JuicyScore Privacy Policy

PRIVACY POLICY

1. TERMS AND DEFINITIONS

Terms not defined in this Privacy Policy shall be interpreted and used in accordance with the Applicable Law.

Agreement – means a confidentiality agreement and/or relevant agreement for purchasing the Service (license agreement or services contract) that has been agreed upon and signed by authorised representatives of both parties.

Applicable Law – means legislation applicable in jurisdictions where the Company has been legally incorporated and operates, either (i) for JCSC GLOBAL DIGITAL RISK MANAGEMENT SOLUTIONS LLC - Dubai and UAE legislation, or (ii) for JUICYSCORE HOLDING PTE LTD – Singapore legislation.

Authentication – means the process aimed at probabilistically determining a print (digital identifier or fingerprint) of the Virtual User’s Device and/or Virtual User through data analysis and comparison of data on the Virtual User’s Device with a diverse set of attributes and signs. This process is carried out without using Direct Identifiers and without Identification of the Virtual User.

Back-End Libraries – means software packages that developers use for working with server-side components of web applications.

Bonjour Protocol – means a protocol for automatically discovering services on a local network.

Company (We, Our) – means either (i) JCSC GLOBAL DIGITAL RISK MANAGEMENT SOLUTIONS L.L.C., a legal entity registered in accordance with the legislation of the UAE, license number 1072565, or (ii) JUICYSCORE HOLDING PTE. LTD., a legal entity registered in accordance with the legislation of Singapore, UEN 202128709Z.

Contact Form or Book a demo – means a form on the Website designed for sending contact details and messages to the Company for further interactions.

Cookie – means a file that usually consists of letters and numbers, located on the Device and/or transmitted from a server and loaded into the browser’s memory at the moment of submitting and/or processing the website content. Cookie files allow the website to identify the device of the site visitor.

Customer (or Licensee)– means a legal entity purchaser of the Company's Service who has entered into the relevant Agreement with the Company.

Data Subject – means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Device – means a mobile or stationary device capable of connecting to the Internet, used by the Virtual User when accessing the Web Resource.

Device Fingerprinting – means a technology based on unique combinations of attributes. The attributes include equipment specifications, software configuration, operating system data, browser settings, and other features, such as screen resolution, plugins, and installed fonts.

Device_ID – means an anonymous identifier composed of numbers and letters. The identifier does not contain any personal information (name, email, address, etc.). It can be accessed by any application installed on the device. Unlike a device's serial number (e.g., IMEI), which is assigned by the manufacturer, the Device ID is generated by software and may change after a factory reset or application reinstallation.

Direct Identifier – means unique data attribute associated with an individual and enabling a precise match between the attribute and that individual.

Do Not Track – means an HTTP header that indicates whether a Virtual User requests that websites or mobile applications refrain from tracking or monitoring their actions.

Front-End Libraries – means collections of functions, sub-programs, and objects specific to a certain programming language, which are used in front-end development.

Identification – means the processing of a Personal Data for identifying attributes which, taken separately and/or collectively, enable unique identification of an individual.

IndexedDB – means a data storage mechanism works on the Virtual User's end only, which allows significant amounts of structured data to be stored, even when the web browser is closed or the system encounters a failure.

Information (User Data) – means details of Virtual Users collected through software modules of the Service in the form of a Modified Value, which do not include any Personal Data or Direct Identifiers.

JavaScript – means a software based on the relevant programming language embedded in the Service for collecting the Information via the Web Resource.

JuicySession – means a unique identifier of an Internet-session (which is not a Direct Identifier), registered on a Web Resource that is generated on the Company’s servers, is practically an enhanced token and does not contain Personal Data.

KeyChain – means a dedicated encrypted database for storing data (logins, passwords, authentication tokens, cryptographic keys, and other confidential data) in macOS and iOS operating systems.

Modified Value – means a value altered on the Device by adding a dynamic variable alphanumeric character set and hashing; all alterations are performed before value processing by the Company’s software.

Natural Definiteness – means a non-zero probability of randomly guessing an individual's identity.

Non-Recoverable Value – means a value derived from the irreversible deletion of part of the initial information, followed by hashing the remaining portion before analytical processing to prevent recovery of the initial value.

