GOFRENDLY’S PRIVACY NOTICE

Last changed: 9 July 2024

GoFrendly AB, reg.no. 559050-9252 (“GoFrendly”, “we”, “our” or “us”) respects and protects your privacy. This privacy notice (“Privacy Notice”) aims to describe how GoFrendly as a data controller processes your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and other applicable privacy legislation. It also describes what rights you have under the GDPR and how you can enforce them.

1 TO WHOM DOES THIS PRIVACY NOTICE APPLY?

1.1 Business customers and potential business customers Our app gives you the opportunity to get in contact with other users in order to hopefully initiate new friendships (the “Service”). ThisPrivacy Policy applies to the personal data we collect and process in connection with your use of the Service, which for example include registering for a personal user account, send messages or communicate with other users in the Service, post or upload information in the Service, etc.

2 CONTACT DETAILS TO DATA CONTROLLER

GoFrendly is the data controller for the processing of your personal data as described in this Privacy Notice. As the data controller, we are responsible for ensuring that our processing of your personal data takes place in accordance with the GDPR and other applicable data protection legislation.

If you have any questions about this Privacy Notice, our processing of your personal data or if you wish to exercise any of your rights, please contact us at info@gofrendly.com or through the contact details below.

GoFrendly AB reg.no: 559050-9252

Address: C/o Claudia Gård, Rullharvsvägen 4, 137 39 Västerhaninge.

E-mail: info@gofrendly.com

3 HOW DO WE COLLECT YOUR PERSONAL DATA?

We process personal data provided by you when you use the Service, for example, personal data you provide us with when you sign up for the Service, send messages or communicate with other users in the Service, post or upload information in the Service or enable us to collect your geographical position. We may also collect information that is indirectly provided by you via your Facebook or Google account, Apple ID or e-mail address (subject to your selection) or automatically collected through your usage of the Service.

Depending on the user’s device, the Service may request certain permissions that allows the service to access the user’s personal data on such device. Permissions must always be granted by the user before respective information is accessed and processed by the Service and includes, but is not limited to, camera permission, precise location permission (continuous) and reminders permission. In order to revoke these permissions, we refer you to your devices’ settings. Note that revoking of such permissions might impact the proper functioning of the Service.

You, as a user, are responsible for any personal data obtained, published or shared via the Service which you have obtained from a third party. You shall also be able to confirm that you have such third party’s’ approval to provide such personal data to us.

When you use the Service, we may collect data such as IP address, browser type, time zone settings as well as information about how you use our Service from your device. We collect this personal data from your device through the use of cookies, server logs, pixels and similar technologies (“Cookies“).

4 IF YOU DO NOT PROVIDE YOUR PERSONAL DATA

If you are a user of our Service, we process your personal data in order to enter into an agreement with you in order to provide you the Service. It is necessary that you provide certain personal data to us in order to enter into an agreement with us and for us to administer the relationship with you. If you do not provide us with the necessary personal data, it is not possible for us to enter into an agreement with you or provide you with the Service. We will not provide our Service to you if we have not entered into an agreement.

5 OUR PROCESSING OF PERSONAL DATA

In the tables below, you will find a summary with information about why we process your personal data, the categories of personal data processed for the stated purpose, how long we process your personal data and the legal basis on which we base the processing. If we base the processing on a legitimate interest as a legal basis, we have also stated what the legitimate interest is.

6 LEGITIMATE INTEREST

When GoFrendly has stated “legitimate interest” as the legal basis in the section above, it means that we have assessed that we or a third party have a legitimate interest in the processing being carried out (you will also find information about what the identified legitimate interest is in the section above). In addition to identifying the legitimate interest, we have also weighed this interest against your interests or fundamental rights and freedoms that require the protection of personal data. We can only base the processing of your personal data on a legitimate interest as a legal basis if we have carried out a balancing of interest and concluded that our or a third party’s interests outweigh your interests or fundamental rights and freedoms.

If we process your personal data on the basis of a legitimate interest, you can contact us through the contact details provided in section 2 to obtain further information about the performed balancing of interest, through a so-called legitimate interest assessment. Please note that the assessments are general (e.g., based on an average individual in the relevant category) and that no individual assessment has been made.

7 AUTOMATED DECISION-MAKING

We do not use automated processes to make decisions that significantly affect you.

