WimboTM Data Sharing Summary Annex

(Annexed to the WimboTM Privacy Policy)
Effective Date: May 25, 2025
Entity: Wimbo Au Pty Ltd (ACN: 687 084 984), trading as WimboTM
Jurisdictional Scope: Global (inclusive of GDPR, UK GDPR, CCPA/CPRA, PIPEDA, COPPA, and applicable international consumer protection frameworks)

ARTICLE I — PURPOSE, TRANSPARENCY MANDATE, AND STATUTORY BASIS

1.1 This Data Sharing Summary Annex ("Summary") is issued by Wimbo Au Pty Ltd, trading as WimboTM, to fulfill its affirmative obligations under applicable data privacy and digital governance laws requiring transparency, user notice, and accountability in relation to disclosures of personal information to third parties and affiliates.

1.2 This Summary shall be construed as an extension of Wimbo’s core Privacy Policy, Organizer Verification Policy, and Terms of Use, and is intended to provide:
(a) A categorical disclosure of what personal data may be shared by WimboTM with third parties;
(b) The lawful bases and conditions under which such sharing may occur;
(c) The safeguards and compliance measures in place to protect such shared data;
(d) The identity and classification of recipients, including cross-border processors and controllers;
(e) A listing of the statutory instruments governing these obligations.

1.3 This Summary is issued in accordance with, and derives binding authority from, the following legal frameworks:

  • Regulation (EU) 2016/679 (GDPR) — Articles 5(1)(a) (lawfulness, fairness, and transparency), 6(1)(a–f) (lawful bases of processing), 13–14 (data subject information rights);

  • United Kingdom General Data Protection Regulation and Data Protection Act 2018, including Section 170 (unlawful disclosure);

  • California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) — Cal. Civ. Code §§ 1798.100–1798.199.100, including notice at collection and sharing for commercial purposes;

  • Personal Information Protection and Electronic Documents Act (PIPEDA), Division 1 — governing data use and disclosures in Canada;

  • Children’s Online Privacy Protection Act (COPPA) — 15 U.S.C. §§ 6501–6506, regulating data collection and parental consent for users under age 13.

1.4 This Summary applies to all data subjects whose information is collected, processed, or shared by or through the WimboTM Platform in connection with platform usage, event attendance, ticketing, or identity verification processes.

ARTICLE II — DEFINITIONS AND INTERPRETATION

2.1 Personal Data: Any information relating to an identified or identifiable natural person, as defined under GDPR Art. 4(1), including identifiers such as name, identification number, location data, or online identifiers.

2.2 Third Party: Any natural or legal person, public authority, agency, or body that is not the data subject, WimboTM, or a person processing data under Wimbo’s direct authority and supervision.

2.3 Processor: A third party processing data on behalf of WimboTM and subject to a binding data processing agreement under GDPR Art. 28 or equivalent provisions under UK GDPR or PIPEDA.

2.4 Joint Controller: Any party jointly determining the purposes and means of processing with WimboTM, as defined under GDPR Art. 26, and bound by a Joint Controller Agreement.

2.5 Sale and Sharing (under CCPA/CPRA):

  • "Sale" refers to disclosure of personal information to a third party for monetary or other valuable consideration.

  • "Sharing" refers to disclosure for cross-contextual behavioral advertising, as defined in Cal. Civ. Code § 1798.140(ad), (ah).

2.6 Adequacy Decision: A formal decision by the European Commission under GDPR Art. 45 recognizing a third country’s legal framework as providing an adequate level of data protection.

ARTICLE III — CATEGORIES OF PERSONAL DATA SHARED

3.1 Subject to the user’s affirmative consent or availability of a valid legal basis, WimboTM may share the following categories of personal data with authorized recipients, for the limited and specified purposes set forth in Article VI:

(a) Identity Data

  • Full legal name, government-issued identification numbers, date of birth, age classification, and national identification documents (passport, driver’s license, or other forms of Acceptable ID).

  • Shared for purposes of age-restricted access (18+), Kids Event validation, and identity authentication.

(b) Contact Data

  • Email addresses, mobile phone numbers, mailing or billing addresses.

  • Used for communications, confirmations, and Organizer or regulatory notifications.

(c) Usage and Platform Interaction Data

  • Timestamps, login activity, feature usage, session metadata, and navigation logs.

