Privacy Policy
Wimbo Au Pty Ltd
Effective Date: May 24, 2025
I. INTRODUCTION
This Privacy Policy (hereinafter, the “Policy”) is adopted and published by Wimbo Au Pty Ltd, a proprietary limited liability company duly organized and existing under the laws of the Commonwealth of Australia, Australian Company Number 687 084 984, conducting business under the registered commercial designation “Wimbo” (hereinafter, the “Company”, “we”, “us”, or “our”).
This Policy governs the manner in which the Company collects, uses, processes, discloses, retains, and transfers personal data of natural persons (hereinafter, “Data Subjects”) through their use of or interaction with the Company’s proprietary digital products and services, including but not limited to the Wimbo mobile application, website interfaces, data networks, and associated software infrastructure (collectively referred to herein as the “Platform”).
This Policy constitutes a legally binding document for the purposes of establishing compliance with globally recognized data protection and information privacy regimes, including but not limited to:
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation or “GDPR”), including Articles 5, 6, 13, and 24 through 30 thereof;
The United Kingdom General Data Protection Regulation and Data Protection Act 2018;
The California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act of 2020 (CPRA), codified at Cal. Civ. Code §§ 1798.100 et seq.;
The Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada, as enacted by S.C. 2000, c.5;
The Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. §§ 6501–6506, to the extent applicable to data subjects under the age of majority;
The OECD Privacy Guidelines (2013 Revision) and comparable international data transfer instruments;
Jurisdictionally relevant consumer protection laws, e-commerce regulations, and digital services directives.
Purpose and Normative Effect
This Policy is enacted in accordance with the Company’s obligation to adhere to the principles of lawfulness, fairness, transparency, data minimization, purpose limitation, accuracy, storage limitation, integrity, and accountability, as codified under Article 5(1) GDPR, and further reflected in the jurisprudence and enforcement frameworks of competent data protection authorities worldwide.
This Policy shall be interpreted in accordance with applicable rules of construction under international private law, including the doctrine of legitimate expectation, the principle of proportionality, and the reasonable reliance of the data subject on transparency, predictability, and lawful safeguards.
Territorial and Material Scope
The protections and obligations enumerated in this Policy apply extraterritorially to all Data Subjects who access the Platform, regardless of physical location or habitual residence, in accordance with Article 3(2) GDPR, CPRA Section 1798.140(c), and other extrajurisdictional reach provisions.
The Company, acting in its capacity as Data Controller within the meaning of Article 4(7) GDPR, undertakes all processing activities either directly or through authorized data processors, subcontractors, or affiliates bound by written agreements and subject to appropriate technical and organizational safeguards.
Binding Nature and Consent to Processing
By accessing, downloading, registering for, or otherwise using the Platform, each Data Subject expressly and voluntarily affirms their informed and unequivocal consent to the terms of this Policy and authorizes the Company to lawfully process their personal data pursuant to the legal bases for processing enumerated in Article 6(1) GDPR, Section 1798.100 of the CCPA/CPRA, Schedule 1 of PIPEDA, and all applicable enabling legislation.
In the case of cross-border data transfers, Data Subjects acknowledge that their information may be transmitted to and processed in countries whose data protection laws may differ from their own, including but not limited to the United States, Australia, and European Economic Area (EEA) member states. The Company undertakes such transfers pursuant to Standard Contractual Clauses (SCCs), adequacy determinations, or equivalent mechanisms recognized by regulatory authorities.
Hierarchy and Interpretation
In the event of a conflict between this Policy and any other document, the provisions of this Policy shall govern with respect to matters relating to the collection, use, and protection of Personal Data, unless expressly superseded by a data processing agreement, court order, or statute of superior authority.
Where required for legal clarity, reference shall be made to interpretive guidance issued by data protection authorities such as the European Data Protection Board (EDPB), UK Information Commissioner’s Office (ICO), California Privacy Protection Agency (CPPA), and Office of the Privacy Commissioner of Canada (OPC).
II. DEFINITIONS
For the purposes of this Privacy Policy (the “Policy”), and in accordance with internationally recognized data protection frameworks including but not limited to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the United Kingdom GDPR and Data Protection Act 2018, the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), the Personal Information Protection and Electronic Documents Act (Canada) (“PIPEDA”), and other comparable statutes, the terms defined herein shall carry the following meanings:
1. “Personal Data”
Means any information relating to an identified or identifiable natural person (“Data Subject”), as defined under Article 4(1) of the GDPR. An identifiable person is one who can be identified, directly or indirectly, by reference to identifiers such as a name, identification number, location data, online identifier, or attributes specific to the individual’s physical, physiological, genetic, mental, economic, cultural, or social identity.
