to the scope necessary with regard to the purpose of the processing. We exert reasonable efforts to ensure that your personal data are accurate, complete and, where necessary, up to date.

The personal data processed may include:

(a) your identification and contact data (e.g. first name, last name, e-mail address) (b) your User Account data (e.g. cryptocurrency wallet data)

(c) bank data (e.g. payment account details)

(d) information necessary for your identification and check under the AML Act (e.g. data from your personal documents)

(e) electronic information (e.g. information on use of our Website, including the type of internet browser, login times, web pages viewed, IP address and web pages that you visited before accessing our Website and information about the computer or mobile device used to access our Website, including the hardware model, operating system and internet browser and their versions, unique device identifiers and mobile network information),

(f) further information provided by you or obtained by us when providing the agreed Services or necessary for the performance of the Agreement.

Purpose of Personal Data Processing and Legal Basis

We process personal data of Users for the following purposes (with respect to each purpose, we also note the legal basis of such processing):

Purpose Legal basis for processing

Creating your User Account performance of a contract, taking steps at your request prior to enteringinto a contract (Article 6(1)(b) GDPR)

Managing your User Account, providing you with requested Services and performance of our obligations under the Agreementperformance of a contract (Article 6(1)(b) GDPR)

Complying with our legal obligations under generally applicable legislation, including (a) the obligation under the AML Act (especially the obligation to identify and control the client), and (b) the obligation to keep accounting and tax documents)compliance with our legal obligations (Article (6)(1)(c) GDPR)

Protecting our rights, legitimate interests, and propertyour legitimate interest in judicial and other protection (Article 6(1)(f) GDPR)

Securing the technical operation of our Website our legitimate interest on functional operation of our Website (Article 6(1)(f) GDPR)

Adaptation, evaluation, and improvement of the Website, including monitoring and analysis of trends, uses and activities related to the Website, and marketing and remarketing (profiling) through cookiesyour consent (Article (6)(1)(a) GDPR)

Providing personal data processed to comply with our legal obligations under the generally applicable legislation (e.g. the AML Act) is a statutory requirement and you are obliged to provide such information to us. Without such data, we cannot meet our obligations under generally applicable legislation.

Providing us with information processed to perform the contract or for our legitimate interest or based on your consent is fully voluntary; you are not obliged to provide us with such information. However, without such data, the respective contract between you and us cannot be concluded or fulfilled and we may not be able to deliver the requested service (at all or in the required quality) or inform you about our news.

With respect to consent-based processing, you are entitled to refuse or withdraw your consent at any time without any detrimental impact on any contract you may have with us. However, the withdrawal of your consent will not affect the lawfulness of processing before such withdrawal.

If you are the User please be informed that within the transaction with the Merchants, carried out via the RULL Application, the automated data processing may occur (confirmation that there are sufficient Cryptocurrencies on your User Account). We process your personal data automatically due to the efficient operation of the RULL Application and smooth execution of the requested transaction. If you believe that our system has evaluated any operation incorrectly, please do not hesitate to contact us via the contact below.

We will not sell or lease your personal data to any third party

Personal Data Security

We have taken appropriate technical and organizational measures to secure your personal data. Such measures include passwords, secured operating system, data communication encryption, storage encryption and maintaining an updated antivirus program and all other software. Personal data are accessible only to authorized persons and always only to the necessary extent.

At the same time, we would like to warn you that no method of data transfer over the Internet is 100% secure and reliable, and therefore the absolute security of your personal data can never be guaranteed.

Data Retention Period

We will process your data for no longer than is necessary for the purpose of their processing. If we process your personal data for two or more purposes, we will retain it until the purpose with the latest period expires. However, we will stop using it for the purpose with a shorter period once that period expires.

We use the following criteria to determine the processing period:

(a) Personal data processed to comply with our legal obligations will be processed for the duration of such legal obligation.

(b) Personal data processed to perform a contract (or in order to take steps at your request

prior to entering into a contract) will be processed until the termination of all obligations under the respective contract, or until an adoption of a decision that the contract will not be concluded.

(c) Personal data processed for our legitimate interests will be processed for the duration of our specific legitimate interest. In order to protect our rights, we will, for example, process your personal data even after the termination of all contractual obligations. Such processing will last for 5 calendar years following the termination of the contractual obligations. In case of judicial, administrative, or other proceedings dealing with our mutual rights and/or obligations, the processing of personal data will never end before the termination of such proceedings.

(d) Personal data processed for direct marketing purposes will be processed until you object such processing (unless we determine a shorter processing period),

(e) If you have consented to our use of your personal data for specific purpose, we will process your personal data until you withdraw such consent (unless we determine a shorter processing period)

No later than by the end of the calendar quarter following the expiry of the processing period, personal data which no longer need to be processed will be irreversibly anonymized or securely destroyed.

Disclosures and recipients of your personal data

To provide you with the requested Services we may need to disclose your personal data to the respective Merchant whose products or services you have ordered. Such Merchant will process your personal data as an independent controller, and we are not liable for such processing. If you have any questions regarding the processing of your personal data by the Merchant, please contact the Merchant directly.

