Privacy Policy of Waffo Group

Personal Identifiers. We collect identifiers such as your name, email address, mailing address, and phone number.

Account Information. When you create an account, we collect your username, password, and profile information.

Payment Information. We collect billing details such as your name, billing address, and payment method. We do not store complete credit card numbers.

Subscription Information. For subscriptions, we collect billing preferences, subscription tier, auto-renewal settings, and payment authorization details.

Communications. We collect messages, emails, and attachments you send to us.

Usage Data. We automatically collect information about how you use our Merchant of Record services, including pages viewed, links clicked, search terms, and session duration.

Device Information. We automatically collect technical information including device type, operating system, browser type, screen resolution, and unique device identifiers.

Location Information. We may collect your general location based on your IP address, or more precise location if you grant permission.

Cookies and Tracking Data. We collect information through Cookies and similar technologies about your browsing activities and preferences.

Third-Party Information. We may receive information about you from social media platforms, business partners, and public sources.

AI Software Data. If applicable, AI software you purchase may process your input data, collect usage information, generate outputs, and (where permitted) use anonymized data to improve AI models. Review the software developer's privacy policy for details.

Third-Party EULAs. When purchasing AI software, you may need to accept the developer's End User License Agreement (EULA). This is a separate agreement between you and the developer, not part of this Privacy Policy. Review EULA terms before accepting, as they may contain additional data collection provisions. If you disagree with a EULA, contact us about refund options before accepting.

EULA Disclaimer. Waffo is not a party to third-party EULAs and makes no warranties regarding their terms. We are not responsible for third-party data practices and shall not be liable for any claims arising from your acceptance of third-party EULAs. Disputes regarding EULAs are solely between you and the software developer. You agree to indemnify and hold Waffo harmless from claims arising from your acceptance of third-party EULAs or use of third-party software products.

Expertise and Professional Information. Where relevant to our relationship with you (such as if you are a Supplier representative or business partner), we may collect records of your expertise, professional history, qualifications, and information about your professional relationships with other individuals or institutions.

Consent Records. We collect records of any consents you have given, together with the date and time, means of consent, and any related information (e.g., the subject matter of the consent).

Employer Details. Where you interact with us in your capacity as an employee of a Third Party (such as a Supplier or corporate customer), we may collect the name, address, telephone number, and email address of your employer, to the extent relevant.

Content and Advertising Data. We collect records of your interactions with our online advertising and content, records of advertising and content displayed on pages shown to you, and any interaction you may have had with such content or advertising (e.g., mouse clicks, forms you complete), and any touchscreen interactions.

Views and Opinions. We collect any views and opinions that you choose to send to us, or publicly post about us on social media platform.

Direct Collection from Users. We collect Personal Information that you voluntarily provide to us when you create an account, make purchases, contact us via email or telephone, subscribe to our communications, provide us with your business card, participate in meetings, at trade shows, during visits from sales or marketing representatives, at events we attend or, subscribe to our communications, or otherwise interact with our Merchant of Record services.

Automatic Collection. We automatically collect certain information when you access or use our Merchant of Record services, including Usage Data, Device Information, and data through Cookies and other Tracking Technologies.

Cookies and Tracking Technologies. We use Cookies, Web Beacons, and similar Tracking Technologies to collect information about your browsing activities and preferences across our Merchant of Record services and other websites.

Combined Information. We may combine information collected through different methods and sources to provide and improve our Merchant of Record services, personalize your experience, and for other purposes described in this Privacy Policy.

Creation of Personal Data. We also create Personal Data about you in certain circumstances, such as records of your interactions with us, details of your past transactions and purchase history, and inferences about your preferences and behaviour. We may also combine Personal Data from any of our websites, products, or services, including where that data is collected from different sources.

Data Minimisation. We take reasonable steps to ensure that your Personal Information that we Process is limited to the Personal Information reasonably necessary in connection with the purposes set out in this Privacy Policy.

Service Provision and Operation. We use Personal Information to provide, maintain, and improve our Merchant of Record services, including to process transactions, authenticate users, and deliver requested features and functionality.

Communication. We may use Personal Information to communicate with you regarding our Merchant of Record services, respond to your inquiries, send administrative notices, and provide customer support.

Personalization and User Experience. We use Personal Information to personalize your experience with our Merchant of Record services, including customizing content, recommendations, and advertisements based on your preferences and usage patterns.

