MEETLYR LTD PRIVACY POLICY

INTRODUCTION & CONTROLLER INFORMATION

This Privacy Policy (“Policy”) explains how Meetlyr Limited – 16878549 (“we,” “us,” “our,” or “Company”) collects, uses, discloses, retains, and protects your personal data when you visit our website at https://meetlyr.com/ (the “Website”) and use our booking application at https://app.meetlyr.com/bookings (the “App”) and any related services (collectively, the “Services”). This Policy applies to all users, including consumers, service providers, and business partners who interact with Meetlyr’s Services.

We are committed to transparency and compliance with applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR), and/or the Data Protection Act 2018 (DPA 2018), and/or the Privacy and Electronic Communications Regulations 2003 (PECR), and/or the EU General Data Protection Regulation (where applicable).

Data Controller Details
Meetlyr Limited
Registered Address: Failsworth, Manchester, England, M35 9FD.
Email: hello@meetlyr.com
Telephone: +44 7878 837785

For data protection enquiries and to exercise your rights under this Policy, please contact our Data Protection Officer or relevant person (if applicable) or use the contact information provided in Section 12 below.

2. SCOPE AND GEOGRAPHIC APPLICATION

This Policy applies to:
- United Kingdom: All users of the Website and App are subject to UK GDPR and DPA 2018.
- European Union: Where Meetlyr operates or provides Services to EU residents, the EU GDPR can apply in addition to or instead of UK GDPR.

Users should be aware that data may be processed in the UK and (where applicable) transferred to EU Member States where we operate. Such transfers are lawful under the EU-UK adequacy decision or, where necessary, are protected by Standard Contractual Clauses (SCCs) as described in Section 8.

3. DATA WE COLLECT

We collect personal data directly from you, through automated means, and from third parties.
The types of personal data we collect depend on how you use our Services and include:

3.1 Information You Provide Directly

Account Registration Data:
- Full name
- Email address
- Phone number
- Date of birth (where required for age verification or identity confirmation)
- Profile photograph ID (Optional & Only if Necessary)
- Username and password
- Short Questionnaire

Booking & Service Data:
- Booking details (services requested, dates, times, locations, specific requirements)
- Cancellation and rescheduling requests
- Service preferences and special requests
- Feedback, reviews, and ratings

Payment Data:
- Payment card details to Stripe (if you choose to enter them on our App; however, we strongly recommend using PCI-compliant third-party processors)
- Billing address
- Transaction history and payment amounts
- Invoices and receipts

Communications Data:
- Messages sent via our in-app messaging system
- Support requests and customer service interactions
- Email correspondence with our team
- Feedback and complaints

Identity & Compliance Data:
- Government-issued identification (where required for verification or regulatory compliance)
- Background check results (if applicable for certain service providers)

3.2 Automatically Collected Data

Technical Data:
- Device identifiers (device ID, hardware model, mobile network information)
- IP address
- Browser type and version
- Operating system
- Referring URL and pages visited
- Timestamp of visits and session duration
- Crash reports and performance data

Usage Analytics:
- Features used within the App
- Clickstream data
- Search queries
- Interaction patterns
- Session recordings (with prior consent, where legally required)

Cookies and Similar Technologies:
- First-party and third-party cookies
- Web beacons and pixels
- Local storage and similar technologies

See Section 11 for detailed information on cookies and your choices.
3.3 Location Data

Precise Location Data: If you grant permission through your device settings, we might use location data to:
- Enable location-based booking services
- Confirm service provider attendance
- Improve service recommendations
- Analyze usage patterns

Approximate Location Data: We may infer approximate location from IP addresses and device settings.

Users can disable location services at any time through device settings; however, some Services may not function optimally without location data.

3.4 Data from Third Parties

We may receive personal data about you from:
- Payment processors (transaction details, fraud indicators)
- Identity verification services (identity confirmation, age verification)
- Background check providers (verification results for service providers)
- Social media platforms (only if you link your account with us)
- Analytics and marketing partners
- Law enforcement and regulatory authorities (in response to legal requests)

3.5 Special Category Data

Under Article 9 of the UK GDPR and Article 9 of the EU GDPR, we generally do not collect “special category data” (data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation).

