Privacy Policy

Effective Date: June 5, 2025

This FlirtBro (the “our”) Privacy policy (the “Privacy Policy”) demonstrates our dedication to safeguarding your privacy and the protection of your personal data when using any system or being in contractual relationship between company as a service provider and any natural person as a service user.

1. General provisions and definitions

1.1 Any person using Company’s services / systems is considered to be a client of the Company (the “Client” / “You”).

1.2 The Privacy Policy shall be applicable and interpreted in line with the Terms of service agreement (the “Agreement“). The definitions set out in the Agreement shall be applicable to this Privacy Policy.

1.3 By using the FlirtBro app (the “App”) and / or its designated website (the “Website”) or any other system / online ecosystem used by the Company to provide You services (collectively – the “System“), you agree to the Privacy Policy, which may get updated without prior notification.

1.4 You can contact the Company by sending a message via the Website in the “Contact us” section, as well as by sending us an email or inquiry to the registered address. For the matters regarding this Privacy Policy, as well as regarding any privacy matter, we recommend contacting the Company via email, by sending Your
inquiry to hello@flirtbro.com

1.5 The Company shall have the right to unilaterally modify and / or update the Privacy Policy at any time without notice. The continuous use of the Services / System by the Client shall be deemed as acceptance of Privacy Policy in the last and most updated version. Any Client shall periodically check and assess the Privacy Policy. Any updated version of this Agreement comes in force at the moment it is published at the System.

1.6 The latest version of the Privacy Policy shall be available at flirtbro.com/privacy-policy

1.8 By agreeing to the Agreement as per the rules set forth in the Agreement, You are automatically agreeing to the Privacy Policy. For the avoidance of doubt, You acknowledge understanding that by using System in any way prior to creating an Account (Clause 2. of the Agreement) or without logging-in to the System (for example, when browsing the Website), You are also bound by this Privacy Policy and Your data / information may be collected by the Company automatically.

1.9 If You disagree to be bound by the Privacy Policy in any scope or way, You must not use or must immediately cease Your use of the Services, System or any part of it, as well as its features and functionalities.

1.10 The Company values the trust that You place in the Company when using Services / System. For this reason, privacy and data security are extremely important to the Company. It is very important to the Company that You feel safe when You visit our System and use our Services, as well as in all other business transactions with the Company. As soon as You use Company’s System / Services, You entrust Company with the processing of Your personal data. The Company wants to offer You the best possible experience with the System to ensure that You can enjoy using Services now and in the future. That is why the Company wants to understand user behaviour on the System in order to continuously improve it. The processing of Your personal data is therefore not only necessary for the provision of Services, but also to improve user-friendliness. Therefore, in this Privacy Policy You are informed which personal data the Company collects from/about You, how the Company processes it and to whom the Company passes it on in detail. In addition, the Company informs you about the precautions it takes to protect Your personal data, what rights You have in this context and who You can contact regarding data protection issues.

1.11 In the light of the above, the Company strives to protect Your privacy and obliges to process Your personal data in accordance with the following rules and principles:

1.11.1 Processing shall be performed lawfully, fairly, and in a transparent manner.

1.11.2 Personal data must be adequate and limited to what is necessary in relation to the purpose for which it is processed.

1.11.3 Personal data shall be accurate and, where necessary, kept up to date.

1.12 This Privacy Policy is prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR“) and
other relevant legal acts, as well as with the best practices and principles of data protection. You can find information on applicable legal acts here: https://commission.europa.eu/law/law-topic/data-protection_en

1.13 With regard to the terms used in this Privacy Policy, such as “Processing" or "Controller", we refer to the definitions of the GDPR.

2. Applicability

2.1 This Privacy Policy applies to all persons who use the System / Services or otherwise interacts with the Company (e.g. business partners, interested parties, service providers, etc.). Generally, those persons who are hereinafter referred to as “Client” or “You”.

2.2 The Company’s System and Services are not meant for anyone under the legal age. Only people of legal age are allowed to use System, Services and register for an Account. The Company therefore do not knowingly collect personal data from minors. So, if You are under 18 years of age / under legal age under the laws imperatively applicable to You, please do not use the System / Services and do not provide us with any personal data.