2. “Processing”
Shall include any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, transmission, dissemination, alignment, restriction, erasure, or destruction, consistent with Article 4(2) GDPR, and analogous with “processing” under CCPA § 1798.140(e) and Section 2(1) PIPEDA.
3. “Data Subject”
Refers to any natural person, irrespective of residency or citizenship, whose Personal Data is collected, processed, or stored by Wimbo in connection with their access to or use of the Platform.
4. “Controller”
Shall mean Wimbo Au Pty Ltd, which determines the purposes and essential means of the Processing of Personal Data, in accordance with Article 4(7) GDPR, and comparable with the term “business” as defined in CCPA § 1798.140(d).
5. “Processor”
Denotes any natural or legal person, public authority, agency, or other body which processes Personal Data on behalf of the Controller pursuant to Article 4(8) GDPR, and bound by written agreements ensuring adequate security and processing obligations.
6. “Platform”
Means the digital environment and service ecosystem made available by Wimbo, including but not limited to its mobile application, associated APIs, cloud infrastructure, user interface, database systems, web portals, and all functions, modules, and components integral to Wimbo’s commercial operations.
7. “Third Party” or “Third Parties”
Refers to any legal or natural person, public authority, agency, or body other than the Data Subject, Controller, Processor, or persons authorized to process data under the direct authority of the Controller or Processor. This includes, without limitation, external vendors such as:
Payment processors (e.g., Stripe, PayPal);
Artificial intelligence service providers (e.g., OpenAI);
Cloud infrastructure providers (e.g., AWS, GCP);
Analytics partners and performance tracking vendors;
Regulatory authorities when compelled by legal process.
8. “Consent”
Means any freely given, specific, informed, and unambiguous indication of the Data Subject’s wishes, by which they, by a clear affirmative action, signify agreement to the Processing of their Personal Data, as defined in Article 4(11) GDPR and CPRA § 1798.140(h).
9. “Anonymization”
Shall mean the process by which Personal Data is irreversibly altered in such a manner that the individual is no longer identifiable by any means reasonably likely to be used, thereby removing it from the scope of data protection laws, consistent with Recital 26 GDPR.
10. “Pseudonymization”
Shall refer to the processing of Personal Data in such a manner that it can no longer be attributed to a specific Data Subject without the use of additional information, provided that such additional information is kept separately, in accordance with Article 4(5) GDPR.
11. “Sensitive Personal Data” / “Special Categories of Personal Data”
Means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, biometric or genetic data for the purpose of uniquely identifying a person, data concerning health, or data concerning a natural person’s sex life or sexual orientation, as defined in Article 9(1) GDPR and CPRA § 1798.140(ae).
12. “Supervisory Authority”
Means an independent public authority established pursuant to Article 51 GDPR, or its counterpart under applicable law, with legal competence to oversee compliance with data protection regulations. Examples include:
The European Data Protection Board (EDPB);
The UK Information Commissioner’s Office (ICO);
The California Privacy Protection Agency (CPPA);
The Office of the Privacy Commissioner of Canada (OPC).
III. JURISDICTION AND SCOPE
1. Corporate Authority and Applicability
This Privacy Policy (hereinafter, the “Policy”) governs all data collection, processing, retention, transfer, and disclosure activities carried out by Wimbo Au Pty Ltd, a proprietary limited company incorporated under the laws of the Commonwealth of Australia, bearing ACN 687 084 984, and trading under the registered business name and trademark “Wimbo” (the “Company”). The Company maintains its principal place of business at 470 St Kilda Road, Melbourne, Victoria 3004, Australia, and acts as the Data Controller for the purposes of this Policy.
2. Elective Jurisdiction and Governing Law
Notwithstanding its place of incorporation in Australia, and in the interest of international commercial uniformity, platform interoperability, and contractual clarity, the Company expressly designates the laws of the State of Delaware, United States of America, as the primary governing legal framework for this Policy and for all matters concerning interpretation, enforceability, dispute resolution, and contractual obligations arising therefrom.
Such designation shall not derogate from the mandatory application of any local data protection laws applicable to the Data Subject based on their domicile, habitual residence, or data localization requirements, including but not limited to:
Article 3(2) GDPR, for data subjects in the European Union;
Section 1798.101 CCPA, for California residents;
Section 4 of PIPEDA, for Canadian users;
UK Data Protection Act 2018, for users in the United Kingdom.
