3.DATA SUBJECT RIGHTS

3.1.1 Data Subjects can exercise the following rights:

• The right to access personal data entails the right to access the data being processed and the processing actions applied to the specific Data Subject.

The Owner will, in particular, upon written request from the Data Subject, or their legal representative or proxy, after verifying the identity of that person, and no later than within 15 days from the date of the request, provide the Data Subject with information on whether personal data concerning them are being processed.

• The right to withdraw consent entails the Data Subject's right to withdraw consent for the processing of personal data in cases where such data are collected and processed solely based on consent.

Withdrawal of consent does not affect processing that occurred prior to the withdrawal of consent.

• The right to rectification and supplementation entails the Data Subject's right to request correction or supplementation of their personal data.

• The right to erasure of personal data entails the right of the Data Subject to request the deletion of their data.

• The right to restriction of processing of personal data entails the Data Subject's right to request limited processing of data in situations where (i) the accuracy, legality, or necessity of processing is in doubt, or (ii) the Data Subject has objected to processing in accordance with their right to object.

• The right to data portability entails the Data Subject's right to receive personal data from the Owner in a structured, commonly used, and machine-readable format.

The Owner will provide the Data Subject with a copy of the data upon request so that it can be transmitted to another entity. If the Data Subject requests it from the Owner and if technically feasible, the Owner will transfer the personal data directly to the third party on behalf of the Data Subject.

• The right to object entails the Data Subject's right to object to the actions or decisions of the Owner regarding data processing.

• The right to unsubscribe from marketing notifications can be exercised by any Application User who does not wish to receive marketing communications from the Owner.

3.1.2 When the Data Subject is a minor (i.e. a Child), the above-mentioned rights can be exercised by the Parents or legal guardians.

3.1.3 Data Subjects can exercise their rights free of charge at any time by contacting the data processing officer responsible at the Owner.

3.1.4 If a Data Subject believes that the Owner is violating the Personal Data Protection Act or any of their rights, the Data Subject may contact the data processing officer responsible at the Owner at any time.

3.1.5 The Owner informs and warns Data Subjects that, in certain cases, the exercise of their rights may not be legally or technically possible (e.g., if a Data Subject requests the Owner to delete all their personal data while continuing to use the Application).

3.2 Controller of Personal Data

3.2.1 The controller of personal data regarding the use of the Application and other forms is the Owner, namely Društvo sa ograničenom odgovornošću "MyTurn" Podgorica, established in accordance with the laws of Montenegro, with registered seat in Podgorica at the address: Bulevar Svetog Petra Cetinjskog 104, registration no: 51200505, TIN: 03624293.

3.2.2 The Owner will provide technical, personnel, and organizational measures for the protection of personal data during collection and processing, aiming to prevent loss, destruction, unauthorised access, alteration, disclosure, and misuse of data.

3.2.3 In accordance with Applicable Laws, the Owner may share collected personal data of Data Subjects with affiliated entities and partner organizations of the Owner to facilitate the provision of services, rewards and promotional offers earned by Data Subjects through the Application.

3.2.4 The Owner keeps records of personal data collections it establishes.

The Owner will, before establishing an automated personal data collection, provide a notification of the establishment of the automated personal data collection to the Agency for Personal Data Protection and Free Access to Information.

The Owner will provide notice to the Agency for Personal Data Protection and Free Access to Information regarding the establishment of an automated personal data collection and in all cases of significant changes in the processing of personal data.

3.2.5 The Owner may entrust certain tasks related to the processing of personal data to a data processor based on a specific written agreement.

Tasks related to the processing of personal data may only be entrusted to a data processor who meets the requirements for implementing technical, personnel, and organizational measures for the protection of personal data, in accordance with the Law on Personal Data Protection and other Applicable Laws.

4.PROCESSING AND STORAGE OF PERSONAL DATA

4.1 Purpose of Personal Data Processing

4.1.1 The Owner will process personal data for the following purposes:

• legal purposes;
• contractual purposes;
• security purposes;
• statistical and research purposes;
• marketing and commercial purposes; and
• non-marketing purposes.

4.2 Legal Base

4.2.1 The Owner processes personal data for:

• detecting and investigating fraud and potential criminal activities directed against the Application and all Application Users;

• compliance with Applicable Laws in cases where legal regulations require the Owner to retain personal data for a certain period of time; and

• filing and defending against legal actions against the Owner.

4.2.2 In each of the aforementioned cases, the Owner has the right to use all data obtained from Data Subjects or resulting from Data Subjects' activities on the Application (e.g., communication between Data Subjects, Data Subjects and the Owner, etc.) for the purpose of (i) filing and/or defending against claims and/or legal actions, as well as for (ii) managing incidents arising in connection with the use of the Application.