We are entitled to disclose your personal data to the respective state bodies and authorities and other recipients to whom we are obliged to transfer personal data under the generally applicable legislation. These recipients will process your personal data as independent controllers.

We are also entitled to disclose your personal data to our data processors (e.g. third party service providers engaged by us). These processors act solely on our instructions, have limited access to your personal data, and are bound by the same level of security and confidentiality as we are. Upon request, we will provide you with information on processors engaged in processing of your personal data.

We do not plan to process your personal data outside of the European Economic Area (EEA), i.e. in countries where the data protection laws may be of a lower standard than in the EEA. If such processing is necessary, we will exert major effort to ensure that respective guarantees are followed when your personal data are being processed. Certain countries outside the EEA, such as Canada and Switzerland, have been approved by the European Commission as 6

providing essentially equivalent protection to EEA data protection laws and therefore no additional legal safeguards are required (see the full list here http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html). In case of personal data processing in countries which have not obtained such approval, we may (a) ask you for consent to the transfer of your personal data or (b) make the transfer subject to European Commission approved standard contractual terms. This does not apply if we are permitted under generally applicable legislation to make such transfer of personal data without these steps.

What are your rights

With respect to processing of your personal data, you have the below mentioned rights. However, please note that certain exceptions apply to the exercise of such rights and, therefore, you may not be able to exercise them in all situations. If you legitimately exercise your rights, we will take the required action without undue delay and within one month at the latest (this period may be extended for another two months in justified cases).

If you exercise your rights, we may request provision of additional information necessary to confirm your identity.

Right to be informed You have a right to be informed in a concise, transparent, intelligible, and easily accessible form about how your personal data are processed. Such information is provided by this Policy.

Right of access You have a right to obtain confirmation as to whether or not personal data concerning you are being processed, and, where that is the case, you have the right to access such personal data (including related information) and obtain a copy thereof.

Right to rectification You can ask us to rectify inaccurate personal data. You can also ask us to complete incomplete personal data, including by means of providing a supplementary statement.

Right to erasure Under circumstances set forth in Article 17 of the GDPR, you can ask us to erase your personal data. However, please note that in some cases this right cannot be exercised and we will continue processing your personal data.

Right to restriction of processing In certain cases, you can ask us to restrict the processing (for example until your objection is solved).

Right to data portability You can ask us to transfer to you or a third party personal data processed electronically and based on a contract or your consent.

Right to withdraw consent You may withdraw your consent with processing at any time to prevent further processing for the purpose stated in such consent. Please note that withdrawal of your consent will not affect the lawfulness of processing before such withdrawal.

Right to object

If we process your personal data based on our legitimate interests, you have a right to raise an objection against such processing. However, we can demonstrate compelling legitimate grounds for the processing on our side.

If your personal data are processed for direct marketing purposes, you have the right to object any time to processing of your personal data for such marketing. If you object to processing for direct marketing purposes, your personal data will no longer be processed for such purposes.

Right to apply for a remedy and right to lodge a complaintIf you assume that processing of your personal data is in breach with legal regulation, please contact us and we will immediately remedy the situation. This is without prejudice to your right to lodge a complaint directly with the Office for Personal Data Protection.

access the Website (the “device”). If you return to our Website, we will use cookies to obtain information about your previous visits and other information that our server has stored on your device. You can find more general information about cookies, for example, on the website allaboutcookies.org.

You can find information about specific cookies used on our Website in our CMP (consent management platform) form. This form is automatically displayed on your first visit to the Website and you can use it to easily manage your cookies preferences. The CMP form or bar that links to this form will be displayed to you until you save your preferences. If you wish to change your choices later, you can do so by clicking on the “Manage cookies” link located at the bottom of our Website.

In the CMP form you can set your preferences (consent or disagreement) in relation to the use of cookies on your device. You can express your consent or disagreement both (a) for specific cookies that are or may be used on our Website, and (b) collectively for a certain category of cookies. Within the CMP form, cookies are divided into marketing, statistical, analytical, and necessary (technical) cookies.

In case of marketing, statistical, and analytical cookies, the default setting is your disagreement and such cookies will not be used on your device until you give your consent. On the other hand, the necessary cookies are automatically enabled and their use cannot be refused via the CMP form.

You can also manage the use of cookies on your device within the settings of your web browser. Please note that if you deactivate the necessary cookies in your browser settings, this will result in a reduced functionality of our Website or its complete malfunction.

Social networks and other applications widgets

We may use social networks widgets and other applications widgets at our Website (such as Facebook, YouTube, Instagram, Google Play or App Store). These applications may collect and use information about you and your use of our Website. Any information provided by you via these applications may be processed by their providers. Such processing is governed by policies of the respective provider. We have no control over or responsibility for the scope, means and purpose of data processing carried out by such providers.

Change of the Policy

We reserve the right to amend or supplement this Policy. We recommend you to check this Policy regularly to be informed of any future changes. Our Website will always contain an “up to date” version of this Policy.

Contacting us

If you have any comments relating to this Policy or to your rights related to the data processing, please contact us using the following e-mail address: [support@rull.app]. You may also use the form published on the Website https://rull.world/support