Where such laws apply mandatorily, Wimbo undertakes to comply with those obligations as a matter of law and good faith international practice.
3. Global Applicability and Territorial Reach
This Policy applies extraterritorially to all Data Subjects who access, install, register for, or otherwise interact with the Wimbo Platform from any jurisdiction, including but not limited to the:
European Economic Area (EEA);
United Kingdom;
United States of America;
Canada;
Australia;
And any other country or territory with applicable data privacy legislation.
Pursuant to the principle of functional equivalence, the Company acknowledges that compliance obligations may be construed in accordance with the standards of the relevant Supervisory Authority or competent data protection body within the Data Subject’s jurisdiction.
4. Conflict of Laws and Supremacy
In the event of a direct conflict between the terms of this Policy and any applicable national or supranational data protection law, the provision that affords the higher standard of protection to the Data Subject shall prevail, consistent with Recital 10 of the GDPR, Article 25 of the ICCPR, and general principles of lex specialis and lex loci solutionis.
IV. LEGAL BASES FOR DATA PROCESSING
Wimbo processes Personal Data in strict accordance with the lawful bases established under the General Data Protection Regulation (Regulation (EU) 2016/679 – GDPR), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), the Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada, and other relevant legal instruments governing data privacy and protection.
In alignment with Article 6(1) GDPR, Section 1798.100 of the California Civil Code, and Section 5 of PIPEDA, the Company relies on the following legal grounds to justify the collection and processing of Personal Data:
1. Consent
(GDPR Article 6(1)(a); CPRA § 1798.130(a)(2); PIPEDA Principle 3)
Wimbo shall obtain the freely given, specific, informed, and unambiguous consent of the Data Subject prior to any processing operation that is not strictly necessary for the performance of a contract or compliance with a legal obligation. This includes, but is not limited to:
Enabling geolocation-based features (e.g., event matching by proximity);
Deploying behavioral analytics and marketing communications;
Utilizing cookies and similar tracking technologies for non-essential purposes.
Consent may be withdrawn by the Data Subject at any time without prejudice to the lawfulness of processing based on consent prior to such withdrawal. Mechanisms for managing consent shall be made available through in-app privacy settings or by contacting help@wimbo.au.
2. Contractual Necessity
(GDPR Article 6(1)(b); CPRA § 1798.140(v)(1)(A); PIPEDA Principle 4.3.2)
Processing is lawful and necessary where it is required for the performance of a contract to which the Data Subject is a party, or in order to take pre-contractual steps at the Data Subject’s request. This basis underpins Wimbo’s core functionality, including:
Registering and managing user accounts;
Facilitating participation in events, ticketing, and quick hangouts;
Administering subscription plans and payment processing;
Enabling user-generated content and platform interactivity.
Failure to provide Personal Data for these purposes may result in the inability to access certain features or execute contractual obligations.
3. Compliance with Legal Obligations
(GDPR Article 6(1)(c); PIPEDA Section 7(3); CPRA § 1798.105(d)(1))
Wimbo may process Personal Data where necessary for compliance with a legal obligation to which it is subject, including but not limited to:
Responding to subpoenas, court orders, or other lawful requests from public authorities;
Adhering to tax, financial, and corporate reporting obligations;
Satisfying anti-money laundering (AML) or counter-terrorism financing (CTF) laws;
Fulfilling applicable consumer protection or e-commerce regulations.
Such processing shall be limited to the minimum necessary and may be subject to audit or disclosure under applicable law.
4. Legitimate Interests
(GDPR Article 6(1)(f); Recital 47 GDPR; CPRA § 1798.140(e); PIPEDA Principle 4.3.5)
Processing may occur where it is necessary for the purposes of legitimate interests pursued by Wimbo or a third party, except where such interests are overridden by the fundamental rights and freedoms of the Data Subject.
Legitimate interests asserted by the Company include:
Ensuring the security and integrity of the Platform and its infrastructure;
Preventing fraud, abuse, harassment, and unauthorized access;
Performing internal diagnostics, analytics, and product optimization;
Moderating content and enforcing Terms of Use or Community Guidelines;
Responding to user inquiries, complaints, and support requests.
Where reliance is placed on this basis, Wimbo shall conduct a legitimate interest assessment (LIA) and implement appropriate safeguards, including pseudonymization and opt-out capabilities, where feasible.
