PRIVACY POLICY

1. INTRODUCTION

Welcome to Luupli. We are committed to protecting your privacy and being transparent about how we collect, use, and share your personal information. This Privacy Policy explains our data practices and your rights under applicable privacy laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, and the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

By using Luupli, you agree to the collection and use of your information as described in this Privacy Policy. If you do not agree with this Privacy Policy, please do not use our platform.

This policy applies globally to all Luupli users. Where specific rights or requirements apply to users in particular jurisdictions (EU/EEA, UK, California), we have included dedicated sections below.

2. WHO WE ARE

Luupli is a social media platform that enables users to share content, connect with others, and engage with creative communities. Our services are provided by Luupli, Inc., headquartered in the United Kingdom.

Data Controller: For the purposes of EU GDPR and UK GDPR, Luupli, Inc. is the data controller responsible for your personal data.

Contact Information:

• Email: dataprivacy@luupli.com
• Mailing Address: 86-90 Paul Street, London, EC2A 4NE, United Kingdom
• Data Protection Officer (DPO): dataprivacy@luupli.com

UK Information Commissioner's Office (ICO) Registration: [Registration Number - ZB597439]

3. AGE REQUIREMENT AND VERIFICATION

3.1 Minimum Age Requirement

Luupli is intended exclusively for users who are 18 years of age or older. By creating an account or using our platform, you represent and warrant that you are at least 18 years old.

We do not knowingly collect, use, or share personal information from individuals under 18 years of age. If you are under 18, you are prohibited from using Luupli or providing any information to us.

3.2 Age Verification Process

All users must undergo age verification to ensure they are 18 years of age or older. During the account registration process, you will be required to:

• Provide your date of birth
• Confirm that you meet the minimum age requirement
• In some cases, complete additional verification steps as described below

Age Verification Methods:

We use a tiered approach to age verification:

Primary Verification (All Users):

• Date of birth entry during registration
• Automated age calculation based on the current date
• Immediate rejection of registration attempts by users under 18 years of age

Enhanced Verification (When Required):

For accounts flagged by our automated systems or reported by users, we may require additional verification through one or more of the following methods:

• Government-issued identification documents (driver's license, passport, national ID card)
• Credit card verification (to confirm age without processing payment)
• Third-party age verification services that use public records and identity databases
• Facial age estimation technology (where legally permitted)

The specific verification method required may vary based on:

• Your location and applicable laws
• Risk indicators identified by our systems
• The nature of flagged content or behavior
• Previous verification attempts

Account Status During Verification:

• Accounts pending enhanced verification may have restricted functionality until verification is complete
• You will be notified via email if additional verification is required
• Verification typically completes within 24-48 hours
• You may be asked to re-verify if suspicious activity is detected

Verification Data Handling:

• Date of birth is stored for the duration of your account
• Government ID documents are processed for verification only and deleted within 30 days unless required for legal proceedings
• Third-party verification providers process data according to their privacy policies and our Data Processing Agreements
• Device identifiers are collected and stored to prevent circumvention of age restrictions (see Section 4.2 for details)

Accounts that fail age verification or are found to belong to users under 18 will be immediately suspended or terminated. For more information on what happens when an account is terminated, see Section 9 (Data Retention).

Circumvention Prevention:

To prevent circumvention of our age verification and safety measures, we collect and store unique device identifiers (device ID, advertising ID, hardware identifiers). This allows us to persistently restrict access for users who fail age verification, even if they attempt to restart the registration process or create new accounts using different email addresses or personal information.

Device identifiers for flagged devices are retained for up to 7 years to prevent repeated access attempts by underage users. This processing is based on our legitimate interests in maintaining platform safety and enforcing age restrictions (EU/UK) and is necessary to enforce our Terms of Service (California).

3.3 Non-Applicability of Children's Privacy Laws

Because Luupli is designed exclusively for users 18 years of age and older and implements age verification procedures, the following child protection regulations do not apply to our platform:

• United States - COPPA (Children's Online Privacy Protection Act): COPPA applies to websites and online services directed to children under 13 or that knowingly collect personal information from children under 13. As Luupli exclusively serves users 18 and older, COPPA does not apply.

• California - CCPA Protections for Minors Under 16: California law prohibits the sale or sharing of personal information of consumers under 16 without affirmative authorization. As all Luupli users are 18 or older, these minor-specific provisions do not apply. We do not sell or share personal information of any users without providing appropriate opt-out mechanisms.