Personal Account – means a functionality within the secured part of the Services that is created for the Customer by the Company and allows for receiving various technical information, statistics, and monitoring of request processing.

Personal Data – means any information relating to an identified or identifiable individual (Data Subject).

Personal Data Processing - means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.

SDK – in this Privacy Policy means software based on the relevant programming language that is included in the Service for Information collection from iOS and Android-family Devices via the native mobile application of a Customer, as well as via the mobile application JS App — Device Risk Analytics.

Service – means the combined elements of the infrastructure, server hardware, and software used by the Company to estimate the risk of fraud or other operational risks arising from the formalized actions of a Customer’s Virtual User based on Information that does not allow for the identification of the Virtual User directly or indirectly.

UserAgent – means a line in an HTTP request header that identifies the browsers, applications, or operating systems connecting to the server. It may include the name and version of the client application, the operating system version, device model, and language.

Virtual User – means a user of the Web Resource of the Customer whose Information is collected on the Web Resource.

Web Resource – means a website, mobile application, or any other resource of the Customer, which the Virtual User can access via the Internet.

Web Session – means a period of the Virtual User’s interaction with the Web Resource, during which the Web Resource can “remember” certain information on the Virtual User. A session begins when the Virtual User accesses the Web Resource and ends when the Virtual User leaves the Web Resource or remains idle for an extended period.

Website – means the Company’s website accessible on the Internet. The Website is used for posting data on the Company's products and services for information and other purposes

Zero Configuration Networking Protocol – means a collection of technologies that enable automatic IP networking without requiring configuration or special servers. This protocol allows devices to automatically set up and discover each other on a network without manual intervention or a central server.

2. GENERAL PROVISIONS

Privacy Policy describes how Company interacts with the Information received during the operation of the Service, the terms of use of such Information, the technologies used by the Company, as well as the processing conditions and security measures related to the protection of Personal Data (for more information about Personal Data, see PRIVACY NOTICE.

2.1. Please note that the Services are provided under the terms of separate Agreements.

2.2. As part of the operation of the Service only the Information specified in Section 4 is collected and processed, no Personal Data is collected or processed by the Service.

2.3. The Company implements all necessary legal, organizational, and technical measures to protect the collected Information from unauthorized, illegal, or accidental access, destruction, modification, blocking, duplication, sharing, dissemination, and other unlawful actions concerning the Information.

2.4. Privacy Policy applies to the use of the Service, released within the last six (6) months for front-end libraries / data collection and testing libraries, and thirty-six (36) months for Back-End / Scoring Libraries. The Company continuously informs the Customer about necessary updates. The Company provides all required materials and assistance, including automatic update mechanisms for Front-End Libraries.

2.5. The Privacy Policy may be updated by the Company at any time, at its sole discretion, including, but not limited to, in cases where the relevant changes are related to changes in Applicable Law, as well as changes in the operation of the Service.

2.6. New versions of the Privacy Policy are published on the Website and take effect immediately upon publication unless otherwise specified in the Agreement. You can review the current version at any time on the Website: https://juicyscore.ai/en/policies/juicyscore-privacy-policy. We kindly ask you to look through all updates to the Privacy Policy on a regular basis.

2.7. This Privacy Policy will be effective from 1st October 2025.

3. CONDITIONS AND PRINCIPLES OF INFORMATION COLLECTION AND PROCESSING

3.1. The Company collects and processes Information through Web Resources in the form of Modified Values of the Virtual User's Device, only if there is an Agreement with the Customer.

3.2. The SERVICE is provided through an online channel on the Internet, as well as on the principle of "online-offline" (mobile application — JS App — Device Risk Analytics).

3.3. The processing of the Information complies with the security principles for online operation of the Virtual User and Apple and Google standards for mobile application development.

3.4. Information is used by the Company to provide services to Customers in order to:

• assessing the risk of fraud or any other operational risks;
• reduce financial, reputational or any other losses for the Customer and/or the Customer's clients, to whom the Customer provides services through an online channel on the Internet.

3.5. The list of Information collected by the Service provided in Section 4 is open, available for download. It contains device, software, and network connection parameters that are not prohibited by software configurations and settings.