2. Applicability

3 Controller, its obligations and scope

3.1 For the purposes of applicable data protection law, the Company is typically the “data controller” of any personal information provided to the Company. Very occasionally, the Company might act on specific retainers as a “processor” (by processing personal data only in accordance with the directions of a data controller, or as otherwise permitted by law).

3.2 Privacy Policy shall be applied to the processing of personal data by data controller (the Company) located in the Republic of Poland processing the personal data of data subjects (You) residing or working within or outside the European Economic Area (the “EEA”).

3.3 If You have any questions regarding the processing of Your personal data and the exercise of Your rights under the GDPR, You can contact our team: hello@flirtbro.com

3.4 The Company might require additional identification data from You for certain inquiries order to ensure that Your personal data is only passed on to You.

3.5 The Company, as a data controller (or in some cases – data processor), has the following obligations:

3.5.1 Data transfers. The Company shall not transfer personal data to country or territory outside the EEA unless that country ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

3.5.1.1 Where adequate level of protection is not ensured, an exemptions shall be made by a) creating adequate protection through appropriate safeguards (for example, by using Standard Contractual Clauses), or 2) by getting data subject‘s explicit consent and making sure the transfer does not conflict with the nature of Art. 46 of GDPR.

3.5.2 Data processing records. The Company shall keep data processing records upon its own decision, unless such record keeping is mandatory legal requirement.

3.5.3 Data protection. The company shall ensure proper data protection requirement implementation and optimization of procedures. The Company shall be equipped with the skills and know-how for safeguarding personal data.

You can contact Company’s staff regarding data protection by sending an email to hello@flirtbro.com

3.5.4 Data breach notification. The Company strives to protect Your personal data in the best way possible. However, sometimes data breaches occur, and such event can happen for various reasons.

3.5.4.1 In the case of a data breach that would prejudice the privacy, confidentiality and security of the personal data of a data subject, the Company, as a data controller, immediately upon becoming aware of such breach, shall notify the data regulator in the Republic of Poland (see Clause 7.1.9) of such data breach.

3.5.4.2 The required notification shall include details such as: the nature, category, reasons, approximate number and records of the data breach, a description of the likely consequences of the data breach; and a description of the measures and remedial action taken by the controller to address the data breach.

3.5.5 Data retention. The Company shall not store personal data after the completion of the purpose for which such data was processed unless the identity of the data subject is no longer identifiable through the use of anonymization techniques.

3.5.6 Sensitive personal data protection. In general, the Company does not process any special categories of personal data from Clients. This includes data that reveal racial or ethnic origin, political opinions, religious or ideological convictions or trade union membership, as well as genetic and biometric data. In some cases, during provision of Services, some sensitive personal data can be provided by the Clients and recorded by the Company. Such processing of sensitive personal data takes place exclusively based on Your own choice and expressed consent, which You can revoke at any time. The Company explicitly urges You not to provide any sensitive information since it is not required by the Company to provide Services.

3.5.7 Proper agreements between controller and processor. The processor shall perform and implement the processing of personal data based on the instructions of the controller and in accordance with the contracts and agreements entered into between them, which shall specifically set out the scope, subject-matter, purpos and nature of the processing, the type of personal data, and categories of data subjects. The Company, either acting as a controller or the processor, shall make sure beforehand that such agreements are concluded and are proper for planned data processing.

4. Data categories and sources

4.1 The Company may collect personal information from You in the course of provision of the Services, when You use the System, contact us or request information from us, or as a result of Your relationship with any of our personnel or clients.

4.2 The personal information that we might process includes:

4.2.1 Contact data. When creating a new user Account or communicating with the Company (for example, by contacting our support team), we may process basic details, such as Your name, Your contact information (such as Your email address).

4.2.2 Order data. In the context of ordering Services, we might process information relating to the matter on which You are seeking our Services.

4.2.3 Financial data. In the context of ordering Services and accepting payments, as well as making refunds we might process, for example: bank details (IBAN, BIC), information about the payment service provider, payment details, transaction-ID, etc.

4.2.4 Log data. During activities on the System and while using Services, we might process, for example: IP-address, traffic data, transaction data (like deposit, payment, refund withdrawal address), computer or mobile device information, frequency, time, length of visit and other page interaction data, operating system, browser type, device type, unique device identification number, identification cookies, optionally form data, crash reports, performance data, third-party cookies, etc.

