Ovvio Ltd is the controller and is responsible for your personal data (referred to as "we", "us" or "our" in this policy). We have a US subsidiary, Ovvio, Inc., and which may have access to your financial related data. We will ensure that we have appropriate safeguards in place for transferring personal data to our global group.

We have appointed a data protection manager (DPM). If you have any questions about this privacy policy, please contact them using the details set out below.

Contact details

Our full details are:

• Full name of legal entity: Ovvio Ltd
• Name of DPM: Sachin Tandon
• Email address: [email protected]
• Telephone number: +44 208 176 3908

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues.

Changes to the privacy policy and your duty to inform us of changes

We keep our privacy policy under regular review.

This version was last updated on 5th October, 2023. It may change and if it does, these changes will be posted on this page and, where appropriate, notified to you by SMS OR by email OR when you next start the App or our website. The new policy may be displayed on-screen and you may be required to read and accept the changes to continue your use of the App or the Services.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you.

Third party links

Our Sites may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. Please note that these websites and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services, such as Contact Data. Please check these policies before you submit any personal data to these websites or use these services.

We may collect, use, store and transfer different kinds of personal data about you as follows and as applicable to your category of data subject (App user, B2B contact etc):

• Identity Data: first name, last name, maiden name, username or similar identifier, title, date of birth, gender.
• Contact Data: billing address, delivery address, email address and telephone numbers and social media handles.
• Financial Data: bank account and payment card details and other details on your invoices.
• Transaction Data: includes details about payments to and from you and details of in-App purchases and details of investments made by you in our company.
• Device Data: includes the type of mobile device you use, a unique device identifier, mobile network information, your mobile operating system, the type of mobile browser you use, time zone setting and other device data provided in the normal course of operation.
• Content Data: includes information stored on your Device or in your App account or any account through any of Our Sites, including contact lists, login information, photos, videos or other digital content, check-ins and the information you provide on the App to register as an App user.
• Profile Data: includes your username and password, in-App purchase and income history, your interests, preferences, feedback and survey responses.
• Usage Data: includes details of your use of any of our Apps or your visits to any of Our Sites including, but not limited to, traffic data and other communication data, whether this is required for our own billing purposes or otherwise.
• Marketing and Communications Data: includes your preferences in receiving marketing from us and our third parties and your communication preferences.
• Interaction Data: includes all data created on our App in your interactions with other users of our App, whether as a Giver or a Seeker (those terms are defined in our App and in our App terms which registered users agree to).

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific App feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

We do not knowingly collect any Special Categories of Personal Data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences. If you provide that information voluntarily for whatever reason on our App and which we then process, we do so because you provide it unilaterally and therefore we do so with your explicit consent as our lawful basis for processing. You can of course withdraw this consent and delete such data from the App or Our Sites – or please ask our DPM to do so if you cannot. Their details are set out above.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide or receive goods or services). In this case, we may have to cancel a product or service you have with us or we have with you but we will notify you if this is the case at the time.

We will collect and process the following data about you:

• Information you give us. This is information (including Identity, Contact, Financial, Profile, Marketing and Communications Data and Interaction Data) you consent to giving us about you by filling in forms on the App or our website (together Our Sites), or by corresponding with us (for example, by email or chat/messaging services or through social media) or with other App users. It includes information you provide when you register to use the App, download or register the App, search for, subscribe to and use any of our Services, make an in-App purchase for information from a Giver or receive income through the App as a Giver, enter a competition, promotion or survey, or when you engage with us as a supplier, investor or other B2B contact for business related purposes, and when you report a problem with the App, our Services, or any of Our Sites. If you contact us, we will keep a record of that correspondence.
• Information we collect about you and your device. Each time you visit one of Our Sites or use the App we will automatically collect personal data including Device, Content and Usage Data. We collect this data using cookies and other similar technologies. Please see our Cookie Policy for further details.
• Information we receive from other sources including third parties and publicly available sources. We may receive personal data about you from various third parties as set out below:
  • Device Data from the following parties (although we expect much of this data to be aggregated and not your personal data):
    • analytics providers such as Google and Apple, potentially based outside the UK;
  • Marketing and Communications Data, Contact, Financial and Transaction Data from providers of marketing, technical, payment and delivery services such as email marketing companies, banks and payment services providers (such as Stripe);
  • Identity and Contact Data from publicly available sources such as Companies House and your website, social media channels and marketing literature;
• Cookies
  • We use cookies and/or other tracking technologies to distinguish you from other users of Our Sites, the distribution platform (Appstore and Google Play) and to remember your preferences. This helps us to provide you with a good experience when you use the App or browse any of Our Sites and also allows us to improve the App and Our Sites. For detailed information on the cookies we use, the purposes for which we use them and how you can exercise your choices regarding our use of your cookies, see our Cookie Policy.