• European Union - GDPR Age of Consent: The GDPR sets the age of consent for information society services at 16 (or lower as determined by individual member states, but not below 13). Since all Luupli users are 18 or older, parental consent requirements for children do not apply.

• United Kingdom - UK GDPR Age of Consent: The UK GDPR sets the age of consent at 13, with additional protections for children under 18. As all Luupli users are 18 or older, parental consent requirements do not apply.

• Other Jurisdictions: Similar child protection laws in other jurisdictions (including age-gating requirements, parental consent mechanisms, and restrictions on data processing for minors) do not apply to Luupli due to our 18+ age requirement.

3.4 Reporting Underage Users

If we learn that we have collected personal information from someone under 18, we will delete that information as quickly as possible and terminate the associated account.

If you believe we have information about or from someone under 18, or if you become aware of an underage user on our platform, please contact us immediately at dataprivacy@luupli.com so we can take appropriate action.

4. INFORMATION WE COLLECT

4.1 Information You Provide Directly

We collect information you voluntarily provide when you:

• Create an account (name, email address, date of birth, username)
• Complete age verification (government-issued ID or other verification documents, as required)
• Complete your profile (profile picture, bio, location, interests)
• Post content (photos, videos, text, comments)
• Communicate with others (messages in public spaces, comments)
• Contact customer support (support tickets, feedback)
• Participate in surveys or promotions

4.2 Information Collected Automatically

When you use Luupli, we automatically collect:

• Device information: Device type, operating system, unique device identifiers, mobile network information
• Log data: IP address, browser type, access times, pages viewed, referring URLs
• Usage data: Features used, content viewed, search queries, engagement metrics (likes, shares, follows)
• Location information: Approximate location based on IP address; precise location only if you grant explicit permission
• Cookies and similar technologies: Session cookies, persistent cookies, web beacons, pixels (see Section 12 for details)

4.2.1 Device Information for Safety and Compliance

To maintain the integrity of our platform and enforce our 18+ age requirement, we collect and store device information, including unique device identifiers (such as device ID, advertising ID, and hardware identifiers).

Purpose of Collection:

We use device identifiers to prevent circumvention of our age verification and safety measures. Specifically, this allows us to persistently restrict access to our services for individuals who:

• Fail to meet our 18+ age requirement during registration
• Have been found to be underage after account creation
• Attempt to create new accounts after failing age verification
• Have had accounts suspended or terminated for safety violations
• Prevent ban evasion and maintain platform integrity

Legal Basis (EU/UK):

We process device identifiers based on our legitimate interests in maintaining platform safety, enforcing age restrictions, and complying with legal obligations. These legitimate interests are not overridden by your rights and freedoms, as we use the minimum data necessary and implement appropriate security measures.

Legal Basis (California):

This collection is necessary to provide our services and enforce our contractual terms requiring users to be 18 years or older.

Data Retention:

Device identifiers for flagged devices are retained for 7 years to prevent repeated circumvention attempts. After this period, identifiers are securely deleted unless retention is required by law or ongoing legal proceedings.

Your Rights:

You may request information about device identifiers associated with you by contacting dataprivacy@luupli.com. However, we may be unable to remove device restrictions if doing so would compromise platform safety or allow circumvention of age requirements.

4.3 Information from Third Parties

We may receive information about you from:

• Age verification service providers
• Social media platforms if you connect your accounts
• Analytics providers and advertising partners
• Publicly available sources

4.4 Special Categories of Personal Data (EU/UK)

We do not intentionally collect special categories of personal data (such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation) unless you voluntarily include such information in your profile or content.

If you choose to share such information publicly, you provide explicit consent for us to process it for the purpose of displaying your profile and content to other users.

4.5 Sensitive Personal Information (California)

For California users, we may collect the following categories of sensitive personal information:

• Government-issued identification (for age verification purposes only)
• Precise geolocation data (only if you grant explicit permission)
• Account credentials (username only - Luupli is passwordless, and requires two factor authentication each time you log into your account)
• Contents of communications (messages in public spaces, comments)

Important: Luupli does not collect or use sensitive data (such as your precise location, race, or religious beliefs) to profile you or target advertisements. Age verification documents are used solely for identity verification and are not retained longer than necessary for verification purposes.