  • Shared for diagnostic purposes, analytics, or trust and safety interventions.

(d) Device and Technical Data

  • IP address, device type and model, operating system version, browser agent string, crash logs, and app version data.

  • Utilized for fraud prevention, security auditing, and optimization.

(e) Payment and Transaction Metadata

  • Transaction reference numbers, order timestamps, payment confirmation codes.

  • Full cardholder data is not collected or retained by Wimbo; all payment processing is delegated to PCI-DSS certified vendors (e.g., Stripe).

(f) Location Data

  • Geolocation derived from device GPS (real-time) or IP mapping (approximate), collected strictly upon opt-in consent.

(g) AI Interaction Data

  • Non-sensitive queries and user prompts submitted to Wimbo’s AI assistant (Wimbot).

  • Such interactions are pseudonymized and not used to profile individual users.

(h) Event Participation Data

  • RSVP status, event browsing history, ticket purchase records, QR code check-in scans, and user comments.

  • Shared selectively with Verified Organizers or internal systems for the purpose of event execution and fraud monitoring.

ARTICLE IV — CATEGORIES OF AUTHORIZED DATA RECIPIENTS

4.1 WimboTM may disclose Personal Data to the following authorized recipient classes, each bound by legal, technical, and contractual safeguards:

(a) Payment Processors

  • Stripe, Inc. handles all monetary transactions under a binding Data Processing Agreement (DPA) incorporating GDPR Art. 28, PCI-DSS obligations, and CPRA contract terms.

(b) Cloud and Infrastructure Providers

  • Amazon Web Services (AWS) and Cloudflare, Inc. host, encrypt, and deliver platform infrastructure under strict data processing and technical security agreements.

(c) Artificial Intelligence Vendors

  • Confidential AI sub-processors used to enhance WimbotTM capabilities. All access to query content is pseudonymized and governed by non-disclosure agreements and processing limitation clauses.

(d) Verified Event Organizers

  • Limited data (e.g., RSVP responses, name, ticket status) may be shared with Organizers solely to facilitate legitimate access control to the event in question.

(e) Public Authorities and Legal Bodies
WimboTM shall disclose Personal Data where legally required pursuant to:

  • Lawful subpoenas

  • Court orders

  • Governmental requests related to fraud, consumer protection, or child endangerment

(f) Wimbo Affiliates and Subsidiaries

  • Intra-group data sharing is conducted under Standard Contractual Clauses, Intra-Group Data Sharing Agreements, or Joint Controller Addenda, where necessary to perform cross-border operations.

ARTICLE V — LEGAL BASES FOR DATA DISCLOSURE

5.1 All sharing of personal data by WimboTM is grounded in at least one of the following legal bases:

(a) Consent — GDPR Art. 6(1)(a); CPRA § 1798.120

  • Applies to geolocation tracking, AI query usage, and optional data sharing preferences enabled by the user.

(b) Contractual Necessity — GDPR Art. 6(1)(b)

  • Required to process RSVP submissions, confirm ticket purchases, or deliver event access services.

(c) Legal Obligation — GDPR Art. 6(1)(c); COPPA 15 U.S.C. § 6502

  • Encompasses child protection verification, court disclosures, and other lawful compliance requirements.

(d) Legitimate Interests — GDPR Art. 6(1)(f)

  • Justifies disclosures necessary to prevent abuse, detect fraud, maintain security, and protect platform integrity, provided such interests do not override data subject rights.

(e) Commercial Purpose — CPRA § 1798.140(e), (t)

  • Encompasses disclosures for operational efficiency, engagement analytics, and event optimization.

ARTICLE VI — PURPOSES OF DATA DISCLOSURE

6.1 WimboTM shares Personal Data only for the following lawful and limited purposes, strictly adhering to the principle of purpose limitation:

(a) Event Access Facilitation

  • Verifying user registration and identity for check-ins, QR code access, and ticketed event participation.

(b) Identity and Age Verification

  • Ensuring compliance with legal restrictions on minors and validating Organizer credentials.

(c) Payment and Transaction Integrity

  • Enabling secure payment completion, fraud detection, and payment reconciliation.

(d) Compliance with Legal Mandates

  • Providing disclosures required by regulators, courts, or governmental entities under binding process.

(e) Platform Performance Optimization

  • Analyzing user behavior for UI/UX improvement, bug resolution, and stability assurance.