We will only use your personal data when the law allows us to do so. Most commonly we will use your personal data in the following circumstances:

• Where you have consented before the processing.
• Where we need to perform a contract we are about to enter or have entered with you.
• Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
• Where we need to comply with a legal or regulatory obligation.

Please read the Glossary below to find out more about the types of lawful basis that we will rely on to process your personal data.

Generally, we do not rely on consent as a legal basis for processing your personal data although we will get your consent before sending third party direct marketing communications to you via email or text message. You have the right to withdraw consent to marketing at any time by contacting us.

Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Purposes for which we will use your personal data

| Purpose/activity | Type of data | Lawful basis for processing | | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | To install the App and register you as a new App user Or To engage with you as a B2B contact and for you to register with our business to provide or receive services | 1) Identity 2) Contact 3) Financial 4) Device | 1) Your consent 2) Performance of a contract with you 3) Necessary for our and your company’s legitimate interests (to perform our mutual contract) | | To process in-App purchases/income facilities and deliver Services including managing payments and collecting money owed to us and to allow you to use the App or our Services as required | 1) Identity 2) Contact 3) Financial 4) Transaction 5) Device 6) Marketing and Communications 7) Content 8) Profile 9) Interaction | 1) Your consent 2) Performance of a contract with you 3) Necessary for our legitimate interests (to recover debts due to us) | | To manage our relationship with you including notifying you of changes to the App or any Services or to manage our B2B relationship with you for legitimate business purposes | 1) Identity 2) Contact 3) Financial 4) Profile 5) Marketing and Communications 6) Transaction | 1) Your consent 2) Performance of a contract with you 3) Necessary for our and your company’s legitimate interests (to keep records updated and to analyse how customers use our products/Services and to perform the contract with your company) 4) Necessary to comply with legal obligations (to inform you of any changes to our terms and conditions or relevant changes in the law affecting our business) | | To enable you to participate in a prize draw, competition or complete a survey or other promotional offer | 1) Identity 2) Contact 3) Device 4) Profile 5) Marketing and Communications | 1) Your consent 2) Performance of a contract with you 3) Necessary for our legitimate interests (to analyse how customers use our products/Services and to develop them and grow our business) | | To administer and protect our business and this App including troubleshooting, dealing with issues between users, data analysis and system testing and complying with our legal obligations in respect of our services (such as necessary regulatory, legal and tax reporting obligations) | 1) Identity 2) Contact 3) Device 4) Profile 5) Transaction 6) Financial 7) Usage 8) Interaction | 1) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security) 2) Necessary to comply with legal obligations (for ongoing legal, tax and regulatory reasons) | | 1) To deliver content and advertisements to you 2) To make recommendations to you about goods or services which may interest you 3) To measure and analyse the effectiveness of the advertising we serve you 4) To monitor trends so we can improve the App | 1) Identity 2) Contact 3) Device 4) Content 5) Profile 6) Usage 7) Marketing and Communications 8) Transaction 9) Interaction | 1) Your Consent 2) Necessary for our legitimate interests (to develop our products/Services and grow our business) |

Marketing

We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. Please get in touch with us if you do not wish to receive marketing or wish to unsubscribe from marketing you signed up to.

Promotional offers from us

We may use your Identity, Contact, Technical, Usage, Interaction (to the extent of the type of information you seek and give on our App) and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or purchased/requested services from us and you have not opted out of receiving that marketing.