5. LEGAL BASIS FOR PROCESSING (EU/UK)

5.1 Performance of a Contract

We process your personal data to provide our services to you, including account creation, age verification, content hosting, user interactions, and platform features. This processing is necessary to perform our contract with you (our Terms of Service).

5.2 Legitimate Interests

We process certain data based on our legitimate interests, which include:

• Verifying user age to comply with our 18+ requirement and prevent underage access
• Improving and developing our platform
• Ensuring platform security and preventing fraud
• Analyzing usage patterns to enhance user experience
• Communicating with you about service updates
• Enforcing our policies and protecting user safety

We have balanced these interests against your rights and freedoms and believe they do not override your fundamental rights.

5.3 Consent

We rely on your consent for:

• Marketing communications (you can withdraw consent at any time)
• Non-essential cookies and tracking technologies
• Precise geolocation data
• Processing special categories of personal data you voluntarily share

5.4 Legal Obligations

We process personal data when necessary to comply with legal obligations, such as responding to lawful requests from law enforcement, complying with court orders, meeting regulatory requirements, or enforcing age restrictions as required by law.

5.5 Vital Interests

In rare cases, we may process personal data to protect the vital interests of you or another person (e.g., emergency situations involving serious harm or threats to life).

6. HOW WE USE YOUR INFORMATION

6.1 Age verification

Verify that users are 18 years of age or older and maintain platform age restrictions

Device Information for Safety and Compliance

To maintain the integrity of our platform and enforce our 18+ age requirement, we collect and store device information, including unique device identifiers (such as device ID, advertising ID, and hardware identifiers).

Purpose of Collection:

We use device identifiers to prevent circumvention of our age verification and safety measures. Specifically, this allows us to persistently restrict access to our services for individuals who:

• Fail to meet our 18+ age requirement during registration
• Have been found to be underage after account creation
• Attempt to create new accounts after failing age verification
• Have had accounts suspended or terminated for safety violations

This collection is necessary to:

• Enforce our Terms of Service age restrictions
• Comply with our legal obligations regarding platform safety
• Protect our community from users who repeatedly attempt to circumvent our policies
• Prevent ban evasion and maintain platform integrity

Legal Basis (EU/UK):

We process device identifiers based on our legitimate interests in maintaining platform safety, enforcing age restrictions, and complying with legal obligations. These legitimate interests are not overridden by your rights and freedoms, as we use the minimum data necessary and implement appropriate security measures.

Legal Basis (California):

This collection is necessary to provide our services and enforce our contractual terms requiring users to be 18 years or older.

Data Retention:

Device identifiers for flagged devices are retained for 7 years to prevent repeated circumvention attempts. After this period, identifiers are securely deleted unless retention is required by law or ongoing legal proceedings.

Your Rights:

You may request information about device identifiers associated with you by contacting dataprivacy@luupli.com. However, we may be unable to remove device restrictions if doing so would compromise platform safety or allow circumvention of age requirements.

• Provide and improve our services: Create and manage your account, deliver requested features, personalize your experience, develop new features
• Content recommendations: Use algorithms to suggest content, users, and communities based on your interests and behavior
• Trust and safety: Detect and prevent fraud, abuse, security threats; enforce our Community Guidelines and policies; respond to legal requests
• Communications: Send service updates, notifications, marketing messages (with your consent, which you can withdraw at any time)
• Analytics: Understand how users interact with our platform, measure effectiveness of features
• Legal obligations: Comply with applicable laws and regulations
• Business operations: Accounting, audits, corporate transactions

7. HOW WE SHARE YOUR INFORMATION

7.1 Information Shared with Other Users

Your profile information and content you post are visible to other Luupli users based on your settings.

7.2 Service Providers and Processors

We share information with third-party service providers who perform services on our behalf. These providers act as data processors under GDPR and are contractually obligated to:

• Only process personal data on our instructions
• Implement appropriate technical and organizational security measures
• Maintain confidentiality
• Assist us in responding to your data rights requests

Service providers include:

• Age verification service providers
• Cloud hosting and infrastructure providers
• Content delivery networks (CDN)
• Analytics and performance monitoring
• Customer support platforms
• Communication services (email, SMS)

7.3 Advertising Partners

We may share certain information with advertising partners to display relevant ads. This includes:

• Device identifiers and IP addresses
• Inferred interests and preferences
• Engagement data

For EU/UK users: We will only share data for behavioral advertising with your explicit consent, which you can manage in your privacy settings.