At all times when using System / Services, we collect and process the following log data:

4.2.4.1 IP address of first or the last login.

4.2.4.2 Account credentials and other information as per Clause 2 of the Agreement, including date and time of Account creation, as well as log-in date and time.

4.2.4.3 Information collected by cookies and Google Analytics (see Clause 11.), for example: access time and dates, unique device identification number, other. The mentioned data in this Clause might be collected without assigning it to the specific user.

4.2.5 Marketing data. If You visit System or our social media sites, we might process statistical and marketing data, for example: number of visitors, frequency, clicks, time, places, target groups, data from cookies and similar technologies (pixels, ClearGIFs, etc.), consumer’s behavior, interests and preferences, data on market research and target group surveys, etc.

4.2.6 Photo, video and audio data. When we attend or organize events or fairs or conduct interviews with people, or You visit our offices or our meetings and events, or You conduct video / phone conversations or other communication with our team, we may take photos and other recordings of such events / communication and process photo, video and audio data, as well as data on time, location, participant list, etc. However, we will always inform You separately about any such recordings by photographic or video images and / or audio recordings.

4.2.7 Hiring data. If You apply for a job on our System, social media (for example, via LinkedIn), we may process data that is necessary for the recruitment process, for example: contact details, curriculum vitae, qualifications, police clearance certificate, credit report, national identity documents such as passport, driver's license and the data from all of these documents, links to Your portfolio or social media platforms, etc.

5. Purpose and legal basis

5.1 All processing is carried out in accordance with the GDPR. We process Your personal data based on at least one of the legal bases mentioned below. If the Company requests the provision of other personal data not described above, this data as well as the purpose and legal basis for the collection and processing will be communicated to the Client at the point of collecting the personal data.

5.1.1 Performance of the contractual obligations under the Agreement.

A controller (the Company) / processor may process personal data without the consent of the data subject (You) to which the data relates where processing is necessary for the performance of a contract (the Agreement) to which the data subject is party or in order to take steps at the request of the data subject for entering into, amending or terminating a contract.

5.1.2 Consent.

We may ask You to provide Your consent if data subject’s (Yours) consent is relied upon as a lawful basis for the processing of Your personal data. For example, we may ask You to express consent prior to using System before the Agreement is concluded or when You are using the System without logging-in, as well as before collecting / processing any other personal data not described in this Privacy Policy.

If You have given us Your consent to the processing of Your personal data, the processing will only occur for the defined purposes and to the extent agreed in the declaration of consent.

A given consent can be revoked at any time without giving reasons with effect for the future if You no longer agree to the processing.

With Your consent, we process data for the following purposes, for example:

Direct marketing and advertising (e.g., customer satisfaction surveys, newsletters, sweepstakes, and other advertising communications).

Website analysis and tracking for advertising purposes (see also our cookie policy at the Clause 11).

Certain uses of audio, video and photo data (e.g., commercials, interviews, etc.) for marketing and other representing purposes through various channels, as well as for the provision of Services.

Application management system, recruitment process and processing of Your application.

Revoking Your consent does not affect the legality of the processing carried out based on Your consent up to the point of withdrawal.

5.1.3 Compliance with legal obligations.

Processing of personal data may also be necessary to abide by various legal obligations. Such legal obligations include, for example, the following data processing operations: contract management, accounting, and invoicing, monitoring to prevent fraud, misuse, money laundering and terrorist financing, providing information to criminal authorities in context of fiscal criminal proceedings or prosecution to official orders, assessing the working capacity of the employee or the provision of health / social care, etc.

5.1.4 Protection of legitimate interests.

Where necessary, data processing can occur beyond the performance of the contract to ensure the legitimate interests of the Company or a third party. Such a legitimate interest includes the following data processing operations:

Prevention of fraud, misuse (e.g. for illegal purposes), money laundering and terrorist financing.

Risk management and risk minimization, e.g. through inquiries to credit agencies or other.

Identification and examination of potentially incorrect or suspicious business cases and access to our Website.

Data transfer within the Company for internal administrative purposes.

Account management and processing of general Client requests and inquiries.