(f) Safety, Trust, and Abuse Mitigation

  • Investigating suspicious conduct, suspending harmful actors, and escalating violations under Wimbo’s Suspension & Enforcement Policy.

ARTICLE VII — CROSS-BORDER DATA TRANSFERS AND SAFEGUARDS

7.1 Personal Data may be transferred by WimboTM to countries outside of the user’s domicile only where adequate protections are in place, in accordance with international law.

7.2 Transfers shall be executed only under one or more of the following conditions:

(a) Adequacy Decisions

  • Recipient country has been recognized by the European Commission or UK Information Commissioner’s Office (ICO) as having an adequate level of protection (GDPR Art. 45).

(b) Standard Contractual Clauses (SCCs)

  • Execution of updated EU-approved SCCs (2021/914) and UK International Data Transfer Agreements (IDTA) per GDPR Art. 46 and UK GDPR Part 3.

(c) Supplementary Measures

  • Encryption, pseudonymization, role-based access controls, and zero-trust security protocols applied to ensure equivalent protection (EDPB Recommendations 01/2020).

(d) Data Transfer Impact Assessments (DTIA)

  • Comprehensive legal and technical risk assessments conducted prior to material transfers, with remediation plans where necessary.

7.3 Upon written request, users are entitled to receive a copy of the relevant SCCs, safeguards, and a list of receiving countries or entities.

ARTICLE VIII — USER RIGHTS REGARDING DISCLOSURE AND DATA SHARING

8.1 Fundamental Data Subject Rights
All users of the WimboTM Platform (“Data Subjects”) retain full legal rights to exercise the following with respect to their personal data disclosed or shared by WimboTM:

(a) Right to Be Informed

  • Users have the right to clear, accessible information about the categories, scope, recipients, and purposes of data disclosures before or at collection (GDPR Arts. 12, 13; CPRA §§ 1798.100(a), 1798.110).

(b) Right of Access

  • Users can request confirmation of whether WimboTM processes or has disclosed their personal data, and receive a detailed record including categories of third-party recipients, disclosure purposes, and retention periods (GDPR Art. 15; CPRA § 1798.110(c)).

(c) Right to Rectification

  • Users may request correction or supplementation of inaccurate or incomplete personal data. WimboTM will notify third-party recipients of corrections unless impossible or requiring disproportionate effort (GDPR Arts. 16, 19).

(d) Right to Erasure ("Right to Be Forgotten")

  • Users may request deletion of personal data when it’s no longer necessary, or consent is withdrawn and no other legal basis exists. WimboTM will notify third parties of erasure (GDPR Art. 17; CPRA § 1798.105).

(e) Right to Object or Opt-Out

  • Users can object to direct marketing or cross-context behavioral advertising, and opt out of sale or sharing of data under CPRA § 1798.120. WimboTM provides a “Do Not Sell or Share My Personal Information” option for California users and equivalent opt-out mechanisms globally.

(f) Right to Withdraw Consent

  • Consent-based data disclosures can be withdrawn at any time without affecting prior lawful processing (GDPR Art. 7(3)).

(g) Right to Restriction of Processing

  • Users can request temporary suspension of data sharing if data accuracy is contested, processing is unlawful, or data is retained only for legal claims (GDPR Art. 18).

ARTICLE IX — SPECIAL PROVISIONS ON CHILDREN’S DATA AND VERIFICATION DISCLOSURES

9.1 WimboTM complies with strict global standards to protect children’s personal data. It applies rigorous procedural, legal, and technical safeguards when handling, verifying, or disclosing children’s data, ensuring adherence to laws such as COPPA (U.S.) and equivalent frameworks internationally.

9.2 Disclosure of personal data relating to Children (under 13 years of age) is subject to the following constraints and shall be permitted only in the following instances:
(a) Verified Parental Disclosures

  • Data may be disclosed only to a verified Parental Account Holder, as defined in Wimbo’s Organizer Policy, solely for organizing or administering a registered Kids Event.

(b) Statutory Age Verification

  • Limited personal data (such as age or date of birth confirmation) may be disclosed to authorized age-verification vendors or legal authorities to comply with COPPA (15 U.S.C. §§ 6501–6506), GDPR Art. 8, and Australian Privacy Principle 9.