4.3 Contractual Purposes

4.3.1 The Owner processes personal data for contractual purposes in order to:

• enable the use of the Application by Data Subjects;
• provide services and ensure the functioning of all Application features;
• facilitate provision of incentives and rewards for Data Subjects;
• enable the use of filters and algorithms that are necessary or recommended for achieving the full potential of the Application and the smooth operation of all its functions;
• enhance the user experience of Application Users;
• facilitate communication, data exchange, notifications, and documentation between the Owner and Application Users; and
• provide technical support to Application Users during the use of the Application.

4.4 Security Purposes

4.4.1 The Owner processes personal data for security purposes in order to:

• prevent and detect malicious and unsafe activities and actions directed against the operation of the Application, the Owner, Application Users, and/or third parties, by collecting data about devices, location, Users Accounts, etc.; and
• detect and track activities and actions that may constitute criminal offenses, for the purpose of sharing such data with competent state authorities in accordance with Applicable Laws.

4.5 Statistical and Research Purposes

4.5.1 The Owner processes personal data for statistical and research purposes in order to:

• analyse patterns of behaviour, preferences, and habits of Application Users; and
• enhance the user experience of Application Users.

4.6 Marketing and Commercial Purposes

4.6.1 The Owner processes personal data for marketing and commercial purposes in order to:

• carry out marketing, communication, research, and development activities;
• analyse and research ways to improve the Application based on user experience data provided by Data Subjects in connection with the Application (e.g., service ratings, satisfaction surveys, and other similar feedback); and
• use materials that Data Subjects post on social media profiles mentioning the Owner or the Application explicitly (e.g., through hashtag # or @ mentions).

4.7 Non-Marketing Purposes

4.7.1 The Owner processes personal data for non-marketing purposes, including:

• sending notifications about incidents, technical disruptions, or interruptions in the operation of the Application; and
• sending notifications about changes and amendments to the General Terms, Cookies Policy, Privacy Policy, and any other documentation relevant to the operation of the Application.

4.7.2 The Owner can use push notifications on the mobile device of the Application User to send non-marketing notifications related to the management of household Tasks and Rewards.

An Application User who does not wish to receive push notifications has the option to disable them through the Application. However, if disabled, the Application User will not receive any push notifications related to their activity on the Application, including, but not limited to, notifications regarding Task assignments, progress updates, or Rewards associated with the Child's activities.

4.8 Types of Personal Data

4.8.1 The Owner stores data provided by Data Subjects directly and indirectly.

4.8.2 Data provided directly by Data Subjects include:

(i) Registration data include information that Data Subjects provide during Registration.

(ii) User Account data include all information that the Application User provides while setting up its User Account on the Application or publishes subsequently on their User Account.

(iii) Additional data include all additional information (including especially photographs) that Application Users publish on their User Account or otherwise use or publish on the Application.

(iv) Data about previous communication with the Owner include all information provided to the Owner by the Application User through the use of Communication Channels.

(v) Data about conversations with the Owner include all transcripts and recordings of conversations generated during the use of Communication Channels, which are stored to guarantee and improve the quality of the Application.

(vi) Communication data represent all data that arise in communication between Application Users using communication tools on the Application.

4.8.3 Data provided indirectly provided by Data Subjects include:

(i) Data resulting from the use of the Application encompass all data that arise from the interaction of Application Users with the Application.

(ii) Data about applications and devices include all data about the devices and applications that Application Users use to access the Application, including in particular:

• the IP address that the Application User uses to connect to the internet via a computer or mobile phone;
• information about the computer, tablet, or mobile phone of the Application User, such as internet connection, browser type, version, and operating system, as well as the type of device;
• the entire sequence of characters used as a Uniform Resource Locator (URL) (information related to navigation through the application and similar), including date and time;
• data from the phone/computer of the Application User, including, but not limited to feedback and/or comments of the Application User; and
• preferred settings.

(iii) User-originated data are data that arise when a Data Subject arrives at the Application via an external source (such as a link from another website or social media).

(iv) Data resulting from managing issues with the operation of the Application are data that arise when an Application User contacts the Owner to resolve technical or other issues with the operation of the Application via Communication Channels.

(v) Data resulting from cookies refer to data that arise in connection with the Owner's own cookies and third-party cookies related to the Application.

(vi) Data resulting from third parties include:

• personal data that third parties authorized by the Application User share with the Owner (e.g., data that Google LLC, Meta Platforms, Inc may share with the Owner); and
• personal data that Application Users or third parties share with the Owner through social media or in another similar manner that does not involve Communication Channels.

4.9 Children Data

4.9.1 The Owner is committed to adhering to the principles of data minimization meaning that it will only collect personal data that is necessary for the functionality and enhancement of the Application.

4.9.2 Children data will be collected from the Parents or legal guardians, who will provide a verifiable parental consent for data processing.

