Introduction
Welcome to Variant, a conversion rate optimization platform for e-commerce shops ("Platform"). The Platform was developed and is owned and operated by Variantnow, Inc. ("Company" or "we", "us", "our").
We are committed to complying with applicable data protection laws. This Privacy Policy ("Policy") explains how we collect and use your information when you use our Platform.
The Platform is not intended for users under the age of 18. We do not knowingly collect information from children under the age of 18 or knowingly allow minors under the age of 18 to use the Platform.
This Policy may be amended from time to time. We will post any change to this Policy on our Platform at a reasonable time in advance of the effective date of the change, and we will also make efforts to proactively notify you of the changes.
Contact Us
If you have any questions, comments or concerns regarding this Policy or our processing of your personal information, please contact us through the Platform or email us at info@variantnow.com.
What We Collect and Why
| Scenario | Purposes | Categories of Information |
| --- | --- | --- |
| Contacting us with an inquiry through the Platform or by email | Responding to your inquiries and providing you with support in your use of the Platform; maintaining our customer relations with you | Your name/username, your email address, the subject and content of your inquiry. |
| Usage data and analytics | Adapting the Platform to your preferences; operating and improving the Platform; our business development | Information concerning your device and your use of the Platform, e.g., IP address from which you accessed the Platform, time and date of access, type of device and browser used, language used, links clicked via a mouse or a touch screen, and actions taken while using the Platform, including the prompts you provided to the Platform's agent. |
Please use discretion when deciding what personal information to share with us.
You do not have a legal obligation to provide the above Information; however, if you choose to not share this information with us, we may not be able to provide you with access to the Platform and its features or handle your inquiries.
Methods and Sources for Collecting Your Personal Information
We collect the personal information from several sources:
- Directly from you, when you contact us with inquiries or provide prompts to the Platform's agent.
- Through the device you use to access our Platform.
Sharing Your Personal Information
We will not share your information with third parties, except in the events listed below or when you provide us your explicit and informed consent.
| Scenario | Purposes | Third Parties |
| --- | --- | --- |
| Service providers who assist us with internal operations | Operating the Platform and managing our business | These companies are authorized to use your personal information only as necessary to provide services to us and not for their own promotional purposes |
| If you abused your rights to use the Platform or violated any applicable law | Responding to, handling, and mitigating suspected violations of law | Competent authorities, legal counsels, and advisors |
| If a judicial, governmental, or regulatory authority requires disclosure | Complying with a binding request from a competent authority | Competent authorities |
| If the operation of the Platform is organized within a different framework or entity | Enabling a structural change in our business | Target entity of merger or acquisition, legal counsels, and advisors |
Data Retention and Security
We retain your information for as long as you are an active user, and thereafter as needed for record-keeping matters, but no longer than 5 years.
We will retain your information for as long as you are an active user of the Platform. Thereafter, we will still retain your personal information as necessary to comply with our legal obligations, resolve disputes, establish and defend legal claims and enforce our agreements. The overall retention period will not exceed 5 years.
We implement measures to secure your information.
We implement measures to reduce the risks of damage, loss of information and unauthorized access or use of information. However, these measures do not provide absolute information security. Therefore, although efforts are made to secure your personal information, there is no guarantee that it will be immune from information security risks.
Your Rights
As a user of our Platform, you have the following rights in relation to your personal information:
- Right to review your information. You have the right to review, either by yourself or through an authorized representative or a guardian, any information we have stored about you in our databases.
- Right to request to rectify your information. If, upon reviewing your information, you find your information to be incorrect, incomplete or outdated, you have the right to ask us to rectify your information or delete it. We will inform you within 30 days whether we can comply with your request.
Additional Information for Individuals in the United States
Variantnow, Inc. is providing the following additional information to users residing in the United States, pursuant to applicable state privacy laws in the U.S.
We do not sell your information to any third party, or share it for cross-context behavioral advertising. Furthermore, we do not collect, use or share sensitive information.
We keep the personal information specified below as long as necessary to operate the Platform. Following that period, we shall ensure that the information is not accessed, other than in extraordinary events such as legal disputes.
Categories of Personal Information We Collect
Below are the categories of personal information we have collected and processed over the past 12 months, and the source of that information.
| Category | Details | Sources |
| --- | --- | --- |
| Identifiers | Name, email address, IP address | Directly from you; through your device |
| Other identifying information | Your inquiries, your agent prompts | Directly from you |
| Internet activity information | Your activity on the Platform | Through your device |
Business Purposes for Collection
We collect personal information for the following business purposes:
- Providing services through the Platform.
- Debugging to identify and repair errors that impair existing intended functionality.
