STORYCHIEF'S PRIVACY POLICY

Content

1. Definitions
2. Subject
3. Which Personal Data does STORY CHIEF track/process?
4. For what purposes are your Personal Data used?
5. What does STORY CHIEF do with your Personal Data?
6. Processing legitimacy (Opt-in)
7. Your rights
8. Security of your Personal Data
9. Notification of infringements
10. Third-party Processing
11. Amendments
12. Complaints and remarks
13. Applicable law and competent Court

1. Definitions

Personal Data All information about an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by an identifier such as a name, an identification number, location data, an online identifier or by one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

STORY CHIEF is a private limited liability company STORY CHIEF NV, having its registered office at Visserij 43p, 9000 Ghent, Belgium, VAT BE 0644.941.221, RPR Ghent, department Ghent.

Tel: +32 485 08 55 13

E-mail: support@storychief.io

Processing means any operation or set of operations which is performed upon personal data or sets of personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;

2. Subject

This Privacy Policy contains the terms and conditions applicable to the processing of Personal Data that you disclose to STORY CHIEF.



3. Which Personal Data does STORY CHIEF track/process?

The following personal data is tracked/processed:

▪ Identification details (name, address, telephone number, ...);

▪ Electronic identification data (IP addresses, ...);

▪ Banking details.



STORY CHIEF does not process sensitive Personal Data.

4. For what purposes are your Personal Data used?

Your Personal Data will be kept for the following purposes:

▪ Execution or conclusion of (an) agreement(s);

▪ Relationship management (customers (CRM) and/or suppliers);

▪ Direct Marketing.



5. What does STORY CHIEF do with your Personal Data?

STORY CHIEF is concerned about the protection of your privacy and personal data.

It has therefore already taken all the initiatives it deems necessary to comply with the current privacy legislation, in particular the Act of 8 December 1992 on the protection of privacy with regard to the processing of Personal Data (hereinafter referred to as the "Privacy Act"), its implementing decrees, the amendments thereto and as recently updated and still to be amended pursuant to the General Data Protection Regulation (hereinafter referred to as the "GDPR").

STORY CHIEF undertakes to comply with this legal framework and, where necessary, to take additional measures and implement adjustments as a result of the update.

The Personal Data requested by STORY CHIEF are therefore always limited to the data that we consider necessary and sufficient for the correct performance of our services.

We strive to ensure that the Personal Data processed by us are correct and are updated in the event of any change.

Your Personal Data is always kept for a specific period of time, in function of our services and/or the legal requirements with which STORY CHIEF must comply (e.g. accounting obligations).

Finally, we guarantee adequate protection (including encryption) against unauthorized or unlawful processing and against accidental loss, destruction or damage of your Personal Data, depending on the state of the art and the sensitivity of the Personal Data concerned.



6. Processing legitimacy (Opt-in)

6.1. STORY CHIEF will only process your Personal Data if (i) you give your permission to do so in relation to one or more of the specific purposes mentioned above, (ii) the processing of your Personal Data is necessary for the performance of the services you request from STORY CHIEF (processing in the context of the performance of a contract), or (iii) STORY CHIEF can invoke a legitimate interest to this end, provided that your interests or fundamental rights and freedoms do not weigh more heavily.

For direct marketing purposes, STORY CHIEF will always request your explicit consent for the use of your Personal Data. Notwithstanding your consent, you have the right at any time to object to the processing of your Personal Data for direct marketing purposes.

6.2. If you change your mind after your opt-in, you can withdraw your consent to the further processing of your Personal Data at any time by contacting us at support@storychief.io or by sending your request to the following address:

STORY CHIEF NV

Visserij 43p

9000 Ghent

7. Your rights

7.1. General

STORY CHIEF strives for transparency with regard to the processing of your Personal Data. When STORY CHIEF processes your Personal Data, you may request us to be informed thereof in a concise and comprehensible manner.

Where applicable, you have the right to request STORY CHIEF to inspect, rectify or delete your Personal Data, or to restrict the processing you are involved in. You can also object to the processing of your Personal Data and you have a right to a data transfer.