Measures to protect our customers and partners as well as to ensure network and information security; also measures to protect our employees and property, e.g. through video surveillance and external data centers and service providers.

Processing of inquiries from authorities, lawyers, collection agencies in the context of legal prosecution and enforcement of legal claims in the context of legal proceedings.

Market research, business management and further development of services and products.

Processing of statistical data, performance data and market research data via the website, the app or social media platforms (e.g. Facebook, LinkedIn, etc.).

Processing of customer preferences (e.g. language, region) via cookies on our Website.

Direct marketing and advertising (e.g. implementation of marketing strategies).

Use of audio, video and photo data from public spaces (e.g. public events, fairs, etc.) for marketing and other representing purposes on our social media channels or our Website.

5.2 The Company may also process personal data without the consent of the data subject to which the data

relates where the data has been made public by the data subject (Article 9 of the GDPR).

6. Social media presence and other communication

6.1 The Company maintains social media presences on various platforms (see below) in order to communicate with its active customers, potential customers and interested social media users about Company’s services, products and other news. When accessing such social media platforms, the general terms and conditions and the privacy policies of these operators also apply. We would like to point out that

user data can also be processed outside of EEA or the region / location You are in. This can result in risks for users due to different legal frameworks (e.g. the en orcement of data subject rights could be made more difficult).

6.2 As part of the technical process of various social media platforms (e.g. Google, Facebook, X etc.), when You click on a content or a website You are visiting, they find out whether You are logged into Your social media account at the same time. This information is collected by social media platforms and assigned to Your social media accounts, regardless of whether You click on the content of this platform or not. By logging out of Your accounts, You can prevent these companies from associating the collected information with Your accounts.

6.3 The activities of these companies are not controlled by the Company and therefore we do not accept any liability for any damage You may suffer because of the use of Your data by these companies.

6.4 The Company may only process personal data from social media users if they communicate directly with the Company via such platforms (e.g. visitors number, posted articles, likes, direct messages, customer inquiries, comments, etc.). In these cases, the Company is also responsible for processing the personal data collected thereby. In addition to data processing by us, other providers, in particular operators of social networks and platforms, also process personal user data. We have no influence on this data processing and are not responsible for it – the data processing takes place exclusively in the area of responsibility of the other providers.

6.5 For a detailed explanation of the respective processing and the possibilities of objection (opt-out) by providers of social media networks, we refer to the respective privacy policies of the providers (see below). In the case of requests for information and the assertion of data subject rights to data processing by other providers, we point out that these can be asserted with the providers listed below. Only the providers have access to the data of the users and can directly take appropriate measures and provide information.

6.6 The Company uses the following social media accounts in order to engage with You and other third parties:

6.7 The above indicated list is non-finite and the Company is entitled to change / add social media accounts. The latest and up-to-date list of Company’s social media accounts shall be available at the System’s section “Follow Us”. The list of third-party social media networks’ privacy policies (Clause 6.6.) is provided for Your convenience only – as they are created, amended and published by third parties, You must always check whether they are up-to-date and valid versions. The Company takes no responsibility and does not guarantee that the versions indicated in the Clause 6.6. are valid or up-to-date.

6.8 You should always make sure that the social media account is Company’s before submitting or revealing any personal information of Yours while engaging in any social media communication (for example, exchanging messages or leaving a comment).

6.9 You should be aware that SMS / messaging and email services are susceptible to spoofing and phishing attacks and should be careful when reviewing messages that claim to be from the Company. You should always use communication tools in the System or contact us via email by sending an inquiry to the address hello@flirtbro.com if You are unsure about the authenticity of a communication or notice. Note that phishing attacks often occur despite SMS or email or equivalent services, via search engines or advertisements in search engines or other fraudulent links. The Company takes no responsibility for any loss due to spoofing, phishing, or other equivalent attacks.

7. Your rights

7.1 You shall be entitled to the following rights:

7.1.1 Right to withdraw Your consent and right to opt-out. In all cases You are entitled to object to and suspend to the processing of Your personal data where the processing is performed based on your consent, for example - for direct marketing purposes, and when the processing is performed for statistical survey purposes.