For California users: This sharing may constitute a "sale" or "share" under CCPA. You can opt out using the "Do Not Sell or Share My Personal Information" link.

7.4 Legal Requirements and Safety

We may disclose your information when we believe it is necessary to:

• Comply with legal obligations, court orders, or lawful government requests
• Protect the safety, rights, and property of Luupli, our users, or the public
• Detect, prevent, or address fraud, security breaches, or technical issues
• Enforce our Terms of Service, Community Guidelines, and policies, including our 18+ age requirement

7.5 Business Transfers

If Luupli is involved in a merger, acquisition, bankruptcy, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email or prominent notice on our platform before your information becomes subject to a different privacy policy.

7.6 With Your Consent

We may share your information for purposes not described in this policy with your explicit consent.

8. INTERNATIONAL DATA TRANSFERS

Luupli operates globally, and your personal information may be transferred to, stored, and processed in countries outside your country of residence, including the United Kingdom and the United States.

8.1 Transfers from EU/EEA

For users in the European Economic Area (EEA), we ensure that transfers of personal data to countries outside the EEA are protected by appropriate safeguards:

• UK Adequacy Decision: The European Commission has determined that the UK ensures an adequate level of protection for personal data.
• Standard Contractual Clauses (SCCs): For transfers to the United States and other countries, we use Standard Contractual Clauses approved by the European Commission to ensure adequate protection.
• Additional Safeguards: We implement supplementary technical and organizational measures, including encryption, access controls, and data minimization.

8.2 Transfers from UK

For users in the UK, we ensure compliance with UK GDPR requirements:

• UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
• Adequacy regulations where applicable

Data Storage Locations:

• Primary: United Kingdom (London region)

You can obtain copies of the safeguards we use by contacting dataprivacy@luupli.com.

9. DATA RETENTION

We retain your personal information only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal, regulatory, or internal policy requirements.

Retention Periods:

• Age verification data: Retained only as long as necessary to complete verification (typically 30 days), then securely deleted unless required for legal or regulatory purposes (see section 4.2 & section 6)
• Active account data: Retained for the duration of your account
• Deleted account data: Deleted or anonymized within 90 days after account deletion, except where longer retention is required by law
• Usage and analytics data: Retained for up to 2 years
• Trust & safety records: Retained for up to 7 years to prevent abuse and comply with legal obligations
• Financial and tax records: Retained for 7 years as required by law
• Backup data: Retained for 30 days on a rolling basis for disaster recovery
• Legal and financial records: As required by law (typically 7 years)

After the retention period expires, we securely delete or anonymize your personal data. In some cases, we may retain anonymized or aggregated data indefinitely for statistical and analytical purposes.

Exceptions: We may retain certain data longer if required by law, to resolve disputes, enforce our agreements, or protect against fraud and abuse.

10. SECURITY

We implement comprehensive technical and organizational security measures to protect your personal information from unauthorized access, disclosure, alteration, destruction, or loss.

Technical Measures:

• Encryption of data in transit and at rest
• Access controls and authentication mechanisms
• Regular security assessments and audits
• Employee training on data protection

Organizational Measures:

• Role-based access controls (principle of least privilege)
• Mandatory security and data protection training for all employees
• Confidentiality agreements with employees and contractors
• Incident response and breach notification procedures
• Regular security audits and compliance reviews

While we employ industry-standard security measures, no method of transmission or storage is completely secure. We cannot guarantee absolute security, but we continually work to protect your information to the best of our ability.

11. YOUR PRIVACY RIGHTS

11.1 Rights for EU/EEA and UK Users (GDPR)

• Right of Access: Request a copy of personal data and information on its usage.
• Right to Rectification: Request correction of inaccurate or incomplete personal data.
• Right to Erasure (Right to be Forgotten): Request deletion of personal data in certain circumstances (e.g., no longer necessary, consent withdrawn).
• Right to Restriction of Processing: Request limitation on data usage in certain situations (e.g., verifying accuracy, objecting to processing).
• Right to Data Portability: Receive personal data in a structured, machine-readable format for transfer to another controller.
• Right to Object: Object to processing based on legitimate interests or direct marketing; processing will cease unless compelling legitimate grounds override interests.
• Right to Withdraw Consent: Withdraw consent at any time without affecting prior lawful processing.
• Right Not to be Subject to Automated Decision-Making: Right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or significant effects, with exceptions for contract, law, or explicit consent.

