Privacy Policy
[Last Modified: September 16, 2024]
This privacy policy (“Privacy Policy” or “Policy”) describes how Carambola Media Ltd. and its affiliated companies and subsidiaries (collectively shall be referred to as “Carambola”, “we”, “us”, or “our”) collect, use and disclose certain information, and the choices you can make about that information.
Carambola is the developer and owner of the technology and platform (“Platform”) that enables publishers, operating websites, applications or other digital assets (“Digital Assets” and “Publishers” respectively) to embed and share within the Digital Assets interactive units including, but not limited to, online quizzes, questionnaires, surveys, feedback applications or other features (“Interactive Unit”) for the purpose of creating end user engagement. The Interactive Units can further include advertisements and other promotional content (“Ads”) provided by third party advertisers (“Advertisers”) (all together shall be referred to as “Services”).
We collect and process certain information when visitors browse our website: https://carambola.com/ (“Visitors” and “website”). We also collect and use certain information about the Publishers using our Platform and Services, or on behalf of the Advertiser or Publisher, such as information on the end users, the individuals watching the ads or interacting with the Interactive Units (as applicable the “end users”, “Visitors” and “Publishers” collectively shall be referred to as “you”).
This Privacy Policy applies to all information about you that we collect in connection with the Services throughout the world, and explains what data we may collect from you, how such data may be used or shared with others, how we safeguard it, and how you may exercise your rights related to your Personal Data (as defined below) under the applicable privacy laws such as the EU General Data Protection Regulation (“GDPR”) and the California Consumer Privacy Act (“CCPA”) and other US states as further detailed below.
Carambola participates in the IAB Transparency & Consent Framework and complies with its Specifications and policies. Carambola’s Vendor number within the framework is 1240.
CONTENTS
1. POLICY AMENDMENTS
2. CONTACT INFORMATION AND DATA CONTROLLER INFORMATION
3. DATA SETS WE COLLECT AND FOR WHAT PURPOSE
4. HOW WE COLLECT YOUR INFORMATION
5. COOKIES AND SIMILAR TECHNOLOGIES
6. DATA SHARING – CATEGORIES OF RECIPIENTS WE SHARE PERSONAL DATA WITH
7. USER RIGHTS AND OPT-OUT OPTIONS
8. DATA RETENTION
9. SECURITY MEASURES
10. INTERNATIONAL DATA TRANSFER
11. ELIGIBILITY AND CHILDREN PRIVACY
12. JURISDICTION SPECIFIC NOTICES
A. ADDITIONAL NOTICE TO CALIFORNIA RESIDENTS
B. ADDITIONAL NOTICE TO COLORADO RESIDENTS
YOUR RIGHTS UNDER CPA
HOW TO SUBMIT A REQUEST UNDER CPA?
C. ADDITIONAL NOTICE TO VIRGINIA RESIDENTS
HOW TO SUBMIT A REQUEST UNDER VCDPA?
D. ADDITIONAL NOTICE TO CONNECTICUT RESIDENTS
HOW TO SUBMIT A REQUEST UNDER CDPA?
E. ADDITIONAL NOTICE TO UTAH RESIDENTS (effective January 2024)
F. NOTICE TO NEVADA RESIDENTS
1. POLICY AMENDMENTS:
We reserve the right to amend this Privacy Policy from time to time, at our sole discretion. The most recent version of the Privacy Policy will always be posted on the website and the update date will be reflected in the “Last Modified” heading. We will provide notice to you if these changes are material, and, where required by applicable law, we will obtain your consent. Any amendments to the Privacy Policy will become effective within 30 days upon the display of the modified Privacy Policy. We recommend you review this Privacy Policy periodically to ensure that you understand our most updated privacy practices.
2. CONTACT INFORMATION AND DATA CONTROLLER INFORMATION:
Carambola Media Ltd. is incorporated under the laws of Israel, and is the Controller (as such term is defined under the GDPR or equivalent privacy legislation) of your Personal Data.
For any question, inquiry or concern related to this Privacy Policy or the processing of your Personal Data, you may contact us as follows:
DPO CONTACT INFORMATION:
Carambola Media Ltd.