V. CATEGORIES OF PERSONAL DATA COLLECTED
In adherence to the foundational principles of data minimization and purpose limitation as enshrined under Article 5(1)(c) and (b) of the GDPR, and equivalent provisions under Section 1798.100(b) of the California Civil Code (CPRA) and PIPEDA Schedule 1, Clause 4.4, Wimbo commits to collecting only those categories of Personal Data that are adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.
The Company may, directly or indirectly through authorized processors, collect and process the following categories of Personal Data:
1. Identification and Contact Information
Includes data necessary to establish, verify, and maintain the User’s identity and account credentials. This may comprise:
Full legal name
Email address
Mobile telephone number
Internet Protocol (IP) address
Account registration metadata (timestamp, referral method)
2. Profile and User-Provided Information
Comprises voluntary data submitted by the User in connection with their public-facing or event-specific profile, including:
Biographical text or personal description
Profile photographs and cover images
Uploaded videos or media content
User-declared interests or community tags
Event hosting preferences and RSVP visibility settings
3. Geolocation and Proximity Data
Subject to affirmative opt-in consent under Article 6(1)(a) GDPR, Wimbo may collect:
Approximate geolocation data inferred from IP or device settings
Precise location data (e.g., GPS coordinates), if expressly permitted by the User
This data is used solely for matching users with local events, customizing discovery features, and ensuring the safety and integrity of proximity-based functions.
4. Device and Technical Information
Collected automatically through server logs, application analytics, and device integration, including:
Device type and manufacturer
Operating system and version number
Browser type, user agent, and fingerprinting identifiers
Language preferences and screen resolution
Log timestamps, crash diagnostics, and usage statistics
5. Financial and Payment Data
Payment data is processed securely through third-party PCI-DSS compliant processors (e.g., Stripe, PayPal, Visa); Wimbo may receive the following data in tokenized, non-reversible formats:
Payment token or masked card data
Transaction history (e.g., ticket purchases, refunds)
Subscription billing status and renewal preferences
Currency, tax region, and receipt logs
Wimbo does not store full payment card numbers or CVV codes.
6. Event Participation and Behavioral Data
Collected in connection with the User’s interactions with events and monetization features, including:
RSVP status and attendance confirmation
Ticket purchase and cancellation records
Event creation metadata
User boosts, event boosts, and spotlighting transactions
Waitlist positions and host response activity
7. Communications and In-App Messaging Data
Data generated from User interactions on the Platform, including:
Messages sent between Users via in-app chat
Files, images, or links shared during conversations
AI interactions with Wimbot (including prompts, attachments, usage patterns)
Communication timestamps and read receipts
Metadata such as sender ID, recipient ID, and session origin
8. Content Moderation and Enforcement Data
Collected and maintained for the purpose of enforcing Wimbo’s Terms of Use and Community Guidelines, including:
User-generated reports and complaint submissions
Admin investigation records and evidence logs
Decisions regarding warnings, suspensions, or account terminations
Internal moderator comments or rationale annotations
Appeals and reinstatement records
This data may be retained for compliance, auditability, and abuse prevention, in accordance with Article 5(1)(e) GDPR.
VI. PURPOSES OF PROCESSING
The Company undertakes to process Personal Data solely for purposes that are specified, explicit, and legitimate, as required under Article 5(1)(b) of the General Data Protection Regulation (GDPR), Section 1798.100(b) of the California Civil Code (CPRA), and Principle 4.2 of the Personal Information Protection and Electronic Documents Act (PIPEDA). Such purposes are objectively justified by the nature of the services offered, the expectations of the Data Subjects, and the operational, contractual, and legal obligations of the Company.
The following constitutes the definitive list of lawful purposes for which Wimbo processes Personal Data:
1. User Account Lifecycle Management
To enable the creation, verification, maintenance, and administration of user accounts, including the assignment of credentials, session authentication, two-factor verification (if applicable), and user access control across Platform services.
2. Social Discovery, Event Hosting, and Community Engagement
To support interest-based networking, matchmaking, discovery algorithms, and real-time participation in hosted or user-generated events. This includes facilitating user interaction through event RSVPs, event boosting, community tags, and personalized engagement prompts.
3. Financial Transactions, Subscription Management, and Escrow Operations
To process payments, recurring billing cycles, digital purchases (e.g., ticketing, add-ons), and escrow management through integrated third-party processors (e.g., Stripe). This includes transaction auditing, refund processing, service fee calculation, and compliance with payment gateway obligations under PCI DSS standards.
