FANZO Privacy Policy
Last Updated: 17th April 2026
What this policy covers
FANZO recognizes the importance of personal privacy and security. This Privacy Policy describes how we collect, use, share, and protect personal information of users of our websites, mobile applications, and services (collectively, the "Services"), and the rights and choices available to you under applicable U.S. federal and state privacy laws, including the California Consumer Privacy Act, as amended by the California Privacy Rights Act (together, the "CCPA"), and the Children's Online Privacy Protection Act ("COPPA").
This policy is issued by Rail Media Inc., a Delaware corporation with a mailing address at P.O. Box 575, Monson, MA 01057, United States ("Rail Media," "we," "our," or "us"). Rail Media Inc. operates the FANZO-branded Services and is the entity that bills our customers in the United States. Rail Media Inc. is a wholly-owned subsidiary of FANZO Inc., a Delaware corporation, which is itself part of a corporate group whose ultimate parent is organized under the laws of England and Wales. References in this policy to "FANZO" refer to the FANZO-branded Services operated by Rail Media Inc.
Scope of this policy
By using our Services, subscribing to them, or submitting any online forms on FANZO-branded websites or applications, you agree that we may collect, process, store, and use your personal information in accordance with this policy. Your rights are described in the "Your Privacy Rights" and "Notice to California Residents" sections below.
This policy applies to individuals located in the United States. If you are located outside the United States and interact with our affiliated operations in another jurisdiction, a separate privacy notice may apply to you.
Information We Collect
We collect information about you when you provide it to us, when you use our Services, and when other services provide it to us. In the last 12 months we have collected the following categories of personal information (as those categories are defined in the CCPA):
- Identifiers: name, email address, mailing address, phone number, account username, device identifiers, IP address, and similar identifiers.
- Customer records: information you provide when signing up, such as venue information and billing contact details.
- Commercial information: records of products or services purchased, subscriptions, and promotional participation.
- Internet or other electronic network activity: browser type, referring website, pages viewed, features used, timestamps, and interactions with our Services.
- Geolocation data: approximate, non-precise location (e.g., city or region) derived from your IP address or device.
- Inferences: preferences and characteristics derived from the above to personalize your experience.
- Financial information (Venue customers only): bank account details and tax identification numbers collected for reimbursement and accounting purposes. Card payments are processed by our PCI-compliant payment processors (listed below); we do not store full card numbers.
We do not knowingly collect "sensitive personal information" as defined under the CCPA beyond what is necessary to authenticate your account (e.g., account login credentials).
How we collect this information:
- Account information: When you register for an account on FANZO or submit information to us, you may provide personal details such as your name, email address, and date of birth.
- Website visitors (Consumers): When visiting any FANZO-branded website, we may automatically collect non-personally identifying data such as your browser type, referring website, and timestamps of your visits. We also collect information when you sign up a venue, subscribe to our newsletter, or complete a form.
- Automatically collected information: When you use our Services, we may automatically collect data such as features you use, pages you visit, your approximate location, and frequency of platform use. This is typically used in aggregate form for analytics and product improvement.
- Venue Clients (Customers): We collect your email address, venue information, phone number, and name to register you for the service. You may also add other users. For payment processing we use third-party payment processors (such as Stripe); Rail Media does not store full payment card information. We may also collect bank account details and tax identification numbers (e.g., TIN or EIN) for reimbursement and U.S. tax reporting purposes.
- Cookies: FANZO and trusted partners, including Google Analytics, use cookies and similar technologies (such as pixels and tags) to recognize you and deliver personalized content. See our Cookie Policy at https://www.fanzo.com/en/cookies for more information.
How We Use Your Information
We process information you provide directly or indirectly, or that we collect automatically, for the following business purposes:
- Personalizing your experience by using your preferences to deliver relevant content
- Improving our website and Services through user feedback and behavior analysis
- Providing customer service and support
- Processing payments and reimbursements for venue customers
- Sending relevant push notifications (with opt-in/opt-out controls)
- Managing contests, promotions, surveys, and site features
- Sending marketing communications about promotions, offers, and content (with opt-out available in every marketing email and via your account settings)
- Providing aggregated, de-identified data to clients for insights and improvements
- Detecting, investigating, and preventing fraud, abuse, and security incidents
- Complying with legal obligations, including tax, accounting, and law-enforcement requirements
Sale or Sharing of Personal Information
Rail Media Inc. does not sell your personal information for money. We do, however, "share" personal information for cross-context behavioral advertising as that term is defined under the CCPA — specifically, when we use advertising cookies and similar technologies (such as Google Ads remarketing) to deliver interest-based ads. California residents and residents of other states that offer an opt-out right may opt out of this sharing. See "Your Privacy Rights" below.
We do not knowingly sell or share the personal information of any individual we know to be under 16 years of age.
Data Storage and Protection
We use reasonable technical and organizational security measures to protect your information, including access controls, encryption in transit, authentication protocols, and monitoring. Our production database is accessible only via authenticated channels using authorized keys, servers are dedicated and monitored, and passwords are stored using one-way cryptographic hashing. You are responsible for protecting your own devices, browsers, and account credentials from unauthorized access. For third-party sites we link to, we recommend reviewing their own privacy policies.
All personnel with access to personal information receive ongoing training on data protection. Physical access to our facilities is controlled to minimize the risk of internal data incidents.
Retention
How long we keep information depends on the type of account and information we hold. We retain personal information only for as long as necessary for the purposes for which it was collected, including to satisfy legal, tax, accounting, and reporting requirements. After the applicable period, we either securely delete the data or retain it in de-identified, aggregated form.