11.2 Rights for California Users (CCPA/CPRA)

• Right to Know: Request disclosure of categories and specific pieces of personal information collected, sources, purposes, and third parties shared with.
• Right to Delete: Request deletion of personal information, subject to exceptions (e.g., legal obligations, fraud prevention, security).
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: Opt out of sale or sharing personal information for cross-context behavioral advertising; Global Privacy Control (GPC) signals are honored.
• Right to Limit Use of Sensitive Personal Information: Limit use and disclosure of sensitive personal information to purposes necessary to provide services.

11.3 How to Exercise Your Rights

Right to Non-Discrimination: You will not be denied service, charged different prices, or provided different quality of service for exercising your privacy rights.

Methods: You can exercise your rights by emailing dataprivacy@luupli.com or by using the in-app privacy settings and controls.

Identity Verification: To protect your privacy and security, we will verify your identity before processing requests. This may involve asking for additional information such as account details or government-issued identification.

Authorized Agents: You may designate an authorized agent to make requests on your behalf. The agent must provide proof of authorization, and we may still require direct identity verification from you.

Response Time:

• EU/UK: We will respond within 1 month, extendable to up to 3 months for complex requests.
• California: We will respond within 45 days, extendable to 90 days with prior notice.

No Fee: We do not charge a fee for processing rights requests, except when requests are manifestly unfounded, excessive, or repetitive.

11.4 Right to Lodge a Complaint (EU/UK)

If you are in the EU/EEA or UK and believe we have not handled your personal data in accordance with the law, you have the right to lodge a complaint with your supervisory authority:

• UK: Information Commissioner's Office (ICO) at https://ico.org.uk/
• EU: Contact your national data protection authority

We encourage you to first contact us at dataprivacy@luupli.com so we can address your concerns directly.

SUMMARY OF CALIFORNIA RIGHTS

• RIGHT TO KNOW: Request information about personal information collected, used, and shared
• RIGHT TO DELETE: Request deletion of your personal information
• RIGHT TO CORRECT: Request correction of inaccurate information
• RIGHT TO OPT-OUT: Opt out of sale/sharing of personal information
• RIGHT TO LIMIT: Limit use of sensitive personal information
• RIGHT TO NON-DISCRIMINATION: No discrimination for exercising your rights

Contact for California Privacy Inquiries:

• Email: dataprivacy@luupli.com

12. STORAGE AND TRACKING TECHNOLOGIES

Luupli prioritizes your privacy by avoiding traditional tracking cookies. We use high-performance local storage (MMKV) to enhance your experience.

12.1 Local Storage (MMKV)

Luupli stores essential data directly on your device using MMKV. This storage is solely to persist your login session and save your app preferences. This data is not shared with third parties for tracking purposes.

12.2 Data Deletion

Because data is stored locally via MMKV, it is typically wiped automatically if you delete the app or manually clear the app data within your operating system settings. We do not maintain a cloud backup of this specific local cache unless otherwise stated.

13. THIRD-PARTY LINKS AND SERVICES

Luupli may contain links to third-party websites, applications, or services that are not operated by us. We are not responsible for the privacy practices or content of these third parties. Please review their privacy policies before providing any information. This Privacy Policy applies only to information collected by Luupli.

14. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons.

How We Notify You:

• We will post the updated policy with a new "Last Updated" date
• For material changes, we will send you an in-app notification or email
• We may display a prominent notice on our platform

For EU/UK users, if changes require new consent (e.g., new purposes or new categories of recipients), we will seek your consent before implementing the changes.

Your continued use of Luupli after the updated policy takes effect constitutes your acceptance of the changes. If you do not agree with the updated policy, please discontinue use of our platform.

15. CONTACT US

If you have questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

• Email: dataprivacy@luupli.com
• Data Protection Officer: dataprivacy@luupli.com
• Mailing Address: Luupli, Inc., 86-90 Paul Street, London, EC2A 4NE, United Kingdom

Response Time: We aim to respond to all privacy inquiries within 10 business days.