Exception: If you voluntarily disclose such information in support messages or booking requests (e.g., accessibility requirements for persons with disabilities), we will process this only to fulfill your service request and will delete it when no longer necessary.

4. LAWFUL BASIS FOR PROCESSING

We process personal data only where we have a lawful basis under Article 6 of the UK GDPR and Article 6 of the EU GDPR.
The lawful bases for our processing include:

4.1 Contractual Necessity

We process data necessary to enter into and perform your booking contract, including:
- Account creation and management
- Service delivery and fulfillment
- Payment processing
- Provision of customer support

4.2 Consent

Where consent is the lawful basis, we process data for:
- Marketing communications (email, SMS, push notifications) via PECR-compliant consent mechanisms
- Analytics and usage tracking (via prior opt-in for non-essential cookies)
- Automated profiling and personalization (where we inform you and provide opt-out mechanisms)
- Social media integration

Consent Withdrawal: You may withdraw consent for marketing and analytics at any time by sending “unsubscribe” in communications, accessing your account preferences, or contacting us (Section 12). Withdrawal does not affect the lawfulness of processing before withdrawal.

We collect explicit consent when you click the Sign up or similar consent mechanism during account registration. This consent is separate from accepting our Terms of Service. A clear link to this Privacy Policy is displayed prominently at the point of consent, and users can withdraw consent at any time without penalty (Section 4.2 – Consent Withdrawal).

4.3 Legitimate Interests

We rely on legitimate interests for:
- Detecting and preventing fraud and abuse
- Improving our Services and user experience
- Network and IT security
- Analyzing usage trends and service optimization
- Direct marketing to existing customers via the “soft opt-in” exception under PECR
- Compliance with legal obligations and enforcement of rights
- Defending against legal claims

We balance our interests against your rights and freedoms, and we do not use legitimate interest to justify marketing to new consumers without consent.
4.4 Legal Obligation

We may process data to comply with:
- UK tax law (HMRC record-keeping requirements)
- Money laundering and terrorist financing regulations (KYC/AML)
- Court orders and regulatory requests
- Employment law (if you are a service provider)

4.5 Vital Interests

We process data where necessary to protect your vital interests or those of others in emergency situations.

5. HOW WE USE YOUR DATA

We use personal data for the following purposes:

5.1 Core Service Delivery
- Creating and managing your account
- Processing bookings and payments
- Delivering the requested service
- Communicating booking confirmations, updates, and cancellations
- Handling service disputes and refunds

5.2 Customer Support
- Responding to inquiries and complaints
- Troubleshooting technical issues
- Providing help with account management
- Gathering feedback through surveys and polls

5.3 Marketing & Communications
- Sending promotional emails (with consent or via soft opt-in for existing customers)
- Notifying you of service updates, features, and promotions
- Personalizing content and recommendations based on your usage

PECR Compliance: We comply with the Privacy and Electronic Communications Regulations 2003. For marketing emails to individuals, we obtain explicit consent or rely on the soft opt-in exception (existing customers who have not opted out). For corporate recipients, we may send email marketing without prior consent but provide clear unsubscribe options.
5.4 Personalization & Analytics
- Tailoring your experience through usage analysis and profiling
- Analyzing trends to optimize our Services
- Creating aggregated, anonymized reports
- Testing new features (A/B testing)
- Detecting usage patterns to identify service improvements

5.5 Fraud & Security
- Detecting unauthorized access and fraudulent transactions
- Preventing abuse and misuse of Services
- Enforcing our Terms of Service and other agreements
- Protecting against security threats and malware

5.6 Legal & Regulatory Compliance
- Responding to government requests and legal processes
- Maintaining records for tax, employment, and regulatory purposes
- Defending against legal claims
- Enforcing contractual rights