4. AI-Enhanced User Experience (Wimbot)
To provide intelligent, AI-assisted informational services through the Wimbot feature, including event discovery suggestions, content generation prompts, and user interface personalization. All AI-generated outputs are non-binding and informational only, and Wimbo does not make automated decisions with legal or similarly significant effects.
5. Platform Integrity, Moderation, and Enforcement
To detect, prevent, and respond to violations of the Terms of Use, Community Guidelines, or applicable law. This includes content filtering, user reporting workflows, flagging of harmful behavior, and enforcement actions such as suspensions or removals, as well as retention of moderation logs for legal defensibility.
6. Legal Compliance and Regulatory Cooperation
To comply with applicable legal obligations, including but not limited to those arising under tax laws, anti-money laundering regulations, consumer protection statutes, and data protection legislation. This also includes the processing of lawful requests by courts, administrative agencies, and law enforcement bodies pursuant to subpoenas, warrants, or other legal instruments.
7. Platform Optimization, Feature Enhancement, and Diagnostic Analytics
To conduct application diagnostics, user interaction analytics, and feature usage tracking in order to refine Platform performance, eliminate technical errors, and inform future feature development. This includes A/B testing, user feedback analysis, and measurement of engagement trends.
8. Safeguarding the Rights, Safety, and Property of Users and Third Parties
To investigate, defend, or pursue claims involving suspected fraud, harassment, threats, or other unlawful or unethical conduct that may endanger the Platform, its users, or the public interest. This extends to cooperation with cybersecurity experts or authorities in the event of a data breach or coordinated attack.
VII. CHILDREN’S PRIVACY AND MINIMUM AGE REQUIREMENTS
1. Age Threshold for Platform Access
Access to the Wimbo Platform is expressly limited to individuals who are sixteen (16) years of age or older. This restriction is imposed in accordance with international data protection standards, including Article 8(1) of the GDPR, which sets the minimum age for lawful digital consent at 16 unless derogated by Member State law.
2. User Declaration and Warranties
By registering an account or otherwise using the Platform, the user represents and warrants that they are not under the age of sixteen (16) and that the information provided during registration is accurate, truthful, and complete. The Company reserves the right to suspend or terminate any account where a breach of age requirements is reasonably suspected or confirmed.
Compliance with the Children’s Online Privacy Protection Act (COPPA)
In compliance with the Children’s Online Privacy Protection Act (15 U.S.C. §§ 6501–6506) and associated regulations (16 C.F.R. Part 312), Wimbo does not knowingly collect, solicit, store, or process any Personal Data from children under the age of thirteen (13). Should Wimbo become aware that such data has been inadvertently collected, it shall be deleted without undue delay, and appropriate remedial measures shall be taken in accordance with the Company’s data breach and incident response protocols.
18+ Event Restrictions and Organizer Verification Obligations
Users who have not attained the age of eighteen (18) are prohibited from participating in events designated as “18+.” Event organizers are required, as a condition of use, to implement reasonable age verification procedures prior to permitting entry to such events, and Wimbo shall not be held liable for any failure on the part of the organizer to comply with this mandate. Wimbo’s platform interface will display explicit disclosures and warnings on all 18+ events.
Parental Control and “Kids Events” Protocol
Wimbo permits the creation of “Kids Events,” subject to the following strict conditions:
Events must be created, administered, and supervised exclusively by adult users (parents or legal guardians), who assume full legal and ethical responsibility for all communications, invitations, and real-world supervision.
Children under sixteen (16) shall not access or register for the Platform directly under any circumstances.
All invitations, coordination, and communication related to “Kids Events” shall occur between verified adult accounts only.
The Company disclaims all liability for the supervision, behavior, health, safety, logistics, or any other aspect of in-person interaction arising from “Kids Events,” whether hosted publicly or privately, as Wimbo is a technology platform and not a childcare, educational, or event supervision provider.
International Compliance and Conflicting Laws
Where local laws impose a higher minimum age requirement for the processing of Personal Data or use of digital services, such higher standard shall apply in that jurisdiction. Wimbo shall act in good faith to honor regional legal age mandates to the extent practicable and in compliance with relevant supervisory authorities.
VIII. ARTIFICIAL INTELLIGENCE DISCLOSURE (WIMBOT)
General Description of AI Functionality
The Wimbo Platform incorporates an integrated artificial intelligence (AI) interface known as “Wimbot”, which is designed to deliver natural language responses to user queries, generate informational content, suggest events or features, and assist with basic support or app navigation. Wimbot’s outputs are dynamically generated using machine learning models and language algorithms, and are not pre-scripted or manually authored by Wimbo personnel.