8 HOW LONG WE RETAIN YOUR PERSONAL DATA

We will only retain your personal data for as long as it is needed for the purposes for which we collected the personal data and as described in this Privacy Notice. When we no longer need your personal data, we will remove it from our systems, databases, and backups unless we have a legal obligation to save your personal data for a longer period. More specific retention periods are provided in the tables above under section 5.

You may unsubscribe from our newsletters or similar communication at any time. In such event we will no longer store or process your personal data for such purposes.

Processing of your personal data, which is based on your given consent may be stored and processed until you withdraw such given consent.

9 WITH WHOM DO WE SHARE YOUR PERSONAL DATA?

GoFrendly may disclose your personal data to the categories of recipients listed below. For a detailed list of the recipients to which we have disclosed your personal data, please contact us through the contact details provided in section 2.

9.1 Data processors

GoFrendly may engage other companies to process your personal data on our behalf as data processors. Such companies may only process your personal data in accordance with our instructions. We enter into data processing agreements with these companies and ensure a high level of protection to safeguard your personal data. We use the following types of data processors:

• IT and system suppliers – GoFrendly may share your personal data with IT and system suppliers to manage necessary operation, technical support and maintenance of our IT services. It may also be e.g. providers of email, hosting and analyse systems.

• Marketing and communications agencies – GoFrendly may share your personal data with marketing and communications agencies engaged to assist GoFrendly with marketing communications to customers and potential customers.

• Accounting firm – GoFrendly may share personal data contained in invoices and accounting information with our accounting firm, which has been engaged to GoFrendly to fulfill its obligations under the Accounting Act.

9.2 Independent data controller

GoFrendly may share personal data with parties who are independent data controllers, which means that the party independently determines the purposes for which the personal data will be processed and how the processing will be carried out (i.e., the means for the data processing). When sharing personal data with these parties, they have an obligation to inform you about their processing of your personal data. Hence, their respective privacy notice applies to their processing.

• Authorities and the judiciary – in some cases, we may need to disclose your personal data to courts and law enforcement authorities (e.g., the police authority) in accordance with e.g. law. Additionally, we may also need to disclose personal data to other parties in court proceedings or similar. Such disclosure is based on a legitimate interest as a legal basis or to fulfill a legal obligation under law.

• External advisors – we may share your personal data with external advisors, such as audit firms or law firms, in accordance with law or to obtain advice. These advisors usually act as independent data controllers, and a disclosure is usually based on a legitimate interest as a legal basis.

10 WHERE DO WE PROCESS YOUR PERSONAL DATA?

GoFrendly strives to process your personal data within the EU/EEA. In certain circumstances, we may need to transfer your personal data to a country outside the EU/EEA (“Third Country”), as set out below.

Adequate level of protection for transfers outside the EU/EEA

We may transfer your personal data to recipients in countries that the European Commission has determined ensure an adequate level of protection. This means that the European Commission has assessed that the level of protection in this country is equivalent to that in the EU/EEA and that it is therefore possible to transfer personal data to such a country without taking additional security measures. You can find more information on which countries are subject to adequacy decisions on the European Commission’s website.

The European Commission has also decided that the United States ensures an adequate level of protection provided that the recipient is covered by the so-called EU-US Data Privacy Framework (“DPF”). GoFrendly may transfer your personal data to the United States and in such cases will ensure that the receiving party (the data importer) is certified according to the DPF, unless other appropriate safeguards are in place.

Appropriate safeguards for transfers outside the EU/EEA

If your personal data is transferred to a Third Country outside the EU/EEA that is not covered by an adequacy decision by the EU Commission or is certified by the EU/US Data Privacy Framework, we will ensure that there are appropriate safeguards in place. Appropriate safeguards may be that the party transferring the personal data to a Third Country (the data exporter) and the party importing personal data into a Third Country (the data importer) have entered into the EU Commission’s standard contractual clauses for international transfers or that other safeguards have been taken. In the event that these safeguards are not considered sufficient, we can ensure that we have also taken contractual, technical or organizational supplementary measures to ensure an essentially equivalent level of protection as within the EU for the personal data transferred to the Third Country.

Please contact us through the contact details provided under section 2 for more information on a specific transfer or to obtain a copy of the relevant documentation regarding the safeguards taken. You can also read more at the Swedish Authority for Privacy Protection website, available here, regarding what applies under the GDPR for transfers to Third Countries and appropriate safeguards.