5.7 Aggregated & Anonymized Data

We may process anonymized data (data stripped of identifying information) without restriction for:
- Aggregated analytics and reporting
- Service improvements
- Research and product development
- Sharing with business partners and public

6. DATA SHARING & RECIPIENTS

We share personal data only where necessary and permitted by law.
Recipients may include:

6.1 Service Providers & Data Processors

We engage third-party service providers who act as data processors and process data on our instructions, including:

Payment Processing:
- Stripe, PayPal, or other PCI-compliant payment processors
- Only payment-essential data (name, billing address, transaction amount) is shared
- These processors maintain their own privacy policies and security standards

Cloud Infrastructure:
- Microsoft Clarity, Cloudinary, Microsoft Azure, or similar cloud service providers
- Data is encrypted in transit and at rest
- Processors maintain international data protection certifications (ISO 27001, SOC 2)

Communications:
- Email service providers (Mailchimp, or similar)
- SMS delivery services
- Push notification platforms

Analytics & Performance:
- Google Analytics (aggregated, pseudonymized data)
- Amplitude or similar usage analytics platforms
- Performance monitoring services

Identity & Background Verification:
- Didit.me or ID services (for age/identity confirmation)
- Background check providers (for service providers, only where required)

Customer Support:
- Tawk or similar helpdesk platforms
- Support data (tickets, chat history) stored with encryption

Marketing & Communications:
- HubSpot, Klaviyo, or similar marketing automation platforms
- Aggregated customer data for marketing analytics

All data processors are required to:
- Process data only on our documented instructions
- Maintain adequate security measures (Article 32 UK GDPR/EU GDPR)
- Keep personal data confidential
- Assist you in exercising your data subject rights
- Report any data breaches within 72 hours
- Not engage sub-processors without our written approval

Data Processing Agreements: All processors sign Data Processing Agreements (DPAs) containing Standard Contractual Clauses or equivalent protections as required by law.
6.2 Business Partners & Service Providers (Joint Controllers)

We may share data with:
- Integration partners (calendar systems, CRM platforms)
- Payment partners and financial service providers
- Marketing partners and advertisers (only aggregated, non-identifying data unless you consent)

These partners may be joint data controllers; we identify joint controllership in specific contexts and ensure transparency.

6.3 Legal & Regulatory Authorities

We may disclose personal data without your consent when:
- Required by law (court order, subpoena, warrant, or government request)
- Necessary to enforce our Terms of Service or other agreements
- Required to protect our legal rights or those of others
- Necessary to prevent fraud, abuse, or security threats

When feasible, we will notify you of such requests before disclosure, except where prohibited by law.

6.4 Business Transfers

If Meetlyr is involved in a merger, acquisition, bankruptcy, dissolution, reorganization, or similar transaction or proceeding, personal data may be transferred as part of that transaction. You will be notified of any such change in ownership or control of your personal data and of any material changes to this Policy. Personal data will remain subject to the same level of protection unless you choose to delete your account.

6.5 Aggregated & Anonymized Data

We may share aggregated, de-identified data with:
- Business intelligence partners
- Academic and research institutions
- Industry associations
- Marketing and analytics platforms
- The general public (via reports and insights)

This data cannot identify you and is not subject to data protection regulations.
6.6 Sub-Processors & Sub-Processing

Authorized sub-processors engaged by our primary processors may include:
- Infrastructure sub-providers (data centers, CDNs)
- Backup and disaster recovery services
- Third-party security and compliance tools

We maintain a current list of authorized sub-processors at: https://meetlyr.com/subprocessors

Processors must notify us before engaging new sub-processors and afford us the opportunity to object. If you object to a new sub-processor, we will work with you to find an alternative or terminate the relevant service.