- Detecting and preventing security incidents.
- Undertaking activities to verify or maintain the quality or safety of the Platform and to improve, upgrade, or enhance the Platform.
Disclosures to Third Parties
Below are the categories of personal information we shared with third parties over the past 12 months:
- Our service providers — who will use it only as necessary to assist us in the internal operations of our business and the Platform, and not for their own promotional purposes.
- Competent authorities, legal counsels, and advisors — if you abused your rights to use the Platform or violated any applicable law.
- Judicial, governmental, or regulatory authority — if they require us to disclose your information.
- Target entity of a merger or acquisition — if the operation of the Platform or our business is organized within a different framework or entity.
Your Rights (U.S. Residents)
- The Right to Know. You have the right to know whether we are processing your personal information, including the categories collected, sources, purposes, third parties we share with, and specific pieces of information we collected about you.
- The Right to Obtain a Copy. If your data is available in a digital format, you have the right to obtain a copy in a portable and readable format (to the extent technically feasible).
- The Right to Delete. In some cases, state privacy laws provide for the right to request deletion of your personal information.
- The Right to Correct. Once we receive a request and verify your identity, we will examine the veracity of the corrected information and inform you of our decision.
- The Right to Opt-Out. You have the right to opt-out of solely automated processing of your personal information for profiling purposes where that processing produces a legal or similarly significant effect on you.
- The Right to Non-Discrimination. You have the right not to be discriminated against for exercising your rights. We cannot deny you services, charge different prices, or provide different quality of services for exercising your rights.
Filing Requests
Should you wish to exercise your rights under applicable laws, please contact us by email at info@variantnow.com.
To verify your identity, we will ask you to provide additional information through a verification process in which you will be asked to provide us with two items of information known to you and to us.
Note: You may appoint an authorized agent to file requests on your behalf. The authorized agent must present proof that you authorized them to act on your behalf, and we will require verification of your identity.
Our Response to Your Requests
We will respond to your requests within 45 days (or within 90 days where the law permits and we determine it necessary). If we take longer than 45 days, we will inform you of the extension within the initial forty-five-day response period.
We may deny your request in the following cases:
- If we believe in good faith that your request is fraudulent or an abuse of your rights.
- If we conclude that the request is irrelevant based on circumstances.
- If it is contrary to federal or state law.
- Due to a discrepancy in the required documentation.
- If fulfillment of your request is impossible or involves disproportionate effort.
We will provide you with a detailed explanation if we cannot fulfill your request. You may appeal our decision by submitting a written appeal to us at info@variantnow.com.
Variant
Welcome to Variant, a conversion rate optimization platform for e-commerce shops ("Platform"). The Platform was developed and is owned and operated by Variantnow, Inc. ("Company" or "we", "us", "our"). These Terms of Use ("Terms of Use") constitute a binding contract between you – a legal entity (a company, a partnership, or any other legal entity) or an individual (an employee or authorized agent of an entity) (hereinafter the "Customer" or "You") and the Company, and they govern Your use of the Platform.
Please read these Terms of Use carefully before using our Platform. By using our Platform, you indicate that you have read and agree to these Terms of Use, our Data Processing Addendum and our Privacy Policy.
If You are acting on behalf of an organization to acquire a subscription to use our Platform, then You represent and warrant that You are duly authorized to enter into these Terms of Use on behalf of the organization and that You have the proper authority to legally bind the organization, by these Terms of Use.
If you have any questions, comments or concerns regarding these Terms of Use or our Platform, please contact us at info@variantnow.com.
1. Definitions
1.1. "A/B Test(s)" means a process by which the Platform enables the Customer to compare two or more variations of the Customer Shop to evaluate and measure differences in user conversion rates.
1.2. "Authorized Users" means those employees, consultants and other individuals that Customer designates and authorizes to use the Platform on its behalf.
1.3. "Customer Data" means any data derived automatically from the Customer Shop through the Shopify interface or the Customer's API, and any data the Customer manually uploads to the Platform or modifies using the Platform, whether it concerns Individuals or otherwise.
1.4. "Customer Shop" means the online shop Customer owns and operates, through which Customer presents its products to End-Users and allows End-Users to purchase products.
1.5. "End-Users" means the individuals who browse the Customer Shop.