3.6. The operation of the Service does not involve the processing of Personal Data (such as the full name of an individual, full registration address, full mobile or landline phone numbers, email address, identity card or other personal documents, as well as confidential data such as disposable income, expenses, religion, etc.). Personal Data are not required for the operation of the Service, are not requested by the Company and should not be provided by the Customer in accordance with the Agreement.

3.7. The Company does not collect or process Information that violates the fundamental rights and freedoms of Virtual Users.

3.8. The Company does not process the Information for the purpose of Identification of the Virtual Users and has no intention of doing so in the future for minimizing the risk of infringing the rights and freedoms of the Virtual Users while enhancing the value of the Information processing as an alternative to processing the Personal Data.

3.9. In this Privacy Policy there are the definitions of the “Information” and the “Personal Data”. Information within the meaning of a certain Privacy Policy does not contain Personal Data, however, in various legal jurisdictions, the types of Information listed in Section 4 may be classified as Personal Data. According to the opinion of the Company’s legal advisers, upon the introduction of relevant regulatory framework and legal precedents, any dataset may be recognized as Personal Data by decision of a court with or without performing the necessary technological expertise (for example, any HTTP/HTTPS request header without any changes made by a user and without additional data enrichment may be interpreted as Personal Data). Therefore, the Company strongly recommends that Customers check the Information collected for compliance with the requirements of the legislation on personal data of the Customer's jurisdiction.

3.10. If, in accordance with the requirements of the legislation of the Customer's jurisdiction and/or the classification of data and/or related risks adopted by the Customer, any or/and all Information received is classified as Personal Data, then the Customer must verify the availability of all necessary consents of Data Subjects, data processing security and compliance with other mandatory requirements (technical details on cloud data processing are provided upon request).

3.11. If the classification of Information accepted by the Customer classifies the Information collected by the Service as Personal Data, the Customer may, at his discretion, disable any of the types of Information specified in Section 4.

4. TYPES OF INFORMATION COLLECTED AND PROCESSED BY THE SERVICE

4.1. As part of the Company’s operation and functionality of the Service, in order to assess the risk of fraud or other operational risks that may lead to financial, reputational or other losses of the Customer, the following Information is collected and processed through JavaScript (for web applications, in some cases - for mobile applications), SDK (for native mobile applications) (Information is collected as part of the Services provided by the Customer to the Virtual Users via online Internet channel, subject to specific features of online to offline solutions (JS App – Device Risk Analytics and mobile SDK JuicyScore mobile application):

4.1.1. General data related to the Customer and their network resources (JavaScript and SDK);

4.1.2. Statistics on Virtual User activity on the Web Resource (e. g., time spent on the Web Resource, number of corrections made while completing forms on the Web Resource) (JavaScript and SDK);

4.1.3. Conditions and circumstances of formalised actions taken on the Customer’s Web Resource (JavaScript and SDK);

4.1.4. Data on the technical specifications of the Device (e. g., Device make and model, screen size, memory capacity, etc.) (JavaScript and SDK);

4.1.5. Data on the Device's basic software (e. g., type and version of the operating system, type and version of the browser) (JavaScript and SDK);

4.1.6. Data on the Internet connection used by the Device when accessing the Web Resource (e. g., category of IP address, Internet bandwidth) (JavaScript and SDK);

4.1.7. UserAgent data and other fields from the web session header (JavaScript and SDK);

4.1.8. Statistics on history length and URL, previous page where JavaScript is installed on the Device (JavaScript and SDK);

4.1.9. Statistics on categories of mobile Device applications (via SDK only);

4.1.10. Information about applications installed on the mobile Device (name, application ID, application ID in the application store, category, version, developer signature, installation date, application update date, permissions). This information is used by the Company only to identify dangerous applications on the mobile Device and is not used for fingerprinting of mobile Devices (via SDK only);

4.1.11. Extended information about connected screens (via SDK only);

4.1.12. Data associated with the geographic location of the Virtual User, approximated to one thousand (1,000) meters (via SDK only);

4.1.13. Modified МАС address of a Wi-Fi router (collection and processing of the parameter are disabled by default) (The collection and processing of this parameter may be enabled at the discretion of the Customer as part of the execution of the Agreements, if the collection and processing does not violate the rights and freedoms of the Virtual User, as well as if the processing of this parameter is not recognized as processing of Personal Data according to the laws of the Customer's jurisdiction.) (JavaScript and SDK);