7. AUTOMATED DECISION-MAKING & PROFILING

7.1 Profiling Activities

We engage in profiling to enhance your experience, including:
- Booking Recommendations: Analyzing your booking history and preferences to suggest relevant services
- Dynamic Pricing: Using algorithms to optimize pricing based on demand and user patterns (if applicable)
- Fraud Detection: Using automated systems to identify suspicious transactions and prevent abuse
- User Segmentation: Categorizing users for targeted marketing and service improvements

7.2 Automated Decision-Making Restrictions (Article 22)

Significant Automated Decisions: Where we use automated decision-making that produces legal or similarly significant effects on you (e.g., account termination, eligibility denial, access restrictions), you have the right to:
- Request human intervention
- Obtain an explanation of the decision logic
- Challenge or appeal the decision
- Obtain information about factors that influenced the decision

Examples of significant effects:
- Denial of service or account suspension
- Eligibility determination for services or pricing
- Credit decisions

Right to Human Review: If you object to an automated decision with significant effects, we will conduct a human review within 30 days and notify you of the outcome.
7.3 Opt-Out of Profiling

You may opt out of profiling for marketing personalization by:
- Contacting us to Unsubscribe (Section 12)
- Clicking “Do Not Sell or Share My Personal Information” (if & where applicable)
- Deleting your profile

Limitation: Opting out of profiling may limit the personalization and functionality of the Services.

8. INTERNATIONAL DATA TRANSFERS

8.1 UK to EU Transfers

When we transfer personal data from the UK to EU Member States where we operate, such transfers are lawful under the EU-UK adequacy decision in most cases. No additional safeguards are required for transfers from the UK to the EU.

8.2 Transfers Outside the UK/EEA

Where we transfer data to countries without an adequacy decision (e.g., certain third countries), we implement:
- Standard Contractual Clauses (SCCs):
- Transfer Impact Assessments (TIAs):

Examples of Third-Country Transfers:
- Cloud storage in non-EEA data centers (with contractual safeguards)
- Analytics services located outside the UK/EU
- Payment processors operating globally

9. DATA RETENTION & DELETION

9.1 Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law.
Specific retention periods are:

Data Type | Retention Period | Reason
Account Data (active users) | Duration of account + 12 months post-deletion | Account management, contractual obligations
Booking & Service History | 7 years | Tax law, business records, dispute resolution
Payment Records | 7 years | UK tax law (HMRC), fraud investigation
Payment Card Details | Not stored; deleted immediately by processor | PCI DSS compliance, security
Communications (support tickets) | 3 years | Customer service, dispute resolution
Marketing Consent Records | 5 years | PECR compliance, audit trail
Automated Decision Logs | 2 years | Transparency, Article 22 compliance
Cookies & Analytics Data | 13 months (except persistent features) | Analytics, performance optimization
Background Checks | 3-5 years (service providers) | Duty of care, regulatory compliance
Identity Verification Data | As required by AML/KYC law (typically 5 years) | Money laundering prevention

Note: Retention periods may be extended where required by court order or regulatory request.

Meetlyr Limited is responsible for the retention periods specified above. These periods comply with UK GDPR Article 5 (storage limitation principle) and UK tax law requirements. Any material changes to retention periods will be notified to users at least 30 days in advance. For clarification on your specific data retention, please reach out to us.
9.2 Right to Erasure (“Right to Be Forgotten”)

You have the right to request erasure of your personal data in the following circumstances:
- Data is no longer necessary for its original purpose
- You withdraw consent and no other lawful basis applies
- You object to processing based on legitimate interests
- Data was processed unlawfully
- Erasure is required by law

Limitations: We may refuse erasure where:
- Data is necessary to fulfill legal obligations
- Data is needed to establish, exercise, or defend legal claims
- Data must be retained for fraud prevention or security
- Data is needed to fulfill a contractual obligation
- Data is part of an active investigation or regulatory audit

Erasure Process: Upon receipt of a valid erasure request, we will delete identifiable data within 30 days (subject to backup retention schedules and legal holds). Some data may be pseudonymized or anonymized instead of deleted.

