Legal Center · B'local Mobile Application

Privacy Policy & Data Processing Agreement

Governing the collection, processing, transfer and safeguarding of personal data within the B'local mobile application and its supporting backend infrastructure.

Version 3.1 · Effective: 27 May 2026 · GDPR · CCPA · POPIA · NDPA

Preamble & Mutual Assent

Preamble

This Privacy Policy and Data Processing Agreement (the "Policy") constitutes a legally binding and enforceable instrument between the natural person accessing, downloading, registering for, or otherwise utilising the B'local mobile application and its associated services (the "User", "Data Subject" or "You") and BL PLATFORM S.L., a limited liability company duly organised and existing under the laws of the Kingdom of Spain, with registered domicile in Barcelona, acting in its capacity as Data Controller (the "Controller", "Company", "We" or "Us").

By affirmatively interacting with the B'local mobile application, its application programming interfaces, software development kits, and supporting backend infrastructure (collectively, the "Services"), the User unequivocally stipulates to having read, fully understood, and freely consented to the data processing methodologies set out herein. Where the User does not concur with any provision, clause or technical mechanism, the User's exclusive remedy is the immediate cessation of use of the Services and the deletion of the application from all User-controlled hardware.

This Policy is drafted in compliance with, and shall be construed by reference to: (i) Regulation (EU) 2016/679 of the European Parliament and of the Council ("GDPR"); (ii) the United Kingdom GDPR and the Data Protection Act 2018 ("UK GDPR"); (iii) the Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights ("LOPDGDD"); (iv) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"); (v) the South African Protection of Personal Information Act, 4 of 2013 ("POPIA"); (vi) the Nigeria Data Protection Act 2023 ("NDPA"); (vii) the Kenya Data Protection Act, 2019; and (viii) any further mandatory local laws of the User's jurisdiction.

Article I

Defined Terms

For the purposes of this Policy, the capitalised terms below shall bear the ascribed meanings:

1.1 Personal Data

Any information relating to an identified or identifiable natural person within the meaning of Article 4(1) GDPR and equivalent provisions under POPIA, NDPA and CCPA/CPRA.

1.2 Processing

Any operation performed upon Personal Data, whether or not by automated means, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, disclosure, erasure or destruction.

1.3 Controller

BL PLATFORM S.L., the entity which alone or jointly determines the purposes and means of the Processing.

1.4 Processor / Sub-Processor

Any natural or legal person which Processes Personal Data on behalf of the Controller pursuant to a written data processing agreement compliant with Article 28 GDPR.

1.5 Behavioural Biometrics

Non-physiological, algorithmic patterns of human-device interaction (touch coordinates, swipe cadence, gyroscope vectors) processed solely for fraud and bot mitigation.

1.6 Digital Footprint

Metadata accompanying a network request, including IP address, signed Request Fingerprint headers, device manufacturer, operating system version and locale.

1.7 Ephemeral Session Storage

Volatile in-memory state used for transient location overrides, purged from RAM upon application termination and not persisted to disk.

1.8 Sensitive / Special Category Data

Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification, data concerning health or a person's sex life or sexual orientation.

Article II

Identity of the Data Controller & DPO

Pursuant to Article 4(7) GDPR and parallel international frameworks, BL PLATFORM S.L. acts as the primary Data Controller. The Company maintains its principal place of business and registered corporate domicile in Barcelona, Spain.

Controller: BL Platform S.L.

Registered Office: Carrer de Lepant, 270, 08013 Barcelona, Spain

NIF: B88709738

Privacy & Data Protection Enquiries: support@blocalapp.com

EU Representative: BL PLATFORM S.L., Barcelona, Spain

Statutory inquiries, Data Subject Access Requests ("DSARs"), erasure or portability requests, and regulatory correspondence shall be directed to the Controller.

Article III

Territorial & Material Scope

This Policy applies extraterritorially to the Processing of Personal Data of all Users of the Services, irrespective of the User's place of residence, and irrespective of whether the Processing itself takes place within the European Economic Area. The Controller asserts compliance with the extraterritorial reach provisions of GDPR Article 3, POPIA section 3, NDPA section 2, and CCPA §1798.140.

Article IV

Categories of Personal Data Processed

The Controller, observing the principle of data minimisation under Article 5(1)(c) GDPR, processes the following categories of Personal Data:

4.1 Identity & Contact Inputs

Given names, surnames, date of birth (for age-gating), verified email addresses, and mobile telephone numbers required for multi-factor authentication.

4.2 Authentication Credentials

Hashed and salted passwords (Argon2id), session tokens, refresh tokens, and federated identity provider sub-claims (Apple, Google).

4.3 Profile & Preferences

Avatar, declared dietary preferences, opt-in flags (alcohol challenges, push notifications, marketing), preferred language and accessibility settings.

4.4 Geolocation Data

Coarse and precise coordinates as further detailed in Article VIII, including a permanent declared 'Home Base' and ephemeral 'Travelling Status' overrides.

4.5 Behavioural Biometrics

Touch coordinate maps, interaction cadence, accelerometer / gyroscope vectors, and honey-pot field engagements as detailed in Article IX.

4.6 Device & Technical Data

Device manufacturer, model, OS version, app version, language, time zone, IP address, ASN, and signed X-Request-Fingerprint header values.

4.7 User-Generated Content

Reviews, photographs, ratings, challenge submissions and any communications submitted through in-app messaging.

4.8 Transactional Data

Reward redemptions, leaderboard rank, accrued points, and (where applicable) anonymised payment confirmations from third-party payment service providers.

4.9 Inferred Data

Risk scores, fraud probability, recommended venues and inferred interests, generated by automated processing as set out in Article XXI.

4.10 On-Device Viewing History

Identifiers of recommendations and events that have been displayed to the User on their device, persisted exclusively within the local AsyncStorage of the User's handset (capped at the most recent one thousand (1,000) identifiers per category) for the sole purpose of prioritising previously-unseen content. These identifiers are not transmitted to the Controller's backend, are not linked to the User's account server-side, and are erased upon application uninstallation or User-initiated cache clearance.

The Controller does not intentionally Process Sensitive / Special Category Data within the meaning of Article 9 GDPR, save where strictly necessary and supported by an Article 9(2) lawful basis, in particular explicit consent.

Article IV bis

Business-User Content Uploads (Vibe Playlist & Nightly Events)

Users authenticated under a verified business account ("Business Users") may, within the business dashboard, voluntarily upload additional content for the purpose of enriching the public profile of their venue. Such uploads are Processed under Article 6(1)(b) GDPR (performance of the business-account contract) and are subject to the following safeguards:

4bis.1 Vibe Playlist (Audio Tracks)

Up to five (5) audio files in MP3 format, selected by the Business User and transmitted to the Controller's object storage (Firebase Storage) for streaming snippet playback within the venue's recommendation page. Files are scanned for size and MIME-type conformity. The Business User warrants that they hold the necessary rights and/or licences (including, where applicable, public-performance and master-recording rights) in respect of each uploaded track.

4bis.2 Nightly Event Postings

A textual title and a single cover image describing an event taking place on the day of submission. Images are compressed client-side prior to upload to minimise bandwidth and storage footprint. Each posting is written into a per-business dailyEvents register together with a server-generated expiresAt timestamp set to 09:00 local time on the following calendar day.

4bis.3 Time-To-Live (TTL) Erasure

Nightly event postings are automatically and irreversibly deleted by Firestore's native TTL policy upon expiry of the expiresAt timestamp. No human intervention is required and no copy is retained for analytical purposes.

End-Users consuming a venue's profile may be exposed to short, looping audio snippets of the Business User's Vibe Playlist. Such playback is performed locally on the End-User's handset; no audio data is transmitted from the End-User to the Controller in connection with this feature.

Article V

Purposes of Processing

Personal Data is Processed exclusively for the following enumerated purposes:

  1. Provision, maintenance and improvement of the Services;
  2. Account creation, authentication and identity verification;
  3. Personalisation of recommendations, challenges and rewards;
  4. Operation of the gamification, points and leaderboard infrastructure;
  5. Detection, prevention and investigation of fraud, abuse and security incidents;
  6. Compliance with legal, regulatory, accounting and tax obligations;
  7. Establishment, exercise or defence of legal claims;
  8. With separate opt-in consent: direct marketing and product research.

Article VII

Minors & Parental Consent

The Services are not directed at, nor intended for, individuals under the age of sixteen (16). In jurisdictions where the digital age of consent is set higher (e.g. eighteen (18) in certain US States or African jurisdictions), that higher threshold prevails. The Controller does not knowingly collect Personal Data from minors and will, upon verified notification, expeditiously delete any such data and terminate the relevant account. Where parental or guardian consent is statutorily required (including under COPPA for US Users under thirteen (13)), no Processing shall occur in the absence of verifiable consent.

Article VIII

Geolocation Protocols & Overrides

The Services employ a tiered hierarchy designed to privilege User autonomy and enforce privacy-by-design:

  • Persistent Domicile (Home Base): The User's permanently declared geographic residence, stored in our database to bootstrap recommendations on first launch.
  • Precise Hardware Telemetry (GPS): Subject to explicit, revocable OS-level authorisation. Coordinates are read on demand and never silently polled in the background.
  • Ephemeral Session Overrides (Travelling Status): The User may manually declare a temporary location which takes absolute priority over GPS telemetry. Stored in volatile memory only and purged on application termination.
8.1 Mandatory Geographic Obfuscation (Fuzzing Protocol). Prior to transmission to backend or Sub-Processors, latitude and longitude are programmatically truncated to a maximum precision of two (2) decimal places (~1.1 km). The User acknowledges that this deliberate degradation is a security measure preventing hyper-accurate tracking.

Article IX

Behavioural Biometrics & Honey-Pots

To preserve infrastructural integrity, the Controller deploys hidden cryptographic honey-pot fields within authentication matrices and records the timing and spatial coordinates of the User's last ten (10) screen interactions. This data is processed locally where possible and cross-referenced with backend heuristics to differentiate bona fide human operation from automated scripts. No biometric template uniquely identifying a natural person within the meaning of Article 9 GDPR is generated, stored or shared.

Article X

Automated Threat Mitigation

The Services are governed by an aggressive, automated cybersecurity framework designed to protect the platform from denial-of-service, brute-force, sybil and account-takeover incursions.

Autonomous Auto-Kill Protocol

Upon detection of high-severity vectors, an autonomous server function (processSecurityAlert) is executed without human intervention. The User consents to its authority to revoke tokens, disable account access globally, append the device identifier to a distributed blocklist, and route telemetry to the Security Operations Centre.

Article X bis

Restricted-Access Notice (Blocked-User Modal)

Where the autonomous threat-mitigation framework described in Article X determines that an account or device must be subjected to access restriction, the mobile application will render a full-screen, non-dismissible notice (the "Restricted-Access Notice") indicating that the User's access to the Services has been suspended. The notice:

  • does not reveal the specific signals or telemetry that triggered the restriction, in order to preserve the integrity of the anti-fraud system;
  • offers a "Close Application" control which, on Android devices, gracefully terminates the application process;
  • offers a "Contact Support" control which opens a pre-addressed message to support@blocalapp.com and permits the User to lodge an appeal, request human review of the automated decision (Article 22(3) GDPR), or submit a Data Subject Access Request;
  • advises the User of their right to obtain meaningful information about the logic involved, to contest the restriction, and to lodge a complaint with the competent supervisory authority.

The Restricted-Access Notice does not, in itself, Process additional Personal Data beyond that which is already held in connection with the User's account.

Article XI

Disclosure to Third Parties & Sub-Processors

The Controller engages the following categories of Sub-Processor under Article 28 GDPR-compliant agreements:

Cloud Hosting

Google Cloud Platform / Firebase (data centres in EU; activated US regions only with SCCs).

Authentication

Firebase Authentication; Apple Sign-In; Google Sign-In.

Analytics

First-party event analytics; Firebase Analytics (only with consent in EU/EEA/UK).

Crash Reporting

Firebase Crashlytics with IP truncation.

Push Notifications

Apple Push Notification service; Firebase Cloud Messaging.

Customer Support

Email correspondence routed via the Controller's mail provider.

Internal Security Operations Alerting

A private webhook channel (Discord) used exclusively by the Controller's Security Operations team to receive automated alerts in respect of security events (e.g. brute-force, MITM, root/jailbreak detection). Alerts may include the User's pseudonymised identifier, IP address, event type and timestamp; payloads are not used for marketing or profiling and are accessible only to authorised security personnel.

The Controller does not sell Personal Data, does not share Personal Data for cross-context behavioural advertising within the meaning of CCPA/CPRA, and does not rent Personal Data to data brokers.

Article XI bis

Rate Limiting & Abuse Controls

The Controller applies request rate-limiting across the entirety of its callable backend functions and public HTTP endpoints, including webhooks. The mechanism is implemented by means of short-lived counters keyed, in respect of authenticated calls, on the User's pseudonymous account identifier (UID) and, in respect of unauthenticated calls (including webhook deliveries), on the originating IP address. Where a defined threshold is exceeded within a rolling window, the corresponding request is rejected with an HTTP 429 Too Many Requests status or, for callable functions, an equivalent resource-exhausted error.

The processing of the UID and IP address for this purpose is grounded in the Controller's legitimate interest (Article 6(1)(f) GDPR) in preventing automated abuse, credential-stuffing, denial-of-service and webhook-replay incidents. Counter records are retained only for the duration of the relevant window and are not used for marketing, profiling or any purpose unrelated to abuse mitigation.
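Illustrative sketch of the mechanism described in this Article, added for explanatory purposes; it is not the Controller's code and forms no part of the Policy. The names rateLimitKey, SlidingWindowLimiter and toResponse, the threshold of three requests per sixty seconds, the in-memory store and the Retry-After header are assumptions made for the example.

```javascript
// Added example: rolling-window rate limiter keyed on UID (authenticated)
// or originating IP (unauthenticated, including webhook deliveries).
// All identifiers and thresholds here are hypothetical.

// Choose the counter key. An authenticated caller is always counted per
// UID, so users sharing one IP (NAT, mobile carrier) do not throttle each other.
function rateLimitKey(req) {
  if (req.uid) return `uid:${req.uid}`;
  if (req.ip) return `ip:${req.ip}`;
  throw new Error('request carries neither a UID nor an IP address');
}

class SlidingWindowLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> ascending list of accepted timestamps (ms)
  }

  // Decide one request. `now` is injectable so the logic can be tested.
  check(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent);
      // The oldest accepted hit leaves the window at recent[0] + windowMs.
      return { allowed: false, retryAfterMs: recent[0] + this.windowMs - now };
    }
    recent.push(now); // rejected requests are not counted, only accepted ones
    this.hits.set(key, recent);
    return { allowed: true, retryAfterMs: 0 };
  }

  // Delete counter records once their window has elapsed, so that no UID
  // or IP address is retained longer than the window itself.
  sweep(now = Date.now()) {
    const cutoff = now - this.windowMs;
    for (const [key, times] of this.hits) {
      const recent = times.filter((t) => t > cutoff);
      if (recent.length === 0) this.hits.delete(key);
      else this.hits.set(key, recent);
    }
    return this.hits.size; // number of keys still held
  }
}

// Translate a decision into the two rejection shapes named in the text:
// HTTP 429 for public endpoints, resource-exhausted for callable functions.
function toResponse(decision, kind) {
  if (decision.allowed) return { ok: true };
  if (kind === 'callable') return { ok: false, code: 'resource-exhausted' };
  const seconds = Math.ceil(decision.retryAfterMs / 1000);
  // Retry-After is an addition in this example, not stated in the text.
  return { ok: false, status: 429, headers: { 'Retry-After': String(seconds) } };
}

// Constructed traffic: four webhook deliveries from one documentation-range
// IP, then an authenticated call from the same IP under a constructed UID.
function demo() {
  const limiter = new SlidingWindowLimiter({ limit: 3, windowMs: 60000 });
  const t0 = 1000000;
  const webhook = { ip: '203.0.113.7' };
  const user = { uid: 'uid_constructed_001', ip: '203.0.113.7' };
  const results = [];
  for (let i = 0; i < 4; i++) {
    results.push(toResponse(limiter.check(rateLimitKey(webhook), t0 + i * 1000), 'http'));
  }
  results.push(toResponse(limiter.check(rateLimitKey(user), t0 + 4000), 'callable'));
  return results;
}

console.log(JSON.stringify(demo()));
```

In a multi-instance backend the Map would be replaced by a shared store with per-record expiry; the keying and window logic stay the same.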

Article XII

International Data Transfers

Where Personal Data is transferred outside the EEA, UK or other adequacy jurisdiction, the Controller relies upon: (i) European Commission adequacy decisions; (ii) the European Commission's Standard Contractual Clauses (Module 1–4) of 4 June 2021, supplemented by a Transfer Impact Assessment; (iii) the EU-US Data Privacy Framework where the recipient is certified; or (iv) the User's explicit, informed consent under Article 49(1)(a) GDPR. For African Users, equivalent transfer mechanisms under POPIA section 72 and NDPA section 41 are applied.

Article XIII

Retention Periods

Active Account Data

Retained for the duration of the account plus thirty (30) days following deletion request.

Authentication Logs

Twelve (12) months for security investigation purposes.

Behavioural Biometric Vectors

Maximum ninety (90) days, then irreversibly aggregated.

Transactional & Reward Records

Six (6) years pursuant to Spanish Commercial Code Article 30.

Tax-Relevant Records

Statutory minimum under General Tax Law 58/2003.

Marketing Consents

Until withdrawal, plus a record of the withdrawal itself.

Article XIV

Rights of EU/EEA & UK Data Subjects

Pursuant to Articles 15–22 GDPR and the UK GDPR, the User is entitled to exercise:

  • The right of access to their Personal Data;
  • The right to rectification of inaccurate or incomplete data;
  • The right to erasure ("right to be forgotten");
  • The right to restriction of Processing;
  • The right to data portability in a structured, commonly-used, machine-readable format;
  • The right to object to Processing based on legitimate interest;
  • The right not to be subject to solely automated decisions producing legal effects;
  • The right to withdraw consent at any time without retroactive effect;
  • The right to lodge a complaint with the competent supervisory authority — in Spain, the Agencia Española de Protección de Datos (www.aepd.es).

Requests are honoured free of charge within thirty (30) calendar days, extendable by sixty (60) days where necessary.

Article XV

United States — CCPA / CPRA & State Laws

California residents enjoy, in addition to the rights enumerated above: (a) the right to know the categories and specific pieces of Personal Information collected; (b) the right to delete Personal Information; (c) the right to correct inaccurate Personal Information; (d) the right to opt-out of sale or sharing (the Controller does neither); (e) the right to limit use of Sensitive Personal Information; and (f) the right to non-discrimination for exercising these rights. Equivalent rights are extended to residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA) and other US States as their respective comprehensive privacy statutes enter force.

Shine the Light (Cal. Civ. Code §1798.83): the Controller does not disclose Personal Information to third parties for their direct marketing purposes.

Article XVI

African Jurisdictions — POPIA, NDPA & Equivalents

South Africa (POPIA): Users are entitled to the rights set out in sections 23–25 of POPIA and may lodge complaints with the Information Regulator (inforegulator.org.za).

Nigeria (NDPA 2023): Users may exercise rights under sections 34–37 of the NDPA and refer complaints to the Nigeria Data Protection Commission.

Kenya (DPA 2019): Users may exercise rights under Part V of the Kenya Data Protection Act and refer complaints to the Office of the Data Protection Commissioner.

Other African Jurisdictions: equivalent protections under Egyptian Law 151/2020, Moroccan Law 09-08, and the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention) are honoured where applicable.

Article XVII

Technical & Organisational Security Measures

The Controller has implemented appropriate measures pursuant to Article 32 GDPR, including:

  • AES-256 encryption at rest;
  • TLS 1.3 encryption in transit, with HSTS preloading;
  • Argon2id password hashing with per-user salt;
  • Role-based access control with least-privilege provisioning;
  • Quarterly penetration testing by independent auditors;
  • Continuous vulnerability scanning and dependency monitoring;
  • Documented Incident Response Plan and Business Continuity Plan;
  • Mandatory data protection training for all personnel.

Article XVIII

Personal Data Breach Notification

In the event of a Personal Data breach likely to result in a risk to the rights and freedoms of natural persons, the Controller shall notify the competent supervisory authority without undue delay and, where feasible, not later than seventy-two (72) hours after becoming aware of the breach, in accordance with Article 33 GDPR. Where the breach is likely to result in a high risk, affected Users shall be notified directly without undue delay pursuant to Article 34 GDPR.

Article XIX

Cookies, Local Storage & SDK Trackers

The mobile application does not employ HTTP cookies in the traditional browser sense, but does utilise functionally-equivalent persistent local storage, secure keychain entries, and SDK identifiers. Non-essential trackers are activated only following granular, opt-in consent obtained through the in-app consent management interface, in compliance with Article 5(3) of Directive 2002/58/EC ("ePrivacy") as transposed by Spanish Law 34/2002 (LSSI).

Article XIX bis

On-Device Content Personalisation Cache ("Unseen First")

In furtherance of the principles of data minimisation (Article 5(1)(c) GDPR) and privacy-by-design (Article 25 GDPR), the Services implement a client-side personalisation mechanism, colloquially denominated the "Unseen First" logic, which operates exclusively within the local storage environment of the User's handset and does not entail any additional server-side Processing of Personal Data.

19bis.1 Technical Architecture. The mobile application maintains two discrete registers within the device's native asynchronous key-value store (AsyncStorage): one enumerating the identifiers of recommendations previously rendered on-screen, and a second enumerating the identifiers of events previously rendered on-screen. Each register is capped at one thousand (1,000) entries on a first-in-first-out basis to preserve device performance and storage economy.

19bis.2 Operational Logic. Upon each fetch operation, the application partitions the candidate content set into "unseen" and "seen" sub-collections, randomises the ordering within each sub-collection, and concatenates them such that previously-unviewed items are prioritised in the User's feed. Where the locally-cached content set is composed entirely of previously-seen identifiers, the fifteen (15) minute in-memory cache is bypassed and a fresh request is dispatched to the backend in order to surface novel content.

19bis.3 Data Locality & Non-Transmission. The identifiers comprising the Unseen First register are never transmitted to, persisted by, or otherwise made available to the Controller's backend infrastructure, Sub-Processors or any third party. They remain at all times under the exclusive custody of the User's device and outside the technical reach of the Controller.

19bis.4 User Control & Erasure. The User may, at any time and without justification, extinguish the Unseen First register by (i) clearing the application's local data through the operating system settings; (ii) uninstalling the application; or (iii) invoking the in-app "Clear Cache" functionality where exposed. Such action will reset the personalisation logic and cause previously-viewed content to be eligible for re-surfacing.

19bis.5 Backend Performance Optimisation. In parallel, the backend bundle-generation routine (generateCityBundle) executes the underlying Firestore queries concurrently by means of Promise.all(), thereby reducing latency and the energy footprint of each request. This optimisation alters neither the categories of Personal Data Processed nor the lawful bases enumerated in Article VI.

19bis.6 Lawful Basis. To the extent that the Unseen First register constitutes Processing within the meaning of Article 4(2) GDPR, such Processing is grounded in the Controller's legitimate interest (Article 6(1)(f) GDPR) in providing a non-repetitive, content-fresh User experience, which interest is not overridden by the rights and freedoms of the User given the strictly on-device, pseudonymous and User-controllable nature of the mechanism.

Article XIX ter

Local Caches, Persistent Preferences & Batched Telemetry

In furtherance of data minimisation, performance and battery-economy objectives, the mobile application maintains a series of additional local caches within the device's persistent key-value store (AsyncStorage), orchestrated by a client-side state-management layer (Zustand). These caches operate as a read-through copy of data that already lawfully resides within the User's account and do not give rise to any new category of Personal Data.

19ter.1 User Preferences Cache

Locally mirrors the User's declared dietary preferences, vibe preferences, language, notification toggles and 2FA settings, synchronised from Firestore via a single background snapshot listener attached to the User's own document.

19ter.2 Cities Cache

Locally mirrors the publicly-available list of cities for which the Services are activated; refreshed automatically every twenty-four (24) hours.

19ter.3 Saved-Items Cache

Locally mirrors the identifiers of recommendations and events that the User has personally bookmarked, so that bookmark indicators can be rendered without re-querying the backend on every screen.

19ter.4 Batched Analytics Writes. View-count and save-count telemetry generated by the User's interactions (e.g. viewing a venue or event) is buffered locally and dispatched to the backend in atomic batches once a small threshold of events is reached. Each underlying view is still recorded individually server-side, such that dashboard accuracy is preserved; only the network-transport layer is optimised. Buffered events that have not yet been transmitted at the time of application termination are reconciled on the next launch.

19ter.5 User Control. The User may extinguish any of the above caches at any time by clearing the application's local data, uninstalling the application, or signing out, which triggers a programmatic reset of the local stores.

Article XX

Direct Marketing Communications

Direct marketing communications are dispatched only following the User's explicit, freely given, specific, informed and unambiguous opt-in. Each communication includes a one-click unsubscribe mechanism in conformity with Article 21(3) GDPR and Article 22 LSSI. Withdrawal of consent does not affect the lawfulness of Processing prior to such withdrawal.

Article XXI

Automated Decision-Making & Artificial Intelligence

The Controller employs algorithmic systems for fraud scoring, recommendation generation and eligibility validation in the gamification framework. Decisions producing legal effects or significantly affecting the User (notably, the Auto-Kill protocol) are subject to human review on request. The User is entitled to obtain meaningful information about the logic involved, as well as the significance and envisaged consequences of such Processing, pursuant to Article 22 GDPR. The Controller commits to compliance with the EU Artificial Intelligence Act (Regulation (EU) 2024/1689) as its provisions enter into force.

Article XXII

Limitation of Liability

22.1 Inherent Fallibility. Notwithstanding the implementation of AES-256 encryption, TLS transit protocols and automated threat frameworks, the User acknowledges that no digital architecture is wholly impervious to zero-day exploits or cyber-kinetic events.

22.2 Maximum Cap. To the maximum extent permissible under applicable mandatory law, and without prejudice to non-waivable consumer rights, the Controller's cumulative liability arising out of or in connection with this Policy shall be capped at the greater of (i) the total consideration paid by the User to the Controller in the twelve (12) months preceding the event giving rise to liability, or (ii) Fifty Euros (€50.00).

Article XXIII

Amendments to this Policy

The Controller reserves the right to amend, alter or supplement this Policy at any time. Material amendments shall be communicated via in-app notification at least thirty (30) days prior to entry into force. Continued use of the Services following such notice constitutes binding ratification of the revised instrument.

Article XXIV

Governing Law & Jurisdiction

This Policy shall be governed by and construed in accordance with the laws of the Kingdom of Spain. The Courts of Barcelona shall have exclusive jurisdiction over any dispute arising from or in connection with this Policy, without prejudice to the User's non-waivable right to bring proceedings in the courts of their place of residence pursuant to Regulation (EU) 1215/2012 (Brussels I bis) or equivalent local consumer protection statutes.

Article XXV

Contact & Complaints

Privacy & Data Protection Enquiries: support@blocalapp.com

Postal Address: BL PLATFORM S.L., Barcelona, Spain

Spanish supervisory authority — Agencia Española de Protección de Datos: www.aepd.es

End of Document · BL PLATFORM S.L. · © 2026