4.1.14. Data entry rhythm (collection and processing of the parameter are disabled by default) (The parameter can be enabled at the discretion of the Customer, taking into account the purposes of processing such data, if the data is necessary for the operation of the Web Resource, and the processing of this parameter does not violate the rights and freedoms of the Virtual User, as well as if the processing of this parameter is not recognized as processing of Personal Data according to the legislation of the Customer's jurisdiction.) (JavaScript and SDK);

4.1.15. Data on alternative technologies (e. g. IndexedD) (If a Customer needs to exclude this functionality, a Customer shall follow the instructions given in the Company’s technical documentation.) (JavaScript and SDK);

4.1.16. Modified Value of Device_ID (via SDK only);

4.1.17. Statistical and binary parameters of parallel activity on the Device during an online session (JavaScript and SDK);

4.1.18. Application identifier and a selective list of installed applications (via SDK only);

4.1.19. Information on the Device memory, with preliminary data approximation (via SDK only);

4.1.20. Information on SIM card (excluding the mobile number and SIM card serial number) (via SDK only);

4.1.21. Host name (via SDK only);

4.1.22. Information on the Wi-Fi connection (via SDK only);

4.1.23. Information on the Internet connection (via SDK only);

4.1.24. Information on Bluetooth (By default, only data indicating whether Bluetooth is enabled or disabled will be collected; collection of other data is disabled), subject to permission only and in the form of hashed values (via SDK only);

4.1.25. Information on the battery (via SDK only);

4.1.26. Information on the mobile service provider (via SDK only);

4.1.27. Information on the amount of transmitted data (via SDK only);

4.1.28. The modified portion of the Bonjour protocol configuration data (Zero Configuration Networking protocol – “zero configuration networking”) (via SDK only);

4.1.29. Information on the use of KeyChain (via SDK only).

5. RECEIPT AND USE OF INFORMATION BY THE CUSTOMER

5.1. Customers' access to Information is carried out only through a request through secure communication channels using an account issued for a Customer by the Company based on an Agreement.

5.2. Information is transferred exclusively by submitting a request from the Customer’s infrastructure to the Company’s infrastructure, following the specified technical interaction format.

5.3. A response to the request is given in the form of a response from the API Service to the extent and on the terms of the Agreement.

5.4. The response format includes, but is not limited to, the Information collected from the Customer’s Web Resources and statistics regarding the Virtual User's visits to the Customer’s Web Resources. This process does not involve explicit transmission of input data.

5.5. The Company does not provide for and prohibits any transfer of data to the Customer outside the framework established by Agreements.

5.6. If the Company detects any Information, processing of which involves individual and/or collective infringement of the Virtual Users’ rights and freedoms and/or constitutes the Personal Data processing under the Applicable Law, the processing of the Information shall be ceased, and the relevant Information shall be destroyed.

5.7. The Customer shall be solely liable for any use or non-use of the Information transferred under the Agreements, and the Company shall not be liable for any of these processes.

5.8. The Information shall not be used for active targeted marketing or customer acquisition aimed at promoting services and products of the Customer. The use of the Service deliverables in violation of the restrictions is inadmissible and prohibited.

5.9. The Company does not process the Information that allows the Virtual User to be identified.

5.10. If the Customer perceives a risk associated with any specific Information / parameters collected during the operation of the Service and cannot disable the collection / processing of such parameters, the Customer shall submit a request to the Company's Customer Service to set up the appropriate options (the Company will seek to accommodate such requests under the Agreements).

5.11. If the Customer independently conducts a technical evaluation of the risks associated with processing certain types of parameters (data types), it is important to note that the more verifications are conducted, the more validated the evaluation will be.

5.12. If the Customer identifies a risk that is many-fold higher than the existing level of the Natural Definiteness as a result of one of such verifications, it is necessary to immediately provide the Company with a reproducible approach demonstrating that risk, and the Company will take prompt measures to eliminate the risk upon confirmation.