INTERPRETATION

All uses of the word "including" mean "including but not limited to" and the enumerated examples are not intended to in any way limit the term which they serve to illustrate. Any email addresses set out in this policy may be used solely for the purpose for which they are stated to be provided, and any unrelated correspondence will be ignored. Unless otherwise required by law, we reserve the right to not respond to emails, even if they relate to a legitimate subject matter for which we have provided an email address. You are more likely to get a reply if your request or question is polite, reasonable and there is no relatively obvious other way to deal with or answer your concern or question (e.g. FAQs, other areas of our website, etc.).

Our staff are not authorised to contract on behalf of Luupli Limited, waive rights or make representations (whether contractual or otherwise). If anything contained in an email from a Luupli Limited address contradicts anything in this policy, our terms or any official public announcement on our website, or is inconsistent with or amounts to a waiver of any Luupli Limited rights, the email content will be read down to grant precedence to the latter. The only exception to this is genuine correspondence expressed to be from the Luupli Limited legal department.

ADDENDUM FOR CALIFORNIA RESIDENTS

This addendum supplements our Privacy Policy for California residents and provides additional disclosures required under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

AGE RESTRICTIONS AND CALIFORNIA MINORS

Important: Because Luupli exclusively serves users who are 18 years of age or older, certain CCPA provisions specifically related to minors do not apply:

• CCPA § 1798.120(d) - Sale/Sharing of Information of Minors Under 16: This provision prohibits businesses from selling or sharing personal information of consumers under 16 without affirmative authorization. As all Luupli users are 18 or older, this provision does not apply.

• California Business & Professions Code § 22580 et seq. - Removal Rights for Minors: This law allows minors under 18 to request and obtain removal of content they posted. Since all Luupli users are 18 or older, these removal rights do not apply.

CATEGORIES OF PERSONAL INFORMATION WE COLLECT

CCPA Category	Examples	Collected?
Identifiers	Name, email, username, IP address, device ID	YES
Personal Records	Date of birth, phone number, Gender	YES
Commercial Information	Purchase history, subscriptions (if applicable), Luupli Wallet balance, Transactions, rewards, payouts	IF APPLICABLE
Internet Activity	Search queries on Luupli, engagement data on Luupli	YES
Geolocation Data	Approximate/precise location (if permitted)	YES
Sensory Information	Photos, videos, audio (user-generated content)	YES
Inferences	Preferences, interests, behavioral profiles	YES
Sensitive Personal Info	Government ID (age verification), approximate geolocation, account credentials	YES

BUSINESS AND COMMERCIAL PURPOSES

• Verifying user age (18+ requirement)
• Providing and improving our services
• Personalizing user experience and content recommendations
• Detecting and preventing fraud, abuse, and security threats
• Communicating with users
• Analyzing platform usage and performance
• Complying with legal obligations

THIRD PARTIES WITH WHOM WE SHARE INFORMATION

• Age verification service providers
• Service providers (cloud hosting, analytics, customer support)
• Advertising and marketing partners
• Law enforcement and regulatory authorities (when required by law)
• Third parties in connection with business transactions

SALE OR SHARING OF PERSONAL INFORMATION

We do not sell personal information for monetary consideration. However, sharing information with advertising partners may constitute a "sale" or "share" under California law.

Categories that may be "sold" or "shared":

• Identifiers (device ID, IP address)
• Internet activity (browsing history, engagement data)
• Inferences (interests, preferences)

To opt out: Use the "Do Not Sell or Share My Personal Information" link or enable Global Privacy Control (GPC).

RETENTION PERIODS

• Age verification data: 30 days (unless required for legal purposes)
• Account data: Duration of account plus 90 days after deletion
• Usage and analytics data: Up to 2 years
• Trust & safety records: Up to 7 years for compliance purposes
• Legal and financial records: As required by law (typically 7 years)

SUMMARY OF CALIFORNIA RIGHTS

• RIGHT TO KNOW: Request information about personal information collected, used, and shared
• RIGHT TO DELETE: Request deletion of your personal information
• RIGHT TO CORRECT: Request correction of inaccurate information
• RIGHT TO OPT-OUT: Opt out of sale/sharing of personal information
• RIGHT TO LIMIT: Limit use of sensitive personal information
• RIGHT TO NON-DISCRIMINATION: No discrimination for exercising your rights

Contact for California Privacy Inquiries:

• Email: dataprivacy@luupli.com

TERMS OF USE

Please also see our Terms of Use which set out the terms, disclaimers, and limitations of liability governing your use of Luupli Limited.