Quidkey - Website Privacy Notice

Bnqz Inc. and its affiliates (collectively, “Quidkey”, the “Company” or “we”, “us”, “our”) is committed to maintaining the security, confidentiality and integrity of the personal data in our control and complying with applicable data protection laws, including the EU and the UK General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act of 2018 (“CCPA”).

This Privacy Policy (“Policy”) explains how information about you is collected, stored, processed, and used by us in connection with your use of our Website provided directly from your accessing, using and filling out of the Beta registration (collectively, the “Website”). The Website is not directed to users under the age of 18. We do not knowingly collect information or data from children under the age of 18 or knowingly allow minors under the age of 18 to use the Service. By using any aspect of the Website, you warrant that you are 18 years of age or older, have read and have the legal capacity to understand this Policy.

This Policy may be amended from time to time. If the revised version requires notice in accordance with applicable law, we will provide you with a 30-day prior notice by posting notice of the change or revised Policy on the Privacy Policy page of our Website. If you are a new Website user or are receiving this Policy for the first time and there is an upcoming change described on the Privacy Policy page at the time you receive this Policy, such upcoming change will apply to you on the indicated effective date.

Contact us

Quidkey has a dedicated team focused on data protection issues. If you have any questions, comments or concerns regarding this Policy or our processing of your personal information, please contact us at privacy@quidkey.com.

We collect the personal information from several sources:

• Through your interactions with and use of the Website, including both information you provide to us and information we derive from such usage;
• When provided to us through our email, online contact form or registration forms;
• Through the device you use to access our Website, including through third party cookies and analytics tools, such as Google Analytics.

You are not legally obligated to provide us with your personal information, but if you do not, we will not be able to handle or respond to your inquiry, or to provide our Website functionalities.

We will retain your information for as long as needed to provide you with our Website and/or as necessary to comply with our contractual and legal obligations, resolve disputes, and enforce our agreements.

We will retain your information for as long as needed for the purposes identified in this Policy, including to operate the Website, to comply with our legal obligations, resolve disputes, establish and defend legal claims, enforce our agreements and protect against fraudulent activity. The specific retention periods depend on the nature of the information and why it is collected and processed and the nature of the legal requirement.

We will retain your personal data for the longest of the following periods:

• Seven years from the collection of the personal data;
• Any statute of limitations applicable thereto;
• Any applicable legal retention periods; and
• Any ongoing or otherwise not yet final judicial or administrative proceedings.

Subsequent to the applicable retention period, we will either delete, anonymize or otherwise store your personal data in a way that would no longer allow for your direct identification or in an archived format. We implement measures to secure your information.

We implement measures to reduce the risks of damage, loss of information and unauthorized access or use of information, such as customary SOC 2 standards, Strong Customer Authentication (SCA) standards, as applicable, encryption and HTTPS. However, these measures do not provide absolute information security. Therefore, although efforts are made to secure your personal information, there is no guarantee that it will be immune from information security risks.

For privacy requests, you can email us directly at privacy@quidkey.com. Once we receive your request, we will verify it by requesting that you confirm certain personal information. You may also be entitled to submit a request through an authorized agent.

To the extent we are acting on behalf of a third party, you can exercise these rights directly with such third party. As the case may be, we will indicate such third party when you replay to your inquiry.

We will not discriminate against you if you exercise these privacy rights, or deny, charge different prices for, or provide a different quality of our Website if you choose to exercise these rights.

Do Not Track (DNT)

This is a privacy preference that users can set in some web browsers, allowing users to opt out of tracking by websites and online services. At the present time, the World Wide Web Consortium, or W3C, has not yet established universal standards for recognizable DNT signals, and therefore Quidkey and the Website do not recognize DNT.

The Website is not directed to children under 18 (or other age as required by local law), and, except for limited circumstances set forth below, we do not knowingly collect personal information from children. If you learn that your child has provided us with personal information without your consent, you may contact us as set forth herein. If we learn that we have collected a child's personal information in violation of applicable law, we will promptly take steps to delete such information or, if appropriate and possible, seek written consent from such child's guardian.

The following sections apply when the processing of your personal data is subject to the data protection framework of the UK (UK GDPR), the EEA (EU GDPR) and/or Switzerland (FADP).

Controller

If you are a merchant, partner, website visitor or other individual that Quidkey has a direct relationship with and you are located in the EU or UK, Bnqz, Inc. is the controller of your personal data. If you provide your information to a merchant that utilizes the Website, the merchant is your data controller and we are acting as a processor on their behalf.

International data transfers

Personal Data we collect is stored on infrastructure provided by Google Cloud Platform (GCP), which may be located within the United States, the United Kingdom (UK), the European Union (EU) or Australia (“Storage Locations”).

To facilitate processing your information through the Website and by our service providers, it may be necessary to collect, process and transfer your information across borders to Storage Locations in countries as applicable by each jurisdiction. Some of these jurisdictions do not offer a level of data protection deemed “adequate” by EU, UK and Swiss standards. Consequently, when applicable, we do so under the terms of a data transfer agreement which contains standard data protection contract clauses with adequate safeguards determined by the EU Commission and UK Information Commissioner's Office, including implementing the EU Commission's Standard Contractual Clauses and Standard Contractual Clauses adopted pursuant to or permitted under Article 46 of the UK GDPR. You may request a copy of such data transfer mechanism, expunged of any elements not relevant to data protection aspects, by contacting privacy@quidkey.com.