5.13. Please pay careful attention to how the Information is used in terms of sensitivity or potential classification of these parameters as Personal Data:

• base data regarding Internet connections is consistently present across all sessions for all companies operating in the online environment as an integral part of any Internet connection;
• modified МАС address of the Device – data collection is no longer performed (this was previously done via SDK only). This parameter is absent for all integrations using the SDK version released by the Company after September 2023. For the SDK versions released prior to late September 2023, the collection and processing of this parameter is disabled by default, the Company no longer supports these SDK versions. It is recommended that the Customers update their integrations to more recent versions. The processing of this parameter cannot be enabled at the discretion of the Customer;
• alternative technologies in the form of IndexedDB, despite the fact that sections Document.Cookie, LocalStorage, and SessionStorage incompletely coincide with Cookie, data from IndexedDB is NOT accessible to third parties and normally does not have a clear bijection between the file(s) name and the web session value. The IndexedDB value is taken from the value of one of online web sessions for hedging the risk of inadvertently capturing unauthorised data (for hedging the risk of occurrence of values other than a random set of numbers, letters, characters, and time of the online session creation) in the IndexedDB value. This type of data may be considered as Cookie in a range of jurisdictions.

5.14. If the processing of the Information performed for the sole purpose of identifying the risks of fraud and other operational risks, without acquiring additional Information and allowing for direct Identification of the Virtual User, but rather associating with probabilistic Authentication of the Virtual User or the Device, is treated as processing of Personal Data in the legal jurisdiction of the Customer, then the Customer shall comply with legal requirements related to Personal Data in their legal jurisdiction when dealing with such Information and when using the Service.

6. JUICYSESSION

6.1. JuicySession must be stored exclusively in the memory of the Virtual User’s Device browser and it is NOT allowed to store it on Device in its original format (material irreversible changes or dynamic encryption are allowed that are not allowing data synchronisation with 3rd parties).

6.2. JuicySession is generated when the Virtual User accesses the Web Resource on the Company’s servers, based on a random number generator and the timestamp of the Company’s infrastructure call. Therefore, JuicySessions cannot serve as Direct Identifiers of the Virtual User.

6.3. The JuicySession identifier depends on the random number generator and the service call timestamp and is essentially similar to a random improved token which is generated for online payments, independent of the Virtual User or their Device.

6.4. JuicySessions are not synchronised with third-party sessions. Information shall not be enriched with third-party data, including data on the Virtual Users’ behaviour on other Internet resources beyond of the Company’s Service activity.

6.5. Considering the purposes of automated collection of the Information, the Do Not Track flag value is ignored in the operation of JuicySession and the data collection software modules operating on a Web Resource.

7. CUSTOMER INFORMING VIRTUAL USERS

7.1. In accordance with the Personal Data regulations applicable in the Customer’s legal jurisdiction and within the framework of recommended data management practices, Customer shall inform the Virtual Users of its Web Resources about JuicySessions based on these Web Resources, generated by the Company, and the automated collection of the Information using the software modules provided by the Company.

7.2. The Virtual User shall be informed before any collection of the Information begins.

7.3. To assist the Customers in fulfilling the obligation to notify the Virtual Users, the Company includes a clause regarding Virtual User notifications in the Agreement.

7.4. The Company recommends that the following format be used for notifying the Virtual Users who visit the Web Resources:

(i) “The company JCSC GLOBAL DIGITAL RISK MANAGEMENT SOLUTIONS L.L.C., license number 1072565, Registered office No. 702-06, Malak Al Hail Holding, Bur Dubai, Burj Khalifa, Dubai, UAE, email address [email protected], performs the collection and processing (including storage, systematization, accumulation, analysis, updating, extraction, and deletion) of Information (means details of Virtual Users collected through software modules of the Company’s Software Product in the form of a Modified Value, which do not include any Personal Data or Direct Identifiers) by means of JavaScript <for the web application> and SDK <for a native mobile application> on the web resource <the name of a Web Resource of a Customer > in order to assess risks related to the application for obtaining a <the name of a Customer’s product> under assignment of a <the name of a Customer>. The list of Information, as well as its content, storage, and deletion procedures are provided in the Privacy Policy, available on the website https://juicyscore.ai/en/policies/juicyscore-privacy-policy”.