Analytics and Research. We use Personal Information to analyse usage patterns, conduct research, generate statistics, and improve our Merchant of Record services through data analysis and performance monitoring.

Marketing and Promotional Activities. We may use Personal Information to send you marketing communications, promotional offers, and newsletters about our Merchant of Record services or those of our partners, subject to your communication preferences and applicable opt-out rights.

Security and Fraud Prevention. We use Personal Information to detect, prevent, and investigate fraud, security breaches, and other potentially prohibited or illegal activities, and to protect the safety and security of our Merchant of Record services and users.

Legal Compliance. We use Personal Information to comply with applicable laws, regulations, legal processes, and governmental requests, including responding to subpoenas, court orders, and law enforcement inquiries.

Business Operations. We may use Personal Information for general business operations, including accounting, record-keeping, internal reporting, and business continuity planning.

Aggregated and De-identified Data. We may aggregate or de-identify Personal Information to create datasets that do not identify individual users, which may be used for any lawful business purpose without restriction.

Compliance Checks. We use Personal Information to fulfil our regulatory compliance obligations, conduct 'Know Your Client' checks, confirm and verify your identity, use credit reference agencies, and screen against government and law enforcement agency sanctions lists and other legal restrictions.

Management of IT Systems. We use Personal Information for management and operation of our communications, IT and security systems, including audits (such as security audits) and monitoring of such systems to ensure their proper functioning and security.

Investigations. We may use Personal Information to detect, investigate, and prevent breaches of our policies and terms of service, and criminal offences, in accordance with applicable law.

Establishment, Exercise and Defence of Legal Claims. We use Personal Information for the management of legal claims, establishment of facts and claims (including collection, review and production of documents, facts, evidence and witness statements), and the exercise and defence of legal rights and claims, including in connection with formal legal proceedings.

Merchant of Record Functions. As a Merchant of Record, we use Personal Information to process transactions on behalf of our Suppliers, manage customer billing and payment processing, collect and remit applicable taxes, handle refunds and chargebacks, provide transaction receipts and invoices, and maintain records required for regulatory compliance.

Waffo may share your Personal Information with Third Parties only in the circumstances described in this section and in accordance with applicable law:

Aggregate and De-identified Information. We may share aggregate, anonymous, or de-identified information that cannot reasonably be used to identify you for research, analytics, or marketing purposes.

Consent. We may share Personal Information for other purposes with your explicit consent or at your direction.

Waffo uses Cookies and other Tracking Technologies on its Merchant of Record services to enhance user experience, analyze usage patterns, and provide personalized content and advertising.

Cookies are small text files stored on your device that help us recognize your browser and remember certain information about your preferences or past actions.

We also use Web Beacons and similar technologies, which are small electronic files that allow us to count users who have visited certain pages and track email opens and clicks.

Third Party Cookies. Third-party service providers, including analytics and advertising partners, may also place Cookies and Tracking Technologies on our Merchant of Record services with our permission.

Cookies Management. You can control Cookie settings through your browser preferences, though disabling certain Cookies may limit the functionality of our Merchant of Record services. Most web browsers automatically accept Cookies, but you can modify your browser settings to decline Cookies or alert you when Cookies are being sent. For more information about managing Cookies, please visit your browser's help section or consult resources such as www.allaboutcookies.org.

Cookie Consent (EEA, UK, and Swiss Users). If you are located in the European Economic Area, United Kingdom, or Switzerland, we will obtain your consent before placing non-essential Cookies on your device, in accordance with the GDPR and the Privacy and Electronic Communications Directive.

Security Measures. Waffo implements appropriate technical, administrative, and physical security measures designed to protect Personal Information against unauthorized access, disclosure, alteration, and destruction.

Technical Safeguards. Security measures include, but are not limited to, encryption of data in transit and at rest, secure socket layer (SSL) technology, firewalls, access controls, and regular security monitoring systems.

Administrative Controls. Waffo maintains administrative safeguards including employee training on data protection, background checks for personnel with access to Personal Information, and policies governing data handling and access.

Physical Security. Physical safeguards include secured facilities, restricted access to data storage areas, and environmental controls to protect against unauthorized physical access to Personal Information.

Third-Party Security. Waffo requires Third Parties that process Personal Information on its behalf to implement appropriate security measures and to comply with applicable data protection requirements.

Security Limitations. While Waffo employs reasonable security measures, no method of transmission over the internet or electronic storage is completely secure, and Waffo cannot guarantee absolute security of Personal Information.