9.3 Backup & Archive Data

Personal data in backups and archives is retained according to our backup policy (typically 30-90 days for active backups, up to 1 year for archived data). Once the retention period expires, such data is securely destroyed.

10. DATA SUBJECT RIGHTS

Under the UK GDPR (Articles 15-22) and EU GDPR (Articles 15-22), you have the following rights:

10.1 Right to Be Informed

You have the right to be informed about how we process your data (which this Policy satisfies).

10.2 Right of Access (Subject Access Request)

You may request a copy of your personal data we hold about you. We will provide this information in a clear, structured, and commonly used electronic format (CSV or PDF or Word) within 30 days of your request. Please specify to which degree you are requesting the data.

How to Request: Contact hello@meetlyr.com with your full name, registered email address, and a clear request for access.

Extensions: We may extend the response period by two months for complex or voluminous requests, notifying you of the extension.
10.3 Right to Rectification

You may request that we correct inaccurate or incomplete personal data. We will update records within 30 days and notify any processors or recipients of the correction.

10.4 Right to Erasure

See Section 9.2 above.

10.5 Right to Restrict Processing

You may request that we limit the processing of your data to storage only (restricting use for other purposes) where:
- You contest the accuracy of data (during verification period)
- Processing is unlawful and you object to deletion
- We no longer need the data but you require it for legal claims
- You have objected to processing based on legitimate interests (pending determination)

During a restriction period, we will not process the data except with your consent, for legal claims, or to protect others’ rights.

10.6 Right to Data Portability

You may request that we transfer your personal data to another service provider in a structured, commonly used, machine-readable format (JSON, XML, CSV). This right applies where:
- Processing is based on consent or contract
- Processing is carried out by automated means
- You wish to transmit data to another controller

We will comply within 30 days at no charge. Where technically feasible, we will transmit data directly to another service provider.

10.7 Right to Object

You may object to processing of your personal data on the grounds of legitimate interests or direct marketing.

Marketing Objection: You may opt out of marketing communications by:
- Writing “unsubscribe” in marketing emails
- Adjusting preferences in your account settings
- Contacting hello@meetlyr.com

Legitimate Interest Objection: You may object to other processing based on legitimate interests. We will cease processing unless we demonstrate compelling legitimate interests or legal obligations that override your objection.

10.8 Right Not to Be Subject to Automated Decision-Making

See Section 7.2 above. You have the right to human intervention, explanation, and review of significant automated decisions.
10.9 Right to Lodge a Complaint

If you believe we have violated your data protection rights, you may lodge a complaint with the:
- UK: Information Commissioner’s Office (ICO) – Website: https://ico.org.uk
- EU Member States: Your national data protection authority (contact information available at https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/enforcement-and-penalties/competent-authorities_en)

11. COOKIES & SIMILAR TRACKING TECHNOLOGIES

11.1 What Are Cookies?

Cookies are small text files stored on your device that allow websites and apps to recognize you and remember your preferences. We also use similar technologies including web beacons, pixels, local storage, and mobile device identifiers.

11.2 Types of Cookies We Use

Cookie Type | Purpose | Consent Required?
Strictly Necessary | Session management, security, fraud prevention, basic functionality | No
Functional | Remembering preferences, language settings, saved searches | Optional (with consent)
Analytics | Measuring usage, traffic analysis, performance optimization | Yes
Marketing/Advertising | Targeted ads, retargeting, social media integration | Yes (explicit opt-in)
Third-Party | Ad networks, social platforms, analytics partners | Yes (explicit opt-in)

Strictly Necessary Cookies are exempt from consent requirements under the ePrivacy Directive and GDPR.

11.3 Your Consent Choices

On Your First Visit: Our cookie banner allows you to:
- Accept all cookies
- Reject non-essential cookies
- Customize your preferences (granular consent by category)

We do not use dark patterns (e.g., pre-checked boxes, delayed rejection buttons, or manipulative UI) to pressure cookie acceptance.
11.4 Managing Cookie Preferences

You may:
- Adjust cookie preferences anytime by clicking the cookie banner or accessing your account settings
- Change browser settings to reject or warn about cookies
- Use browser extensions to block tracking (e.g., Privacy Badger, uBlock Origin)
- Delete cookies from your device

Note: Disabling cookies may impair certain Website/App functionality.