Data subject rights

You have the following rights under such framework:

1. Right to Access and receive a copy of your personal information that we process.
2. Right to Rectify inaccurate personal information we have concerning you and to have incomplete personal information completed.
3. Right to easily, freely and at any time withdraw your consent when such consent is the legal basis for the processing of your personal data. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
4. Right to opt-out of the sharing of your personal information for marketing purposes.
5. Right to Data Portability, that is, to receive the personal information that you provided to us, in a structured, commonly used, and machine-readable format, which has been processed (i) under the consent or necessity for the performance of a contract legal basis and (ii) by electronic means. You have the right to transmit this data to another person or entity. Where technically feasible, you have the right to have your personal information transmitted directly from us to the person or entity you designate.
6. Right to Object to our processing of your personal information based on our legitimate interest. However, we may override the objection if we demonstrate compelling legitimate grounds, or if we need to process such personal information for the establishment, exercise, or defense of legal claims.
7. Right to Obtain Human Intervention, to express your point of view and contest to a decision which was made as a result of the profiling of your information.
8. Right to Restrict us from processing your personal information (except for storing it): (a) if you contest the accuracy of the personal information (in which case the restriction applies only for a period enabling us to determine the accuracy of the personal information); (b) if the processing is unlawful and you prefer to restrict the processing of the personal information rather than requiring the deletion of such data by us; (c) if we no longer need the personal information for the purposes outlined in this Policy, but you require the personal information to establish, exercise or defend legal claims; or (d) if you object to our processing based on our legitimate interest (in which case the restriction applies only for the period enabling us to determine whether our legitimate grounds for processing override yours).
9. Right to be Forgotten. Under certain circumstances, such as when you object to our processing of your personal information based on our legitimate interest and there are no overriding legitimate grounds for the processing, you have the right to ask us to erase your personal information. However, notwithstanding such request, we may still process your personal information if it is necessary to comply with our legal obligations, or for the establishment, exercise, or defense of legal claims.

You also have the right to not be subject to a decision exclusively based on automated decision making.

In certain jurisdictions, such as France, you may also provide us with directive on how your personal data may be used post-mortem.

If you wish to exercise any of these rights, please contact us through the channels listed in this Policy.

We do not charge a fee to give you access to your Personal Data or to exercise any of the other rights described above. We may, however, charge a reasonable fee if your request for access is clearly unfounded or excessive or we may refuse to comply with the request.

If you are in the EEA or UK, or otherwise granted rights under the EU GDPR or UK GDPR, you may contact our representative under Art. 27 GDPR at the following email address: QuidKey.GDPR.REPRESENTATIVE@klgates.com

When you contact us, we reserve the right to ask for reasonable evidence to verify your identity before we provide you with information. Where we are not able to provide you with information that you have asked for, we will explain the reason.

While we would appreciate you contacting us to resolve any issue you may have relating to the processing of your personal data by us, you have the right to lodge a complaint with your local data protection authority.

• If you are in the EU, then according to Article 77 of the GDPR, you can lodge a complaint to the supervisory authority, in the Member State of your residence, place of work or place of alleged infringement of the GDPR. For a list of supervisory authorities in the EU, see the EDPB list of supervisory authorities.
• If you are in the UK, you can lodge a complaint to the Information Commissioner's Office (ICO) pursuant to the ICO complaint instructions.
• If you are in Switzerland, you can lodge a complaint to the Federal Data Protection and Information Commissioner (FDPIC) pursuant to the FDPIC complaint instructions.

The following Section applies to individuals residing in certain U.S. states, including, but not limited to, California, Colorado, Connecticut, Utah, Virginia and Nevada, and supplements the information contained in this Policy.

In addition to the rights provided in the Policy above, the California Consumer Privacy Act of 2018 (“CCPA”) and other U.S. state based privacy laws, specifically the Colorado Privacy Act, the Connecticut Act Concerning Personal Data Privacy and Online Monitoring, the Utah Consumer Privacy Act, Nevada Revised Statutes Chapter 603A and the Virginia Consumer Data Protection Act (collectively with the CCPA, the “US State Privacy Laws”) provides certain U.S. residents with specific rights regarding their personal information, subject to limited exceptions. Under the US State Privacy Laws, “personal information” includes information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. We may also collect personal information that may be covered by other laws, rules and regulations, including but not limited to the Gramm-Leach-Bliley Act and its related implementing regulations, and, therefore, such personal information may be exempt from the provisions of US State Privacy Laws.

Although some categories of data collected by us may be exempt from the CCPA or other US State Privacy Laws, for purposes of US State Privacy Laws, we do not “sell” your personal information to third parties for direct marketing purposes. The full list of categories of personal information we collect and why can be found above under “What We Collect and Why”.

Your Rights and Choices

Subject to certain restrictions and depending on where you live, you may have some or all of the following rights to access, correct and/or delete the personal information that we collect about you. You may also have the right to designate an agent to exercise these rights on your behalf, subject to verification of that agency relationship, which may require our collecting of additional information, such as a government issued ID, to verify your identity before processing your request to protect your information. This section describes how to exercise those rights and our process for handling those requests, including our means of verifying your identity. If you would like further information regarding your legal rights under applicable law or would like to exercise any of them, please contact us at privacy@quidkey.com.

• Right to request access to your personal information: You may have the right to request that we disclose to you the personal information we collect, use, or disclose about you, and information about our data practices.
• Right to request deletion of your personal information. You may have the right to request that we delete personal information that we have collected about you. However, as described herein under “Data retention and security”, we may retain certain personal information as authorized under applicable law, such as personal information required as necessary to provide our services, comply with applicable law and/or our contractual obligations, protect our business and systems from fraudulent activity and to debug and identify errors that impair existing functionality.
• Sales of personal information: You may opt out of the sale of your personal information. We do not "sell" your personal information as we understand that term to be defined by US State Privacy Laws and their respective implementing regulations.
• Non-discrimination rights: You may have the right to not be discriminated against for exercising their rights as described in this section. We will not discriminate against you for exercising your rights described herein.