10 Aba Even Blvd. Building C, Herzliya, 4672528, Israel.
By Email: contact@Carambo.la
3. DATA SETS WE COLLECT AND FOR WHAT PURPOSE:
You can find here information regarding the data sets we collect, purposes for which we process your data as well as our lawful basis for processing, and how the data is technically processed. In general, we may collect two types of information from you, depending on your interaction with us:
Non-Personal Data
During your interaction with our Services, we may collect aggregated, non-personal, non-identifiable information, which may be made available or gathered via your access to and use of the Services (“Non-Personal Data”). We are not aware of the identity of the user from which the Non-Personal Data is collected. The Non-Personal Data being collected may include your aggregated usage information and technical information transmitted by your device, such as: the type of browser or device you use, operating system type and version, language preference, time and date stamp, country location, etc.
Personal Data
We may also collect from you, during your access or interaction with the Services, individually identifiable information, namely information that identifies an individual or may, with reasonable effort, be used to identify an individual (“Personal Data” or “Personal Information”). The types of Personal Data that we collect as well as the purpose for processing such data are specified in the table below.
For the avoidance of doubt, any Non-Personal Data connected or linked to any Personal Data shall be deemed as Personal Data as long as such connection or linkage exists.
The table below details the processing of Personal Data we collect, the purpose, lawful basis, and processing operations:
| DATA SET | PURPOSE AND OPERATIONS | LAWFUL BASIS |
| --- | --- | --- |
| WEBSITE | | |
| Online Identifiers: When you access and interact with our website, we collect certain online identifiers, such as Cookie ID, agent ID, internet protocol (IP) address or similar unique online identifiers generated (“Online Identifiers”). | We process such data through our first party cookies to enable the operation of the website, security and for fraud prevention purposes. The first party cookies are strictly necessary. | First party cookies are strictly necessary and processing of Online Identifiers is subject to our legitimate interest. |
| Contact Information: If you voluntarily contact us, you may be required to provide us with certain information such as your full name, phone number, company name, email address (“Contact Information”), and any additional information you decide to share with us. | We process such data to respond to your inquiry. | We process such Contact Information subject to our legitimate interest. We may keep such correspondence if we are legally required to. |
| PUBLISHERS AND END USERS | | |
| Account Information: Publishers are designated with an account, or are able to register and create an account through the website. The account registration information includes your full name, email address and possibly your phone number. Additionally, during the registration process you will be required to create a username and password. This information will be processed when you log in as well. You represent and warrant that you will not provide us with inaccurate, misleading or false information. | We process such data to create an account for you, provide you with account management and support, and provide you the Services, as well as to send you needed information related to our business engagement (e.g., send you a welcome message, notify you regarding any updates to our Services, send applicable invoices, etc.) and additional occasional communications and updates related to the Services, as well as to communicate with you, send you updates on new capabilities and features, and to send you invoices and promotional and marketing emails (“Direct Marketing”). We may also use the information in order to verify your identity. | We process such data for the purpose of performing our contract with you, meaning, to provide the Services and to designate your account. Direct Marketing is processed subject to our legitimate interest. You can opt-out at any time by using the “unsubscribe” option. |
| Usage Data: We collect certain usage data, meaning analytics and statistics on how the Publishers use our Services and the dashboard available through the Platform (“Usage Data”). | We process such aggregated Usage Data with respect to the Platform and Services in order to operate, provide, maintain, protect, manage and improve Carambola Platform tools and Services. | We process such data subject to our legitimate interest. |
| End User Data: End users are individuals browsing publishers’ Digital Assets and viewing advertisers’ ads (“End User”). We process certain information on End Users (“End User Data”): identifiers, unique identifier, IP address, Privacy or Preference String, TCF string, the URL the End User is browsing, the interaction with the ads or the publisher assets (viewed, clicked, etc.), country level location extracted from the IP, type of browser, language, type of device and other technical data. | Deliver and display contextual content and advertising, reporting and measurements: We use the End User Data to place contextual content, which is not advertisement. We share the End User Data with the advertisers so that they are able to display relevant advertisement to you. We use the aggregated End User Data to provide our publishers with insights and reports regarding their campaigns, meaning aggregated measurements and reporting. | We process the End User Data upon consent provided through the consent string, TCF string. Otherwise, the aggregated data is used in our legitimate interest in providing the Service, and conducting research for improving the Service, all as detailed in the Legitimate Interest Claim below. In certain aspects of our Service, we act as the “data processor” or “service provider”, in which we will rely on our publishers to obtain the necessary lawful basis for processing the end user personal data. |
Please note that the actual processing operation per each purpose of use and lawful basis detailed in the table above may differ. Such processing operation usually includes a set of operations made by automated means, such as collection, storage, use, disclosure by transmission, erasure, or destruction. The transfer of Personal Data to third-party countries, as further detailed in the “International Data Transfer” Section below, is based on the same lawful basis as stipulated in the table above.