(ii) “The company JUICYSCORE HOLDING PTE. LTD., UEN 202128709Z, Registered office #10-01, ONE GEORGE STREET SINGAPORE (049145), email address [email protected] performs the collection and processing (including storage, systematization, accumulation, analysis, updating, extraction, and deletion) of Information (means details of Virtual Users collected through software modules of the Company’s Software Product in the form of a Modified Value, which do not include any Personal Data or Direct Identifiers) by means of JavaScript <for the web application> and SDK <for a native mobile application> on the web resource <the name of a Web Resource of a Customer > in order to assess risks related to the application for obtaining a <the name of a Customer’s product> under assignment of a <the name of a Customer>. The list of Information, as well as its content, storage, and deletion procedures are provided in the Privacy Policy, available on the website https://juicyscore.ai/en/policies/juicyscore-privacy-policy”.

7.5. Customers conducting business in EU jurisdiction shall notify their Virtual Users about Device fingerprinting mechanisms and/or external sessions running on their Web Resources. This notification shall appear before Users enter the page created with the mentioned mechanisms and/or containing the mentioned sessions. The JuicyScore data collector (JavaScript) is recommended for installation on the Web Resource starting from the second page (not the landing page); JuicySessions should be classified as essential Cookies or as another obligatory data category since the JuicySessions are not Cookies, are not files, and are stored in web browser’s short-term memory. A Virtual User’s decline in using such JuicySessions should be treated as a refusal to continue visiting the Web Resource.

8. DELETION OF INFORMATION COLLECTED BY SERVICE

8.1. Since the Information collected and processed within the Company’s infrastructure is not categorised as Personal Data, the deletion of the Information upon requests from the Virtual Users is only hypothetically possible because it is not feasible to clearly link the technical data collected by the Company to the Personal Data of the Virtual Users available to the Customers.

8.2. Submission of an Information deletion application is available:

• Via the Contact form (Book a demo) on the Website (https://juicyscore.ai) in English,
• Via written request, send to one of the following addresses, considering the name of the legal entity, which a Customer entered an agreement with:

• (i) Office No. 702-06, Malak Al Hail Holding, Bur Dubai, Burj Khalifa, Dubai, UAE;

• (ii) #10-01, ONE GEORGE STREET SINGAPORE (049145).

The Company commits to taking all possible measures to implement applications for Information deletion. The application consideration time does not exceed thirty (30) calendar days from the moment of application submission.

9. PRIVACY NOTICE

The Company respects your right to privacy and is committed to protecting the Personal Data. The Company has developed this PRIVACY NOTICE as part of its security measures pertaining to the protection of Personal Data. The Company recommends that all Website visitors read this PRIVACY NOTICE before using the Contact form, subscribing to news, and entering into Agreements that may include, but are not limited to, the collection, use, and storage of Personal Data.

9.1. SCOPE

This PRIVACY NOTICE is developed according to the Applicable Law and its implementing rules and regulations. It is intended to inform you about our privacy procedures and practices, including who we are and how and why we obtain, use, and share your personal information. It also explains your rights in relation to your Personal Data and how to contact us in relation to this PRIVACY NOTICE.

9.2. APPLICABILITY

This PRIVACY NOTICE applies to all individuals (i) who visit/ access our Website and its related features, (ii) do, or offer to do business with us, and/or (iii) apply for jobs with the Company.

Throughout our Website, we may link to other websites owned and operated by certain trusted third parties, which may also gather information about you in accordance with their own separate privacy policies. For privacy information relating to those third-party websites, please consult their privacy policies as appropriate.

9.3. PRIVACY NOTICE OVERVIEW

With the commitment to adopting the highest standards of integrity and transparency when it comes to data protection and privacy controls, the Company has developed this PRIVACY NOTICE which provides:

• the types of Personal Data;
• how the Personal Data is collected and used, and why Personal Data is used;
• details pertaining to with whom we share of Personal Data;
• how long Personal Data is stored;
• the measure undertaken towards the protection of Personal Data;
• the rights of Data Subject.

9.4. COLLECTING AND PROCESSING OF PERSONAL DATA

9.4.1. The types of Personal Data. Personal Data which the Company may collect and process are following:

• Name; Company; Business email; Country; Phone number; Email;
• Records of the consents you may have provided;
• Your educational and professional background, employment history, and any other information provided through CVs, or during interviews.