7.1.1.1 You have the right to revoke Your consent any time within the methods described in this Privacy Policy or by email to hello@flirtbro.com . Please note that if You withdraw Your consent, we may no longer be able to offer You all of our Services. Withdrawing Your consent does not affect the legality of the processing of Your personal data based on Your consent up to the point of withdrawal.

7.1.1.1.1 By checking the respective box during the registration process (creating an Account) or when updating after logging into Your Account, You expressly confirm that You have read the Agreement together with Privacy Policy and that You agree to the data processing described therein.

7.1.1.1.2 By checking the respective box during the registration process (creating an Account) or when updating after logging into Your Account, You expressly confirm that You have read other policies as indicated in such notice.

7.1.1.1.3 By checking the respective box during the registration process (creating an Account) or when updating after logging into Your Account for news and updates by email (including newsletter and other marketing material), You expressly consent to receiving electronic communication.

7.1.1.1.4 By checking the respective box (boxes) during the use of System for use of cookies, You expressly consent to usage of cookies as indicated in this Policy, the notice and as per Your preferences expressed by checking all / any boxes.

7.1.2 Right prior to the start of processing activities, to get information on the purpose of the processing, sectors or entities inside or outside the EEA with whom Your personal data will be shared, the appropriate safeguards used by the Company in the context of cross-border processing.

7.1.3 Right to obtain additional information upon request, including:

7.1.3.1 Confirmation whether we are processing personal data related to You.

7.1.3.2 The types of personal data of the data subject being processed.

7.1.3.3 The decisions taken on the basis of automated processing.

7.1.3.4 The rules and criteria of the periods for which the personal data will be stored and kept.

7.1.3.5 The measures to be taken upon the occurrence of a data breach.

7.1.4 Right to rectification. You are entitled to obtain the rectification of inaccurate personal data concerning You, and to have incomplete personal data completed.

7.1.5 Right to erasure. You are entitled to request the Company to delete Your personal information if:

7.1.5.1 The personal data is no longer necessary in relation to the purposes for which it was collected or processed.

7.1.5.2 You withdraw Your consent or expressed objection to processing and there are no legitimate grounds for the Company to continue the processing.

7.1.5.3 The personal data have been illegally processed.

7.1.5.4 The deletion of personal data is necessary to fulfill a legal obligation under law to which the Company is a subject.

7.1.6 Right to receive a copy and have Your personal data transmitted to another controller, if technically feasible. You shall have the right to receive the personal data concerning You that You have provided to us in a structured, commonly used and machine-readable format where the processing is based on Your consent or is necessary to fulfil a contractual obligation and implemented by automated means. You also shall have the right to have this data transmitted directly to another controller named by You, insofar as this is technically feasible and the rights and freedoms of others are not impaired. The right to data portability can only be exercised if the processing is based either on Your consent or on a (pre)contractual necessity and where the processing is automated. The right to data portability does not apply to processing which is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

7.1.7 Right to object to decisions based on automated processing. The Company usually does not use any personal data for automated decision-making including profiling (e.g. decisions that have legal effects on data subjects, or significantly affecting them in any other way that are based solely on automated processing of personal data including profiling). In case we would make such decision in any scope, You shall be entitled to object.

Additionally, You have the right to object to the processing of Your personal data at any time if the processing is based on Your legitimate interests. If You object to the processing, we will no longer process Your personal data unless we can demonstrate compelling legitimate grounds for the processing that outweigh Your interests, rights and freedoms, or the processing serves to assert, exercise or defend legal claims. The objection does not affect the legality of the processing of Your personal data based on legitimate interests until You withdraw Your consent.

7.1.8 Right to restriction of processing. You shall have the right to request that we restrict processing if one of the following conditions is met:

7.1.8.1 You dispute the accuracy of the personal data (the restriction applies for a period of time that enables the Company to verify the accuracy of the personal data).

7.1.8.2 The processing of Your personal data was unlawful, and You refuse to delete Your personal data and instead request that its use is to be restricted.

7.1.8.3 The Company no longer needs your personal data for processing purposes, but You need them to assert, exercise or defend legal claims.

7.1.8.4 You have objected to the processing of Your personal data, and it has not yet been determined whether the Company's legitimate grounds outweigh Your own.

7.1.9 Right to lodge a complaint with the State Data Protection Inspectorate of the Republic of Poland which acts as the data regulator in the Republic of Poland.