In addition, we may use certain Personal Data to prevent potentially prohibited or illegal activities, fraud, misappropriation, infringements, identity thefts, and any other misuse of the Services and to enforce the Terms, as well as to protect the security or integrity of our databases and the Services, and to take precautions against legal liability. Such processing is based on our legitimate interests.
We may collect different categories of Personal Data and Non-Personal Data from you, depending on the nature of your interaction with the Services provided through the website and Platform, as detailed above. If we combine Personal Data with Non-Personal Data, the combined information will be treated as Personal Data for as long as it remains combined.
Please further be advised that, as an end user interacting with the Interactive Unit, you might be subject to additional data collection directly on behalf of Publishers (meaning the Publishers operating the Digital Assets in which our Interactive Units are implemented, as well as Advertisers providing the ads displayed in the Interactive Unit). We are not responsible for, nor do we monitor, such data collection, which shall be governed by such Publishers’ privacy policies.
4. OUR LEGITIMATE INTEREST CLAIM (DISCLOSURE AS REQUIRED BY TCF 2.2):
In addition to the information provided in the section above, we want to explain the legitimate interest at stake when we process End User Data, as it directly impacts our relationship with our Publishers and Advertisers. In most cases when we, or our Publisher, deliver interest based, cross contextual Ads through the Interactive Unit that suit your interests and preferences, we will base the processing of Personal Data on consent, as required under applicable laws, such as ePrivacy or other regulations, and detailed in the table above, and transfer your preference to our Publishers and Advertisers. However, when we use certain data, which includes Personal Data such as Online Identifiers and Privacy or Preference Strings, for improving the services, to share the Ad Call (including the users’ preferences) with Advertisers, or technically delivering the Ads, we do so based on our legitimate interest, which is essential to the sustainability of the Interactive Unit and Services. This processing was concluded in various rulings and guidelines to be based on legitimate interest, and thus we did not conduct a self-assessment and rely on the DPAs’, ICO’s, and EDPB’s rulings and guidelines. We understand that privacy is of utmost importance, and we are committed to protecting your rights. We adhere to applicable privacy standards and regulations, provide transparent information about our data processing practices, and you have the ability to control your preferences and opt out. We want to assure you that we conduct a careful balancing test to ensure that our legitimate interest does not unduly infringe upon your rights and freedoms.
5. HOW WE COLLECT YOUR INFORMATION:
Depending on the nature of your interaction with us, we may collect the above detailed information from you, as follows:
● Automatically, when you visit our website, interact with our Platform or use our Services, including through the use of Cookies (as detailed below) and similar tracking technologies.
● When you voluntarily choose to provide us with information, such as when you contact us, all as detailed in this Policy.
● Provided by our partners and Cookie Management Platforms implemented in our partners' assets.
6. COOKIES AND SIMILAR TECHNOLOGIES:
We use “cookies” (or similar tracking technologies) when you access our website. The use of cookies is a standard industry-wide practice. A “cookie” is a small piece of information that a website assigns and stores on your computer while you are viewing a website. Cookies can be used for various purposes, including allowing you to navigate between pages efficiently, as well as for statistical purposes, analytic purposes and marketing.