- Consumers: As long as your account is active, your account information will be retained. We may keep some data for up to 18 months after you deactivate your account (distinct from deleting it) in case you choose to reactivate. We may also retain information as necessary to comply with legal obligations, resolve disputes, enforce our agreements, and support business operations.
- Marketing communications: Unless you opt out, we may retain your information for marketing communications for up to 18 months after you deactivate your account. If you opt out, we retain your email address only on a suppression list to ensure you do not receive further marketing communications from us.
- Venue Customers: We hold account information for as long as your account remains active, and up to 7 years from the end of the fiscal year in which you deactivate your account to comply with applicable U.S. federal and state tax, accounting, and recordkeeping requirements.
If you delete, or request deletion of, your account, your personal information (other than what we are required to keep by law) will be securely and irreversibly deleted, and any remaining information will be de-identified.
Cookies and similar technology
We use cookies on our Services (small files that a site transfers to your device through your web browser) to enable our systems to recognize your browser and remember certain information. We may use cookies to understand and save your preferences for future visits and to tailor advertising with trusted third parties. You can view our full Cookie Policy at https://www.fanzo.com/en/cookies. You can also control cookies through your browser settings and, where applicable, through our on-site cookie preferences tool.
How We Share Information
We do not rent, sell, or trade your personal information for money. We may share personal information as follows:
- Service providers: Trusted vendors (listed under "Service Providers" below) who process information on our behalf under written contracts that restrict their use of the data to the services they provide to us.
- Corporate affiliates: Our parent company FANZO Inc., and its ultimate parent and affiliated entities, for ordinary corporate administration, product operations, and legal compliance.
- Legal and safety: Law enforcement, regulators, courts, or other parties when required by law, subpoena, or legal process, or where we believe in good faith that disclosure is necessary to protect rights, safety, or property.
- Business transfers: In the event of a merger, acquisition, financing, reorganization, bankruptcy, or sale of some or all of our assets, information may be transferred as part of that transaction, subject to the protections of this policy.
- With your consent: For any other purpose disclosed to you at the time of collection or with your consent.
We may also share aggregated, de-identified information for analytics, research, or marketing without restriction.
Your Privacy Rights
Subject to applicable law, you have the right to:
- Request access to the personal information we hold about you
- Request an electronic copy of your personal information (data portability)
- Request correction of inaccurate personal information
- Request deletion of your personal information
- Opt out of the "sharing" of your personal information for cross-context behavioral advertising
- Opt out of marketing communications
- Where we have asked for your consent, withdraw that consent at any time
To exercise any of these rights, contact us at [email protected] or write to Rail Media Inc., Attn: Privacy, P.O. Box 575, Monson, MA 01057. We will respond within the time required by applicable law (generally 45 days under the CCPA, extendable by an additional 45 days where reasonably necessary).
We will not discriminate against you for exercising your privacy rights. You may designate an authorized agent to make a request on your behalf; we may require reasonable verification of your identity and the agent's authority before acting on a request.
Notice to California Residents
If you are a California resident, you have the rights described above under the CCPA, including the right to know, right to delete, right to correct, right to opt out of "sale" or "sharing" of personal information, and right to limit the use and disclosure of sensitive personal information. Rail Media does not sell personal information for money, and does not use or disclose sensitive personal information for purposes that would trigger the right to limit under the CCPA. To submit a verifiable consumer request, email [email protected] or write to the address above.
You may also opt out of "sharing" for cross-context behavioral advertising by adjusting cookie preferences on our Services, by using the Global Privacy Control (GPC) signal in a supported browser, or by emailing [email protected].
California's "Shine the Light" law (Civil Code §1798.83) permits California residents to request information regarding the disclosure of their personal information to third parties for direct marketing purposes. We do not share personal information with third parties for their own direct marketing purposes.
Children's Online Privacy (COPPA)
Our Services are directed to users 18 years of age or older and are not intended for children. We comply with the Children's Online Privacy Protection Act ("COPPA") and do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will promptly delete it. If you believe a child has provided us with personal information, please contact [email protected].
Service Providers
We engage the following categories of service providers, each bound by contract to process personal information only as instructed and in accordance with applicable law:
- Stripe and similar PCI-compliant processors (for collecting customer payments)
- Accounting and invoicing platforms (for managing our accounting processes)
- Intercom (for customer service)
- Batch (for in-app messaging and notifications)
- Google LLC (for analytics and email delivery)
- Dotdigital (for email marketing and newsletters)
- Customer feedback and NPS tools (e.g., SurveyMonkey)
- Cloud infrastructure providers (e.g., DigitalOcean, AWS)
Google Analytics and Advertising
Our Services use Google Analytics to measure and evaluate web and application performance. Google Analytics uses cookies and similar technologies on our behalf to evaluate how users interact with our platforms. You can learn more about Google Analytics at https://policies.google.com/privacy and opt out of Google Analytics at https://tools.google.com/dlpage/gaoptout.
We may use Google's remarketing products and similar services to display ads across the Google Display Network and other ad networks. These ads are delivered based on cookies stored in your browser and are not linked to your personally identifiable account information. You can opt out of interest-based advertising at https://adssettings.google.com, by visiting the Digital Advertising Alliance opt-out page at https://optout.aboutads.info, or the Network Advertising Initiative at https://optout.networkadvertising.org.
Changes to this Privacy Policy
Rail Media may update this policy from time to time. Material changes will be communicated by posting the updated policy on our Services and, where appropriate, by email or in-app notice. The "Last Updated" date at the top of this policy will always reflect the most recent version.
Contacting Us
For questions about this policy, to exercise your privacy rights, or to reach our Privacy team:
- Email: [email protected]
- Mail: Rail Media Inc., Attn: Privacy, P.O. Box 575, Monson, MA 01057, United States
Your information is controlled by Rail Media Inc. (operating the FANZO-branded Services).