Privacy Statement

Augmento FZCO Last updated: [DATE] Effective date: [DATE]

Draft notice: This is a working draft for internal review. Have UAE counsel review for general compliance, Brazilian counsel review for LGPD-facing experiences (CBF / Seleção Eterna), and EU counsel review if marketing into EEA/UK. A separate Portuguese-language version is required before the Brazil launch.

1. Who we are

This Privacy Statement explains how Augmento FZCO ("Augmento", "we", "us", "our") collects, uses, shares, and protects personal data when you interact with our websites, apps, App Clips, AR experiences, dashboards, APIs, SDKs, and related services (the "Services").

Data controller: Augmento FZCO Dubai Silicon Oasis, Dubai, United Arab Emirates Email: privacy@augmento.com Data Protection Officer: dpo@augmento.com

For Brazilian users (e.g. Seleção Eterna / CBF activations), Augmento acts as controller under Lei Geral de Proteção de Dados ("LGPD") and has appointed a Brazilian Data Protection Officer (Encarregado), reachable at dpo-br@augmento.com.

For Customers (Enterprise clients, sponsors, brand partners) who use our Services to deliver experiences to their own end users, Augmento generally acts as a data processor on their behalf. Their privacy notice will apply to those interactions in addition to this Statement.

2. Scope

This Statement applies to:

• Visitors to augmento.com, discover.augmento.com, and related domains.
• Users of Augmento Studio (our SaaS dashboard).
• End users of Augmento Drops experiences (treasure hunts, AR collectibles, leaderboards).
• Visitors and participants in Augmento ART experiences at galleries, exhibitions, and cultural venues.
• Participants in Custom Projects , bespoke AR/3D experiences delivered at events, venues, exhibitions, and brand activations.

It does not apply to third-party websites, apps, or services that link to, embed, or are linked from our Services. Read their privacy notices separately.

3. Information we collect

We collect the following categories of personal data:

3.1 Identity data

Name, email address, phone number, date of birth (where age verification is required), profile photo or avatar, username, country of residence.

3.2 Authentication data

Hashed passwords, OAuth tokens (e.g. Apple, Google), and session identifiers.

3.3 Behavioural data

Interactions with AR experiences: items collected, levels reached, leaderboard position, completion times, click and scroll events, pages visited, session duration, drop-off points, conversion events.

3.4 Affinity and preference data

Stated preferences, opted-in interests (e.g. football team, art genre, neighbourhood), survey responses, quiz answers, sponsor interactions.

3.5 Social-graph data (where you connect)

If you choose to connect a social account or share content, we may collect public profile fields, friend lists you authorise, and shared content metadata.

3.6 Device and technical data

IP address (which we use only to derive coarse location), device model, OS and browser version, language, timezone, screen size, app version, crash logs, performance traces, AR-capability signals (camera, gyroscope, ARKit/ARCore availability).

3.7 Location data

• Coarse location (city/region) derived from IP, used for analytics and content localisation.
• Precise GPS location only when an experience requires it (e.g. a geo-fenced treasure hunt) and only after the End User explicitly grants the permission. Precise location is processed in real time and is not retained beyond what is needed to validate the relevant action, unless the End User opts in to additional features.

3.8 Camera, sensor, and microphone data

AR experiences process camera frames, motion sensors, and (rarely) microphone input on-device. We do not transmit raw camera or microphone streams to our servers, except where a specific experience explicitly requires it (e.g. a user-initiated photo or video capture you choose to share). When that happens, it is disclosed in-experience and consent is collected.

3.9 User-generated content

Photos, videos, comments, or other content you choose to capture, upload, or share.

3.10 Payment data

For paid Subscriptions or in-experience purchases, we use third-party payment processors (e.g. Stripe). We do not store full payment card numbers on our systems. We receive transaction metadata (amount, status, last 4 digits, billing country).

3.11 Communications data

Emails, support tickets, chat messages with our team, and feedback you send us.

4. How we collect personal data

• Directly from you when you sign up, fill in a form, scan a marker, complete a quiz, or contact us.
• Automatically through cookies, SDKs, app telemetry, and server logs as you use the Services.
• From Customers and partners , for example a sponsor or rights-holder may share an attendee or member list with us so we can deliver an experience to them.
• From third parties , such as authentication providers (Apple, Google), public sources, or analytics partners.

5. Why we use personal data (purposes)

6. Legal bases for processing

Where GDPR, LGPD, or similar laws apply, we rely on the following legal bases:

• Consent , for marketing, precise location, optional camera/microphone features, and certain cookies.
• Contract , to provide the Service you signed up for.
• Legitimate interests , for analytics, product improvement, security, and limited direct marketing to existing customers, balanced against your rights.
• Legal obligation , for tax, accounting, and regulator obligations.
• Vital interests , in rare safety-related situations.

You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal.

7. AR-specific privacy notes

Augmented reality experiences raise specific privacy considerations. We commit to:

1. On-device processing by default. Camera, motion, and microphone data are processed locally by ARKit, ARCore, or the browser's WebXR/WebAR engine.
2. Explicit, contextual permissions. We request camera and location permissions only when the experience needs them, with a clear in-context explanation.
3. No silent recording. We never record audio or video without an explicit user action (e.g. you tap "Capture").
4. No facial recognition. We do not run facial-recognition or biometric-identification algorithms on people in the camera view.
5. No retention of raw frames. Raw camera frames used by tracking are not retained or transmitted, except as part of media you choose to capture and share.