7.1.10 Right to contact. To exercise any of the above rights, You can send an email to hello@flirtbro.com We shall respond to Your inquiry within 30 days from the day of receiving it (with the possibility of two 30- day extensions).

7.2 In all cases we encourage You to contact us directly. We at the Company believe that best decisions can be made by mutual agreement and effort.

7.3 As a general principle of the Company, we process personal data only for the purposes for which they were collected. In exceptional cases, however, we may process Your personal data that we have collected for another purpose. In this case, before the intended processing, we will inform You of this purpose, the duration of the storage of Your personal data, the exercise of data subject rights, the possibility of revoking consent, the existence of a right to complain to the data protection authority, whether the provision of the data was necessary on legal or contractual grounds and possible consequences of non-provision and whether automated decision-making or profiling is carried out.

8. Data security

8.1 The security of data is very important to us and we are committed to protecting the data we collect. We maintain comprehensive administrative, technical and physical measures to protect Your personal data from accidental, unlawful or unauthorized destruction, loss, modification, access, disclosure or use. These

measures correspond to the highest international safety standards and are regularly checked for their effectiveness and suitability for achieving the desired safety requirements.

8.2 We have implemented the following technical, physical and organizational measures:

8.2.1 Staff training.

8.2.2 SSL encryption on our System from which we transfer personal data.

8.2.3 Ensuring the confidentiality, integrity, availability and resilience of our System and Services.

8.2.4 Use of encrypted systems.

8.2.5 Pseudonymization and anonymization of personal data.

8.2.6 Entry, access and transfer control for our offices and systems.

8.2.7 Measures of quick restoring of the personal data availability in the event of a physical or technical incident.

8.2.8 Measures for privacy by design and default on our platform such as preventing user enumeration.

8.2.9 Implementation of procedures for the regular review, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure the security of processing, e.g. our bug bounty program.

8.2.10 Internal IT security practices and monitoring, internal communication and fast response approach.

8.2.11 Incident-response management.

8.3 Your personal data may be accessed, transferred and / or stored by employees or suppliers at a destination outside the country in which You are located, whose data protection laws may be of a lower standard than those in the EEA. However, we will in all circumstances protect personal data in accordance with this Privacy Policy.

8.4 If we process personal data in a third country (for example, outside the European Union (EU) or the European Economic Area (EEA)) or if this happens in the context of the use of third-party services or disclosure and / or transfer of personal data to third parties, we only transmit personal data to the performance of our (pre)contractual obligations based on Your consent, a legal obligation or our legitimate interests. Subject to legal or contractual permissions, we process or have personal data processed in a third country only if the conditions of ensuring an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data are met. This means, for example, that the processing and transmission takes place on the basis of special guarantees, such as compliance with a code of conduct or a certification mechanism as well as binding and enforceable commitments from the recipient in the third country to apply the appropriate guarantees for the protection of the data or compliance with officially recognized special contractual obligations (for example, announced by the European Commission and known as "Standard Contractual Clauses").

9. Recipients of personal data

9.1 The Company shall only transmit Your personal data to the extent described below or as part of an instruction at the time the data was collected from You. In addition, personal data that we collect about You will not be sold by us or otherwise passed on to third parties.

9.2 Within the Company, those departments or employees will receive Your personal data who need it to fulfill contractual and legal obligations and legitimate interests. We transfer personal data for the purpose of our day-to-day business operations such as account management and other processes You have requested, as well as for the efficient performance of internal administrative activities in a joint manner and for the maintenance and improvement of our products and services.

9.3 To a limited extent, we also transfer personal data to processors who provide services for us such as IT services, legal services, customer support, improvement of our website, performance of contracts, account management, accounting, invoicing, application management, marketing services and sending marketing material. Processors may only use or pass on this data insofar as this is necessary to provide services for us or to comply with legal regulations. We contractually oblige these processors to guarantee the confidentiality and security of Your personal data that they process on our behalf.

9.4 We may also transfer Your personal data (i) if we are required to do so by law or during legal proceedings, (ii) if we believe that disclosure is necessary to avoid damage or financial loss, or (iii) in connection with an investigation into suspected or actual fraudulent or illegal activities.