Third-Party Technology Providers
Wimbot is partially powered by the OpenAI API, which utilizes advanced large language models to generate text-based outputs in response to user inputs. Wimbo’s use of this technology is governed by OpenAI’s published API Terms of Use, Content and Usage Policy, and security protocols, which include standards for input handling, content filtering, and data integrity. Users acknowledge that their interactions with Wimbot may be subject to OpenAI’s processing standards and transmitted via secure, encrypted endpoints.
Scope of Functionality and Operational Limitations
Wimbot is strictly limited to providing non-binding, informational, and contextual assistance. It does not possess any legal, supervisory, disciplinary, or adjudicative authority, and shall not be relied upon for purposes of:
Legal, medical, financial, or mental health advice;
Issuing or enforcing platform penalties or suspensions;
Delivering contractual notices or modifying user agreements;
Replacing any human administrator’s decision-making role.
All enforcement decisions, content moderation outcomes, and user sanctions are rendered exclusively by Wimbo’s designated administrative personnel, and are subject to manual review under a dual-layered (human + AI-assisted) protocol to ensure procedural fairness and legal accountability.
Disclaimer of Liability
Wimbo expressly disclaims any and all representations, warranties, or assurances as to the accuracy, completeness, timeliness, or reliability of Wimbot-generated content. Wimbot responses are generated using probabilistic modeling and do not constitute official communications, guarantees, or endorsements by Wimbo Au Pty Ltd.
To the maximum extent permitted under applicable law, Wimbo shall not be liable for any damages, losses, or consequences (whether direct, indirect, incidental, or consequential) arising from the reliance, misuse, interpretation, or application of any response or information provided by Wimbot.
User Responsibility and Consent
By engaging with Wimbot, users acknowledge that the content provided is automated, generalized, and context-dependent, and that human judgment must be exercised in evaluating and acting upon any output. Users further agree not to use Wimbot to generate, solicit, or disseminate unlawful, harmful, or prohibited content, as defined in Wimbo’s Community Guidelines and Terms of Use.
IX. DATA SHARING AND THIRD PARTIES
Categories of Authorized Recipients
Subject to the principles of purpose limitation and data minimization under Article 5(1)(b)–(c) of the GDPR, Wimbo may share Personal Data with carefully vetted third parties, either as data processors acting on its behalf or as independent data controllers, pursuant to Article 28 GDPR and equivalent global legal instruments. These include the following categories of recipients:
Payment Processors: Entities that facilitate user transactions, ticket payments, and escrow disbursements, such as Stripe, PayPal, and Visa, operating under PCI DSS-compliant environments.
Cloud Infrastructure Providers: Hosting partners providing secure data storage, redundancy, and uptime services for the Platform’s backend systems (e.g., AWS, Google Cloud).
Artificial Intelligence Service Providers: Including, but not limited to, OpenAI, which supports Wimbot’s natural language generation, subject to API-based terms and internal safeguards.
Customer Support Platforms: Providers assisting in the processing of user requests, help tickets, and administrative resolution workflows.
Analytics and Performance Vendors: Tools used to track anonymized usage patterns, user engagement, and feature performance (e.g., Google Analytics), consistent with pseudonymization standards under Article 89 GDPR.
Supervisory, Tax, or Judicial Authorities: Disclosure may be made where required under applicable law, pursuant to subpoena, court order, tax audit, fraud investigation, or other lawful authority, in accordance with Article 6(1)(c) GDPR and CCPA § 1798.105(d).
All third-party data recipients are contractually bound by data processing agreements (DPAs) and required to implement appropriate technical and organizational measures to ensure confidentiality, integrity, and lawful processing.
Prohibition on Sale of Personal Data
Wimbo affirms that it does not and shall not sell Personal Data, as defined under CPRA § 1798.140(t)(1), nor does it engage in any “sharing” of Personal Data for cross-context behavioral advertising without prior affirmative opt-in consent, as defined under CPRA § 1798.140(ah).
Wimbo does not disclose user data to third parties in exchange for monetary consideration, nor for targeted advertising outside the confines of the Wimbo ecosystem.
Cross-Border Transfers and Safeguards
Where Personal Data is transferred across national borders, including transfers outside of the European Economic Area (EEA) or United Kingdom, such transfers are governed by:
Standard Contractual Clauses (SCCs) approved by the European Commission;
UK International Data Transfer Addendum;
Adequacy decisions issued by the European Commission or other competent data protection authorities.
