Privacy Policy

ANDREW TAYLOR, INDIVIDUAL ENTREPRENEUR
DATA PROCESSING NOTICE ON THE PROCESSING OF PERSONAL DATA OF NATURAL PERSONS USING THE “LUCKFINDERS” MOBILE APPLICATION
Version: 1.0
Békés, 2026.04.08.

Andrew Taylor, a sole proprietor, has set himself the goal of creating and operating the mobile application called “Luckfinders” (hereinafter referred to as the “Application”) to provide an opportunity for natural persons using the Application to get to know each other, establish contacts and communicate, in particular through search and contact functions based on geographical proximity, and by using the premium services available in the Application.

With regard to the processing of personal data of natural persons who install the Application, or register and use it (hereinafter collectively referred to as the “Data Subjects”), Andrew Taylor, a sole proprietor (hereinafter referred to as the “Data Controller”), is considered a data controller.

The Application can only be used after registration, however, the availability of certain functions and services may differ depending on the user status selected by the Data Subject (e.g. basic or premium membership).

In view of the above, the Data Controller provides the Data Subjects with the following information in accordance with the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council (EU) on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: GDPR) and Act CXII of 2011 on the right to informational self-determination and freedom of information (hereinafter: Infotv.).

The Data Controller undertakes to ensure that the data processing carried out by it complies with the requirements set out in the applicable legislation, in particular with regard to the requirement that the information provided to the Data Subjects is provided in a concise, transparent, clear and comprehensible manner and in an easily accessible form, in the form of this data processing information.
I have summarized the most important information in the data protection notice in tabular form on the last page. You can find information on withdrawing your consent to the processing of your personal data in Section V.

I. The Data Controller

Name: Andrew Taylor I.E.
Headquarters: 5630 Békés Mátra utca 11.
E-mail: info@luckcriptentertainment.com

II. Contact information of the Data Controller

You can request information regarding the processing of your data in the following ways:
- by email to the Data Controller at info@luckcriptentertainment.com;
- by post to the following address: 5630 Békés Mátra utca 11.

III. Purpose of data processing

The purpose of data management is for the Data Controller to provide the Data Subjects with the opportunity to get to know each other, establish contact and communicate within the Application, as well as to securely operate the basic and premium functions of the application, including the identification and authentication of users and the provision of the technical and operational conditions necessary for the use of the Application.

Within this framework, the direct purposes of data processing are:
- identification of the Data Subject and verification of user rights;
- creation and maintenance of a unique user account in the event of registration, and provision of services related to the account available in the Application;
- creation and display of the user profile based on the data provided by the Data Subject;
- ensuring the establishment of connections and communication between users (e.g. sending messages);
- operation of search functions based on geographical proximity in order to make it easier for users to find each other;
- conducting an automated video authentication process used to verify the age and identity of the Data Subject;
- ensuring the safe use of the Application, preventing abuse, and monitoring and continuous development of the operation of the Application;
- maintaining contact with the Data Subjects, sending notifications and information related to the operation of the Application;
- enabling the use of premium services, including the technical processing of in-app purchases through Apple and Google payment systems.

The above data processing purposes serve the proper functioning and operation of the Application and the establishment of secure connections between Data Subjects.

IV. Scope of processed data and process description

IV./1. Prerequisite for using the Application – registration

The Application cannot be used without registration, the functions of the Application can only be accessed after registration. Accordingly, the Data Controller does not provide “guest mode” use and does not process any substantive personal data of Data Subjects who do not complete the registration process. However, during the download of the Application and in connection with its technical operation – within the scope specified in point IV./4. – technical data may be processed.

IV./2. Personal data of registered data subjects

The Data Controller processes the following personal data of the Data Subjects who download the Application and register within it during the creation and use of the individual user account. Registration can be done by providing an e-mail address, using a Google and Apple account.
The Data Controller processes the following personal data of the Data Subjects in connection with the registration and use of the Application:
- the Data Subject's e-mail address and any additional personal data that may appear therein;
- the Data Subject's full name;
- basic data necessary for identification transmitted by the external service provider (Google / Apple) used during registration;
- the Data Subject's date of birth (for age verification purposes);
- the Data Subject's gender;
- the profile picture and other images uploaded by the Data Subject;
- personal data that may be included in the introductory text provided by the Data Subject;
- data related to interests and contact purposes;
- additional profile data voluntarily provided by the Data Subject (height, languages spoken, information about work and studies).

After registration, Data Subjects can log in to their individual user account using their email, Google or Apple account.