9.4.2. How the Personal Data is collected.

9.4.2.1. The Company collects Personal Data directly:

• when we are approached with any offer relation to our products and services;
• when a Website visitor enters their Personal Data on our Website or contacts us by e-mail, through our Website, by phone or by other means of communication;
• when a Website visitor subscribes to the Company's newsletter or uses the form «Book a demo»;
• when receiving you application and/or CV if you apply for a job for the Company.

9.4.2.2. The Company collects Personal Data indirectly:

From your browsing activity on our Website through necessary and analytical Cookies which is a small text file that is placed onto your Device (e.g. computer, smartphone, or another electronic device) when you use our Website. We have specified in detail about the Cookies used on the Website in our Cookie Policy available at the link: https://juicyscore.ai/en/policies/juicyscore-cookie-policy.

9.4.2.3. Purposes of Personal Data Collection and Use:

The Company may process Personal Data for the following legitimate purposes:

• providing/receiving products and services, and performing contractual obligations;
• employment, secondment, and outsourcing contracts signing;
• making available to you our newsletters;
• protecting business interest, performing our legal and contractual obligations, and enforcing our right;
• providing customer support, and monitoring and improving the quality of our products and services;
• analyzing how you use our Website so, that we can create user-friendly browser functionality.

9.4.2.4. The Company may share Personal Data with the following parties after being satisfied that they have appropriate measures for data security and protection:

• auditors, banks, and professional advisors;
• Should the need arise, the Company may share Personal Data with law enforcement authorities or other government officials as a matter of compliance and/ or legal obligation or to protect its rights and property.

9.4.3. Terms of Personal Data Storage

The Company keeps the records of Personal Data for no longer than it is required for the purpose it was collected, including for the purposes of satisfying legitimate interest, legal, accounting, or reporting requirements according to laws and regulations or used subject to mandatory retention periods prescribed under the applicable laws. When deciding how long to keep Personal Data after the conclusion of the relationship, the Company considers its legal obligations and regulators' expectations.

9.4.3.1. The Company shall store and retain all Personal Data, on the Company’s systems and cloud servers located according to the rules specified in clause 11.3.

9.4.4. Protection of Personal Data

The Company is committed to ensuring that Personal Data is adequately protected. To prevent unauthorized access or disclosure, the Company has put in place suitable administrative, physical, and technical controls to safeguard the personal information under its control. To protect the confidentiality and integrity of your personal information, the Company may use physical and cybersecurity measures that comply with Applicable Law.

9.4.5. The rights of Data Subject

The Company understands the importance of keeping Personal Data accurate and up to date. Therefore, the Company guarantees the Data Subject the set of rights:

9.4.5.1. Right to access information: Data Subject retains the right to access Personal Data provided to us.

9.4.5.2. Right to rectification: Should Personal Data available with the Company be incomplete or inaccurate, Data Subject retains the right to request rectification of such information.

9.4.5.3. Right to erasure: Data Subject retains the right to request the erasure of Personal Data on certain specific grounds where:

• Personal Data is no longer necessary to be retained in line with the specific purpose for which it was collected; or
• Data Subject objects or withdraws consent for further processing of Personal Data and there is no legitimate reason for us to deny Data Subject request.

9.4.5.4. Right to restrict processing. Data Subject retains the right to request the restriction of processing of Personal Data in cases whereby:

• Personal Data in our records is inaccurate and needs to be rectified; or
• Data Subject contests the purpose for processing Personal Data.

This means that the Company will only continue to store Personal Data without any further processing till the reason for Data Subject request to restrict processing is addressed.

9.4.5.5. Right to object: Data Subject retains the right to object and/ or stop processing in cases where Personal Data is collected for:

• marketing purposes; and/ or
• statistical survey purposes unless it pertains to the public interest.

You may choose to opt out of receiving marketing communications and/ or withdraw your subscription to the Company’s newsletter by contacting us directly.

9.4.5.6. Right to data portability: Data Subject has the right to request a copy and/ or transfer of Personal Data from us in a structured, commonly used, and machine-readable format.

