Love. Art. Smart mission — Where art becomes action

PRIVACY POLICY

for Christina Black Edition™ — City of Light™ & EcoDigital™ Programs

Last updated: 22 November 2025


1. WHO WE ARE (DATA CONTROLLER)

For the City of Light™ and EcoDigital™ programs within Europe, the primary data controller under the EU General Data Protection Regulation ("GDPR") is:

Chip & Check Worldwide EU OÜ

  • Registry code: 17278797
  • Registered address: Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 5, 10117, Estonia
  • E-mail (for privacy and data protection matters): contacteu@chipandcheckworldwide.com

In accordance with the Estonian Commercial Register, the designated contact person in Estonia is:

Baltic Business Services OÜ

  • Registry code: 12085251
  • Address: Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 5, 10117, Estonia
  • E-mail: contact@1office.co

Certain global processing activities (for example investment-related accounting and global reporting) may be carried out together with:

Christina & Black Investments LLC

  • Registered address: 611 Druid Rd E, Ste 703, Clearwater, FL 33756, USA

In such cases, Christina & Black Investments LLC acts as a data processor or joint controller only to the extent strictly necessary and always under appropriate safeguards (see Sections 6 and 7).

If you have any questions about this Privacy Policy or our data processing, you can contact us at:

  • E-mail: contacteu@chipandcheckworldwide.com
  • Postal mail: Chip & Check Worldwide EU OÜ — Privacy, Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 5, 10117, Estonia

We currently do not appoint a mandatory Data Protection Officer (DPO) under GDPR, but we treat data protection as a high priority.


2. WHAT THIS PRIVACY POLICY COVERS

This Privacy Policy explains how we process personal data in connection with:

  • the City of Light™ and EcoDigital™ programs,
  • your use of our Dashboard and related online interfaces,
  • our general marketing and communication activities, and
  • our websites (including, where applicable, pages dedicated to specific Artworks and Partners).

It applies to:

  • contact persons, representatives and employees of our Partners (companies using our programs),
  • visitors to our websites and Artwork sub-pages,
  • other business contacts who communicate with us about our services.

It does not apply to situations where we receive data solely as a processor on behalf of a Partner under a separate data processing agreement (if any) — in such cases, the Partner remains the controller.


3. WHAT PERSONAL DATA WE COLLECT

We only collect and process personal data that is necessary for the purposes described in this Policy.

3.1 Data you or your company provide to us

Contact details:

  • Name, job title, email address, phone number of Partner representatives
  • Company name, address, billing details

Account and Dashboard data:

  • Login credentials (email / username, hashed password)
  • Company profile details uploaded to the Dashboard (logo, description, CSR preferences)
  • Visibility settings (e.g. whether to show the Partner's name and logo publicly or remain anonymous)

Contract and billing data:

  • Individual Rental Agreement details, invoices, payment status
  • Payment-related identifiers (e.g. transaction IDs from Stripe or other payment processors — we do not store full card data on our servers)

Communication data:

  • Emails, messages sent via the Dashboard or contact forms
  • Notes from calls or meetings related to program operation

If you provide us with personal data of other individuals (e.g. colleagues, authorized signatories, contact persons), you are responsible for ensuring that these individuals receive appropriate information about this Privacy Policy.

3.2 Data we collect automatically (online usage data)

When you use our websites or Dashboard, we may automatically collect:

Technical data:

  • IP address (shortened or pseudonymised where possible)
  • Browser type and version
  • Device type and operating system
  • Date and time of access
  • Basic log data (e.g. successful/failed logins, error logs)

Usage data:

  • Which pages you visit on the Dashboard
  • Changes you make to visibility settings or CSR preferences
  • System events relevant for security and operation

We may also use cookies or similar technologies for essential technical functions, security, and — with your consent where required — for analytics or preference settings. Details are provided in a separate Cookie Notice where applicable.


4. FOR WHAT PURPOSES AND ON WHAT LEGAL BASES WE USE YOUR DATA

We process personal data only where we have a valid legal basis under GDPR (Articles 6 and 9).

4.1 Performance of a contract (Art. 6(1)(b) GDPR)

We process your data where necessary to:

  • conclude and perform the Individual Rental Agreement with your company,
  • provide access to and operate the Dashboard,
  • manage the placement and rotation of Artworks,
  • handle billing, invoices and payment-related issues,
  • respond to your requests related to the programs.