7.2. Right of access

When we process your Personal Data, you have the right to inspect this data and you can also request the following information from us:

▪ the processing purposes;

▪ the categories of Personal Data concerned;

▪ the recipients or categories of recipients to whom the Personal Data have been or will be disclosed, in particular recipients in third countries or international organisations;

▪ if possible, the period for which it is expected that the Personal Data will be stored or, if that is not possible, the criteria for determining that period;

▪ where we do not obtain your Personal Data directly from you, the information available on the source of your Personal Data;



If you request more than one copy, we reserve the right to charge an administrative fee for this.



7.3. Right of amendments

If you find that the Personal Data processed by us is incorrect or incomplete, you can ask us to make the necessary amendments or additions.

7.4. Right to be forgotten

You have the right to require STORY CHIEF to delete the Personal Data that we process from you, but only in one of the following cases:

▪ Your Personal Data is no longer necessary for the purposes for which it has been collected or otherwise processed by STORY CHIEF;

▪ You withdraw your consent to the processing of your Personal Data and there is no other legal basis for STORY CHIEF to further process your Personal Data;

▪ You may object to the processing of your Personal Data on account of a specific situation relating to you, unless STORY CHIEF provides compelling, legitimate grounds for the processing that outweigh your interests, rights and freedoms or that are connected with the institution, exercise or substantiation of a legal claim;

▪ Your Personal Data has been unlawfully processed;

▪ Your personal data must be deleted in order to comply with a legal obligation that rests on STORY CHIEF.



7.5. Right to limitation of Processing

In certain cases, you may request STORY CHIEF to limit the processing of your Personal Data, in particular:

▪ If you dispute the correctness of your Personal Data, for a period that allows STORY CHIEF to verify the correctness of your Personal Data;

▪ The processing would be unlawful, but you do not want your Personal Data to be deleted;

▪ STORY CHIEF no longer needs your Personal Data for processing purposes, but you need it yourself to set up, exercise or substantiate a legal claim;

▪ You may object to the processing of your Personal Data on account of a specific situation relating to you, awaiting an answer to the question whether the justifiable grounds of STORY CHIEF outweigh your interests, rights and freedoms or relating to the institution, exercise or substantiation of a claim.



Any limitation of your Personal Data will result in it being marked by STORY CHIEF for the purpose of limiting its processing in the future.

7.6. Right to transferability of your Personal Data

In certain cases, you have the right to obtain the Personal Data relating to you that you have provided to STORY CHIEF in a structured, common and machine-readable form, and you have the right to transfer that data to another data processor. The cases in question are as follows:

1. The processing of Personal Data is based on your consent or is necessary for the performance of the contract;

AND

2. Processing shall be carried out by means of automated processes.

Both of the above conditions must be met. If this is not the case, you do not have a right to transferability.

Finally, the right to transferability should not affect the rights and freedoms of others (e.g. if the data concern more than one data subject). STORY CHIEF reserves the right to refuse the transferability if it believes that the rights and freedoms of others are being harmed.

8. Security of your Personal Data

8.1. Taking into account the state of the art, the implementation costs, as well as the nature, scope, context, processing purposes and the various risks to your rights and freedoms, which vary in terms of probability and seriousness, STORY CHIEF shall ensure that it has taken - and shall update from time to time - the necessary security measures to ensure a level of security appropriate to the risk.

Where relevant, the measures taken by STORY CHIEF may include the following:

▪ the pseudonymisation and encryption of your personal data;

▪ the ability to ensure the confidentiality, integrity and availability of its processing systems and services on an ongoing basis;

▪ the possibility, in the event of an incident, of restoring the availability of, and access to, the Personal Data in a timely manner;

▪ the establishment of a procedure for periodical testing, assessing and evaluating the effectiveness of technical and organisational measures to safeguard processing.