9.5 If the Company acts together with other parties as joint controller (e.g. processing of data for jointly defined purposes within a group of associated entities), we may provide those parties with personal data if applicable and based on at least one of the legal bases mentioned above under Clause 5. In case of a joint controllership, we transfer Your personal data only based on a sufficient agreement with our partners.

9.6 The Company may transmit Your personal data to another person at the request of the person concerned with Your consent for the transfer or for the purpose of fulfilling the contract or in order to take steps at the request of the data subject prior to entering into a contract.

10. Retention period

10.1 Unless otherwise indicated in the notice / consent form, the Company shall keep Your personal information only for as long as necessary to:

10.1.1 To provide You with the Services You have ordered and to ensure proper use of System / Account.

10.1.2 To comply with laws, including mandatory data collection periods.

10.1.3 To support a claim or defence in court or to act in other judicial proceeding.

10.2 In all cases Account data as per Clause 2 of the Agreement, including identification data (if applicable) shall be saved for the whole duration of You being the Client, and for at least 6-month period from the day the Account was terminated.

11. Cookie policy

11.1 Our System operating now and in the future use cookies.

11.2 Insofar as those cookies are not strictly necessary for the provision of our System and Services, we will ask You to consent to our use of cookies when You first visit our System.

11.3 Cookies

11.3.1 A cookie is a file containing an identifier (a string of letters and numbers) that is sent by a web server to a web browser and stored by the browser. The identifier is then sent back to the server every time the browser requests a page from the server.

11.3.2 Cookies may be either "persistent" cookies or "session" cookies: a persistent cookie will be stored by a web browser and will remain valid until its set expiration date, unless deleted by the user before the expiration date; a session cookie, on the other hand, will expire at the end of the user session, when the web browser is closed.

11.3.3 Cookies may not contain any information that identifies a user personally, but personal data that we store about You may be linked to the information stored in and obtained from cookies.

11.4 Cookies that we use. We use cookies for the following purposes:

11.4.1 Authentication and status – we use cookies to identify You when You visit our System and as You navigate our System, and to help us determine if You are logged into our System / Account.

11.4.1.1 For the purposes of the identification of You as a user we use the following Necessary cookies, that help make our System usable by enabling basic functions like page navigation and access to secure areas of our System. The System cannot function properly without these cookies:

Cookie name

Purpose

Expiry

test_cookie

Used to check if the user's browser supports cookies.

1 day

CookieConsent

Stores the user's cookie consent state for the current domain.

1 year

AWSALB

Registers which server-cluster is serving the visitor. This is used in context with load

balancing, in order to optimize user experience.

7 days

AWSALBCORS

Registers which server-cluster is serving the visitor. This is used in context with load

balancing, in order to optimize user experience.

7 days

AWSALBTGCORS

Registers which server-cluster is serving the visitor. This is used in context with load

balancing, in order to optimize user experience.

7 days

_ym_d

Contains the date of the visitor's first visit to the website.

1 year

_ym_isad

This cookie is used to determine if the visitor has any adblocker software in their browser

– this information can be used to make website content inaccessible to visitors if the

website is financed with third-party advertisement.

1 day

11.4.2 Personalization – we use cookies to store information about Your preferences and to personalize our System for You.

11.4.3 For the purposes of personalization we use the following Preference cookies, that enable our System to remember information that changes the way the System behaves or looks, like Your preferred language or the region that You are in:

Cookie name

Purpose

Expiry

sentryReplaySession

Registers data on visitors' website-behaviour. This is used for internal analysis and

website optimization.

Session

1/i/adsct

Collects data on user behaviour and interaction in order to optimize the website

and make advertisement on the website more relevant.

Session

_ym_viso

Saves information of actions that have been carried out by the user during the

current visit to the website, including searches with keywords included.

1 day

_ym_synced

Tracks the user’s interaction with the website’s search-bar-function. This data can

be used to present the user with relevant products or services.

Persistent

11.4.4 Security – we use cookies as an element of the security measures used to protect user accounts, including preventing fraudulent use of login credentials, and to secure our System and Services generally.