If you are a representative, signatory or contact person of a Partner, we process your personal data as far as necessary to manage the contractual relationship with your company.

4.2 Compliance with legal obligations (Art. 6(1)(c) GDPR)

We process certain data to:

  • comply with accounting and tax laws,
  • comply with anti-money laundering or other regulatory requirements (where applicable),
  • respond to lawful requests from public authorities.

4.3 Legitimate interests (Art. 6(1)(f) GDPR)

We process data based on our legitimate interest, for example to:

  • ensure the security and integrity of our IT systems and Artwork-related records,
  • protect our Artworks and programs against abuse, fraud or unauthorized use,
  • document the placement and condition of Artworks (e.g. handover photos in Partners' offices),
  • send program-related updates or information that is reasonably expected in the context of your business relationship,
  • maintain and improve our services, including statistics and internal reporting,
  • support our Guinness World Records™ and similar certification efforts, while respecting confidentiality.

Where we rely on legitimate interests, we carefully balance our interests against your rights and freedoms. You have the right to object to certain processing based on legitimate interests (see Section 9).

4.4 Consent (Art. 6(1)(a) GDPR)

In some cases, we may rely on your consent, for example to:

  • send certain types of marketing communications (e.g. newsletters not linked directly to your existing business relationship),
  • place non-essential cookies or similar technologies on your device,
  • publish photos or testimonials that feature identifiable individuals in a more prominent way than usual documentation.

Where we rely on consent, you can withdraw your consent at any time with effect for the future, without affecting the lawfulness of processing based on consent before its withdrawal.


5. WHO CAN ACCESS YOUR DATA (RECIPIENTS)

We treat your data confidentially. We only share it where necessary and with appropriate safeguards.

5.1 Internal recipients

Access to personal data is limited to those within the Christina Black Group who need it for the purposes described above, including in particular:

  • Owners and founders of the Christina Black Group,
  • Designated team members and developers who maintain the platform and systems,
  • Administrative and support staff as needed.

All individuals with access are bound by confidentiality obligations and only access data as required for their tasks.

5.2 External service providers (processors)

We may engage trusted service providers who process personal data on our behalf, including:

Hosting provider:

  • DigitalOcean (we use EU-based data centers for EU customers where possible, on shared hosting infrastructure)

Payment processor:

  • Stripe or similar services (for subscription payments)

Email and communication services:

  • Providers for sending system emails and newsletters

IT and security providers:

  • For monitoring, maintaining and securing the platform

These providers act as data processors under GDPR and may only process personal data in accordance with our documented instructions, under contractual data protection agreements (including Standard Contractual Clauses where required).

5.3 Other recipients

In addition, personal data may be shared with:

  • Logistics partners (e.g. delivery companies) to coordinate the placement and rotation of Artworks at your premises,
  • Accountants, auditors and legal advisors where necessary for compliance or protection of our rights,
  • Public authorities or courts, where we are legally required or where it is necessary to protect our rights, property or safety (for example in case of theft, vandalism or serious contractual disputes).

We do not sell your personal data to third parties.


6. INTERNATIONAL DATA TRANSFERS

In principle, we seek to store and process personal data related to EU-based Partners on servers located in the European Union, e.g. within DigitalOcean's EU data centers.

However, some of our service providers or group entities may be located outside the European Economic Area ("EEA"), especially:

  • Christina & Black Investments LLC (USA), and
  • certain technical support or email services (if hosted outside the EEA).

Where personal data is transferred outside the EEA, we ensure that either:

  • the destination country has been granted an adequacy decision by the European Commission, or
  • appropriate safeguards are in place, such as the EU Standard Contractual Clauses (SCCs) combined with additional technical and organizational measures.

You can request more information about international transfers and the safeguards we use by contacting us (see Section 1).


7. HOW LONG WE KEEP YOUR DATA (RETENTION PERIODS)

We retain personal data only for as long as necessary for the purposes described above, or as required by law.

In general:

  • Contract and billing data: kept for the duration of the contract and for the statutory retention period (typically 5–10 years under accounting/tax laws, depending on jurisdiction).
  • Account and Dashboard data: kept for as long as the Partner's account is active and for a limited period after termination (e.g. 3 years), unless longer retention is required for legal claims.
  • Technical logs and security data: kept for a short period (typically 6–24 months), unless needed longer for incident analysis or legal proceedings.
  • Marketing and newsletter data: kept until you unsubscribe or object to receiving such communications, unless longer retention is required to document your preferences.
  • Guinness World Records™ and documentation material: kept for as long as necessary to document the program and related records, with appropriate safeguards and restricted access.