8.2. STORY CHIEF's products and services run on worldclass infrastructure hosted at Amazon data centers running on Amazon Web Service (AWS) technology. STORY CHIEF's data centers are located in Ireland and data never leaves Europe. Amazon data centers provide physical security 24/7, stateoftheart fire suppression, redundant utilities and biometric devices to ensure that our customers' data is safe and secure. Amazon continually reviews and refines their procedures to comply with the latest security standards. STORY CHIEF's data and services are housed in the same physically secure AWS facilities as Netflix, Expedia, AirBnB and Yelp. Amazon maintains security certifications with:

SOC 1 / ISAE 3402

SOC 2

SOC 3

FISMA, DIACAP, and FedRAMP

CSM Levels 15

PCI DSS Level 1

ISO 9001 / ISO 27001

8.3. STORY CHIEF guarantees that it has also taken adequate measures to ensure that any natural person acting under its authority or under the authority of the processor and, in the performance of his/her duties or instructions for STORY CHIEF or the processor, gains access to your Personal Data, only processes it on the instructions of STORY CHIEF, unless he/she is obliged to do so by law.

9. Notification of infringements

9.1. STORY CHIEF is required by law to report any breach of your Personal Data to the supervisory authority without unreasonable delay and, if possible, no later than 72 hours after it becomes aware of it.

For Belgium, this regulatory authority is the Data Protection Authority (hereinafter referred to as the "DPA"), having its registered office at 1000 Brussels, rue de la presse 35 (Tel: +32 (0)2 274.48.00; Fax: +32 (0)2/274.48.35; email: contact@apd-gba.be). The DPA is an independent body that oversees the protection of privacy in the processing of Personal Data.

9.2. Where appropriate, and where the breach is likely to pose a high risk to your rights and freedoms, STORY CHIEF undertakes to report the breach of your Personal Data to you as well, unless one of the following conditions is met:

▪ STORY CHIEF has taken appropriate technical and organizational protection measures to make your Personal Data incomprehensible to unauthorized persons (encryption, pseudonymization, etc.) and these measures have been applied to your Personal Data to which the breach relates;

▪ Following the ascertainment of the infringement, STORY CHIEF has taken the necessary measures to ensure that the infringement is no longer likely to pose a high risk to your rights and freedoms;

▪ the communication would require a disproportionate effort. In that case, STORY CHIEF will instead make a public announcement or take a similar measure on the basis of which you will be informed equally effective.

10. Third-party Processing

10.1. For certain processing activities STORY CHIEF depends on the services of third parties for the correct performance of its services. In this respect, STORY CHIEF guarantees that it has concluded an agreement with its direct subcontractors for the processing of Personal Data (hereinafter referred to as the "Processor Agreement"), and has obtained at least a written guarantee from this third party that they will at all times act in accordance with the applicable privacy legislation, in particular the Privacy Act and the GDPR.

By means of a Processing Agreement, these third parties undertake, when processing your Personal Data in the context of an assignment outsourced to them by STORY CHIEF, to act in full compliance with the applicable privacy legislation, in particular the Privacy Act and the GDPR.

10.2. STORY CHIEF may rely on certain third party service providers who have their own privacy policies regarding the information it needs to provide to them for your purchase related transactions, such as payment gateways and other payment transaction processors.

Where appropriate, we encourage you to review the privacy policies of these service providers so that you understand how your Personal Data is handled by these providers.

Please note in particular that certain providers may be located in a jurisdiction other than Belgium or the European Union or may have facilities there. When you choose to proceed with a transaction involving the services of an external service provider, your information may be subject to the laws of the jurisdiction or jurisdictions in which that service provider or its facilities are located.

11. Amendments

STORY CHIEF reserves the right to change this Privacy Policy without prior individual notice. Therefore, please check this policy regularly.

12. Complaints and remarks

12.1. If you have a complaint or remark about this Privacy Policy or the processing of your Personal Data by STORY CHIEF, or if you notice a breach of the processing of your Personal Data, please contact STORY CHIEF in first instance.

This can be done by sending an e-mail to support@storychief.io or by sending your complaint to the following address:

STORY CHIEF NV

Visserij 43p

9000 Ghent

STORY CHIEF undertakes to deal with your complaint as a matter of urgency, but reserves the sovereign right to decide whether it is well-founded.

12.2. If you wish, you can also address your complaint to the DPA (Tel: +32 (0)2 274.48.00; Fax: +32 (0)2/274.48.35; email: contact@apd-gba.be).

13. Applicable law and competent Court

13.1. Applicable law

This Privacy Policy is subject to Belgian law.

13.2. Competent Court

The courts of the judicial district of Ghent, Ghent department, shall have exclusive jurisdiction over any dispute ensuing from this Agreement between the parties.