X. COOKIES AND TRACKING TECHNOLOGIES
Use of Cookies and Similar Technologies
Wimbo employs session cookies, persistent cookies, local storage objects, and other tracking technologies to:
Authenticate and maintain user sessions;
Retain in-app language, theme, and preference settings;
Analyze user behavior, interaction flows, and feature efficacy;
Prevent abuse or fraudulent activity on the Platform.
Cookies are deployed both by Wimbo and by authorized third-party service providers acting on its instructions.
Legal Basis and Regulatory Compliance
All cookie-related data collection complies with the ePrivacy Directive (2002/58/EC) and the General Data Protection Regulation, particularly Recital 30 and Article 6(1)(a) where consent is required.
For California residents, tracking mechanisms are disclosed pursuant to CPRA § 1798.100(b) and Cal. Bus. & Prof. Code § 22575 (CalOPPA). Users are notified of tracking through cookie banners or privacy notices upon first interaction with the Platform.
User Rights and Cookie Preferences
Users may manage their cookie and tracking preferences through the following means:
Device-Level Controls: Browser settings, mobile OS privacy controls, or ad tracking preferences;
In-App Cookie Settings: A dedicated cookie management interface allowing granular control of functional, analytics, and marketing cookies;
Do Not Track Signals: Wimbo honors DNT signals where technically feasible and legally required.
Users are advised that disabling certain categories of cookies may impair platform functionality or limit personalized features.
XI. REFUND POLICY AND ESCROW STRUCTURE
Structured Refund Framework
In accordance with the principle of fair dealing and commercial transparency, Wimbo has implemented a tiered refund policy applicable to ticket purchases made through the Platform. The following rules govern the eligibility of refund requests initiated by users:
Full Refund: If the cancellation request is submitted five (5) calendar days or more prior to the scheduled commencement of the event, the user is entitled to a 100% refund of the ticket price (excluding platform fees).
Partial Refund: If the cancellation request is submitted three (3) calendar days or more, but fewer than five (5) days before the event, the user is entitled to a 50% refund of the ticket price.
No Refund: If the cancellation request is submitted within twenty-four (24) hours of the scheduled event start time, the ticket shall be deemed non-refundable.
2. Organizer-Initiated Cancellations
In the event that an event organizer cancels the event for any reason, all affected users shall receive an automatic refund of the full ticket price, excluding the non-refundable 4% platform service fee. This fee represents sunk administrative and processing costs incurred by Wimbo at the time of purchase.
3. Escrow and Payment Processing Mechanism
Wimbo utilizes Stripe Connect, a third-party escrow and payment infrastructure, to hold ticket proceeds in a segregated account on behalf of the event organizer. Funds are disbursed to the organizer only upon confirmation of successful event completion or other predetermined criteria, as part of Wimbo’s fraud prevention and event assurance program.
In cases where disputes arise, the Company reserves the right to withhold, delay, or reverse payouts pending investigation, in accordance with applicable dispute resolution procedures and payment gateway policies.
4. Breakdown of Fees and Deductions
Each transaction made through the Platform is subject to a non-refundable cumulative service charge totaling approximately 8.2%, calculated as follows:
Wimbo Service Fee: 4% of the ticket price (non-refundable)
Stripe Processing Fee: Approximately 2.9% + $0.30 per transaction (variable by region)
Escrow Management Fee: 1% applied to ensure secure transaction hold and release
This fee structure is transparently disclosed at the point of sale and is deemed accepted upon completion of the transaction.
XII. DATA RETENTION AND SECURITY MEASURES
1. Retention Period and Purpose
Wimbo retains Personal Data for no longer than is necessary to fulfill the purposes for which such data was collected, including but not limited to:
Fulfillment of contractual obligations under Terms of Use
Facilitation of event history, refund, and moderation logs
Compliance with statutory record-keeping obligations (e.g., financial and tax law)
Defense of legal claims or regulatory investigations
Platform safety, abuse prevention, and fraud monitoring
The specific retention period may vary depending on the data category and applicable legal requirements. Where a statutory retention period exists (e.g., under taxation law), such period shall prevail.
2. Security Measures and Data Protection Controls
Wimbo implements a comprehensive Information Security Management System (ISMS) to ensure the confidentiality, integrity, and availability of all Personal Data under its control. Security measures include, but are not limited to:
Transport Layer Security (TLS) v1.2 or higher for all data in transit
Advanced Encryption Standard (AES-256) for data at rest
Role-based access control (RBAC) and principle of least privilege for internal systems
Two-Factor Authentication (2FA) and periodic credential rotation for administrative access
Regular penetration testing and security patching protocols
Access logging and anomaly detection
These measures are aligned with the ISO/IEC 27001 standards and industry best practices, and are reviewed periodically for effectiveness.