Third-party marketing

We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.

Opting out

You can ask us or third parties to stop sending you marketing messages at any time by logging into our website or App and checking or unchecking relevant boxes to adjust your marketing preferences, by following the opt-out links on any marketing message sent to you or by contacting us at any time.

Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, warranty registration, product/service experience or other transactions.

Cookies

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our website may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Policy.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

We may share your personal data with the parties set out below for the purposes set out in the table Purposes for which we will use your personal data above:

• External Third Parties as set out in the Glossary.
• Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets or seek investment from. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.

Our external third parties might be based outside the UK so their processing of your personal data might involve a transfer of data outside the UK.

Whenever we transfer your personal data out of the UK, we seek to ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

• We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data. For further details, see https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-transfers/#Q1.
• Where we use certain service providers or share data with associated companies of ours which are outside of the UK, we may use specific contracts approved by the UK which give personal data the same protection it has in the UK. For further details, see https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/.
• Where we use large reputable providers such as Apple, Google and Stripe and we are confident in their systems and controls to safeguard your personal data whether it is processed in the UK or transferred outside of the UK.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

Where we have given you (or where you have chosen) a password that enables you to access certain parts of Our Sites, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

We will collect and store personal data on your Device using local application data caches and browser web storage (including HTML5) and other technology.

Certain Services might include social networking, chat room or forum features or similar. Ensure when using these features that you do not submit any personal data that you do not want to be seen, collected or used by other users.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.

Details of retention periods for different aspects of your personal data are available in our retention policy which you can request by contacting us.

For legal reasons, we may have to keep basic information about our customers (including Contact, Identity, Profile, Financial and Transaction Data) for six years after they cease being customers for legal, regulatory and tax purposes.

In some circumstances you can ask us to delete your data: see Your legal rights below for further information.

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

In the event that you do not use the App for a period of 6 years then we will treat the account as expired and your personal data may be deleted.

Under certain circumstances you have the following rights under data protection laws in relation to your personal data.

Please see the sections below to find out more about these rights:

• Request access to your personal data.
• Request correction of your personal data.
• Request erasure of your personal data.
• Object to processing of your personal data.
• Request restriction of processing your personal data.
• Request transfer or your personal data.
• Right to withdraw consent.

You also have the right to ask us not to continue to process your personal data for marketing purposes.

You can exercise any of these rights at any time by contacting us at the DPM’s details above and there is usually no fee, except in certain circumstances allowed by law.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

1.1 Lawful basis

Consent means processing your personal data where you have signified your agreement by a statement or clear opt-in to processing for a specific purpose. Consent will only be valid if it is a freely given, specific, informed and unambiguous indication of what you want. You can withdraw your consent at any time by contacting us.

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.

1.2 Third parties

1.3 External third parties

Suppliers of our technology infrastructure used to run our business, communicate internally and externally, provide and maintain the App and Our Sites and services received by us tend to be cloud based and provided by household names such as, Google, Stripe and Apple. Please follow the links below to access relevant data protection information from those suppliers. They may be acting as processors or joint or independent controllers.

https://firebase.google.com/support/privacy

https://support.google.com/a/answer/60762?hl=en

https://support.apple.com/en-gb/HT203033

https://support.google.com/googleplay/answer/11416267?hl=en&co=GENIE.Platform%3DAndroid

https://stripe.com/en-gb/privacy

Professional advisers acting as processors or joint or independent controllers including lawyers, bankers, auditors and insurers based usually in the UK and the US who provide marketing, consultancy, banking, legal, insurance and accounting services.

HM Revenue and Customs, regulators and other authorities acting as processors or joint or independent controllers based in the UK or the US who require reporting of processing activities in certain circumstances. Unless in exceptional circumstances, we would only provide personal data of UK and European data subjects to authorities in those jurisdictions and not to authorities in the US, for example.

1.4 Your legal rights

You have the right to:

• Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
• Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
  • if you want us to establish the data's accuracy;
  • where our use of the data is unlawful but you do not want us to erase it;
  • where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
  • you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
• Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
• Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.