9.5. To exercise the above rights, please contact us using the methods specified in Section 12.

We will respond to your request as soon as possible, but no later than 30 calendar days from the date of your request.

We may reject your request in relation to Personal Data under certain circumstances including it is beyond the purview of the purpose and processing of Personal Data collected by the Company.

9.6. CONSENT

By sending and delivering Personal Data you consent to its use in accordance with this PRIVACY NOTICE.

10. TECHNOLOGIES USED BY THE COMPANY AT THE WEBSITE AND IN THE CUSTOMER’S PERSONAL ACCOUNT

10.1. The Website (in the Contact Form) uses various technologies, such as scripts for collecting and storing data on the Website visitors while they are present on the Website: IP address, location (country or city), type and version of the operating system on the Device, type and version of the browser on the Device, type of the Device and its display resolution, traffic source, language of the operating system and the browser, etc.

10.2. Details about the Cookies used on the Website are specified in our Cookie Policy available at the link: https://juicyscore.ai/en/policies/juicyscore-cookie-policy.

10.3. The Company uses alternative technologies, such as persistent sessions in IndexedDB, Device Fingerprinting, and ETags.

10.4. Types of technologies used on the Website:

• IndexedDB, storage period – persistently. This method of using persistent sessions on the Contact Form is designed to allow for data deletion upon request.
• Device Fingerprinting, storage period – 6 months. The Device Fingerprinting mechanism is set up on the feedback form to enable data deletion upon request.

10.5. Please note that the use of Information solely to assess the risk of fraud or other operational risks to reduce financial, reputational, or other losses for the businesses and services of the Customer, as well as for security purposes, is not regarded by the Company as tracking. Therefore, the value of the Do Not Track flag is not taken into account during the operation of JuicySession and data collection software modules running on the Web Resource.

10.6. If the storage of a constant session (persistent session) in the browser memory of the Virtual User’s Device infringes the requirements of personal data legislation established in legal jurisdiction of a Customer, this technology may be disabled.

10.7. The Company uses Cookies to maintain the operation of the Customer's Personal Account, created for interaction with the Customer under the Agreement. At the same time, the Customer is required to obtain the consent of individuals whose contact details are indicated in Agreement and who interact with the Company through the Personal Account to process personal data and transfer such data to the Company to fulfill obligations under the Agreement.

10.8. For the protection of the Customer’s Personal Account, persistent sessions (IndexDB and Device Fingerprinting) are applied; application instructions are described in Clause 10.4.

11. STORAGE OF INFORMATION RECEIVED BY THE SERVICE

11.1. The Information collected from the Web Resource for assessing the risk of the Virtual User for which the Customer DID NOT make a Service request shall be stored for no more than thirty (30) days from the date of collection.

11.2. The Information collected from the Web Resource for assessing the risk of the Virtual User for which the Customer made a Service request shall be stored for no more than two (2) years from the date of collection.

11.3. To comply with Applicable Law or/and current business practices and regulations all the raw data, including Information, are localized in the following regions where the Service is used (determined based on the Virtual User’s IP address location): USA, European Union, UAE, Singapore, India, and other locations. For data processing and storage, the Company uses physical infrastructure within its network, situated in the regions where the Service is used. Moreover, all Customers are provided with the functionality of forced raw data localization in one of the selected global locations, including UAE or Singapore.

11.4. The Company hereby specifies that it is not the owner of the Information collected through the Service and processed within its IT systems. The Company ensures the secure storage of the Information under the Agreement with the Customer.

12. CONTACT INFORMATION

(i) JCSC GLOBAL DIGITAL RISK MANAGEMENT SOLUTIONS L.L.C. (license number 1072565) Registered and mailing address: Office No. 702-06, Malak Al Hail Holding, Bur Dubai, Burj Khalifa, Dubai, UAE

E-mail address for messages on Personal Data Processing and User Data issues: [email protected]

(ii) JUICYSCORE HOLDING PTE. LTD (UEN 202128709Z)

Registered and mailing address: #10-01, ONE GEORGE STREET SINGAPORE (049145)

E-mail address for messages on Personal Data Processing and User Data issues: [email protected]

You may contact our DPO at + 65 6978 6805