IV./3. Additional data processing related to certain functions of the Application

In the case of registered Data Subjects who use certain functions of the Application, the following additional personal data is processed.

In the case of video authentication:
- a video recording of the Data Subject's face, head and eye movements;
- the result of the automated facial recognition process (authentic / non-authentic status).

When using location-based search:
- the Data Subject's GPS coordinates.

In the case of using communication functions in encrypted form (the Data Controller does not have access to the content of the messages):
- text messages exchanged between the Data Subjects;
- voice messages.

In case of using premium services:
- information regarding the existence of premium user status. (The Data Controller is not authorized to process payment data, they are processed exclusively by Apple and Google payment service providers.)

IV./4. Technical and operational data

In order to ensure the technical operation of the Application, the Data Controller processes the following personal data regarding the Data Subjects:
- the unique device identifier generated by the Application of the smart device used by the Data Subject;
- the IP address of the Data Subject;
- the unique installation identifiers necessary for the operation of the Application and the delivery of “push” messages.

Source of personal data: The Data Controller primarily obtains the above personal data directly from the Data Subject on a voluntary basis during the use of the Application, the registration process, and the provision of data within the Application. If the Data Subject registers with a Google or Apple account, the source of the data is the given external service provider. The Data Controller obtains data related to the technical operation of the Application from the Data Subject’s smart device in an automated manner.

V. Legal basis for data processing

The legal basis for the processing of personal data specified in Section IV of this Data Protection Notice is the data subject’s consent as defined in Article 6(1)(a) of the GDPR, which the Data Subject may provide by ticking the checkbox on the Application’s registration interface prior to the commencement of data processing.

Biometric data for the purpose of uniquely identifying the Data Subject and personal data concerning the Data Subject’s sex life or sexual orientation are considered to be special personal data. Their processing is based on the data subject’s explicit consent as defined in Article 9(2)(a) of the GDPR.
The data subject’s consent complies with the conditions set out in Recitals (32) and (42)-(43), Article 4(11) and Article 7 of the GDPR, given that:
- the Data Subject voluntarily makes his/her personal data available to the Data Controller in the Application;
- the use of the Application is not mandatory, the Data Subject can freely decide to provide consent;
- by actively checking the checkbox placed during registration, the Data Subject specifically, clearly and expressly consents to the processing of his/her personal data;
- the Data Subject can decide to provide consent after reviewing this data management information;
- the Data Subject can withdraw his/her consent to data management at any time.

The Data Subject is entitled to submit his/her declaration of withdrawal of consent to data management to the Data Controller at any time in the following ways:
- by deleting the registered user account via the Application;
- by sending an electronic mail to the Data Controller’s e-mail address info@luckcriptentertainment.com;
- by sending a postal item to the Data Controller’s registered office (5630 Békés

The Data Controller does not impose any content or form requirements regarding the declaration of withdrawal of consent, however, the declaration must be capable of unambiguously identifying the Data Subject. Withdrawal of consent does not affect the lawfulness of data processing prior to the withdrawal of consent.

VI. Duration of data processing

Subject to the provisions of Article 5(1)(e) of the GDPR and Section 4(2) of the Information Act, personal data may only be processed to the extent and for the period necessary to achieve the purpose.

The Data Controller shall process the personal data related to the technical operation of the Application specified in Section IV./4 of this data processing information for the period necessary for the proper operation of the Application or until the Application is deleted from the Data Subject's smart device.
If the Data Subject has created a registered user account in the Application, the Data Controller shall process the personal data specified in Sections IV./2 and IV./3 of this data processing information for the duration of the user account or until the registration is deleted. After the user account is deleted, the Data Controller shall delete the personal data without undue delay, except for data that is necessary until the conclusion of a possible civil law enforcement procedure.

After the retention period specified above, the Data Controller ensures the deletion of personal data by means of disposal, which in the case of electronically stored personal data is achieved by deletion without the possibility of recovery.

VII. Data processors, recipients, data transfer

VII./1. Data processors

The Data Controller uses the following data processors to process the personal data of the Data Subjects:
- to Supabase Inc. (registered office: 3500 S Dupont Hwy, Dover, DE 19901, USA, further information: https://supabase.com/privacy) to provide backend services, database management, storage and authentication services necessary for the operation of the Application. Supabase stores and technically processes all personal data collected by the Application and the data is stored on Supabase's EU infrastructure.
- to Rackhost Zrt. (registered office: 6722 Szeged, Tisza Lajos körút 41., e-mail: info@rackhost.hu) to provide IT infrastructure and storage services related to the operation of the Application.
- to Google Ireland Limited (registered office: Google Building Gordon House, Barrow Street, Grand Canal Dock, Dublin 4, D04 V4X7, Ireland, further information: https://policies.google.com/privacy?hl=hu) for the purpose of ensuring electronic communication (e-mail contact and communication) between the Data Controller and the Data Subjects.