11.5 Third-Party Cookies

Third-party services used may set their own cookies, including:
- Google Analytics (privacy-enhanced mode: https://policies.google.com/privacy)
- Amplitude, Mixpanel (usage analytics)
- Facebook Pixel, Google Ads (advertising)
- Intercom, Zendesk (customer support)
- Stripe (payment processing)

We include links to their privacy policies below (Section 13).

11.6 Cookie Retention
- Session Cookies: Deleted when you close your browser
- Persistent Cookies: Retained for up to 13 months (analytics/marketing) or as specified
- Marketing Cookies: Cleared upon opt-out; historical consent records retained for 5 years

12. DATA SECURITY & PROTECTION MEASURES

12.1 Technical & Organizational Safeguards

We implement comprehensive security measures to protect personal data against unauthorized access, loss, alteration, or destruction:

Encryption:
- Data in transit: TLS 1.2+ encryption for all connections (HTTPS)
- Data at rest: AES-256 encryption for sensitive data (payment, identity, health information)
- End-to-end encryption for confidential communications where applicable

Access Controls:
- Role-based access control (RBAC): Only authorized personnel access personal data
- Principle of least privilege: Employees access only necessary data
- Multi-factor authentication (MFA) for all administrative accounts
- Regular access reviews and audit trails

Security Infrastructure:
- Firewalls and network segmentation
- Intrusion detection and prevention systems (IDPS)
- Distributed denial-of-service (DDoS) protection
- Regular vulnerability scanning and penetration testing
- Security information and event management (SIEM)

Data Integrity:
- Regular backups (tested recovery)
- Data validation and checksums
- Change management and version control

Personnel Security:
- Data protection training for all employees
- Confidentiality agreements and NDAs
- Background checks for staff with data access
- Incident response procedures and drills

Vendor Management:
- Due diligence on all processors and sub-processors
- Contractual security obligations (Data Processing Agreements)
- Regular security audits and compliance reviews
- Incident notification requirements

12.2 PCI DSS Compliance

For payment card processing:
- We do not store full card details on our systems (tokenization)
- Payment processing is outsourced to PCI-DSS Level 1-certified processors (Stripe, PayPal, etc.)
- We maintain strict network segregation and access controls
- Regular security assessments and audits are conducted

13. DATA BREACH NOTIFICATION

13.1 Our Breach Obligations

In the event of a personal data breach (unauthorized access, loss, or disclosure), we will:

To the Supervisory Authority (UK ICO or EU DPA):
- Notify within 72 hours of becoming aware of a breach that poses a risk to individuals’ rights and freedoms
- Include: nature of breach, affected individuals, consequences, measures taken

To Affected Individuals (High-Risk Breaches):
- Notify directly, without undue delay, if the breach poses a high risk to rights and freedoms
- Include: description of the breach, potential consequences, measures taken to mitigate risk
- Provide notifications in clear, plain language

Documentation:
- Maintain records for regulatory inspection
- Document the assessment process, risk evaluation, and actions taken

13.2 What Constitutes a “Risk to Rights and Freedoms”

A breach is likely to result in risk if it could lead to:
- Financial loss
- Identity theft
- Fraud
- Discrimination
- Loss of confidentiality or privacy
- Blackmail or exploitation
- Reputational damage
- Other significant disadvantage

13.3 Your Rights if Breached

If your data is breached, you may:
- Request confirmation that a breach occurred
- Obtain details about the breach and remedial actions
- Exercise your rights to access, rectification, or erasure
- Lodge a complaint with the ICO or your national DPA
- Pursue civil claims for damages

14. THIRD-PARTY LINKS & SERVICES

Our Website and App may contain links to third-party websites and services (e.g., social media platforms, payment processors, booking references) that are not operated by Meetlyr. This Policy does not apply to third-party services.