11 YOUR RIGHTS

11.1 Our responsibility for your rights

GoFrendly is responsible, in its capacity as data controller, for ensuring that your personal data is processed in accordance with applicable data protection legislation and that you can effectively exercise your rights under the GDPR. You can find more information about your rights in the sections below and at the Swedish Authority for Privacy Protection (IMY’s) website, available here. In order to exercise your rights, you may contact us at any time through the contact details provided under section 2 in this Privacy Notice. Please do not forget to specify the right to which the request relates.

Time limits

GoFrendly is obliged to respond to your request to exercise your rights within one month of receiving your request and to inform you of the action taken. In the event that a request is complex or if we have received a large number of requests, we are entitled to extend the time limit by two additional months (i.e., in total no later than three months from receipt of the request). We will notify you of such an extension including the reason for the extension within one month. If we do not take any action in response to your request, we are obliged to notify you within one month of receipt of your request: (i) that the action has not been taken; (ii) the reason for this; and (iii) inform you of your right to lodge a complaint with the supervisory authority and seek judicial redress.

As a general rule, it is free of charge

All information, communication and actions we carry out are free of charge for you. If requests related to your rights are manifestly unfounded or unreasonable, we have the right to either charge a reasonable administrative fee for providing the information or carrying out the requested action. We may also refuse to comply with your request.

We may need to identify you

If we have reasonable grounds to doubt the identity of the applicant, we may request additional information necessary to confirm your identity. We will not collect more personal data than necessary.

11.2 Your rights of access, rectification, erasure and restriction

According to the GDPR, you have certain rights in relation to the data we process about you, which are described below. Some of these rights apply under certain conditions, which you can read more about below. You have the right to request the following rights.

a) Access to your personal data. In order for you to check whether processing of your personal data is taking place and whether the processing is lawful, you have the right to request access to your personal data. This means that you have the right to receive confirmation of whether we process your personal data and, if so, receive a copy of the personal data we are processing about you, free of charge. If you are only interested in a certain category of personal data or data processed for a specific purpose (for example, direct marketing), please indicate this in your request. In connection with the access request, you will also receive information about the processing, such as the reason why we process your personal data (i.e., the purpose of the processing), the envisaged period for which the personal data will be stored (if possible), to whom the personal data have been or will be disclosed, etc. For any additional copies you request, we are entitled to charge a reasonable administration fee to cover our administrative costs. If you make a request in electronic format, such as by e-mail, we will provide you with the information in a commonly used electronic format, unless you request otherwise.

b) Rectification or completion of your personal data. If we process personal data that is inaccurate, you have the right to request rectification. We will also, on our own initiative, rectify or erase information that we discover to be inaccurate. You also have the right to complete any incomplete personal data by providing a supplementary statement.

c) Erasure of your personal data. In some cases, you have the right to have your personal data deleted. This applies in the event that:

i. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

ii. we process your personal data on the basis of your consent and you withdraw the consent, provided that there is no other legal basis for the processing of the personal data;

iii. we process your data for direct marketing purposes and you object to this processing;

iv. you object to our processing of your personal data that takes place based on the legal basis legitimate interest or a public interest, and we have no compelling legitimate grounds for the processing which override your interests, rights and freedoms;

v. we have processed the personal data unlawfully; or

vi. we have a legal obligation to delete the personal data.

There are exceptions to the right to erasure. For example, there may be requirements in law or other compelling reasons that prevent us from deleting your personal data. We may e.g. be prevented from deleting your personal data due to archiving purposes in the public interest, scientific or historical research purposes or for statistical purposes.

d) Restriction of processing. This means that we temporarily restrict the processing of your personal data so that they are only processed for certain limited purposes. We will inform you before the restriction of processing ends. You have the right to request restriction when:

i. you consider your data to be inaccurate and you have requested rectification as

defined in section 11.2 b), while we establish the accuracy of the personal data;

ii. the processing is unlawful, and you do not want the personal data to be erased;

iii. we, as the data controller, no longer need to process your personal data for the purposes of the processing, but you need them to be able to establish, exercise or defend a legal claim; or

iv. you have objected to the processing as set out in section 11.3, while pending verification of whether our legitimate grounds override yours.