VII./2. Recipients

The Data Controller may transfer the personal data of the Data Subjects to the following recipients only to the extent necessary for the operation of the Application:
- to Apple Distribution International Ltd. (registered office: Hollyhill Industrial Estate, Hollyhill, Cork, Ireland, further information: https://www.apple.com/legal/privacy/) and Google Payment Ireland Limited (registered office: 70 Sir John Rogerson's Quay, Dublin 2, Ireland, further information: https://policies.google.com/privacy) for the purpose of processing purchases within the Application, through the payment systems of the Apple App Store and the Google Play store. The Data Controller is not authorized to process payment data (e.g. bank card data), which are processed exclusively by the relevant payment service providers in accordance with their own data processing terms.
- in the event of possible contact with the Data Subject by post, to Magyar Posta Zrt. (registered office: 1138 Budapest, Dunavirág utca 2-6., adatvedelem@posta.hu) regarding delivery data.

The Data Controller does not transfer the personal data of the Data Subjects to third parties for marketing, advertising or business acquisition purposes.

VII./3. Data transfer to a third country

The Data Controller does not intentionally transfer the personal data of the Data Subjects to a third country outside the European Economic Area (EEA). If the data processor used by the Data Controller – in particular Supabase, Apple or Google – carries out part of the data processing operations outside the EEA, the data transfer may only take place subject to the application of the guarantees set out in Chapter V of the GDPR (in particular the European Commission’s adequacy decision or the general contractual terms and conditions).

VII./4. Use of additional data processors

The Data Controller does not use any additional data processors beyond those specified in this data processing information. In the event of involving an additional data processor, the Data Controller will inform the Data Subjects in advance or without undue delay in accordance with legal requirements.

VIII. How the data is processed

The Data Controller processes the personal data of the Data Subjects exclusively electronically, using IT systems. During data processing, the Data Controller uses partially automated data processing operations in order to ensure the proper functioning of the Application.

Certain functions of the Application – in particular the video authentication procedure – use automated decision-making. Within this framework, the system determines whether the Data Subject is an authenticated user or not using an automated facial recognition procedure based on a video recording made by the Data Subject. Automated decision-making is aimed solely at authenticating the user account and does not have any legal effect or significant consequences for the Data Subject.

During the operation of the Application, the Data Controller performs profiling with respect to certain functions in order to serve the needs of users (Data Subjects) as professionally as possible.

Only the Data Controller is entitled to access the processed personal data, and the data processors used by it may only access the data to the extent necessary to fulfill their contractual obligations.

The Data Controller pays special attention to the confidentiality, integrity and availability of personal data and, to this end, applies appropriate technical and organizational measures to ensure that it prevents unauthorized access, alteration, transmission, disclosure or deletion.

Personal data is processed and stored in secure IT systems used by the Data Controller, primarily on Supabase servers. Only the Data Controller has access to the Supabase system, and does not provide access to third parties.

The Data Controller processes and stores personal data exclusively in electronic form; paper-based data processing does not take place.

After the retention period specified in Section VI. of this data processing notice has expired, the Data Controller deletes the personal data irretrievably, so that their subsequent recovery is not possible.

IX. Disclosure

The Data Controller does not disclose the personal data specified in Section IV of this data protection notice. Certain profile data voluntarily provided by Data Subjects within the Application will only become visible to other registered Data Subjects as part of the intended use of the Application, but will not be disclosed by the Data Controller in this case either.

X. Rights of the Data Subject in connection with the processing of data

X.1. Right to withdraw consent (Article 7 of the GDPR)

The Data Subject has the right to withdraw consent to any data processing at any time, where the processing of the Data Subject's personal data is based on the Data Subject's consent. It is important that the withdrawal of consent does not affect the lawfulness of the data processing carried out before the withdrawal of consent.

In the event that the Data Subject withdraws consent, it is possible that the Data Controller will not be able to provide certain services to the Data Subject, and if relevant, the Data Controller will inform the Data Subject of this when withdrawing consent. The exercise of this right by the Data Subject does not affect the further processing of personal data processed by the Data Controller on other legal grounds.

The method of withdrawing consent is detailed in Section V of this Data Protection Notice.