Where data is no longer needed, we securely delete or anonymise it.


8. DASHBOARD VISIBILITY SETTINGS AND YOUR RESPONSIBILITY

Our Dashboard allows each Partner to control the visibility of certain information:

  • whether the Partner's name and logo appear publicly on Artwork pages,
  • which CSR topics the Partner chooses to be associated with,
  • what kind of content is visible to the public or to internal viewers.

We provide these tools so that Partners can decide what corporate information they wish to show.

However:

  • The Partner is responsible for ensuring that any personal data it uploads (e.g. photos of staff, named contact persons on public pages) is used lawfully and in line with GDPR, including obtaining any necessary consents or legitimate interest assessments on its side.
  • The Partner is responsible for the correctness of its own profile data and for reviewing its visibility settings regularly.

From our side, we process data in line with this Privacy Policy, the T&Cs and applicable law.


9. YOUR RIGHTS UNDER GDPR

Under the GDPR, you have the following rights regarding your personal data, subject to certain conditions and exceptions:

1. Right of access. You can request confirmation as to whether we process your personal data and obtain a copy of the data we hold about you.

2. Right to rectification. You can request that we correct inaccurate or incomplete personal data concerning you.

3. Right to erasure ("right to be forgotten"). You can request that we delete your personal data, for example where it is no longer necessary for the purposes for which it was collected, or where you withdraw consent and there is no other legal basis.

4. Right to restriction of processing. You can request that we restrict the processing of your data in certain situations (e.g. while we assess a complaint or objection).

5. Right to data portability. For data that you provided to us and that we process based on consent or contract by automated means, you can request that we provide it in a structured, commonly used, machine-readable format, or transmit it to another controller where technically feasible.

6. Right to object. Where we process your data based on legitimate interests, you have the right to object at any time on grounds relating to your particular situation. We will then no longer process the data unless we can demonstrate compelling legitimate grounds which override your interests, rights and freedoms, or where processing is necessary for legal claims. Where we process your data for direct marketing, you can object at any time, and we will stop such processing.

7. Right to withdraw consent. Where processing is based on your consent, you can withdraw your consent at any time with effect for the future.

To exercise any of these rights, please contact us at contacteu@chipandcheckworldwide.com. We may need to verify your identity before responding to your request.

You also have the right to lodge a complaint with a supervisory authority, in particular in the EU Member State of your habitual residence, place of work, or place of the alleged infringement.

For our main establishment in Estonia, the competent authority is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon). Up-to-date contact details are available on the authority's official website.


10. HOW WE PROTECT YOUR DATA (SECURITY)

We take appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.

Measures include in particular:

  • hosting our systems on secure infrastructure (e.g. DigitalOcean data centers) with appropriate access controls,
  • using EU-based data centers for EU customers where possible, on shared but access-controlled hosting,
  • restricting access to personal data to a limited number of authorized persons (owners and designated staff / developers),
  • using strong authentication and password policies for administrative access,
  • encrypting data in transit (e.g. HTTPS / TLS) and, where appropriate, at rest,
  • regular backups and monitoring for technical issues,
  • staff awareness and confidentiality commitments.

However, no online system can be guaranteed to be 100% secure. We continuously evaluate and improve our security measures in line with industry standards and regulatory requirements.


11. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time, for example to reflect:

  • changes in our services or technical infrastructure,
  • legal or regulatory developments,
  • feedback from supervisory authorities or our Partners.

The current version will always be available on our website, indicating the date of the latest update. Where changes are significant or materially affect your rights, we will seek to notify you by email or via the Dashboard.

By continuing to use our services after the updated Policy takes effect, you acknowledge the updated terms.


12. CONTACT

If you have any questions, concerns or requests related to this Privacy Policy or to our handling of your personal data, you can contact us at:

  • E-mail: contacteu@chipandcheckworldwide.com
  • Postal address: Chip & Check Worldwide EU OÜ — Privacy, Harju maakond, Tallinn, Kesklinna linnaosa, Narva mnt 5, 10117, Estonia

We will do our best to respond within one month, as required by GDPR.


© Chip & Check Worldwide EU OÜ — Christina Black Edition™ — All rights reserved.
