COINIS PLATFORM
PRIVACY POLICY
Combined privacy notice for all categories of data subjects
Document version: 1.0 — Initial release
Effective date: May 2026
Last updated: May 2026
About this version (v1.0 Initial). This is the initial Privacy Policy of the Coinis Platform, drafted on the same legal foundations as the Coinis Terms and Conditions v1.0 Initial. The data controller is Coinis d.o.o. (Podgorica, Montenegro), the Coinis Group entity in which substantive product, engineering, customer-support and operational decision-making is concentrated. Coinis DIFC remains the contracting entity for the Services and the counterparty for billing, invoicing and dispute-resolution purposes under the Terms; for those limited billing-related purposes Coinis DIFC acts as processor of Coinis d.o.o. on the basis of an intra-group Data Processing Agreement satisfying Article 28(3) GDPR. The classification of Coinis d.o.o. as data controller reflects the substance-over-form principle articulated by the Court of Justice of the European Union in Cases C-25/17 Jehovan todistajat and C-184/20 OT v. Vyriausioji tarnybinės etikos komisija and the EDPB Guidelines 07/2020 on the concepts of controller and processor. Coinis acknowledges and accepts the extraterritorial application of (a) Regulation (EU) 2016/679 (GDPR) and Regulation (EU) 2024/1689 (EU AI Act) where the Services are offered to data subjects located in the European Union or European Economic Area, (b) the UK GDPR and the Data Protection Act 2018 where the Services are offered to data subjects located in the United Kingdom, (c) the Data Protection Law of Montenegro ("Sl. list CG" 79/08 with amendments) as the law of the place of establishment of the controller, (d) DIFC Data Protection Law No. 5 of 2020 in respect of personal data processed in the DIFC by Coinis DIFC as billing processor, (e) UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data in respect of UAE-onshore activities, (f) the Swiss nFADP where Services are offered to data subjects located in Switzerland, (g) the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100–1798.199.100, as amended by the CPRA), the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Utah Consumer Privacy Act and other US state privacy laws as they enter into force, where applicable. The primary supervisory authority is the Agencija za zaštitu podataka o ličnosti (AZLP); for European Economic Area data subjects, the lead supervisory authority is determined in accordance with Article 56 GDPR through the EU Article 27 representative. This Policy adopts the most protective default for every open privacy question. The bracketed items in red are factual data (Coinis d.o.o. registered address and CRPS number; Coinis DIFC full legal name, address, CRN; EU/UK representatives; sub-processor list) that Coinis must finalise immediately before publication.
IMPORTANT NOTICE TO ALL DATA SUBJECTS
This Privacy Policy (the "Policy") explains how the Coinis entity identified in Section 1 ("Coinis", "we", "us", or "our") collects, uses, discloses, retains and otherwise processes personal data when you use the Coinis Platform, the AI Ad Generator, the Publisher Network, the Coinis web crawler or any related service (together, the "Services"). It applies to all categories of data subjects defined in Section 4, including Users (Business and Consumer), Visitors, Subjects of AI-generated content and Customers-of-Customers.
0. How to read this Policy
0.1 Combined privacy notice
This Policy is a combined privacy notice covering all categories of data subjects whose personal data Coinis processes through the Services. Where a particular provision applies only to a specific category of data subject (for example, only to data subjects in the EU/EEA, only to California residents, or only to Subjects of AI-generated content), that limitation is expressly indicated. In all other cases, the provision applies to all data subjects.
0.2 Relationship to the Coinis Terms and Conditions
This Policy forms an integral part of the contractual framework governing your use of the Services and is incorporated by reference into the Coinis Terms and Conditions (the "Terms"). Capitalised terms not defined in this Policy have the meaning given to them in Section 3 (Definitions) of the Terms. Where a conflict arises between this Policy and the Terms in respect of the processing of personal data, this Policy prevails on that subject matter.
0.3 Order of precedence
The following order of precedence applies, from highest to lowest: (a) any mandatory provision of the data protection law of the data subject's habitual residence or otherwise mandatorily applicable to the processing; (b) any individually negotiated and signed Data Processing Agreement (DPA) between the data subject (or its controller, as the case may be) and Coinis; (c) the provisions of this Policy; (d) the provisions of the Terms; (e) any policy incorporated by reference into the Terms or this Policy (including the Acceptable Use Policy and the Cookie Policy).
0.4 Mandatory data-protection law prevails in case of conflict
Where any provision of this Policy is, when applied to a data subject, less protective than a mandatory rule of the data protection law of the data subject's habitual residence or otherwise mandatorily applicable to the processing, that mandatory rule prevails to the extent of the inconsistency. Coinis will not seek to enforce any such provision against a data subject to that extent. Mandatory provisions to which Coinis expressly defers include in particular Articles 12 to 23 GDPR (data subject rights), Articles 44 to 49 GDPR (international transfers), Article 9 GDPR (special categories), Article 22 GDPR (automated decisions), and equivalent provisions of the UK GDPR, DIFC DP Law No. 5 of 2020, UAE Federal Decree-Law No. 45 of 2021, the Swiss nFADP, the CCPA/CPRA and other applicable laws.
0.5 Defined terms
Capitalised terms used in this Policy have the meanings given to them either in this Policy, in the Terms, or, where neither defines them, the meanings given to them in the applicable data protection law (for example, "controller", "processor", "personal data", "processing", "data subject", "special categories of personal data", "recipient", "third country" have the meanings given to them in Article 4 GDPR).
0.6 Language
This Policy is drafted in English. The English version is the binding version. Translations into other languages are provided for information only. Where applicable national law requires that information be provided to a data subject in a specific language, that information will be provided in that language in addition to English.
PART I — CONTROLLER IDENTITY AND CONTACT
1. Controller identity, Coinis Group structure and contracting entity
1.1 The data controller
The data controller responsible for the processing of your personal data described in this Policy, within the meaning of Article 4(7) GDPR, Article 4(7) UK GDPR, Article 9 of the DIFC Data Protection Law No. 5 of 2020 and the equivalent provisions of UAE Federal Decree-Law No. 45 of 2021, the Swiss nFADP and the Data Protection Law of Montenegro is:
- Legal name: Coinis DOO
- Place of establishment: Podgorica, Montenegro
- Registered address: Stanka Dragojevica, 20
- Commercial registration: 50708966
- Tax identification number: 03014215
- General privacy contact: [email protected]
- Primary supervisory authority: Agencija za zaštitu podataka o ličnosti i slobodan pristup informacijama (AZLP), Podgorica, Montenegro, https://www.azlp.me; for European Economic Area data subjects, the lead supervisory authority is determined in accordance with Article 56 GDPR through the EU Article 27 representative referenced in Section 2.
Coinis d.o.o. is the entity that determines the purposes and means of the processing of personal data for the operation of the Coinis Platform, including product engineering, customer support, retention practices, sub-processor onboarding, security operations and content-moderation procedures. The classification of Coinis d.o.o. as data controller reflects the substantive allocation of decision-making within the Coinis Group, in accordance with the substance-over-form principle articulated by the Court of Justice of the European Union in Cases C-25/17 Jehovan todistajat and C-184/20 OT v. Vyriausioji tarnybinės etikos komisija and the EDPB Guidelines 07/2020 on the concepts of controller and processor.
1.2 The contracting entity for the Services
The Services provided through the Coinis Platform are contracted to you by a different Coinis Group entity, namely:
- Legal name: Coinis Limited
- Place of establishment: Dubai International Financial Centre (DIFC), Dubai, United Arab Emirates
- Registered address: Unit IH-00-01-01-OF-01, Level 1, Innovation One, Dubai International Financial Centre, Dubai, United Arab Emirates
- DIFC Registrar of Companies number: CL12431
Coinis DIFC is the counterparty under the Coinis Terms and Conditions, the entity that issues invoices and to which fees are payable, and the counterparty for the purposes of the dispute-resolution regime set out in Section 33 of the Terms (DIAC arbitration with seat in the DIFC). Coinis DIFC processes a limited subset of your personal data — specifically your name, billing email address, billing address, VAT identification number (where applicable) and payment-method tokens — strictly for the purposes of contracting, invoicing, payment processing, accounting and tax-record retention, on the legal bases of performance of a contract (Article 6(1)(b) GDPR) and compliance with a legal obligation (Article 6(1)(c) GDPR). For those limited billing-related purposes, Coinis DIFC processes personal data on behalf of, and on the documented instructions of, Coinis d.o.o. as controller, in accordance with an intra-group Data Processing Agreement that satisfies Article 28(3) GDPR. For the avoidance of doubt, Coinis DIFC does not determine the purposes or means of the processing of User Content, AI Output, biometric data or other Platform-generated personal data.
1.3 Coinis Group affiliates acting as processors of Coinis d.o.o.
In addition to Coinis DIFC (which acts as billing processor as set out in Section 1.2), Coinis d.o.o. as controller engages other Coinis Group affiliates as processors within the meaning of Article 28 GDPR for specific operational functions:
- Coinis Ltd (United States) — U.S.-market sales support, customer success and marketing operations, acting solely on the documented instructions of the controller pursuant to an intra-group Data Processing Agreement that satisfies Article 28(3) GDPR and, in respect of personal data of EEA, UK and Swiss data subjects, on the basis of the EU-U.S. Data Privacy Framework, the UK Extension and the Swiss-U.S. DPF (where Coinis Ltd is self-certified) or the EU SCCs Module 3 with Transfer Impact Assessment;
- Other Coinis Group affiliates not listed above.
Each Coinis Group affiliate engaged as a processor (a) processes personal data only on the documented instructions of Coinis d.o.o.; (b) ensures that persons authorised to process personal data have committed themselves to confidentiality; (c) implements the technical and organisational measures required by Article 32 GDPR; and (d) is bound by the obligations set out in Article 28(3)(a) to (h) GDPR. Transmission of personal data within the Coinis Group is conducted on the legal basis described in Section 7.4 (legitimate interests of intra-group transmission within the meaning of Recital 48 GDPR).
1.4 Where Coinis acts as processor for Business Users
Where Coinis processes personal data on behalf of a Business User (in particular User Content, audience lists, and personal data of the Business User's own customers and end-users that the Business User uploads to or generates through the Platform — the so-called "Customer-of-Customer Data"), the Business User is the controller and Coinis d.o.o. is the processor within the meaning of Article 28 GDPR. In that scenario, the relationship between the Business User and Coinis d.o.o. is governed by a Data Processing Agreement (DPA) which forms an integral part of the Coinis Terms and Conditions, and Coinis d.o.o. processes the personal data only on the Business User's documented instructions, the Business User remaining responsible for the lawfulness of its instructions and the underlying processing.
2. EU and UK regulatory representatives
Where the Services are offered to data subjects located in the European Union, the European Economic Area or the United Kingdom, or where the conduct of data subjects in those territories is monitored, Coinis acknowledges that Article 3(2) GDPR and Article 3(2) UK GDPR apply notwithstanding the place of establishment, and that Coinis is required to designate representatives in those territories pursuant to Article 27 GDPR and Article 27 UK GDPR.
Data subjects may contact the relevant representative directly on all issues related to processing for the purposes of ensuring compliance with the GDPR or the UK GDPR, in addition to or instead of contacting Coinis.
3. Data Protection Officer
Coinis has appointed, or will appoint where required by Article 37 GDPR, the UK GDPR, the DIFC DP Law No. 5 of 2020, the UAE PDPL or other applicable law, a Data Protection Officer ("DPO") to oversee Coinis's data protection compliance.
PART II — DATA SUBJECTS, CATEGORIES OF DATA, PROCESSING
4. Categories of data subjects
This Policy applies to the following categories of data subjects:
- Users — Business: authorised representatives, administrators and end-users of Business Users (for example, employees of an advertising agency or e-commerce business that uses the Coinis Platform).
- Users — Consumer: natural persons who use the Services for purposes outside their trade, business, craft or profession.
- Visitors: natural persons who visit the Coinis websites, marketing pages or download Coinis content without creating an account.
- Publishers: authorised contacts of entities participating in the Coinis Publisher Network.
- Subjects of AI-generated content: natural persons depicted, voiced or otherwise identifiable in AI Output, including subjects of Custom Avatars and individuals whose likeness, voice or other personal attributes are used by Users to generate AI Output.
- Customers-of-Customers: end-users, leads, audiences and other natural persons whose personal data is uploaded to the Platform by a User as User Content or who interact with advertising delivered through the Services.
- Job applicants and personnel: addressed in a separate HR privacy notice and outside the scope of this Policy except where personnel act in their capacity as Coinis representatives processing User personal data.
5. Categories of personal data we process
Depending on the data subject category and the Services used, Coinis processes the following categories of personal data:
5.1 Identity and account data
Name, email address, password (hashed), telephone number, postal address, country of residence, language preference, billing details, VAT identification number, company name (where applicable), job title (where applicable).
5.2 Authentication and security data
Login credentials, multi-factor authentication factors, IP address, device identifiers, browser fingerprint, session identifiers, security tokens, login timestamps, suspicious-activity flags.
5.3 Usage and product analytics
Pages visited, features used, prompts submitted, AI Outputs generated, Tokens consumed, conversion events, error reports, crash logs, performance metrics, click and tap events, A/B testing assignments. Aggregated, pseudonymised or anonymised analytics where technically feasible.
5.4 User Content and User Input
Any text, image, video, audio, voice sample, document, dataset, customer list, audience segment, brand asset, advertising creative, prompt, instruction, template, Brand Kit element or other content that you upload, generate, paste, transcribe, transmit or otherwise submit to the Platform. To the extent any such User Content or User Input contains personal data of natural persons, that personal data is processed in accordance with Article 28 GDPR (as a processor on behalf of the User as controller) and the applicable Data Processing Agreement.
5.5 Biometric data (Custom Avatars and Custom Voice)
The Coinis Platform offers two features that involve the processing of biometric data within the meaning of Article 4(14) GDPR: (a) Custom Avatars — synthetic video personas built from a photograph of an identifiable natural person, including the User themselves; and (b) Custom Voice — synthetic voice models built from a voice recording of an identifiable natural person, including the User themselves. For these features, Coinis processes:
- source photographs and voice samples uploaded by the User;
- facial-image embeddings, facial-geometry vectors and other technical representations derived from the source photographs that allow or confirm the unique identification of the natural person depicted;
- voiceprints, vocal feature vectors and other technical representations derived from the voice samples that allow or confirm the unique identification of the natural person whose voice is sampled;
- derivative outputs (the rendered Custom Avatar videos, synthesised voice clips and lip-synchronised translations) that incorporate the foregoing biometric representations.
Such processing is conducted strictly in accordance with Section 9 of the Terms and Section 11 of this Policy, on the legal basis of explicit consent of the data subject under Article 9(2)(a) GDPR or another permitted Article 9(2) derogation. Custom Avatar and Custom Voice creation is unavailable to Users located in the State of Illinois (USA), the State of Texas (USA) and the State of Washington (USA) until further notice.
5.6 AI training and model-improvement data
Subject to Section 10 of this Policy, certain non-personal aggregated and de-identified usage data, prompts, telemetry and performance signals may be used to maintain, secure, debug and improve the Services, including model performance. Coinis does not use Business User Content for training of its general-purpose AI models without prior written consent or an executed Data Processing Agreement specifically authorising such use; Consumer User Content for the AI Ad Generator is subject to the more granular controls described in Section 10.
5.7 Cookies and tracking technologies
Cookies, pixel tags, web beacons, SDK identifiers, mobile advertising identifiers (IDFA, AAID), local storage entries, server-side fingerprints, postback tokens. Detailed information is set out in the Cookie Policy referenced in Section 27.
5.8 Communications and support data
Email correspondence, support chat transcripts, recordings of customer-success calls (with notice and, where required, consent), feedback, survey responses, NPS responses.
5.9 Financial and payment data
Billing details, invoicing data, payment-method tokens (we do not store full card numbers; payment is processed by PCI-DSS compliant third-party payment processors), payout details for Publishers, tax-residency declarations.
5.10 Crawler-derived data
Publicly accessible web content collected by the Coinis web crawler in accordance with robots.txt, the EU CDSM Directive Article 4(3) machine-readable opt-out for text-and-data mining, and analogous mechanisms in other jurisdictions, processed for the purposes set out in Section 10.4.
6. Sources of personal data
We collect personal data from the following sources:
- Directly from you: when you register, log in, configure your account, submit prompts, upload User Content, communicate with our support team, or otherwise interact with the Services.
- Automatically: through cookies, pixel tags, SDKs, server logs, error-monitoring tools and similar technologies as you use the Services.
- From third parties acting on your instructions: authentication providers (e.g., Google Sign-In, Microsoft Sign-In) where you use single sign-on; payment processors for billing data; identity-verification providers where applicable.
- From our Business Users (where Coinis acts as processor): Customer-of-Customer data, audience lists, advertising creatives and similar User Content that the Business User uploads to the Platform; in such case the Business User is the controller and the relationship is governed by the DPA referenced in Section 14 of the Terms.
- From publicly accessible sources: the Coinis web crawler collects publicly accessible web content under the conditions set out in Section 10.4.
- From sub-processors and service providers: technical signals (e.g., fraud-detection scores, deliverability metrics) transmitted to us by infrastructure or analytics providers acting on our documented instructions.
7. Purposes and legal bases of processing
We process personal data for the purposes and on the legal bases set out below. Where more than one legal basis is identified, Coinis selects the most appropriate basis for the specific processing operation in accordance with Article 6 GDPR and applicable equivalents.
7.1 Provision of the Services
Account creation, authentication, delivery of AI Output, processing of User Input, billing and payment, customer support.
- Legal basis (Users): performance of a contract — Article 6(1)(b) GDPR; Article 6(1)(b) UK GDPR; equivalent provisions in DIFC DP Law (Article 10(1)(b)), UAE PDPL (Article 5(2)), Swiss nFADP (Article 31(2)(a)).
- Legal basis (Customers-of-Customers, where Coinis acts as processor): the legal basis is determined by the Business User as controller and reflected in the DPA.
7.2 Compliance with legal obligations
Tax, accounting, AML/CTF screening, sanctions screening, retention of transaction records, response to lawful requests from competent authorities, fulfilment of regulatory representative obligations under Article 27 GDPR, Article 27 UK GDPR and Article 13 DSA.
- Legal basis: compliance with a legal obligation — Article 6(1)(c) GDPR.
7.3 Security, fraud prevention and abuse prevention
Detection of, investigation of and response to security incidents, fraud (including click fraud, payment fraud, account-takeover), abuse, prohibited content (Section 7 of the Terms), violations of the Acceptable Use Policy.
- Legal basis: legitimate interests — Article 6(1)(f) GDPR (interest in maintaining a secure and abuse-free service); compliance with a legal obligation — Article 6(1)(c) GDPR; performance of a contract — Article 6(1)(b) GDPR.
7.4 Intra-group transmission within the Coinis Group
Transmission of personal data from the controller (Coinis DIFC) to Coinis Group affiliates engaged as processors (in particular Coinis d.o.o. in Montenegro and Coinis Ltd in the United States, as identified in Section 1.2) for internal administrative, operational, engineering, support and similar back-office purposes.
- Legal basis: legitimate interests — Article 6(1)(f) GDPR, in conjunction with Recital 48 GDPR, which expressly recognises the legitimate interest of controllers that are part of a group of undertakings in transmitting personal data within the group for internal administrative purposes. Coinis has conducted and maintains a Legitimate Interest Assessment (LIA) addressing the three-stage purpose / necessity / balancing test as articulated in CJEU C-13/16 Rīgas satiksme. The data subject's right to object pursuant to Article 21 GDPR is preserved.
7.5 Improvement, analytics and product development
Aggregated and pseudonymised analytics on usage of the Services to improve features, identify bugs, optimise performance, and prioritise development. We do not use the content of Business User prompts, User Inputs or User Content for general-purpose AI model training without specific authorisation as described in Section 10.
- Legal basis: legitimate interests — Article 6(1)(f) GDPR, balanced against the rights and freedoms of data subjects.
7.6 Marketing communications
Sending newsletters, product updates, transactional emails, and (with consent) marketing communications about Coinis products and services.
- Legal basis: consent — Article 6(1)(a) GDPR (for marketing emails to Consumers and to new prospects), collected through a separate, granular, opt-in checkbox at the point of registration that is distinct from acceptance of the Terms and acceptance of this Policy; legitimate interests — Article 6(1)(f) GDPR for soft-opt-in marketing to existing customers in respect of similar products under Article 13(2) ePrivacy Directive 2002/58/EC and applicable national implementing law (e.g., section 22(3) PECR in the UK).
7.7 Biometric processing for Custom Avatars and Custom Voice
Processing of facial and voice biometric data for the purpose of generating Custom Avatar videos and Custom Voice clips (Section 11).
- Legal basis: explicit consent of the data subject pursuant to Article 9(2)(a) GDPR, recorded through a separate, granular, opt-in consent flow at the point of upload of the source materials, distinct from acceptance of the Terms and from any other consent.
7.8 Defence of legal claims
Establishment, exercise or defence of legal claims, including in arbitration under Section 33 of the Terms.
- Legal basis: legitimate interests — Article 6(1)(f) GDPR; Article 9(2)(f) GDPR for any special-category data necessary for legal claims.
8. Special categories of personal data
Coinis does not seek to process special categories of personal data within the meaning of Article 9(1) GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, sex life or sexual orientation) or data relating to criminal convictions and offences within the meaning of Article 10 GDPR, except where:
- (i) the data subject has given explicit consent under Article 9(2)(a) GDPR — relevant for Custom Avatar creation under Section 9.3 of the Terms (biometric data; sensitive vocal characteristics where applicable);
- (ii) the processing is necessary for reasons of substantial public interest, the establishment, exercise or defence of legal claims, or another derogation under Article 9(2) GDPR;
- (iii) the User submits such data as User Content or User Input on its own responsibility, in which case the User as controller bears responsibility for ensuring that an appropriate Article 9(2) basis applies and Coinis acts only as a processor on documented instructions.
Users are reminded that submission of special-category data through prompts, uploads or any other channel without an appropriate basis is a breach of Section 7 and Section 10.2 of the Terms.
9. Children
The Services are not directed at children. Coinis does not knowingly collect personal data from natural persons under the age of 18, and the Terms expressly prohibit account creation by minors under that age (Section 1.3 of the Terms). Where Coinis becomes aware that personal data of a minor has been collected without an appropriate legal basis, Coinis will delete that data without undue delay. Specific national thresholds may apply: under Article 8 GDPR, where applicable, the digital age of consent in respect of information-society services offered directly to a child is 16 years (or such lower age, not below 13, as the relevant Member State has set in national law); under the United States Children's Online Privacy Protection Act (15 U.S.C. §§ 6501–6506), services directed at children under 13 are prohibited absent verifiable parental consent.
PART III — AI-SPECIFIC PROCESSING
10. AI training data and use of User Content for model improvement
10.1 Default position
Coinis does not use the content of Business User prompts, User Inputs, User Content or AI Output for the training of general-purpose AI models without (i) the prior written authorisation of the relevant Business User, recorded in the applicable Order Form or Data Processing Agreement, and (ii) where the underlying material contains personal data, an appropriate legal basis under Article 6 GDPR (and, where Article 9 data is involved, an Article 9(2) derogation).
10.2 Aggregated, pseudonymised and de-identified usage signals
Coinis processes aggregated, pseudonymised and de-identified usage signals (frequency of feature use, latency metrics, error rates, prompt-length distributions, satisfaction signals such as thumbs-up/thumbs-down) for the purposes of operating, securing and improving the Services. Where such data is irreversibly anonymised within the meaning of Recital 26 GDPR and the Article 29 Working Party Opinion 05/2014 on anonymisation techniques, it falls outside the scope of the GDPR.
10.3 Consumer-tier opt-out
Where Coinis offers consumer-tier Services and processes Consumer User Content for the purpose of model improvement on the basis of legitimate interests under Article 6(1)(f) GDPR, Consumers may exercise their right to object pursuant to Article 21 GDPR by contacting [email protected] or, where available, through an in-product control. Coinis ceases such processing upon a valid objection unless overriding legitimate grounds prevail and are documented.
10.4 Crawler activities and text-and-data mining
The Coinis web crawler collects publicly accessible web content to support the Services. The crawler:
- respects robots.txt directives in accordance with the Robots Exclusion Protocol (RFC 9309);
- respects machine-readable text-and-data mining (TDM) opt-outs in accordance with Article 4(3) of Directive (EU) 2019/790 (CDSM Directive), including the IETF "NoAI", "NoTDM" and equivalent meta-tags and the TDMRep protocol where signalled;
- does not crawl content behind paywalls, login gates or other technical access-restriction measures without authorisation;
- does not bypass technical protection measures within the meaning of Article 6 of Directive 2001/29/EC (Information Society Directive).
Coinis acts as a controller in respect of crawler-derived personal data and relies on Article 6(1)(f) GDPR (legitimate interests) as the legal basis, balanced against the rights and freedoms of data subjects in accordance with the three-stage test of CJEU C-13/16 Rīgas satiksme.
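The crawler commitments of Section 10.4, expressed as a pre-ingestion gate that a compliance reviewer could run against a fetched page. This is an added example written for this page, not Coinis's crawler code: the product token "coinisbot", the robots.txt text, the HTTP status, headers and HTML fed to it are constructed assumptions, and it goes slightly beyond the section by also honouring an `X-Robots-Tag` header and query strings in the URL path.

```python
# Added illustration, not Coinis code: gate one fetched page on the three
# crawler commitments in Section 10.4 (robots.txt per RFC 9309, no
# access-restricted content, machine-readable TDM opt-outs). All inputs are
# constructed by the caller; "coinisbot" is an assumed product token.
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

TDM_OPT_OUT_TOKENS = {"noai", "notdm", "noimageai"}   # robots-style opt-out tokens


def parse_robots(text):
    """Parse robots.txt into {agent_token: [(is_allow, path_pattern), ...]}.

    RFC 9309 grouping: consecutive User-agent lines share the rules that follow;
    a User-agent line after a rule starts a new group; same-token groups merge.
    """
    groups, current, rules_seen = {}, [], False
    for raw in text.splitlines():
        field, sep, value = raw.split("#", 1)[0].partition(":")  # drop comments
        if not sep:
            continue
        field, value = field.strip().lower(), value.strip()
        if field == "user-agent":
            if rules_seen:                      # a rule was seen: new group
                current, rules_seen = [], False
            current.append(value.lower())
            groups.setdefault(value.lower(), [])
        elif field in ("allow", "disallow") and current:
            rules_seen = True
            for token in current:
                groups[token].append((field == "allow", value))
    return groups


def _pattern_matches(pattern, path):
    """RFC 9309 path matching: '*' is a wildcard, a trailing '$' anchors the end."""
    anchored = pattern.endswith("$")
    body = pattern[:-1] if anchored else pattern
    regex = "^" + ".*".join(re.escape(p) for p in body.split("*"))
    return re.match(regex + ("$" if anchored else ""), path) is not None


def robots_allows(groups, product_token, path):
    """Most specific (longest) matching rule wins; ties favour Allow. The group
    for the product token is used if present, else '*'; no group means allow."""
    rules = groups.get(product_token.lower())
    if rules is None:
        rules = groups.get("*", [])
    best = None                                 # (pattern length, is_allow)
    for is_allow, pattern in rules:
        if pattern and _pattern_matches(pattern, path):
            key = (len(pattern), is_allow)
            best = key if best is None or key > best else best
    return True if best is None else best[1]


class _MetaCollector(HTMLParser):
    """Collect (name, content) pairs from <meta> tags, lower-cased."""
    def __init__(self):
        super().__init__()
        self.meta = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name"):
            self.meta.append((a["name"].lower(), (a.get("content") or "").lower()))


def tdm_opt_out_reasons(headers, html):
    """List the machine-readable TDM/AI opt-out signals present on the page:
    TDMRep 'tdm-reservation: 1' (header or meta), X-Robots-Tag and robots meta."""
    reasons, hdr = [], {k.lower(): v for k, v in headers.items()}
    if hdr.get("tdm-reservation", "").strip() == "1":
        reasons.append("tdm-reservation header")
    xrt = {t.strip().lower() for t in hdr.get("x-robots-tag", "").split(",")}
    if xrt & TDM_OPT_OUT_TOKENS:
        reasons.append("x-robots-tag " + ",".join(sorted(xrt & TDM_OPT_OUT_TOKENS)))
    collector = _MetaCollector()
    collector.feed(html)
    for name, content in collector.meta:
        if name == "tdm-reservation" and content.strip() == "1":
            reasons.append("tdm-reservation meta")
        elif name == "robots":
            found = {t.strip() for t in content.split(",")} & TDM_OPT_OUT_TOKENS
            if found:
                reasons.append("robots meta " + ",".join(sorted(found)))
    return reasons


def crawl_decision(url, product_token, robots_txt, status, headers, html):
    """Return (decision, reasons): 'skip' (robots.txt or access-restricted),
    'no-tdm' (may be read, must not be mined) or 'ingest'."""
    parts = urlsplit(url)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    if not robots_allows(parse_robots(robots_txt), product_token, path):
        return "skip", ["robots.txt disallows " + path]
    if status in (401, 402, 403):               # login gate or paywall
        return "skip", ["access-restricted (HTTP %d)" % status]
    reasons = tdm_opt_out_reasons(headers, html)
    return ("no-tdm", reasons) if reasons else ("ingest", [])
```

The gate is deliberately conservative: a page that is allowed by robots.txt but carries any opt-out signal is still never passed to a mining or training pipeline.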
10.5 GPAI provider transparency
To the extent Coinis qualifies as a provider of a general-purpose AI model within the meaning of Article 3(63) of the EU AI Act (Regulation (EU) 2024/1689), Coinis will publish and maintain a sufficiently detailed summary of the content used for the training of such model in accordance with Article 53(1)(d) of the EU AI Act.
11. Custom Avatars, Custom Voice and biometric data
11.1 Scope of biometric processing
The Custom Avatar feature and the Custom Voice feature of the Platform involve the processing of biometric data within the meaning of Article 4(14) GDPR for the purpose of uniquely identifying a natural person, which constitutes special-category processing under Article 9(1) GDPR. The biometric processing comprises:
- for Custom Avatars: extraction of facial-geometry embeddings from one or more uploaded photographs of the data subject; storage of those embeddings; use of the embeddings to render synthesised video output that uniquely depicts the data subject; lip-synchronisation of that output to multiple languages;
- for Custom Voice: extraction of voiceprints and acoustic feature vectors from one or more uploaded voice recordings of the data subject; storage of those voiceprints; use of the voiceprints to synthesise speech that uniquely reproduces the vocal identity of the data subject in any script and any of the supported languages.
11.2 Lawful-basis architecture
Coinis processes Custom Avatar and Custom Voice biometric data only on the basis of:
- explicit consent of the data subject under Article 9(2)(a) GDPR, recorded through a separate, granular, opt-in consent flow displayed at the point of upload of the source materials and distinct from acceptance of the Terms and acceptance of this Policy, in line with EDPB Guidelines 05/2020 on consent and CJEU C-673/17 Planet49. The canonical text of that consent flow is set out in the Coinis Biometric Consent Form, available at https://coinis.com/legal/biometric-consent and reproduced verbatim in the in-product upload screen in English and (for data subjects whose habitual residence is in Montenegro) in the Montenegrin language. The consent and accompanying metadata (timestamp, IP address, user agent, document version, source-file hash) are logged for accountability purposes pursuant to Article 7(1) GDPR; or
- another applicable Article 9(2) derogation, where lawfully available and properly documented.
Where the data subject is a person other than the User (for example, where a Business User builds a Custom Avatar of one of its employees, brand ambassadors or talent), the User represents and warrants that it has obtained from that data subject (i) the explicit Article 9(2)(a) consent required by data-protection law and (ii) the written release required by applicable right-of-publicity laws (including, where applicable, California Civil Code §§ 3344, 3344.1, AB 2602 and AB 1836, New York Civil Rights Law §§ 50–51 and the Tennessee ELVIS Act of 2024). The corresponding contractual obligations are set out in Section 9 of the Terms.
11.3 Geographic exclusion
Coinis does not offer Custom Avatar or Custom Voice creation to Users located in the State of Illinois, the State of Texas or the State of Washington (United States), in order to mitigate compliance exposure under:
- the Illinois Biometric Information Privacy Act, 740 ILCS 14 (BIPA), section 15 of which requires a written release prior to the collection of biometric identifiers and biometric information and which carries statutory damages of USD 1,000 (negligent) or USD 5,000 (intentional or reckless) per violation, with per-scan accrual confirmed in Cothron v. White Castle System, Inc., 2023 IL 128004;
- the Texas Capture or Use of Biometric Identifier Act, Tex. Bus. & Com. Code § 503.001 (CUBI), which provides for civil penalties of up to USD 25,000 per violation enforced by the Texas Attorney General;
- the Washington biometric-privacy law, RCW 19.375, which requires notice and consent for enrolment of biometric identifiers in a commercial database and is enforced by the Washington Attorney General under the Consumer Protection Act.
In addition, Coinis does not provision biometric workloads in any AWS data-centre region located within the territory of the foregoing States, regardless of the data subject's location. Coinis reserves the right to extend or contract this geographic exclusion as the regulatory landscape evolves and as Coinis implements the BIPA-, CUBI- and RCW 19.375-specific compliance procedures necessary to lift the exclusion.
11.4 Data minimisation, security and retention
Source photographs, voice recordings, derived facial embeddings and derived voiceprints are processed in accordance with the principles of Article 5(1)(c) GDPR (data minimisation) and Article 5(1)(e) GDPR (storage limitation):
- source materials and derived biometric representations are stored encrypted at rest using AES-256 or equivalent, with key management configured so that decryption keys are held under the control of Coinis;
- access is restricted to authorised personnel under the principle of least privilege and is subject to multi-factor authentication and audit logging;
- source materials and biometric representations are retained for so long as the relevant Avatar or Voice model is maintained and in any event no longer than thirty (30) days following withdrawal of consent or deletion of the Avatar or Voice model by the User;
- derivative outputs already shared with downstream services (advertising platforms, social-media accounts of the User) are subject to the takedown propagation procedure described in Section 9.6 of the Terms.
11.5 Stock Avatars and look-alike issues
Stock Avatars are synthetic, fictional personas generated by Coinis without intentional reference to any specific natural person and pre-screened against a watch-list of public figures pursuant to Section 9.4 of the Terms. Stock Avatars do not involve the biometric processing of any User; however, where a Stock Avatar is alleged by a third party to bear an unintended resemblance to that third party in a manner that gives rise to a right-of-publicity, biometric or related claim, the look-alike takedown mechanism in Section 9.2 of the Terms applies.
11.6 AI Act transparency and synthetic-content marking
All Custom Avatar videos and Custom Voice clips generated by the Platform are marked as AI-generated synthetic content in accordance with Article 50(2) of the EU AI Act (Regulation (EU) 2024/1689), through the technical measures set out in Section 12 of this Policy (C2PA Content Credentials, invisible watermarking, IPTC photo-metadata fields, user-facing disclosures).
12. Provenance, watermarking and AI Act transparency
In accordance with Article 50 of the EU AI Act and analogous transparency obligations under other laws, Coinis implements technical measures to mark AI Output as such, including:
- C2PA Content Credentials embedding where supported by the Output format;
- invisible watermarking (e.g., SynthID-equivalent or proprietary techniques) where format and use case permit;
- IPTC photo-metadata fields signalling AI-generated content for image Outputs;
- user-facing visual or auditory disclosure where Output is published in a context where its synthetic nature is not otherwise apparent.
Where the User downstream-distributes AI Output, Section 9.5 of the Terms imposes corresponding obligations on the User to maintain or restore provenance markers.
13. Automated decision-making and profiling
Coinis does not use the personal data of data subjects to make decisions which produce legal effects concerning them or similarly significantly affect them, based solely on automated processing within the meaning of Article 22(1) GDPR, except:
- (i) where necessary for entering into or performance of a contract between the data subject and Coinis (Article 22(2)(a) GDPR), in particular automated fraud-detection scoring of Publisher accounts, automated risk-assessment of suspicious billing or login activity, automated AUP enforcement (such as automatic content blocking and account suspension where prohibited content is detected by classifier);
- (ii) on the basis of explicit consent (Article 22(2)(c) GDPR); or
- (iii) where authorised by EU or Member State law that lays down suitable measures (Article 22(2)(b) GDPR).
Where Article 22 applies, the data subject has the right to obtain human intervention, to express a point of view and to contest the decision. To exercise these rights, contact [email protected]. Coinis maintains internal documentation of significant automated decisions, including logic involved and the significance and envisaged consequences of the processing.
PART IV — DISCLOSURES, TRANSFERS, RETENTION, SECURITY
14. Recipients of personal data
Coinis discloses personal data only to the categories of recipients set out below and only to the extent necessary for the relevant purpose.
- Coinis personnel: authorised employees, contractors and authorised agents of Coinis acting under appropriate confidentiality obligations and need-to-know access controls.
- Sub-processors: infrastructure, hosting, communication, analytics, payment, anti-fraud, customer-support and similar service providers acting on our documented instructions, listed in Annex II of this Policy. Each sub-processor is engaged under a written contract that imposes obligations equivalent to those of Article 28(3) GDPR.
- Coinis DIFC as billing processor: Coinis DIFC processes a limited subset of personal data (name, billing email, billing address, VAT number, payment-method tokens) for contracting, invoicing, payment processing, accounting and tax-record retention, as set out in Section 1.2.
- Other Coinis Group affiliates acting as processors: Coinis Ltd (United States) and other affiliated entities of the Coinis Group as identified in Section 1.3 and Annex II, in each case acting solely on the documented instructions of the controller pursuant to intra-group Data Processing Agreements that satisfy Article 28(3) GDPR. The legal basis for transmission within the Coinis Group is set out in Section 7.4 (legitimate interests under Recital 48 GDPR).
- Professional advisers: auditors, accountants, legal counsel and similar advisers under duties of confidentiality.
- Competent authorities: supervisory authorities, courts, tax administrations, sanctions authorities and law-enforcement bodies, where Coinis is required by law to disclose personal data or where disclosure is necessary to establish, exercise or defend legal claims.
- Successors in interest: in connection with a merger, acquisition, restructuring, sale of assets or insolvency, where personal data is transferred as part of the relevant transaction, subject to the recipient assuming obligations not less protective than those in this Policy.
Coinis does not sell personal data within the meaning of Cal. Civ. Code § 1798.140(ad) (CCPA/CPRA) and does not share personal data for cross-context behavioural advertising within the meaning of Cal. Civ. Code § 1798.140(ah). Where the Coinis Publisher Network involves the transmission of audience data to advertisers, Coinis acts on the documented instructions of the Business User as controller pursuant to Article 28 GDPR and the relevant DPA.
15. Hosting infrastructure and storage location
Coinis's primary hosting infrastructure is provided by Amazon Web Services, Inc. ("AWS"), a sub-processor listed in Annex II. AWS is self-certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework (collectively, the "Data Privacy Framework" or "DPF"). Personal data is stored and processed in one or more of the following AWS regions, depending on the data subject's location, the Service requested and Coinis's data-residency configuration in force at the relevant time:
- AWS U.S. regions (e.g., us-east-1 N. Virginia, us-east-2 Ohio, us-west-2 Oregon) — for non-EU/non-UK data subjects by default and, where Section 16 transfer mechanisms apply, also for EU/UK data subjects;
- AWS European regions (e.g., eu-central-1 Frankfurt, eu-west-1 Ireland) — where Coinis has elected to provide regional data residency for EU/UK data subjects, for Business Users with executed regional-residency Order Forms, and for backups intended to remain within the EEA;
- AWS Middle East region (me-central-1 UAE) — for limited operational and disaster-recovery purposes, including hosting close to the Coinis DIFC place of establishment.
Coinis does not knowingly store or process personal data of Custom Avatars in any AWS region located in the State of Illinois or the State of Texas, in order to mitigate compliance exposure under the Illinois Biometric Information Privacy Act (740 ILCS 14) and the Texas Capture or Use of Biometric Identifier Act (Tex. Bus. & Com. Code § 503.001), regardless of the data subject's location.
16. International transfers
16.1 Recognition that transfers occur
The data controller (Coinis d.o.o.) is established in Montenegro, which is not a Member State of the European Economic Area and which has not received an adequacy decision from the European Commission under Article 45 GDPR or from the United Kingdom Secretary of State under Article 45 UK GDPR. Personal data of data subjects located in the European Economic Area, the United Kingdom, Switzerland or other jurisdictions may, depending on the Service used and the Coinis Group affiliate involved in execution, be transferred to and processed in third countries other than Montenegro, including in particular the United States (in the AWS regions identified in Section 15) and the United Arab Emirates (Coinis DIFC, as billing processor). Where the GDPR, the UK GDPR or the Swiss nFADP applies extraterritorially under Article 3(2) GDPR (and equivalent provisions), such transfers constitute international transfers within the meaning of Chapter V GDPR and the equivalent provisions of the UK GDPR and the Swiss nFADP. Transfers from Montenegro itself are governed by Articles 47–49 of the Data Protection Law of Montenegro.
16.2 Transfer mechanisms relied upon
Coinis relies on the following transfer mechanisms, alone or in combination, depending on the recipient and the relevant exporting jurisdiction:
- Adequacy decisions and Data Privacy Framework: for transfers to recipients in the United States that are self-certified under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF or the Swiss-U.S. DPF (Article 45 GDPR; Commission Implementing Decision (EU) 2023/1795). Coinis's primary U.S. sub-processor (AWS) is so certified;
- Standard Contractual Clauses: Commission Implementing Decision (EU) 2021/914 of 4 June 2021, applying the relevant Module (typically Module 2 — controller-to-processor — for sub-processor relationships, and Module 3 — processor-to-processor — for processor sub-engagements). For UK transfers, the UK International Data Transfer Agreement (IDTA) issued by the Information Commissioner's Office on 21 March 2022 or the UK Addendum to the EU SCCs is used. For Swiss transfers, the EU SCCs as adapted by the FDPIC guidance are used (Article 46(2)(c) GDPR; Article 17(1)(d) Swiss nFADP);
- Article 49 derogations: only where the conditions of Article 49 GDPR are strictly met, in particular for occasional and non-repetitive transfers necessary for the performance of a contract concluded in the interest of the data subject or for the establishment, exercise or defence of legal claims;
- DIFC and UAE export rules: transfers from the DIFC to other jurisdictions are conducted in accordance with Articles 26 and 27 of the DIFC DP Law No. 5 of 2020; transfers from the UAE onshore to other jurisdictions are conducted in accordance with Articles 22 and 23 of the UAE Federal Decree-Law No. 45 of 2021.
16.3 Transfer Impact Assessment
In line with the judgment of the Court of Justice of the European Union of 16 July 2020 in Case C-311/18 ("Schrems II"), and the EDPB Recommendations 01/2020 on supplementary measures, Coinis has conducted and maintains a Transfer Impact Assessment (TIA) in respect of transfers to the United States, addressing in particular the legal framework of Section 702 of the U.S. Foreign Intelligence Surveillance Act (50 U.S.C. § 1881a), Executive Order 12333, the Clarifying Lawful Overseas Use of Data Act ("CLOUD Act", 18 U.S.C. § 2713) and the safeguards introduced by Executive Order 14086 of 7 October 2022 (Enhancing Safeguards for United States Signals Intelligence Activities) and the redress mechanism through the Data Protection Review Court. A copy of the TIA is available to data subjects and Business Users on reasonable request to [email protected], subject to redactions necessary to preserve trade secrets, security-sensitive information and the privacy of third parties.
16.4 Supplementary measures
Coinis applies a layered set of supplementary measures, including:
- encryption of personal data at rest using AES-256 or equivalent, with key management configured so that decryption keys are held under the control of Coinis (and, where feasible, in EU-located key-management infrastructure);
- encryption of personal data in transit using TLS 1.2 or higher with modern cipher suites and certificate pinning where appropriate;
- pseudonymisation of personal data where technically feasible, in accordance with Article 4(5) GDPR;
- strict access controls, including least-privilege role-based access, multi-factor authentication, just-in-time access for elevated operations and full audit logging;
- contractual commitments from sub-processors to challenge unlawful government access requests, to notify Coinis of any binding access requests where lawful, to publish transparency reports and to comply with the EDPB Recommendations 02/2020 on the European Essential Guarantees;
- organisational measures, including a written sub-processor approval procedure, periodic audits of sub-processors, an internal incident-response procedure and dataflow inventories.
16.5 Right to obtain a copy of safeguards
Where transfers are made on the basis of Article 46 GDPR appropriate safeguards (in particular SCCs), data subjects may obtain a copy of the relevant safeguards, with reasonable redactions, by contacting [email protected]. References to such transfers also appear in Annex II (Sub-processors) of this Policy.
17. Retention periods
Coinis retains personal data only for as long as necessary for the purposes for which it is processed, and in any event no longer than the periods set out below, unless a longer retention period is required by law or is necessary for the establishment, exercise or defence of legal claims.
- Account and identity data: for the duration of the contractual relationship and seven (7) years after termination, in line with general statutes of limitation for contract claims (e.g., Article 2224 French Code Civil; section 5 UK Limitation Act 1980; § 195 BGB extended in commercial contexts).
- Billing, invoicing and tax records: for the period required by applicable tax and accounting law (typically 7–10 years; e.g., section 147 German Abgabenordnung; UAE Federal Decree-Law No. 8 of 2017 on VAT, Article 78).
- Authentication, security and audit logs: up to twenty-four (24) months for security analysis and incident-response purposes, with longer retention only for confirmed incidents.
- User Content and AI Output: for the duration of the contractual relationship and ninety (90) days following deletion of the relevant Account, after which content is irreversibly deleted from production systems; backups follow a rolling deletion schedule consistent with our backup policy.
- Custom Avatar source materials and biometric embeddings: only for so long as the Avatar is maintained, and in any event no longer than thirty (30) days following withdrawal of consent or deletion of the Avatar, in encrypted form throughout.
- Marketing data and consents: until consent is withdrawn or the data subject becomes inactive for a continuous period of twenty-four (24) months, whichever is earlier; records of consent are retained for the duration of the underlying processing plus three (3) years for accountability purposes (Article 7(1) GDPR).
- Cookies and tracking identifiers: see the Cookie Policy for individual retention periods of each cookie or similar technology; in no case longer than thirteen (13) months for analytics or advertising cookies set by Coinis.
- Crawler-derived content: retained only for so long as necessary to provide the Services; data identified as withdrawn through robots.txt, TDM opt-outs or rights requests is removed within a reasonable time.
- Records of data subject requests: for three (3) years following completion, for accountability under Article 5(2) and Article 24 GDPR.
18. Security of processing
Coinis implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR, including:
- encryption of personal data at rest and in transit;
- ongoing confidentiality, integrity, availability and resilience of processing systems;
- ability to restore availability and access to personal data in a timely manner in the event of a physical or technical incident;
- regular testing, assessing and evaluating of the effectiveness of the technical and organisational measures, including vulnerability scans and penetration testing;
- identity-and-access management with role-based access control, multi-factor authentication and audit logging;
- written information-security policies, including secure-development guidelines, change-management, vendor risk management, and an incident-response plan;
- security awareness training of personnel and confidentiality undertakings;
- alignment with recognised industry standards (such as ISO/IEC 27001, ISO/IEC 27018 for cloud privacy and SOC 2 Type II reporting from primary sub-processors).
19. Personal data breach notification
In the event of a personal data breach within the meaning of Article 4(12) GDPR, Coinis will:
- notify the competent supervisory authority without undue delay and, where feasible, not later than seventy-two (72) hours after becoming aware of the breach, in accordance with Article 33(1) GDPR, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons;
- notify the affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms, in accordance with Article 34(1) GDPR;
- notify Business Users acting as controllers without undue delay after becoming aware of a breach affecting their data, in accordance with Article 33(2) GDPR and the relevant DPA;
- document the facts of the breach, its effects and the remedial action taken, in accordance with Article 33(5) GDPR.
Equivalent obligations under the UK GDPR, the DIFC DP Law No. 5 of 2020 (Article 41), the UAE PDPL (Article 9), the Swiss nFADP (Article 24) and applicable U.S. state breach-notification laws (e.g., Cal. Civ. Code § 1798.82, N.Y. Gen. Bus. Law § 899-aa, 815 ILCS 530/10) are also observed.
PART V — DATA SUBJECT RIGHTS
20. Rights under the GDPR and UK GDPR
Where you are located in the European Economic Area or the United Kingdom, or where the GDPR or UK GDPR otherwise applies to the processing, you have the following rights, subject to the conditions and limitations set out in those Regulations:
- Right of access: to obtain confirmation as to whether or not personal data concerning you are being processed and, where that is the case, access to the personal data and the information specified in Article 15 GDPR.
- Right to rectification: to obtain rectification of inaccurate personal data and to have incomplete personal data completed (Article 16 GDPR).
- Right to erasure ('right to be forgotten'): to obtain erasure of personal data concerning you in the circumstances set out in Article 17 GDPR.
- Right to restriction of processing: under the conditions of Article 18 GDPR.
- Right to data portability: to receive personal data concerning you in a structured, commonly used and machine-readable format and to transmit those data to another controller, where the conditions of Article 20 GDPR are met.
- Right to object: to object on grounds relating to your particular situation to processing based on Article 6(1)(e) or (f) GDPR, including profiling, and at any time to processing for direct-marketing purposes (Article 21 GDPR).
- Rights related to automated decision-making: not to be subject to a decision based solely on automated processing in the circumstances of Article 22 GDPR; to obtain human intervention, to express your point of view and to contest the decision.
- Right to withdraw consent: at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Article 7(3) GDPR).
- Right to lodge a complaint: with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement (Article 77 GDPR).
21. Rights under the DIFC DP Law
Where the DIFC Data Protection Law No. 5 of 2020 applies to the processing, you have rights of access, rectification, erasure, restriction, objection, portability, the right not to be subject to automated decisions and the right to lodge a complaint with the DIFC Commissioner of Data Protection, in each case as set out in Articles 32 to 39 of the DIFC DP Law.
22. Rights under the UAE PDPL
Where UAE Federal Decree-Law No. 45 of 2021 applies to the processing, you have rights of information, access, correction, deletion, restriction, objection, portability and rights in relation to automated decisions, in each case as set out in Articles 13 to 19 of that Law and the Executive Regulations thereunder.
23. Rights under U.S. state privacy laws
Depending on your state of residence in the United States, you may have additional rights, including:
- California (CCPA/CPRA, Cal. Civ. Code §§ 1798.100 et seq.): right to know, right to delete, right to correct, right to opt out of sale or sharing, right to limit use of sensitive personal information, right to non-discrimination, right of access to specific pieces of personal information.
- Virginia (VCDPA, Va. Code § 59.1-575 et seq.), Colorado (CPA, C.R.S. § 6-1-1301 et seq.), Connecticut (CTDPA, Conn. Gen. Stat. § 42-515 et seq.), Utah (UCPA, Utah Code § 13-61-101 et seq.), Texas (TDPSA), Oregon, Montana, Iowa, Tennessee, Indiana, Delaware, New Hampshire, New Jersey, Maryland, Minnesota, Rhode Island, Kentucky and other States as their laws come into force: rights of access, deletion, correction (where provided), portability, opt-out of targeted advertising, opt-out of sale, opt-out of profiling for decisions producing legal or similarly significant effects, and the right to appeal a denial of a request, in each case as set out in the relevant state law.
- Illinois (BIPA, 740 ILCS 14): rights in relation to biometric identifiers and biometric information; Coinis does not knowingly collect such data of Illinois residents (see Section 11).
To exercise these rights, contact [email protected] or use any state-specific request mechanism made available on our website. Coinis will respond within the period required by the applicable state law (typically 45 days, with one-time extensions where permitted).
24. Rights under the Swiss nFADP
Where the Swiss Federal Act on Data Protection of 25 September 2020 (nFADP) applies, you have rights of information, access, rectification, deletion, restriction, opposition and rights in relation to automated decisions, in each case as set out in Articles 25 to 32 of the nFADP, and the right to lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC).
25. How to exercise your rights
You may exercise the rights described in Sections 20 to 24 by contacting [email protected] or by writing to the postal address in Section 1. Coinis will respond to a verifiable request without undue delay and in any event within the period required by the applicable law (one (1) month under the GDPR and UK GDPR, with a possible extension of up to two (2) further months for complex requests; 45 days under most U.S. state laws, with permitted extensions).
Coinis may request additional information reasonably necessary to verify your identity and the legitimacy of your request, in accordance with Article 12(6) GDPR. Coinis will not charge a fee for the first request in any rolling twelve (12)-month period; manifestly unfounded or excessive requests, in particular because of their repetitive character, may be subject to a reasonable fee or refusal in accordance with Article 12(5) GDPR.
26. Right to lodge a complaint
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State or jurisdiction of your habitual residence, place of work or place of the alleged infringement. The list of EU/EEA supervisory authorities is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en. The UK supervisory authority is the Information Commissioner's Office (ICO), https://ico.org.uk. The DIFC supervisory authority is the Commissioner of Data Protection of the DIFC, https://www.dp.difc.ae. The UAE supervisory authority is the UAE Data Office. The Swiss supervisory authority is the FDPIC, https://www.edoeb.admin.ch.
PART VI — COOKIES AND TRACKING TECHNOLOGIES
27. Cookies and similar technologies
Coinis uses cookies and similar technologies (collectively, "cookies") to operate, secure and improve the Services. The detailed list of cookies, their purpose, retention period, third-party providers and the categorisation (strictly necessary, functional, analytics, advertising) is set out in the separate Coinis Cookie Policy available on the Coinis website.
In jurisdictions where prior consent is required for the storage of, or access to, information on a user's terminal equipment (in particular Article 5(3) of Directive 2002/58/EC, ePrivacy Directive, as transposed into national law), Coinis collects valid consent through a cookie-consent management platform that meets the requirements of EDPB Guidelines 05/2020 on consent and CJEU C-673/17 Planet49. Strictly necessary cookies are placed without consent in accordance with Article 5(3) ePrivacy Directive.
28. Consent management
Where consent is the legal basis for a particular processing operation, you may withdraw consent at any time by adjusting your preferences in the cookie-consent banner, by changing your account settings or by contacting [email protected]. Withdrawal of consent does not affect the lawfulness of processing before the withdrawal.
29. Global Privacy Control and Do Not Track
Coinis honours the Global Privacy Control (GPC) signal as a valid opt-out of sale or sharing of personal information for residents of jurisdictions that recognise such signals, including California (CPRA Regulations § 7025) and Colorado. Coinis does not currently respond to legacy "Do Not Track" browser signals as the standard remains non-uniform.
PART VII — FINAL PROVISIONS
30. Changes to this Policy
Coinis may update this Policy from time to time to reflect changes in our processing activities, in applicable law, or in the corporate or operational footprint of Coinis. The updated version will be made available on the Coinis website and will become effective on the date stated in the "Effective date" field at the head of the document, unless a later effective date is specified. Where the changes are material, Coinis will notify data subjects in advance through reasonable means (including, where appropriate, by email to the address associated with the Account or by prominent notice on the Coinis website).
31. Governing law for this Policy
This Policy and any non-contractual obligations arising out of or in connection with it are governed by the law of Montenegro (the place of establishment of the controller), without prejudice to (a) the application of mandatory data protection law of the data subject's habitual residence in accordance with Section 0.4, including the GDPR, the UK GDPR, the Swiss nFADP and applicable U.S. state privacy laws where they apply extraterritorially or by the law of the data subject's habitual residence, (b) the application of overriding mandatory provisions in accordance with Article 9 of Regulation (EC) 593/2008 (Rome I) where applicable, and (c) the right of data subjects to lodge a complaint with the supervisory authority of their habitual residence and to exercise judicial remedies in accordance with Article 79 GDPR (and equivalent provisions of other applicable laws), as preserved in Section 26 of this Policy.
32. Contact
- Privacy and DPO contact: [email protected]
- General notices: [email protected]
- Postal address: Coinis Limited, Unit IH-00-01-01-OF-01, Level 1, Innovation One, Dubai International Financial Centre, Dubai, United Arab Emirates.
ANNEXES
Annex I — Categories of personal data — overview
This Annex provides an overview of the principal categories of personal data processed by Coinis by data subject category. It is illustrative and does not limit the broader categories described in Section 5.
- Users (Business and Consumer): identity and account data; authentication and security data; usage and product analytics; User Content and User Input; communications and support data; financial and payment data.
- Visitors: IP address; device identifiers; cookie identifiers; pages visited; referrer; UTM parameters; consent records.
- Publishers: identity and contact data; KYC and AML data where applicable; payment and tax-residency data; performance metrics; fraud signals.
- Subjects of AI-generated content (including Custom Avatar subjects): name; image and likeness; voice samples; biometric embeddings; consent records; takedown-request data.
- Customers-of-Customers: data submitted by Business Users (controller) and processed by Coinis as processor under Article 28 GDPR; categories vary by Business User instructions.
Annex II — Sub-processors
Coinis engages the following sub-processors. The current detailed list, including name, location, function and applicable transfer mechanism, is maintained at the URL referenced at the foot of this Annex and updated from time to time. Business Users may subscribe to receive notice of additions or replacements in accordance with Article 28(2) GDPR and the relevant DPA.
Intra-group Coinis processors
- Coinis DIFC (Dubai International Financial Centre, UAE) — billing, invoicing, payment processing, accounting and tax-record retention; processes a limited subset of personal data (name, billing email, billing address, VAT number, payment-method tokens) on the documented instructions of Coinis d.o.o. as controller; transfer mechanism for transfers from the EEA, the United Kingdom or Switzerland: EU SCCs Module 2 (controller-to-processor), UK IDTA / Addendum and Swiss SCCs adaptation as applicable; legal basis for transmission: Article 6(1)(b) GDPR (performance of the service contract billed by Coinis DIFC) and Article 6(1)(f) GDPR in conjunction with Recital 48 GDPR (intra-group transmission).
- Coinis Ltd (United States) — sales, customer success, marketing operations and U.S.-market support; transfer mechanism: EU-U.S. DPF / UK Extension / Swiss-U.S. DPF where Coinis Ltd is self-certified, otherwise EU SCCs Module 2 with Transfer Impact Assessment.
- Other Coinis Group affiliates.
External sub-processors
- Hosting and infrastructure: Amazon Web Services, Inc. (AWS) — primary hosting; data residency by region as described in Section 15; transfer mechanism: EU-U.S. DPF / UK Extension / Swiss-U.S. DPF and EU SCCs Module 2 (controller-to-processor).
Annex III — Data subject request form
To submit a data subject request, please send an email to [email protected] containing the following information. Coinis may request additional verification information.
- Your full name and a means of contact (email and, optionally, postal address).
- The country of your habitual residence and, if applicable, the State of residence within the United States.
- The Coinis Account or other identifier with which your personal data is associated (where you have an Account).
- The right(s) you wish to exercise (access, rectification, erasure, restriction, portability, objection, opt-out of sale or sharing, opt-out of automated decisions, withdrawal of consent, complaint, other).
- A description of the personal data or processing activity to which the request relates, sufficient to enable Coinis to identify the relevant data.
- Where you act on behalf of another data subject, evidence of your authority to do so.
Coinis will acknowledge receipt of your request without undue delay and respond within the time period required by applicable law.