Data Breach Response. In the event of a data breach that compromises the security of Personal Information, Waffo will take appropriate remedial measures and provide notification as required by applicable law.

Regular Security Reviews. Waffo conducts regular assessments of its security practices and updates security measures as necessary to address evolving threats and maintain data protection standards.

If you provide Sensitive Personal Data to us, you must ensure that it is lawful for you to disclose such data to us, and you must ensure a valid legal basis applies to the Processing of those Sensitive Personal Data.

Deletion and Backup. When Personal Information is no longer needed for the purposes for which it was collected, Waffo will securely delete or anonymize such information in accordance with our data destruction procedures. Certain information may be retained in backup systems for up to ninety (90) days after deletion from active systems, after which it will be permanently destroyed.

Aggregate Data. Waffo may retain anonymized or aggregated data indefinitely for statistical, research, or business intelligence purposes, provided such data cannot reasonably be used to identify individual Users.

Third-Party Data Retention. Please note that data transferred to third-party software developers, publishers, or service providers in connection with your subscription may be subject to the data retention policies of those third parties. Waffo has no control over and is not responsible for the data retention practices of third parties. You should review the privacy policies of the specific software products you use to understand how your data will be retained by third-party developers or publishers after your subscription ends.

Requests for Early Deletion. You may request deletion of your Personal Information prior to the expiration of the applicable retention period by contacting us using the information provided in Section 14. However, we may be required to retain certain information for legal, regulatory, or legitimate business purposes, and we will inform you if we are unable to fulfil your deletion request in whole or in part.

Data Export. Prior to or within thirty (30) days following termination or cancellation of your subscription, you may request a copy of your Personal Information in a portable format by contacting us using the information provided in Section 14. After this period, we cannot guarantee that all data will be available for export.

Right to Access. You have the right to request confirmation of whether we Process your Personal Information and to obtain access to such Personal Information. Upon verification of your identity, we will provide you with a copy of your Personal Information in our possession.

Right to Correction. You may request correction of inaccurate or incomplete Personal Information we maintain about you. We will make reasonable efforts to correct such information promptly upon verification of the requested changes.

Right to Deletion. You may request deletion of your Personal Information in certain circumstances, including when the information is no longer necessary for the purposes for which it was collected or when you withdraw consent where consent was the basis for Processing.

Right to Data Portability. Where technically feasible, you may request to receive your Personal Information in a structured, commonly used, and machine-readable format for transfer to another service provider.

Exercising Your Rights. To exercise any of these rights, please contact us using the information provided in Section 14. We will respond to your request within a reasonable timeframe and in accordance with applicable law.

Verification Requirements. We may require verification of your identity before processing requests related to your Personal Information to protect against fraudulent requests.

No Discrimination. We will not discriminate against you for exercising any of your privacy rights under applicable law.

8(A) Additional GDPR Rights (EEA, UK, and Swiss Residents).

8(A).3 Data Protection Officer. Contact us at the details in Section 14 to exercise GDPR rights or ask about our data protection practices.

8(B) California Consumer Privacy Act (CCPA) Rights.

8(B).3 Business Purposes. We collect Personal Information for the purposes described in Section 3, including fulfilling orders, processing payments, customer support, personalization, marketing, analytics, security, and legal compliance.

8(B).4 Use of Personal Information. We may use the categories of Personal Information described above for the following business or commercial purposes: advancing our commercial or economic business interests through our services and products; maintaining and servicing customer accounts; auditing customer activity on our websites; processing or fulfilling orders and transactions as Merchant of Record; processing, managing, and accounting for transactions; providing customer support; verifying customer information; for short term, transient uses (such as contextual advertising); to understand and enhance your experience on our websites by utilizing analytic services; advertising our services; linking or combining it with information received from third parties; performing internal research for technological development; ensuring and improving the quality and safety of our services and products; debugging to address impairments to operational functionality; detecting security incidents; complying with applicable law and law enforcement requirements; protecting against malicious, deceptive, fraudulent or illegal activity; and defending against or bringing legal action, claims and other liabilities.

8(B).6 Disclosures of Personal Information. We do not sell any Personal Information to third parties within the meaning of the CCPA. We have disclosed and will disclose Personal Information to the following categories of recipients for business purposes: (i) legal and regulatory authorities; (ii) accountants, auditors, consultants, lawyers and other professional advisors; (iii) third-party Processors (such as payment services providers); (iv) any relevant party for the establishment, exercise or defence of legal claims; (v) any relevant party for the prevention, investigation, detection or prosecution of criminal offences; (vi) any relevant Third Party provider where our websites use Third Party advertising, plugins or content; and (vii) Suppliers to the extent necessary to provide a Product requested by you.