(c) Parental Consent Register

  • Prior to disclosure, verifiable parental consent must be obtained via industry-standard methods (e.g., knowledge-based authentication, payment token, signed consent form). This consent must be:

    • Timestamped,

    • Digitally signed (where applicable),

    • Retained in a centralized Consent Ledger for at least seven (7) years or as required by law.

(d) No Commercial Profiling or Behavioral Tracking

  • Children’s data must never be used for advertising, sold, or shared for behavioral profiling unless strictly necessary for event access and explicitly authorized by parents under separate documented consent.

ARTICLE X — TECHNICAL AND ORGANIZATIONAL SAFEGUARDS FOR DATA DISCLOSURE

10.1 All data disclosures by or on behalf of WimboTM are protected by a multilayered compliance and security framework consistent with GDPR Article 32, ISO/IEC 27001, and NIST SP 800-53 standards. Key safeguards include:

(a) Encryption Protocols

  • Data is encrypted in transit using TLS 1.3 and at rest with AES-256 or stronger encryption, implementing forward secrecy and routine key rotation.

(b) Role-Based Access Control (RBAC)

  • Access to shared data is strictly limited to authorized personnel via unique credentials, enforced multi-factor authentication (MFA), and finely tuned access rights aligned with job responsibilities.

(c) Secure APIs and Tokenization

  • All data transfers with third parties occur through signed, authenticated API calls. Personally Identifiable Information (PII) is tokenized when full identifiers are not essential for processing.

(d) Logging and Monitoring

  • Every data disclosure is recorded in immutable security event logs, continuously monitored for suspicious activity, and reviewed during quarterly security audits.

(e) Vendor Security Assessments

  • Third-party recipients undergo rigorous due diligence, including execution of Data Processing Agreements (DPAs), review of penetration testing results, and completion of security questionnaires.

(f) Data Minimization Protocols

  • WimboTM discloses only the minimum necessary personal data for the stated lawful purpose, consistent with GDPR Article 5(1)(c), and applies pseudonymization whenever possible to reduce exposure of full identifiers.

ARTICLE XI — DATA RETENTION AND STORAGE DURATION OF SHARED DATA

11.1 WimboTM retains personal data disclosed to third parties only for the duration necessary to achieve the specific lawful purpose for which it was shared, in compliance with:

  • GDPR Art. 5(1)(e) — proportionality in data retention;

  • CPRA § 1798.105(c) — limits on data lifecycle.

11.2 Specific retention periods depend on:

(a) Transactional Necessity

  • Data needed for ticketing, identity verification, or event access is kept only for the operational period of the event plus an additional secure archival timeframe as required for audit, compliance, or dispute resolution.

(b) Legal Recordkeeping

  • Certain disclosures—such as payments, invoices, and tax reports—are retained for a period of 5 to 7 years to comply with applicable jurisdictional tax, corporate, or financial recordkeeping laws.

(c) Ongoing User Relationship

  • Personal data may be retained for as long as a user maintains an active account or contractual relationship with WimboTM, or as necessary to fulfill ongoing user requests and obligations.

11.3 At the end of the applicable retention period, WimboTM shall securely:

  • Delete the personal data using digital wiping techniques compliant with NIST standards, or

  • Anonymize the data so that it permanently cannot be linked to any identifiable individual.

ARTICLE XII — DISCLOSURE LEDGER AND TRANSPARENCY LOGGING

12.1 To comply with GDPR Article 30 (Records of Processing Activities) and CPRA § 1798.135, WimboTM maintains a comprehensive Data Sharing Ledger which serves as:

  • An internal compliance and audit record, and

  • A register accessible to users upon verified request.

12.2 Each entry in the ledger documents:
(a) The nature and category of data disclosed (e.g., full name, ticket info)
(b) The legal basis for disclosure (e.g., user consent, contractual necessity)
(c) The intended purpose of the disclosure (e.g., identity verification, event access)
(d) The recipient entity’s identity and jurisdiction
(e) The time, date, and method of transfer (e.g., encrypted API call, secure email)
(f) Any actions taken by the data subject related to the disclosure (e.g., objections, rectification requests)

12.3 The Data Sharing Ledger is retained for a minimum of six (6) years from the disclosure date, or longer where mandated by tax, regulatory, or evidentiary requirements.

12.4 Data Subjects may request a summary report of their personal data disclosures from WimboTM. This report will be redacted as needed to protect confidential or third-party proprietary information.