Your Responsibilities:
- Review the privacy policies of third-party services before providing personal data
- We are not responsible for third-party privacy practices or security measures
- Linking to a third-party does not constitute endorsement

Social Media Integration: If you link your social media account (Facebook, Google, etc.) with Meetlyr:
- We access only the information you authorize
- Check your social media privacy settings to control what information is shared
- You may disconnect your social account anytime

15. CHILDREN & MINORS

15.1 Age Restrictions

Our Services are not intended for children under 13 years of age (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children under 13.

15.3 Child Data Breach

If we become aware that we have collected data from a child under 13 without parental consent, we will:
- Cease collection immediately
- Delete such data within 30 days
- Notify parents/guardians where feasible

Report Child Data: Contact hello@meetlyr.com immediately.

16. EXERCISING YOUR RIGHTS

16.1 How to Submit Requests

By Email: hello@meetlyr.com (include “Data Subject Request” in subject line)

By Mail:
Meetlyr Limited
Privacy Team
Failsworth, Manchester, England, M35 9FD.
United Kingdom

16.2 Verification & Response
- We will verify your identity before processing your request (to prevent unauthorized access)
- We will respond within 30 days of receipt of a valid request
- Extensions: For complex requests, we may extend up to two months (notifying you of the extension)
- Costs: Requests are free; we will not charge fees unless requests are manifestly unfounded or excessive

16.3 Request Evidencing

We maintain detailed records of all data subject requests, including:
- Date received and response deadline
- Type of request
- Information provided
- Response date and method
- Any extensions or denials
- Justifications for any refusals

These records are available for supervisory authority inspection.

17. DIRECT MARKETING & COMMUNICATIONS

17.1 Email Marketing (PECR Compliance)

For Individuals:
- New customers: Explicit opt-in consent required before sending marketing emails
- Existing customers: We may send marketing via “soft opt-in” (with clear unsubscribe option in every message) provided:
  - You have purchased or negotiated to purchase a similar service
  - You have not previously opted out
  - You receive a simple way to opt out with each message

For Corporate Recipients (businesses):
- No prior consent required (but unsubscribe option mandatory)
- We may not disguise our identity
- We provide a valid contact address for opt-outs

17.2 SMS & Push Notifications
- Explicit opt-in consent required before sending SMS or push notifications for marketing
- Clear opt-out mechanism provided in every message
- Frequency capped to prevent spam

17.3 Unsubscribe & Preference Management

You may opt out of marketing communications by:
- Accessing the “unsubscribe” link or writing unsubscribe in marketing emails
- Replying to SMS with “STOP”
- Adjusting notification settings in your mobile device or account
- Contacting hello@meetlyr.com

We will remove you from marketing lists within 10 business days and will not send further marketing to that address.

Note: Service-related communications (booking confirmations, customer support, security alerts) are not optional and will continue.

17.4 Soft Opt-In Exception

Under PECR Regulation 22, we may send marketing emails to existing customers who purchased a similar product/service without explicit consent, provided:
✓ We gave you a simple way to opt out when we first collected your contact details (at signup, purchase, or data collection)
✓ You have purchased or negotiated to purchase a similar product or service from Meetlyr
✓ You have not previously opted out
✓ We provide a clear unsubscribe option in every marketing email
✓ Your marketing preference is not for a substantially different product or service

You may opt out anytime.
We will remove you from marketing lists within 10 business days.