X.2. The Data Subject's right to prior information (Articles 13-14 of the GDPR)

If personal data are collected from the Data Subject, the Data Controller shall, at the time of obtaining the personal data, inform the Data Subject about basic information about the Data Controller, the purpose of the planned processing of personal data, the legal basis for the processing, and any data transfer operations.
The Data Controller shall also inform the Data Subject about additional information regarding the processing of his/her data, including, among others, the duration of data storage, the rights of the Data Subject, and the right to file a complaint with the authority.

The Data Controller shall ensure the enforcement of the Data Subject's right to prior information by publishing this Data Processing Notice and by providing it to the Data Subject before the start of the data processing operation.

X.3. Right of access (Article 15 of the GDPR)

The Data Subject has the right to request access to his/her personal data, to receive a copy of his/her personal data processed by the Data Controller and to check whether the data processing is carried out lawfully by the Data Controller.

X.4. Right to rectification (Article 16 of the GDPR)

The Data Subject has the right to request the rectification of his/her personal data processed by the Data Controller. Pursuant to this right, the Data Subject has the right to have incomplete or inaccurate personal data processed by the Data Controller corrected, provided that in such a case it becomes necessary to verify the authenticity of the newly transmitted data.

X.5. Right to erasure – to be forgotten (Article 17 of the GDPR)

The Data Subject has the right to request the erasure of his/her personal data processed by the Data Controller. The exercise of this right entitles the Data Subject to request the Data Controller to erase his/her personal data if there are no good reasons for their further processing. The Data Subject also has the right to request the erasure of his/her personal data if he/she has successfully objected to the processing of his/her personal data, if the Data Controller has processed his/her personal data unlawfully, or if the Data Controller is obliged to erase the Data Subject’s personal data under Hungarian law. However, the Data Controller is entitled to refuse to comply with the erasure request in certain cases, of which the Data Subject is obliged to inform him/her accordingly.

X.6. Right to restriction of data processing (Article 18 of the GDPR)

The Data Subject has the right to request restriction of the processing of his/her personal data if the Data Controller is engaged in unlawful data processing and the Data Subject does not want the data to be deleted and instead requests restriction of the use of the data. The Data Subject also has the right to restriction of data processing if he/she disputes the accuracy of the data processed by the Data Controller.

X.7. Right to data portability (Article 20 of the GDPR)

The Data Subject has the right to request the transmission of his/her personal data to himself/herself or to another data controller, and has the right to transmit these data to another data controller. The Data Subject may exercise this right if the data processing is carried out by automated means and the processing of the personal data is necessary for the performance of a legal obligation to which the Data Controller is subject, or if the processing is based on the Data Subject's consent. In this case, the Data Controller shall provide the Data Subject's personal data in a structured, commonly used, machine-readable format.

XI. Information on the consequences of failure to provide data

The provision of personal data specified in Section IV of this data protection notice is a prerequisite for using the Application. If the Data Subject does not provide the personal data required for registration and use of the Application, the Data Subject will not be able to create a user account or will not be entitled to use the functions of the Application.
Certain functions of the Application – in particular the creation of a user profile, location-based search services, communication options and video authentication – can only be used if the necessary personal data is provided. Failure to provide data will result in partial or complete unavailability of these functions.

The Data Subject has the right to decide on the use of the Application at any time and to withdraw his/her consent to the processing of his/her personal data, however, in this case he/she will not be able to use the services provided by the Application or will only be able to use them to a limited extent.

XII. Legal remedies

If the Data Subject considers that the data processing violates the provisions of the GDPR or the Infotv., or considers the way in which the Data Controller handles his/her personal data to be offensive, we recommend that he/she first contact the Data Controller with his/her complaint. Your complaint will always be investigated.

If, despite the investigation of your complaint or if the deadline for responding has expired without result, you complain about the way in which we handle your data, or if you wish to contact an authority directly, you can file a complaint with the National Data Protection and Freedom of Information Authority (address: 1055 Budapest, Falk Miksa utca 9-11., postal address: 1363 Budapest, Pf.: 9. e-mail: ugyfelszolgalat@naih.hu, website: www.naih.hu).

You also have the option of contacting a court in order to protect your data, which will proceed with the case as a matter of urgency. In this case, you are free to decide whether to file your claim with the court of your place of residence (permanent address) or your place of stay (temporary address) (http://birosag.hu/torvenyszekek). You can find the court of your place of residence or stay at http://birosag.hu/ugyfelkapcsolatiportal/birosag-kereso.

Békés, 2026.04.08.
Andrew Taylor I.E.

Email: info@luckcriptentertainment.com