8(B).7 Sale and Sharing. We may "share" certain Personal Information with advertising partners for targeted advertising. We do not "sell" data for monetary consideration. Opt out via the "Do Not Sell or Share My Personal Information" link on our website.

8(B).8 Retention. We retain Personal Information as described in Section 7.

8(B).9 Submitting CCPA Requests. Submit requests by emailing us (Section 14), calling us, or through our website. We will verify your identity before processing. We respond within 45 days (extendable by another 45 days with notice).

8(B).10 Right to Know About Personal Information. Consumers have the right to request that we disclose the following information, in a readily useable format, covering the 12 month period preceding the request: the categories of Personal Information we collected about you; the purposes for which the categories of Personal Information will be used; the categories of sources for the Personal Information; the categories of third parties with whom we share Personal Information; our business or commercial purpose for collecting Personal Information; the specific pieces of Personal Information we collected about you; and the categories of Personal Information we have disclosed for a business purpose.

8(B).11 Right to Request Deletion. Consumers have the right to request that we delete any Personal Information that we have collected from them, subject to certain exemptions under applicable laws. We may keep a record of deletion requests solely as a record of compliance.

8(B).12 Right to Correct Inaccurate Records. Consumers have the right to request that we use commercially reasonable efforts to correct any inaccurate Personal Information.

8(B).13 Right to Opt Out of Sale or Sharing. Please note that we do not sell or share your Personal Information within the meaning of the CCPA.

8(B).14 Right to Limit Use of Sensitive Personal Information. Consumers have the right to direct a business to limit its use and disclosure of Sensitive Personal Information. Please note that we will only collect and use Sensitive Personal Information where it is absolutely required to do so in the course of our relationship with you, and all information collected is subjected to record retention timeframes based on law and industry standards.

8(B).15 Right to Non-Discrimination. Consumers have the right to be free from discrimination when they exercise their Consumer rights under the CCPA. We do not offer financial incentives or a price or service difference to incentivise consumers to provide personal information.

8(B).16 Authorised Agent. Under the CCPA, you may appoint an authorised agent to submit requests to exercise your rights on your behalf. Should you choose to do so, we will require your authorised agent to provide us with signed permission demonstrating that they are authorised to submit a request on your behalf. Should your authorised agent fail to submit proof of authorisation, we will deny their request.

8(B).17 California "Shine the Light" Law. California residents may request information about disclosure of Personal Information to third parties for direct marketing purposes by contacting us at Section 14.

International Transfers. As an online software reseller operating globally, Waffo transfers, stores, and processes your Personal Information in countries other than your country of residence, including the United States and other countries where our software suppliers, developers, payment processors, and service providers are located. These countries may have different data protection laws than those in your country of residence.

Your Rights Regarding International Transfers. You may contact us using the information provided in Section 14 to request information about international transfers of your Personal Information and the safeguards we have implemented.

Third Party Links and Merchant of Record services. Our Merchant of Record services may contain links to websites, applications, or services operated by third parties, including software developers, publishers, and other vendors, that are not owned or controlled by Waffo. This Privacy Policy does not apply to any third-party websites, applications, or services, including the websites of software developers and publishers whose products we resell, even if accessed through links provided on our Merchant of Record services. We are not responsible for the privacy practices, content, or security measures of any third-party websites or services. Third-party services may have their own privacy policies and terms of use that govern the collection, use, and disclosure of your Personal Information when you interact with such services. We encourage you to review the privacy policies and terms of use of any third-party websites or services before providing any Personal Information or using such services. Some third-party services are integrated into our Merchant of Record services, including payment processors, analytics providers, social media platforms, and software licensing and activation systems provided by developers. Your interactions with integrated third-party services are governed by the respective Third Party's privacy policy and terms of service, not this Privacy Policy. We do not endorse or make any representations about third-party websites or services, and any reliance on such third-party services is at your own risk.