XIII. INTERNATIONAL TRANSFERS
1. Cross-Border Data Transfers
Wimbo may transfer, store, or process Personal Data in jurisdictions outside the country of the Data Subject’s residence, including but not limited to the United States, European Union (EU), United Kingdom, and Australia, for the legitimate and necessary purposes outlined in this Policy.
2. Transfer Safeguards and Legal Mechanisms
All international data transfers are carried out in accordance with Chapter V of the GDPR, UK GDPR, and applicable international data flow regulations. Transfers to jurisdictions that have not received an adequacy decision from the European Commission or UK Government shall be based on appropriate safeguards, including:
Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914/EU)
UK International Data Transfer Addendum (for transfers from the UK)
Binding Corporate Rules (BCRs) (where applicable)
Supplemental technical and organizational safeguards, including encryption and audit controls
Users may request further details regarding these safeguards by contacting: legal@wimbo.au
XIV. DATA SUBJECT RIGHTS
In accordance with the applicable data protection laws—including but not limited to the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR, the California Consumer Privacy Act as amended by the CPRA (CCPA/CPRA), and the Personal Information Protection and Electronic Documents Act (PIPEDA)—all Data Subjects whose Personal Data is processed by Wimbo are entitled to exercise the following rights, subject to verification and legal limitations:
Right of Access
(GDPR Article 15) – The right to request confirmation as to whether Personal Data concerning the Data Subject is being processed, and if so, to access such data along with information on the categories, purposes, recipients, retention period, and rights available.
Right to Rectification
(GDPR Article 16) – The right to obtain without undue delay the correction of inaccurate Personal Data and, where applicable, the completion of incomplete Personal Data.
Right to Erasure (Right to Be Forgotten)
(GDPR Article 17) – The right to request the deletion of Personal Data under specific grounds, such as withdrawal of consent, unlawful processing, or where data is no longer necessary for the purposes collected, subject to lawful exceptions.
Right to Restriction of Processing
(GDPR Article 18) – The right to request the temporary suspension of processing under certain circumstances, such as the contestation of data accuracy or pending legal claims.
Right to Data Portability
(GDPR Article 20) – The right to receive one’s Personal Data in a structured, commonly used, and machine-readable format and to transmit that data to another controller, where technically feasible.
Right to Object to Processing
(GDPR Article 21) – The right to object, on grounds relating to the Data Subject’s particular situation, to the processing of Personal Data based on legitimate interests or public task, including profiling.
Right to Lodge a Complaint
(GDPR Article 77, UK DPA 2018, PIPEDA s. 11(1)) – The right to lodge a formal complaint with a competent Supervisory Authority or Privacy Commissioner if the Data Subject believes that the processing of their Personal Data infringes applicable law.
Right to Opt-Out of Sale or Sharing (California Residents Only)
(CPRA § 1798.120) – The right to direct a business that sells or shares Personal Data to third parties to cease such activity, and to limit the use of sensitive personal information for secondary purposes.
Submission of Requests:
All data subject access requests (DSARs), rectification notices, objections, or complaints should be submitted in writing to:
Wimbo will acknowledge all valid requests within the legally required timeframe (typically 30 days under GDPR and 45 days under CPRA), and reserves the right to request identity verification prior to disclosure or amendment of any Personal Data.
XV. AMENDMENTS TO THIS POLICY
Wimbo reserves the exclusive right to modify, update, amend, or replace any portion of this Privacy Policy at its sole discretion and in accordance with applicable legal obligations. Any material changes to the scope of data collection, purposes of processing, data sharing practices, or user rights will be communicated to users via:
In-app notifications and banners, or
Email correspondence to the address on file.
Continued use of the Platform after the effective date of the amended Policy shall constitute binding acceptance of the revised terms, unless otherwise prohibited by law. Users are encouraged to review the Privacy Policy periodically to remain informed of their rights and Wimbo’s obligations.
For all matters related to privacy, data rights, or regulatory inquiries, please contact:
📨 Privacy & User Data Rights: help@wimbo.au
📨 Legal, Compliance & Regulatory Affairs: legal@wimbo.au
Wimbo Au Pty Ltd
ACN 687 084 984
470 St Kilda Road, Melbourne, Victoria 3004 Australia