The specific cookies we currently use on our website, are detailed in the table below:
| COOKIE NAME | PURPOSE | EXPIRY |
| --- | --- | --- |
| Google Analytics | Performance Cookies (Analytics) | 1 Year |
| Mixpanel | | |
| Hotjar | | |
7. DATA SHARING – CATEGORIES OF RECIPIENTS WE SHARE PERSONAL DATA WITH:
We share your data with third parties, including the Publishers or service providers that help us provide our Services. You can find here information about the categories of such third-party recipients.
| CATEGORY OF RECIPIENT | DATA THAT WILL BE SHARED | PURPOSE OF SHARING |
| --- | --- | --- |
| Advertisers | End User Data | We provide such information to our Advertisers, so they will be able to bid for content that best suits such a web-page, as a part of our Services. We will further present aggregated data about end users’ interaction with the ads, to provide reports to our Publishers. The Advertiser is required to secure the data and to use the data for pre-agreed purposes only, while ensuring compliance with all applicable data protection regulations. Carambola and the Advertiser have engaged in the Module II of the Standard Contractual Clauses. The transferred data shall be encrypted when transferred. |
| Publisher | End User Data | Providing reports and analytics to the Publisher. The Publisher is required to secure the data and to use the data for pre-agreed purposes only, while ensuring compliance with all applicable data protection regulations. Carambola and the Publisher have engaged in the Module II of the Standard Contractual Clauses. The transferred data shall be encrypted when transferred. |
| Service Providers | All data | We may disclose Personal Data to our trusted agents (such as legal counsel) and service providers (including, but not limited to, our Cloud Service Provider, Analytics Service Provider, CRM provider, etc.) so that they can perform the requested services on our behalf. Thus, we share your data with third party entities, for the purpose of storing such information on our behalf, or for other processing needs. These entities are prohibited from using your Personal Data for any purposes other than providing us with requested services. |
| Any acquirer of our business | All data | We may share Personal Data in the event of a corporate transaction (e.g., sale of a substantial part of our business, merger, consolidation or asset sale). In the event of the above, our affiliated companies or acquiring company will assume the rights and obligations as described in this Policy. |
| Affiliated Companies | All Data | We may share aggregate or Non-Personal Data with our affiliated companies and additional third parties in accordance with the terms of this Policy. We may store any type of information on our servers or cloud servers, use or share Non-Personal Data in any of the above circumstances, as well as for the purpose of providing and improving our Services, aggregate statistics, marketing and conduct business and marketing analysis, and to enhance your experience. |
| Legal and law enforcement | Subject to law enforcement authority request. | We may disclose certain data to law enforcement, governmental agencies, or authorized third parties, in response to a verified request relating to terror acts, criminal investigations or alleged illegal activity or any other activity that may expose us, you, or any other user to legal liability, and solely to the extent necessary to comply with such purpose. |
When we share information with service providers and Publishers, we ensure they only have access to such information that is strictly necessary for us to provide the Services. These parties are required to secure the data they receive and to use the data for pre-agreed purposes only while ensuring compliance with all applicable data protection regulations (such service providers may use other non-personal data for their own benefit).
8. USER RIGHTS AND OPT-OUT OPTIONS:
We acknowledge that different people have different privacy concerns and preferences. Our goal is to be clear about what information we collect so that you can make meaningful choices about how it is used. We allow you to exercise certain choices, rights, and controls in connection with your information. Depending on your relationship with us, your jurisdiction and the applicable data protection laws that apply to you, you have the right to control and request certain limitations or rights to be executed. Please note, if you are an individual who interacts with a Publisher and you contact us regarding your rights, you will be directed to contact the applicable Publisher as the “controller” of the Personal Data.
For additional rights under various jurisdictions, please refer to Section 13 “JURISDICTION-SPECIFIC NOTICES” herein below. For detailed information on your rights and how to exercise your rights, please see the Data Subject Request Form (“DSR”) available HERE or send it to: contact@Carambo.la.
Further, you may exercise certain rights without the need to fill out the DSR Form, such as:
● You can correct or delete the Contact Information or Account Information at any time through the account settings.
● You can opt out from receiving our emails by clicking the “unsubscribe” link.
● You can withdraw consent for processing End User Data for analytics or marketing purposes at any time by using the cookie settings on the website.
● You can use the “Do Not Sell or Share My Information” option through the first-party business, i.e., through the cookie consent manager presented on the Publisher's website, etc.