1.6. "Intellectual Property Rights" means any and all rights in, arising out of, or associated with: (i) all patents and utility models and applications therefore, and all reissues, divisions, re-examinations, renewals, extensions, provisional, continuations, and equivalent or similar rights anywhere in the world in inventions and discoveries including without limitation invention disclosures; (ii) all copyrights, copyright registrations and applications therefore, and all other rights corresponding thereto throughout the world, including without limitation "moral" rights; (iii) all industrial designs and any registrations and applications therefore throughout the world; (iv) mask works, mask work registrations and applications therefore, and all other rights corresponding thereto throughout the world; (v) all trade secrets and other rights in know-how and confidential or proprietary information; and (vi) any similar, corresponding, or equivalent rights to any of the foregoing anywhere in the world.
1.7. "Output" means any insights, recommendations, reports, A/B Tests results, or other information provided through the Platform regarding the Customer Shop and End Users' behaviors.
2. Grant of License; Restrictions
2.1. Subject to the terms herein, the Company grants Customer a limited, non-exclusive, worldwide, non-sublicensable, non-transferrable and revocable license, to use the Platform solely for Customer's internal business purposes (the "License"). All rights not specifically granted to Customer herein are exclusively reserved to the Company.
2.2. Customer covenants that Authorized Users will use the Platform only in compliance with all applicable laws and regulations and these Terms of Use. Customer shall be liable to Company for all acts or omissions of Customer's Authorized Users.
2.3. Customer acknowledges that to use the Platform, Customer must provide Company with access to the Customer Shop and Customer Data. Access may be established either through the Shopify interface, via a custom app, collaborator access or through the Customer's private API. The Customer shall be solely responsible for any issues, errors, or loss of data resulting from incorrect API configuration, revoked access, or changes to the Customer Shop's settings.
2.4. When using the Platform, You may not, by Yourself or through others: (i) attempt to reverse engineer, decompile, disassemble, translate or otherwise seek to develop, copy or expose the Platform (including the source code), or any part thereof or assist or allow any third party to do the same; (ii) use, copy, modify, merge, distribute, transfer or sublicense the Platform or any part thereof, except as expressly authorized by us in writing; (iii) represent that You possess any proprietary interest in the Platform or any part thereof, nor delete, deface or otherwise erase any proprietary notice of the Company from the Platform or any part thereof; (iv) directly or indirectly, take any action to contest The Company's Intellectual Property rights or infringe them in any way; (v) develop any derivative services or any other services based upon all or any part of our Platform or any other proprietary or confidential information of The Company; (vi) develop or create, or permit others to develop or create, a product or service similar to or in competition with our Platform, where such competing or similar products or services involve the unauthorized use of our Confidential Information; (vii) attempt to engage in: (a) any form of testing, scanning, scraping, probing, robotic navigating, bulk extracting or hacking of the Platform; (b) breaching the security of the Platform or identifying any security vulnerabilities thereof; (c) interfering with, circumventing, manipulating, impairing or disrupting the operation, or the functionality of the Platform; (d) working around or circumventing any technical limitations in the Platform; or (e) activities which may enable features or functionalities which are otherwise disabled, inaccessible or undocumented in the Platform; (viii) use the Platform in breach of these Terms of Use; or (ix) use the Platform for any activity that constitutes, or encourages conduct that would constitute, a criminal offense, give rise to civil liability or otherwise violate any applicable law or industry standard, including any applicable laws and regulations governing copyrights, computer hacking, privacy and export control.
2.5. Customer acknowledges that we may (but are not obligated to) employ technological measures to detect and prevent fraudulent or abusive use of the Platform. We may suspend or block Your access to the Platform upon written notice, if we, in our sole discretion, suspect that You have abused Your right to use the Platform under these Terms of Use.
3. Implementation of Output; A/B Tests
3.1. The Platform generates automated Output, including recommendations and insights intended to assist You in optimizing the Customer Shop. You may choose to (a) manually review and implement Output in the Customer Shop, or (b) authorize the Platform to automatically implement Output in the Customer Shop. The Platform will not implement any Output without Your active confirmation.
3.2. The Customer acknowledges and agrees that it remains solely responsible for reviewing, approving, and implementing any Output, and for verifying the suitability of the Output to its needs.
3.3. By implementing Output (or authorizing the automated implementation of Output), the Customer acknowledges and agrees that:
3.3.1. It has reviewed the Output and found it to be suitable to its needs. The Company shall have no liability for any loss, damage, or adverse consequence arising from the Customer's reliance on any Output provided by the Platform.
3.3.2. The Company cannot guarantee that implementing any Output will actually result in increased sales, improved operational performance, enhanced End-User engagement, or any other specific outcome.
3.3.3. Output is generated through automated data analysis and predictive modeling, which are inherently subject to limitations and external factors beyond the Company's control that may affect the Platform's ability to generate Output.
