Avantage Entertainment USA Privacy and Data Protection Policy

Version 1.4.1, September 17, 2019

1.0 Background

Avantage® Entertainment USA, LLC (Avantage) is a US-based entity under Delaware registration number 4634638. A marketing and entertainment company that develops and operates online and mobile platforms for data sharing and community interaction services. Avantage collects specific types of customer data to enable these services and to create and optimize the Customer Experience (CX) across our platforms. Avantage considers personal data to be anything that can or could be used to identify an individual or individual's online activity either directly or indirectly. As outlined in this policy, Avantage is committed to a consent-based strategy of collecting only that data which is necessary and securing all processed and stored data to safeguard our customers' privacy and sensitive data.

2.0 Scope

All Avantage staff (i.e. Ownership, Executive Leadership, and personnel in every department) are responsible for executing this policy and immediately reporting any actual or suspected violations to the Data Protection Officer (DPO). This policy explains data Avantage collects, how the data is used (processed, stored, and shared), how the data is protected, and customers' rights relating to their personal data. This policy describes the lawful basis for processing and sharing data and provides relevant contact details.

Avantage collects, processes, displays, and/or stores the following data types:

This policy is designed to meet the legal obligations under the European Union (EU)'s General Data Protection Regulation (GDPR), the Privacy Shield Framework, Privacy Shield Data Protection Act 2018 (DPA) and Privacy and Electronic Communications Regulation (PECR).

2.1 GDPR and Privacy Shield Compliance

Avantage complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States (US). Avantage has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/

2.2 Avantage Commitment to Privacy Shield Principles

In compliance with the Privacy Shield Principles, Avantage commits to resolve complaints about our collection or use of your personal information. Individuals with inquiries or complaints regarding our Privacy and Data Protection Policy, processes, and associated procedures should first contact Avantage via the Help Center Link on our web pages and within our applications or via email at: support@avantage.net.

For specific questions about the principles and data subject rights, see Privacy Shield's Privacy Policy FAQs and note:

3.0 Why We Collect and How We Use Customer Data

Avantage's goal is to be a premier entertainment provider and to deliver a world-class CX to each user every time they use one of our products or services. Achieving this level of service requires an in-depth understanding of our users' preferences, what they like about the products and services, and what can be improved upon. Accordingly, Avantage collects data that provides our marketing and development teams with the insight needed to customize the users' experience. It is Avantage's intention to only collect the minimum data required to meet legal and regulatory requirements (e.g. Know Your Customer (KYC) and Customer Due Diligence (CDD)), and to enable an optimal CX for each customer. Elements of personal data described in Section 4.0 will be exported outside the European Economic Area (EEA) to other countries, including the US, for processing and analysis.

4.0 The Personal and Sensitive Data We Collect

Avantage will securely collect, process, use, store, and transfer the following categories of personal and engagement data to enable optimal operations, meet regulatory requirements, and continuously improve our products, services, and customer's experiences:

5.0 Data Collection Methods

Avantage uses three methods to collect data: direct collection of data that customers provide, indirect system-to-system collection, and third-party collection.

6.0 Data and Privacy Protection Methods

In accordance with GDPR and DPA guidelines, Avantage is committed to protecting customer personal data through encryption, anonymization, and pseudonymization of sensitive and Privacy data or Personally Identifiable Information (PII).

6.1 GDPR Requirements

GDPR (Article 5) requires that personal data be:

6.2 DPA Requirements

The DPA of 2018 requires that personal data:

6.3 Avantage Privacy and Data Protection Safeguards

In accordance with the processes and procedures outlined in Avantage's Information Security Management Plan (ISMP) and Information Security Policy (ISP), Avantage proactively enables and continuously monitors a robust system of layered security controls specifically designed to limit and protect the collection, processing, storage and use of personal data. The following safeguards are designed to educate Avantage users about the personal data collection, use, sharing and protection.

6.4 Alternative Dispute Resolution (ADR)/Independent Recourse Mechanism (IRM)

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

7.0 Data Sharing

Avantage's data sharing policy is to only share personal data when informed consent has been given by the data subject, it has been requested by the data subject, or it is required by law. Personal data will be protected from access by persons within Avantage unless expressly required for job-related functions as outlined in the user consent.

7.1 Lawful Data Processing

To optimize users' CX, collected data may be exported out of the EEA/EU and shared with the following groups for the expressed purposes:

7.2 Incident Response Support

To effectively and efficiently investigate, respond to and resolve suspected or actual data breaches and/or security incidents, Avantage maintains communication with and contacts for local, state, and federal authorities, Internet Service Providers (ISPs), utilities, and applicable Supervisory Authorities including, but not limited to:

To stay abreast of current threats and vulnerabilities, Avantage subscribes to the US CERT National Cyber Awareness System Mailing Lists. Prior to reporting suspected or actual security incidents, Avantage personnel collects the appropriate information in accordance with our Incident Response Plan (IRP). This information is shared to foster a prompt response to and containment of risks to information, associated Avantage operations, the safety of Avantage customers and their PII/privacy data, and to facilitate widespread awareness of the threats and/or vulnerabilities associated with the incident. As deemed appropriate by the DPO and based on the nature and extent of the security incident, data subjects will be informed of suspected and/or actual breaches that have potentially compromised their PII/privacy data within 72 hours of identification and reporting of the concern.

8.0 Data Retention

Avantage will only retain personal data for as long as necessary to fulfill the purposes it was collected it for, including compliance with any applicable legal, accounting or reporting requirements. To determine the appropriate retention period for personal data, Avantage will take into account its legal and regulatory obligations the amount, nature and sensitivity of the personal data and the potential risk from unauthorized use or disclosure of personal data. Electronically stored data will be backed up and protected in accordance with processes and procedures outlined in the ISMP and ISP. Avantage will continually assess the purposes for which the data is collected and processed to determine whether those aims might be achieved through other means. Customer data may be anonymized, such that it can no longer be associated with a specific user, for research or statistical purposes. In these cases, we may use this information indefinitely without further notice to customers or data subjects. Unless otherwise required by law, personal data will be deleted after five years or upon request of the user.

9.0 Customer Rights and Responsibilities

Avantage has a legal obligation to protect customer data as a controller of personal data. For the customers' part, data should be kept up-to-date, accurate, and secure from public disclosure or easy unauthorized access. Customers will have access and the ability to update their personal data via the websites and mobile applications. Customers should never share accounts, user IDs, or passwords, and passwords should be complex.

Customers have the right to:

Data subject access requests should be sent to (support@avantage.net). All requests will be responded to within one month, unless a request is particularly complex, or a significant number of requests have been made. Avantage may refuse to comply with a customer request in certain circumstances such as clearly unfounded, repetitive or excessive requests. As part of its handling of the requests, Avantage may need to contact the customer to confirm their identity to process the request.