To opt out from cross contextual ads you can further use these links: the Network Advertising Initiative’s (“NAI”) website: NAI consumer opt-out; the Digital Advertising Alliance’s (“DAA”) website: DAA opt-out page; or the European Interactive Digital Advertising Alliance (“EDAA”) website: Your Online Choices page.
9. DATA RETENTION:
We retain Personal Data we collect as long as it remains necessary for the purposes set forth above, all in accordance with applicable laws, or until an individual expresses a preference to opt-out.
Other circumstances in which we will retain your Personal Data for longer periods of time include: (i) where we are required to do so in accordance with legal, regulatory, tax, or accounting requirements; (ii) for us to have an accurate record of your dealings with us in the event of any complaints or challenges; or (iii) if we reasonably believe there is a prospect of litigation relating to your Personal Data. Please note that except as required by applicable law, we may at our sole discretion, delete or amend information from our systems, without notice to you, once we deem it is no longer necessary for such purposes.
10. SECURITY MEASURES:
We work hard to protect the Personal Data we process from unauthorized access, alteration, disclosure, or destruction. We have implemented physical, technical, and administrative security measures for the Services that comply with applicable laws and industry standards, such as encryption using SSL, minimizing the amount of data that we store on our servers, restricting access to Personal Data to Carambola employees, contractors, and agents, etc. Note that we cannot be held responsible for unauthorized or unintended access beyond our control, and we make no warranty, express, implied, or otherwise, that we will always be able to prevent such access.
Please contact us at: contact@Carambo.la if you feel that your privacy was not dealt with properly, in a way that was in breach of our Privacy Policy, or if you become aware of a third party's attempt to gain unauthorized access to any of your Personal Data. We will make a reasonable effort to notify you and the appropriate authorities (if required by applicable law) in the event that we discover a security incident related to your Personal Data.
11. INTERNATIONAL DATA TRANSFER:
Our data servers in which we host and store the information are located in Israel. The Company’s HQ is based in Israel, from which we may access the information stored on such servers or other systems such as the Company’s ERP, CRM, Salesforce, and other systems. In the event that we need to transfer your Personal Data out of your jurisdiction, we will take appropriate measures to ensure that your Personal Data receives an adequate level of protection as required under applicable law. Furthermore, when Personal Data that is collected within the European Economic Area ("EEA") is transferred outside of the EEA to a country that has not received an adequacy decision from the European Commission, we will take necessary steps in order to ensure that sufficient safeguards are provided during the transferring of such Personal Data, in accordance with the provision of the standard contractual clauses approved by the European Union. Thus, we will obtain contractual commitments or assurances from the data importer to protect your Personal Information, using contractual protections that EEA and UK regulators have pre-approved to ensure your data is protected (known as standard contract clauses), or rely on adequacy decisions issued by the European Commission. Some of these assurances are well-recognized certification schemes.
12. ELIGIBILITY AND CHILDREN PRIVACY:
The Services are not intended for use by children (the phrase "child" shall mean an individual that is under the age defined by applicable law, which concerning the EEA is under the age of 16, and with respect to the US, under the age of 13), and we do not knowingly process children's information. We will discard any information we receive from a user that is considered a "child" immediately upon discovering that such a user shared information with us. Please contact us at: contact@Carambo.la if you have reason to believe that a child has shared any information with us.
13. JURISDICTION SPECIFIC NOTICES:
A. ADDITIONAL NOTICE TO CALIFORNIA RESIDENTS
This section applies only to California residents, pursuant to the California Consumer Privacy Act of 2018 (“CCPA”) effective November 2020, and as amended by the CPRA, effective January 1, 2023.
Please see the CCPA Privacy Notice, which discloses the categories of personal information collected, purpose of processing, source, categories of recipients with whom the personal information is shared for a business purpose, whether the personal information is sold or shared, the retention period, and how to exercise your rights as a California resident.
B. ADDITIONAL US STATES NOTICE
Residents of certain U.S. states (depending on the applicable state law, acting in an individual or household context and not in a commercial or employment context or as a representative of business), including Colorado, Connecticut, Virginia, and Utah, may have additional rights under applicable privacy laws and be entitled to additional disclosures.