8. Cookies and similar technologies

We use cookies, local storage, and SDK identifiers to operate, secure, and improve the Services. Categories include:

• Strictly necessary , authentication, security, load balancing.
• Functional , remembering preferences and settings.
• Analytics , Mixpanel, server logs, performance monitoring.
• Marketing , only with consent and only on properties where applicable (e.g. campaign landing pages).

You can manage non-essential cookies through our cookie banner (where shown) and your browser settings. A full cookie list is maintained at augmento.com/cookies (or available on request).

9. Sharing and disclosure

We share personal data with:

9.1 Sub-processors and infrastructure providers

• Amazon Web Services , hosting, compute, storage (regions: EU, US, ME-Central).
• Supabase , managed Postgres, auth, storage.
• Cloudflare , CDN, security, R2 object storage.
• Bunny CDN , video and asset delivery.
• Mixpanel , product analytics.
• Stripe , payment processing (where applicable).
• Apple and Google , app distribution and App Clip / Instant App delivery.

A current sub-processor list is available at augmento.com/subprocessors.

9.2 Customers (rights-holders and sponsors)

Where you participate in an experience operated by a Customer (e.g. a football federation, hospitality brand, art gallery, event organiser), aggregated and (with your consent) identified data may be shared with that Customer per their privacy notice and our Data Processing Agreement.

9.3 Professional advisors

Lawyers, accountants, auditors, and M&A advisors, under confidentiality.

9.4 In a corporate transaction

If Augmento is acquired, merges, or sells substantially all assets, personal data may be transferred to the successor, subject to this Statement (or a substantially equivalent one).

9.5 Legal and regulatory

Where required by law, court order, regulator, or to protect Augmento's rights, property, or safety, or those of users or the public.

We do not sell personal data in the conventional sense and do not engage in cross-context behavioural advertising for our own benefit. Customers may run sponsor-attributed campaigns via our infrastructure, and where this constitutes "sale" or "sharing" under California law, we provide opt-out controls (see Section 12).

10. International transfers

Augmento is based in the UAE. Personal data may be transferred to and processed in countries other than your own, including the United States, the European Union, and the United Kingdom, where our sub-processors and cloud regions are located.

Where required, we rely on:

• Standard Contractual Clauses approved by the European Commission (for EEA/UK transfers).
• LGPD-compliant transfer mechanisms for transfers from Brazil.
• Contractual safeguards and security measures with all sub-processors.

A list of countries where data may be processed and the safeguards applied is available on request from dpo@augmento.com.

11. Data retention

We retain personal data only as long as needed for the purposes described, then delete or anonymise it.

We may retain data longer where required by law, to defend legal claims, or to investigate suspected violations.

12. Your rights

Depending on where you live, you may have the following rights:

• Access , request a copy of the personal data we hold about you.
• Rectification , correct inaccurate or incomplete data.
• Erasure / "right to be forgotten" , subject to legal limits.
• Restriction , limit how we process your data.
• Portability , receive your data in a structured, machine-readable format.
• Objection , object to processing based on legitimate interests, including direct marketing.
• Withdraw consent , at any time, where processing is based on consent.
• Lodge a complaint with your local supervisory authority (e.g. the data protection authority in your country, the ANPD in Brazil, the ICO in the UK).

To exercise rights, email privacy@augmento.com or dpo@augmento.com. We will respond within 30 days (extendable by an additional 60 days for complex requests, with notice).

12.1 Brazilian users (LGPD)

You have specific rights under the LGPD, including confirmation of processing, access, correction, anonymisation/blocking/deletion of unnecessary or excessive data, portability, information about sharing, and revocation of consent. Brazilian DPO: dpo-br@augmento.com.

12.2 California residents (CCPA/CPRA)

You may request to know, delete, or correct personal information, and opt out of "sale" or "sharing". Submit requests to privacy@augmento.com with subject "California Privacy Request". We will not discriminate against you for exercising your rights.

12.3 EEA / UK residents (GDPR / UK GDPR)

You have the rights listed above. You may also lodge a complaint with your local DPA. We do not currently have an EU representative; we will appoint one if required by Article 27 GDPR.

13. Children's privacy

Our Services are not directed at children under 16 (or the equivalent age of digital consent in your country). We do not knowingly collect personal data from children under that age without verifiable parental or guardian consent. If you believe we have collected such data, contact privacy@augmento.com and we will delete it.

For experiences that may be played by minors with parental consent (e.g. family-friendly football fan experiences), additional safeguards are applied: minimal data collection, no behavioural advertising, and parental controls where required.

14. Security

We implement reasonable technical and organisational measures to protect personal data, including:

• Encryption in transit (TLS 1.2+) and at rest for sensitive datastores.
• Access controls, role-based permissions, MFA on administrative accounts.
• Network segmentation, WAF, and DDoS protection (Cloudflare, AWS).
• Regular dependency, vulnerability, and penetration scanning.
• Incident response plan with breach notification within 72 hours to relevant authorities and affected users where required.
• Sub-processors are vetted and contractually bound to equivalent standards.

No system is 100% secure. If you suspect an incident, email security@augmento.com.

15. Automated decisions and profiling

We may use automated processing to detect fraud, prevent abuse, score engagement, and personalise content. We do not make decisions producing legal or similarly significant effects on you solely by automated means without human review. You may request human review of any such decision.

16. Changes to this Statement

We may update this Privacy Statement from time to time. Material changes will be notified via in-product notice or email at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent version. Previous versions are available on request.

17. Contact

Augmento FZCO Dubai Silicon Oasis, Dubai, United Arab Emirates