NOTE: Soft opt-in does NOT apply to:
- Prospective customers who have never purchased from us
- Contacts acquired from third-party marketing lists
- Marketing of substantially different services from what you previously purchased

18. LEGITIMATE INTERESTS BALANCING TEST

Where we rely on legitimate interests as the lawful basis (Section 4.3), we balance our interests against your rights as follows:

Our Legitimate Interests:
- Fraud detection and prevention
- Network and IT security
- Service optimization and analytics
- Direct marketing to existing customers
- Enforcement of rights and contracts
- Cost reduction and efficiency

Your Interests & Rights:
- Privacy and confidentiality
- Autonomy and freedom from surveillance
- Data security
- Reasonable expectations
- Vulnerable population protections

Our Balancing Assessment:
- We apply privacy by design principles
- We collect only necessary data (minimization)
- We use technical safeguards (encryption, access controls)
- We provide transparency and opt-out mechanisms
- We do not sell data to third parties for profit
- We restrict profiling for high-risk decisions

Opt-Out Mechanisms: You may object to legitimate-interest-based processing by contacting hello@meetlyr.com.

19. UPDATES TO THIS POLICY

We may update this Privacy Policy at any time to reflect changes in our practices, technology, legal requirements, or other factors. Material changes (e.g., new purposes, new recipients, international transfers) will be notified to you via email or prominent notice on the Website at least 30 days before taking effect. Minor clarifications may be updated without notice. The version published on https://meetlyr.com is the current version. Your continued use of the Services constitutes acceptance of the updated Policy.
Changes & Your Rights:
- Material changes (e.g., new purposes, new recipients, international transfers) will be notified to you via email or prominent notice on the Website at least 30 days before taking effect
- Minor clarifications may be updated without notice
- Your continued use of the Services constitutes acceptance of the updated Policy
- You may review previous versions by contacting hello@meetlyr.com
Last Updated: January, 2026

20. FINAL PROVISIONS

20.1 Severability
If any provision of this Policy is found to be invalid or unenforceable, that provision will be modified to the minimum extent necessary to comply with applicable law, and the remainder of the Policy will continue in full force and effect.

20.2 Entire Agreement
This Privacy Policy, together with our Terms of Service, constitutes the entire agreement between you and Meetlyr regarding the processing and protection of your personal data.

20.3 Governing Law & Jurisdiction
This Policy is governed by the laws of the United Kingdom (for UK data subjects) or where local laws prevail.

END OF PRIVACY POLICY
Effective Date: January, 2026

Note: This Privacy Policy is current as of January 2026. Meetlyr Limited reserves the right to update, modify, or amend this Privacy Policy at any time. To ensure you have the most current and legally binding version of this Privacy Policy and our Terms of Service, please always contact the Meetlyr team before relying on this document for legal or compliance purposes. Material changes (including changes to data processing purposes, new data recipients, changes to retention periods, or new international data transfers) will be communicated to you via email or prominent notice on the Website at least 30 days before taking effect. Your continued use of Meetlyr’s Website and App constitutes acceptance of the current Privacy Policy and Terms of Service.
ANNEX A: SUBPROCESSOR LIST
Primary Subprocessors as of January 22, 2026:

Service Category | Processor/Subprocessor | Location | Processing Activity
Cloud Infrastructure | Hostinger or other | EU/UK Data Centers | Data storage, backup, hosting
Cloud Infrastructure | Cloudinary or other | EU/UK Data Centers | Data storage, backup, hosting
Payment Processing | Stripe or other | UK/EU | Payment processing, card tokenization
Email Communications | Mailchimp or other | US (under Data Privacy Framework) | Email delivery, marketing emails
Analytics | Google Analytics, Meta, Clarity, etc. or other | US/EU (privacy-enhanced) | Usage analytics, aggregated data
Customer Support | Tawk | US/EU | Support ticket management, storage
Identity Verification | Didit or other | UK/EU | Identity verification, background checks
SMS Delivery | Local SMS provider | US | SMS delivery, notifications

Note: This list might not be up to date. In that case, please contact the Meetlyr team at: Hello@meetlyr.com

ANNEX B: COOKIE CONSENT RECORD
Consent records are maintained for a minimum of 5 years as required by PECR and GDPR audit requirements. Records include:
- Date and time of consent
- Cookie categories consented to
- Consent method (banner, settings, account)
- IP address (hashed for privacy)
- Consent string / identifier
- Version of Privacy Policy accepted