"Personal Data" under applicable US privacy laws generally means any information that is linked or reasonably linkable to an identified or identifiable individual (and usually does not include publicly available information that is lawfully made available from government records, or that a consumer has otherwise made available to the public; de-identified or aggregated consumer information; or information excluded from the state laws' scope, such as: HIPAA, GBPA, non-profit entities, etc.).
“Sensitive Data” means data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life, sexual orientation, citizenship, or immigration status; The processing of genetic or biometric data for the purpose of uniquely identifying an individual; Personal Data collected from a known child; Precise geolocation data.
We are required to provide you with a clear and accessible privacy notice that includes the categories of Personal Data processed, purpose of processing, instructions for exercising consumer rights and appealing decisions, categories of Personal Data shared with third parties, categories of third parties with whom data is shared, and any sale of data or targeted advertising.
Categories of Personal Data & Categories of third parties with whom Personal Data is shared:
Under Section 3 of this Privacy Policy “Data we Collect and the Purpose of Use”, we describe our collection and processing of Personal Data, the categories of Personal Data that we collect and process, and the purposes for which Personal Data is processed, stored or used.
Additionally, we detail and disclose the categories of third parties we share Personal Data with for business purposes. We will not collect additional categories of Personal Data or use the Personal Data we collected for a materially different, unrelated, or incompatible purpose without obtaining your consent.
“Sale” of Personal Data:
Under US privacy laws, in principle, the term “sale” refers to disclosing or making available Personal Data to a third party in exchange for monetary or other valuable consideration, including for targeted advertising purposes. We do not “sell” information as most people would commonly understand that term: we do not, and will not, disclose your Personal Data in direct exchange for money or some other form of payment. However, subject to the definition of the term “Sale” under US privacy laws, we may “sell” the following categories of Personal Data when we use cookies or other third-party advertising services:
● Identifiers – online identifiers such as IP and Cookie ID.
● Internet and electronic network activity information – such as your engagement with our Interactive Unit and Ads.
● Geolocation data – derived from IP (country level).
Consumer Rights:
Residents of certain U.S. states, including Colorado, Connecticut, Virginia, and Utah, may have additional rights under applicable privacy laws, subject to certain limitations, which may include:
● Access - the right to confirm whether we are processing their Personal Data and to obtain a copy of their Personal Data in a portable and, to the extent technically feasible, readily usable format.
● Delete - the right to delete their Personal Data provided to or obtained by us.
● Correct - the right to correct inaccuracies in their Personal Data, taking into account the nature and purposes of the processing of the Personal Data.
● Opt-Out - the right to opt out of certain types of processing, including: (i) to opt out of the “sale” of their Personal Data; (ii) to opt out of targeted advertising by us; and (iii) to opt out of any processing of Personal Data for purposes of making decisions that produce legal or similarly significant effects.
Section 7 “Users Rights” provides additional information regarding your principal rights.
Exercising Your Privacy Rights:
You may submit a request to exercise most of your privacy rights under U.S. state privacy laws by contacting us at: privacy@urban-vpn.com.
When you submit a request, we will take steps to verify your identity and your request by matching the information provided by you with the information we have in our records. In some cases, we may request additional information to verify your identity, or where necessary to process your request. If we are unable to verify your identity after a good faith attempt, we may deny the request and, if so, will explain the basis for denial and how to remedy any deficiencies, where applicable.
Authorized agents may initiate a request on behalf of another individual by contacting us at privacy@urban-vpn.com; authorized agents will be required to provide proof of their authorization and we may also require that the relevant consumer directly verify their identity and the authority of the authorized agent.
If we decline to take action on your request, we shall so inform you without undue delay, within the timeframe set out under applicable law. Our notification will include a justification for declining to take action and instructions on how you may appeal. Within the timeframe set out under applicable law of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may submit a complaint to the applicable authority or Attorney General of your jurisdiction (including - Colorado AG at https://coag.gov/file-complaint/; Connecticut Attorney General at: https://www.dir.ct.gov/ag/complaint/ or (860) 808-5318; Virginia Attorney General at https://www.oag.state.va.us/consumercomplaintform).