We will take all reasonable measures possible to notify all recipients of your personal data as set out in section 9 above if we have rectified, erased or restricted access to your personal data after you have requested us to do so, provided that it is not impossible or if it would involve a disproportionate effort. At your request, we will inform you about who we have disclosed personal data to.

11.3 Your right to object to our processing of your personal data

You have the right to object to our processing of your personal data if we base the processing on a legitimate interest as a legal basis (see section 5 above). When you object, you must provide reasons for your objection that are related to your specific situation. If you object to a processing, we will only continue the processing if we have compelling legitimate grounds to continue the processing which override your specific reasons, interests, rights and freedoms or if the processing is necessary to establish, exercise or defend legal claims.

11.4 Your right to object to direct marketing including profiling

If you do not want us to process your personal data for direct marketing purposes, which include profiling, you always have the right to object to such processing (including profiling) by contacting us. Once we have received your objection, we will cease to process your personal data for this purpose. If you receive marketing communications from us by e-mail or text message, you can also click on our unsubscribe link at the bottom of each e-mail and text message.

11.5 Your right to withdraw your consent

If we process your personal data based on your consent as a legal basis (see section 5 above), you have the right to withdraw your consent at any time by contacting us. We are then not entitled to continue the processing of your personal data if there is no other legal basis for the processing. You will find our contact details in section 2 of this Privacy Notice.

If you wish to withdraw a consent that you have given to us in order to receive our direct marketing by email or SMS, you can choose between contacting us to withdraw your consent or clicking on our unsubscribe link which you will find at the bottom of each email.

If you have given your consent to the placement of Cookies in our Service you can withdraw your consent by clicking on the icon in the bottom right corner of our website and then clicking on “refuse”.

11.6 Your right to data portability

You have the right to data portability when we process your personal data by, for example, when the legal basis for the processing is your consent or performance of a contract. Your right to data portability means that you have the right to receive the personal data that you have provided to us in a structured, commonly used, and machine-readable format and to transfer this personal data to another data controller. You may also request that we transfer the personal data directly to another data controller, provided that such direct transfer is technically possible.

11.7 Your right to lodge a complaint with the relevant supervisory authority

You always have the right to lodge a complaint with the relevant supervisory authority if you believe that our processing of your personal data violates the GDPR. This is particularly the case in the member state where you have your habitual residence, place of work or where the infringement was committed. The supervisory authority in Sweden is the Swedish Authority for Privacy Protection (IMY). You can contact IMY through the e-mail address imy@imy.se or through the contact details provided on IMY’s website, available here.

12 WE PROTECT YOUR PERSONAL DATA

Our mission is that you feel comfortable when we process your personal data. We have thereforeimplemented both technical and organizational security measures, including access restrictions and regular internal controls, to protect your personal data against, for example, unauthorizedaccess, alteration, or loss. In the event of a personal data breach that could significantly affectyou or your personal data, such as the risk of fraud or identity theft, we will contact you to explainwhat has happened and advise you on how to reduce the risk of potentially harmful effects.

13 COOKIES AND SIMILAR TECHNOLOGIES

We use Cookies in our Service to improve your experience with us and adapt our services to your needs and preferences. Our Cookie Policy explains in more detail how we use Cookies and what choices you can make about our Cookies. Please see our Cookie Policy (https://www.gofrendly.se/cookie-policy/) for more information.

14 LINKS TO THIRD-PARTY SITES

Our Service may contain links to third party sites. If you click on a third-party link, you will be directed to that site. Note that these external sites are not operated by GoFrendly and, therefore, we strongly advise you to review the privacy notices of these websites. We have no control over, and assume no responsibility for the content, privacy notices, or practices of any third-party sites or services.

15 CHANGES TO THIS PRIVACY NOTICE

GoFrendly may change this Privacy Notice. In the event of a change, you will receive clear information about the change and what it means for you within a reasonable time before the amended version becomes effective. This applies provided that the change is not merely linguisticor editorial but involves a fundamental change in the processing itself, or if the change is not afundamental change but we consider it to be relevant and to affect you. If a change in theprocessing of your personal data requires that your consent is obtained, you will be notified of this and given the opportunity to provide your consent.

You can always find the latest version of the Privacy Notice on our website and we will always

indicate the date of the last update at the top of the Privacy Notice.