4.9.3 Data that will be collected from the Parents or legal guardians with regards to Children, as Data Subjects, include in particular:

(i) Name and surname or nickname of the Child which is to be used for account creation;
(ii) Date of birth which is to be primarily used to provide recommendations to Parents or legal guardians as to which Tasks, Rewards and incentives are appropriate for the Child of specific age; and
(iii) Gender which is to be primarily used by the Owner for collecting statistical data.

4.9.4 The data specified above will be provided to the Owner by the Parent or legal guardian in the process of setting up the User Account for the Child. All Children data that the Owner collects will be encrypted.

4.9.5 While setting up a User Account for a Child, Parents or legal guardians have complete discretion to decide whether to include a profile picture of the Child or create its User Account without one. Parents or legal guardians can later add or remove the Child's profile picture within the Application, through the User Account settings.

4.9.6 If the Parent or legal guardian requests pictures to be taken by a Child for the purpose of verifying the completion of the assigned Task, such pictures will be automatically deleted immediately after being seen and verified by the Parent or legal guardian.

4.9.7 Upon request, Parents or legal guardians will be further informed about the specific types of Children data the Owner collects, how it is used, and how they can review or request deletion of the Child's information which they have provided.

4.9.8 Before collecting any personal information from a Child, the Owner will seek a verifiable parental consent.

4.10 Data Recipients

4.10.1 The Owner guarantees Data Subjects that all commercial partners, technicians, suppliers, or independent third parties with whom the Owner shares personal data are bound by a contractual obligation to handle the data in accordance with the Privacy Policy and all requirements of Applicable Laws.

4.10.2 The Owner will not disclose collected personal data to third parties who do not comply with the specified instructions, and no notice shall imply the sale, rental, sharing, or disclosure of Application User personal data in any way for commercial purposes.

4.10.3 Personal data may be shared with, in particular but not limited to, the following entities:

• employees and associates of the Owner;
• affiliated entities or partner organizations of the Owner;
• relevant government authorities;
• call centres and customer service providers with whom the Owner collaborates regarding the Application;
• third parties providing incident and risk management services with whom the Owner collaborates regarding the Application;
• insurers and insurance agents with whom the Owner collaborates regarding Application insurance; and
• entities conducting satisfaction surveys on behalf of the Owner regarding services provided.

4.10.3.1 Personal data will not be disclosed to third parties unless:

• it is necessary or advisable to ensure the smooth operation of the Application and all its functions; or
• the Data Subject has explicitly consented to the disclosure of their personal data; or
• required by competent government authorities; or
• the disclosure of personal data is explicitly permitted or provided for by Applicable Laws.

4.10.3.2 The Owner shall keep records of (i) third parties, or users of personal data; (ii) the type and scope of data provided for use; (iii) the purpose for which they were provided; (iv) the legal basis for the use and provision of data for use; and (v) the duration of use.

The Owner will maintain the aforementioned records for a period of 10 years, after which the data in the records will be deleted.

4.11 Data Retention Period

4.11.1 The Owner will retain the data for processing for the time strictly necessary to achieve the given purpose.

4.11.2 After achieving the processing purpose, the Owner will store and protect personal data appropriately during the mandatory retention period prescribed by Applicable Laws, if such period exists. Otherwise, the Owner will appropriately destroy the personal data immediately upon achieving the processing purpose.

4.12 Transfer of Data to Other Countries and International Organizations

4.12.1 The Owner may transfer personal data outside the borders of Montenegro and outside the borders of the European Economic Area.

In such cases, the Owner will ensure before sending the data that the recipients meet minimum security standards in accordance with Applicable Laws.

4.12.2 Third parties may only collect, process, or use data in accordance with the contract between them and the Owner.

4.12.3 The Owner keeps a record of personal data containing information about the export of personal data from Montenegro, indicating the country to which the data are exported or the international organization or other foreign user of personal data.

4.13 Classification of Application Users

4.13.1 The Owner may classify Application Users into different categories based on personal data collected about them.

4.13.2 Classifications will be used solely and exclusively for the purpose of improving user experience and the functioning of the Application.

5.MISCELLANEOUS

5.1 Amendments and Supplements

5.1.1 The Owner reserves the right to periodically change (partially or entirely) and update the Privacy Policy.

5.1.2 The Owner will notify Data Subjects of changes and amendments to the Privacy Policy in accordance with Applicable Laws.

5.1.3 The use of the Application after updating the Privacy Policy will be considered as consent to the changes and amendments to the Privacy Policy, to the extent permitted by Applicable Laws.

5.2 Contact Information

5.2.1 Any questions or concerns regarding the Privacy Policy, as well as the methods of data collection and processing, Data Subject can address to the data processing officer responsible at the Owner:

Name and surname: Ivana Gazivoda
Address: Bulevar Svetog Petra Cetinjskog 104
81000 Podgorica Montenegro
E-mail: contact@myturn.me