3.4. The Customer acknowledges and agrees that all A/B Tests results and related Output generated by the Platform are based on statistical sampling and probabilistic modeling. Such results are inherently subject to variability and uncertainty, and may be influenced by numerous factors, including but not limited to sample size, test duration, timing, traffic composition, user demographics, external market conditions, etc. Accordingly, the Company does not guarantee that A/B Test results will be accurate, complete, representative, or predictive of future performance or user behavior. The Customer shall be solely liable for any decisions, actions, or outcomes arising from Customer's use of, or reliance on, any A/B Test results.
4. Upgrades
The Company may, but is not obligated to, offer upgrades to its Platform, including (without limitation) by adding add-on features and functionalities to it. The Company reserves the right to charge additional fees for such upgrades.
5. Fees
5.1. Use of our Platform is subject to payment of the fees applicable to your chosen subscription plan, as presented on our Shopify application page (the "Fees").
5.2. We reserve the right to change, from time to time and in our sole discretion, the available subscription plans and the fees associated therewith. We will notify you of any such changes in advance. The change will become effective a reasonable time thereafter, and in any case not before the end of the current subscription cycle.
5.3. All Customer's payment obligations are non-cancelable, and all amounts paid in connection with these Terms of Use are non-refundable (except in the case of termination due to Company's material breach of these Terms of Use).
5.4. Failure to settle any overdue fee within twenty-one (21) calendar days of its original due date will constitute a material breach of these Terms of Use and, without limiting any other remedies available to us, we may, at our sole discretion and following written notice to You: (i) suspend Customer's access to the Platform, until payment is made current; or (ii) terminate these Terms of Use. Overdue fees shall bear interest at the rate of seven percent (7%) per annum.
6. Customer Data
6.1. Customer is solely liable for the Customer Data. By using the Platform and providing Customer Data to us, Customer represents and warrants that the Customer Data: (i) only includes true, accurate, and complete details, to its best knowledge; (ii) does not contain any confidential information of third parties; (iii) does not infringe any third-party rights, including (without limitation) Intellectual Property Rights; and (iv) does not include any content that is harmful or that may constitute or give rise to a criminal offense or a civil tort.
6.2. Customer authorizes and instructs Company to process Customer Data to: (i) provide Customer with access to the Platform and its functions; (ii) generate the Output; (iii) provide support to Customer in the operation of the Platform, at Customer's request; and (iv) improve, and enhance the Platform and associated services, and market them or conduct product demonstrations to third parties, at no charge to Customer, provided that such use shall not disclose any Confidential Information of the Customer.
6.3. Customer Data may include personally identifiable information about the Customer, Authorized Users, Customer's End-Users and other third parties ("Personal Data").
6.3.1. Customer is solely responsible for obtaining the consent of End-Users and any other third parties to the processing of their Personal Data by the Company, and for documenting such consent in writing, prior to providing the Customer Data to Company;
6.3.2. The parties warrant and represent to abide by applicable data privacy and data security laws and regulations, in order to allow the Company to lawfully process the Personal Data as set out above – all, in accordance with the provisions set forth in our Data Processing Addendum.
7. Privacy
We respect your privacy. Our Privacy Policy explains how we use your Personal Data when you use the Platform. We encourage you to read it carefully.
8. Intellectual property
8.1. All Intellectual Property Rights in and to the Platform, including Company's databases and the Platform's design, graphics, computer code, algorithms, and "look and feel" (and except for Customer Data and Output), are and shall remain the exclusive property of the Company or its licensors. The Platform is licensed and not sold. The License granted to Customer hereunder does not convey to Customer any interest in or to the Platform, but only a limited right of use, revocable in accordance with the terms and conditions of these Terms of Use.
8.2. Customer owns all Intellectual Property Rights in and to the Customer Data and Output. By using the Platform, Customer grants Company a worldwide, sublicensable license to use the Customer Data and the Output for the purposes described under Section 6.2.
8.3. Unless Customer notifies Company otherwise in writing, Company may identify Customer as a customer of the Company that uses the Platform, including on Company's website and in online or offline marketing materials. Customer hereby grants Company a worldwide, non-exclusive, non-transferable, royalty-free, and free of charge license to use the Customer's name, logo, and website URL, solely for the purpose of identifying Customer as the Company's customer, as described herein.
9. Confidentiality
9.1. "Confidential Information" shall mean any and all information disclosed by one party ("Disclosing Party") to the other ("Receiving Party") regarding past, present, or future marketing and business plans, customer lists, lists of prospective customers, technical, financial or other proprietary or confidential information of the Disclosing Party, formulae, concepts, discoveries, data, designs, ideas, inventions, methods, models, research plans, procedures, designs, formulations, processes, specifications and techniques, prototypes, samples, analyses, computer programs and software, trade secrets, data, methodologies, techniques, non-published patent applications and any other data or information, and improvements and know-how related thereto.