11.4.5 Analysis – we use cookies to help us to analyze the use and performance of our System and Services.

11.4.5.1 For the purposes of analysis of our System we use the following (i) Statistic cookies, that help understand how visitors interact with System by collecting and reporting information anonymously; and (ii) Marketing cookies, that are used to track visitors across websites:

Cookie name

Purpose

Expiry

_tt_enable_cookie

Used by the social networking service, TikTok, for tracking the use of

embedded services.

1 year

_ym_retryReqs

Registers statistical data on users' behaviour on the website. Used for

internal analytics by the website operator.

Persistent

_ym3:0_reqNum

Registers statistical data on users' behaviour on the website. Used for

internal analytics by the website operator.

Persistent

ymex

Registers data on visitors' website-behaviour. This is used for internal

analysis and website optimization.

1 year

Sets a unique ID for the session. This allows the website to obtain data on

visitor behaviour for statistical purposes.

400 days

tt_appInfo

Used by the social networking service, TikTok, for tracking the use of

embedded services.

Session

tt_pixel_session_index

Used by the social networking service, TikTok, for tracking the use of

embedded services.

Session

tt_sessionId

Used by the social networking service, TikTok, for tracking the use of

embedded services.

Session

lastExternalReferrer

Detects how the user reached the website by registering their last URL-

address.

Persistent

lastExternalReferrerTime

Detects how the user reached the website by registering their last URL-

address.

Persistent

sync_cookie_image_decide

Used for data-synchronization with advertisement networks.

Session

_fbp

Used by Facebook to deliver a series of advertisement products such as

real time bidding from third party advertisers.

3 months

_ttp

Used by the social networking service, TikTok, for tracking the use of

embedded services.

1 year

_ym_uid

This cookie is used to collect non-personal information on the visitor's

website behavior and non-personal visitor statistics.

1 year

metrika_enabled

Used to track visitors on multiple websites, in order to present relevant

advertisement based on the visitor's preferences.

Session

1/i/adsct

Collects data on user behaviour and interaction in order to optimize the

website and make advertisement on the website more relevant.

Session

_yasc

Collects data on the user across websites - This data is used to make

advertisement more relevant.

10 years

sync_cookie_image_finish

Used for data-synchronization with advertisement networks.

Session

yuidss

Collects information on user behaviour on multiple websites. This

information is used in order to optimize the relevance of advertisement on

the website.

400 days

11.4.6 Other cookies – we might also use other cookies that are not listed in the clauses above. We reserve the right to amend the list of the usable cookies by amending the respective clauses of this Privacy Policy.

11.4.6.1 Other cookies:

Cookie name

Provider

Expiry

personalization_id

twitter.com

400 days

IDE

doubleclick.net

400 days

pagead/1p-user-list/#

google.com

Session

muc_ads

t.co

400 days

_ttp

tiktok.com

1 year

guest_id

twitter.com

400 days

guest_id_ads

twitter.com

400 days

guest_id_marketing

twitter.com

400 days

_ab_data_2

flirtbro.com

Persistent

an_uuid

flirtbro.com

400 days

QuizResultsValueAnswers

flirtbro.com

Persistent

11.4.7 Cookie consent – we use cookies to store Your preferences in relation to the use of cookies more generally.

11.5 Our service providers use cookies and those cookies may be stored on Your computer when You visit our System, for example Google Analytics, Facebook Pixel, etc.

11.6 Managing cookies. Most browsers allow You to reject and delete cookies. The methods for doing this depend on the browser and its version. You can however obtain up-to-date information about blocking and eleting cookies via these links (links are provided only for Your convenience; You shall always make sure

You have reached up-to-date content of third parties):

11.6.1 (Chrome).

11.6.2 (Firefox).

11.6.3 (Opera).

11.6.4 (Internet Explorer).

11.6.5 (Safari).

11.6.6 (Edge).

11.7 Cookies preferences. You can manage Your preferences relating to the use of cookies on our System.

11.8 Service provider. The Company uses third party service provider Cookiebot. It is a plug-and-play

compliance solution that detects and controls all cookies and trackers in use on a website, and

automatically manages end-user consents. You can find more information here: https://www.cookiebot.com/en/privacy-policy/

You can contact us via email, by sending Your inquiry to hello@flirtbro.com, or bysending us an letter to our registered address:

Polorix Sp. z o.o.

Mazowiecka 11 / 49, 00-052 Warszawa, Polska