Direct Marketing. We Process Personal Information to contact you via email, telephone, direct mail, or other communication formats to provide you with information regarding websites, products, or services that may be of interest to you. We also Process Personal Information for the purposes of displaying content tailored to your use of our websites, products, or services. If we provide websites, products, or services to you, we may send or display information to you regarding our websites, products, or services, upcoming promotions, and other information that may be of interest to you, subject always to obtaining your prior opt-in consent to the extent required under applicable law.

Change your Preferences. You may change your preferences or unsubscribe from our promotional email list at any time by clicking on the unsubscribe link included in every promotional electronic communication and updating your communication preferences. Please note that it may take up to thirty (30) days to process your unsubscribe request during which time you may continue to receive communications from us. After you unsubscribe, we will not send you further promotional emails, but we will continue to contact you to the extent necessary for the purposes of any websites, products, or services you have requested (for example, we may send you emails about your transactions or our ongoing business relationship).

Changes to Privacy Policy. Waffo reserves the right to modify, update, or revise this Privacy Policy at any time in its sole discretion to reflect changes in our data practices, legal requirements, or business operations. When we make changes to this Privacy Policy, we will update the "Effective Date" at the top of this document to indicate when the revised policy becomes effective.

Effective Date of Change. Material changes to this Privacy Policy will become effective thirty (30) days after we provide notice, unless a longer notice period is required by applicable law. Non-material changes, including minor clarifications, formatting updates, or changes that do not affect your rights, will become effective immediately upon posting of the revised Privacy Policy.

Objection to Change. Your continued use of our Merchant of Record services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree to the changes, you should discontinue use of our Merchant of Record services and may contact us to delete your Personal Information in accordance with your rights under Section 8 of this Privacy Policy.

Suppliers' Terms of Use. All use of our Merchant of Record services is subject to the relevant Supplier's terms of use. We recommend that you review the applicable Suppliers' terms of use to ensure that you are aware of your obligations and where applicable, regularly in order to review any changes we might make from time to time as this may influence your rights under this Privacy Policy.

Terms of Sale. All sales of Products are subject to our Buyer Terms and Conditions. We recommend that you review these regularly, in order to review any changes we might make from time to time as this may influence your rights under this Privacy Policy.

Waffo Entities. There are several Waffo entities that act as controllers of Personal Data for the purposes of this Privacy Policy. The Personal Data controller is the entity that decides how and why Personal Data is Processed and has primary responsibility for complying with applicable data protection law. Depending on your location and interactions with us, the relevant controllers may be any one or a combination of the following Waffo entities:

Waffo.com Limited Email: support@waffo.ai Mailing Address: RM 1903, 19/F LEE GARDEN ONE, 33 HYSAN AVENUE CAUSEWAY BAY, HONG KONG

Contact Information. If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, you may contact the relevant Waffo entity using the methods listed above.

Response. We will respond to privacy-related inquiries within thirty (30) days of receipt, or as otherwise required by applicable law.

Requests. For requests to exercise your privacy rights under Section 8, please include sufficient information to verify your identity and specify the nature of your request.

Your right to Complain. If you are not satisfied with our response to your privacy inquiry, you may have the right to file a complaint with the appropriate regulatory authority in your jurisdiction.

Cookies means small text files placed on your device to store information about your preferences and activities.

Device Information means information about your device, such as hardware model, operating system, and unique identifiers.

Personal Information means any information that can identify, relate to, or be linked to an individual or household.

Privacy Policy means this privacy policy as it may be amended from time to time.

Process, Processing or Processed means any operation performed on Personal Information, whether or not by automated means, including collection, use, storage, disclosure, transfer, or deletion.

Supplier means a party which has appointed Waffo to be its Merchant of Record and reseller of its Products.

Product means the Supplier's software product(s) and/or digital content and any subsequent updates and upgrades thereto agreed to be resold or distributed by us as Merchant of Record.

Merchant of Record means the licensed reseller of software and digital products, being the business carried on by us, whereby we act as the seller of record for transactions, handling payment processing, tax obligations, and customer relationships on behalf of Suppliers.

Sensitive Personal Data means Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, biometric data, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, national identification number, or any other information that is deemed to be sensitive under applicable law.

Third Party means any individual or entity other than you or Waffo.

Tracking Technologies means cookies, web beacons, pixel tags, and similar technologies used to collect information about your use of our Merchant of Record services.

Usage Data means information about how you use our Merchant of Record services, including pages visited, features used, time spent, and interaction patterns.

User or you means any individual who accesses or uses our Merchant of Record services.

Web Beacons means small electronic files that allow us to count page visitors and track email engagement.