9.2. Each party herein must hold any Confidential Information in confidence using the same degree of care, but at least a reasonable degree of care, that it uses to prevent the unauthorized disclosure of its Confidential Information. Receiving Party may use Confidential Information only for the purpose of performing its obligations under these Terms of Use.
9.3. The obligations set forth in this section shall not apply to information that: (i) is now or subsequently becomes generally available in the public domain through no fault or breach on Receiving Party's part; (ii) Receiving Party can demonstrate in its prior established records to have had rightfully in Receiving Party's possession prior to disclosure of the same by the Disclosing Party; (iii) Receiving Party can demonstrate by written records that it had rightfully obtained the same from a third party who has the right to transfer or disclose it, without default or breach of confidentiality obligations; (iv) Disclosing Party has provided its prior written approval for disclosure; or (v) Receiving Party is required to disclose pursuant to a binding order or request by court or other governmental authority, or a binding provision of applicable law, provided that, to the extent permissible, Receiving Party provide the Disclosing Party notice of the requested disclosure as soon as practicable, to allow the Disclosing Party, if it so chooses, to seek an appropriate protective or preventive order.
10. Term and Termination
10.1. The License granted to Customer hereunder shall be in effect for the duration of Customer's chosen subscription plan, and as long as Customer is subscribed to the Platform (the "Term"). Following the Term, Customer's subscription will be automatically renewed for subsequent Terms under the terms of the chosen subscription plan, unless Customer cancels the subscription prior to its expiration, by providing us with a 30-day written notice (email sufficient). The Company reserves the right to refuse to renew the Customer's subscription following its expiration, at its sole discretion.
10.2. Notwithstanding the foregoing, in the event of a material breach of these Terms of Use by Customer, that has not been cured (to the extent such breach is curable) within 14 days from the receipt of a written notice thereof from the Company, the Company may immediately terminate these Terms of Use and block Customer and its Authorized Users' access to the Platform. The foregoing shall be without prejudice to any other remedy the Company may be entitled to under applicable law or agreement.
10.3. Upon termination or expiration for any reason, the License granted hereunder shall terminate, and Customer shall not be allowed to further use the Platform or any part thereof. The provisions of the Terms of Use that by their nature should survive the expiration or termination of these Terms of Use, shall so survive.
11. Warranties and disclaimers
11.1. THE PLATFORM IS DESIGNED SOLELY TO OFFER GENERAL INFORMATION AND INSIGHTS. IT IS NOT INTENDED TO PROVIDE FINANCIAL, BUSINESS OR OTHER PROFESSIONAL ADVICE, OR SUPPLANT FURTHER RESEARCH BY THE CUSTOMER. FURTHERMORE, THE OUTPUT IS GENERATED USING ARTIFICIAL INTELLIGENCE (AI) TOOLS. THE FIELD OF AI AND MACHINE LEARNING IS CONSTANTLY EVOLVING, CHANGING, AND IMPROVING. ALTHOUGH WE MAKE CONSTANT EFFORTS TO IMPROVE THE QUALITY AND ACCURACY OF THE PLATFORM'S OPERATIONS AND ENDEAVORS TO APPLY CONTINUOUS HUMAN REVIEW AND OVERSIGHT, DUE TO THE NATURE OF SUCH TECHNOLOGY, WE CANNOT GUARANTEE THAT THE OUTPUT WILL ALWAYS BE ACCURATE, COMPLETE, OR CORRECT. CUSTOMER'S RELIANCE UPON THE OUTPUT PROVIDED THROUGH THE PLATFORM IS SOLELY AT CUSTOMER'S OWN RISK. CUSTOMER ASSUMES FULL RESPONSIBILITY FOR ANY DECISIONS OR ACTIONS TAKEN BASED ON CUSTOMER'S USE OF THE PLATFORM.
11.2. THE PLATFORM IS PROVIDED "AS IS". OTHER THAN AS EXPLICITLY PROVIDED HEREIN, TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE COMPANY EXPRESSLY DISCLAIMS ANY AND ALL WARRANTIES, CONDITIONS, REPRESENTATIONS, AND GUARANTEES WITH RESPECT TO THE SERVICES, WHETHER EXPRESS OR IMPLIED, ARISING BY LAW, CUSTOM, TRADE USAGE, PRIOR ORAL OR WRITTEN STATEMENTS, OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, ANY WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT, EXPECTED RESULT, QUALITY, TITLE, PERFORMANCE, SECURITY OR COMPATIBILITY. NO REPRESENTATION OR OTHER AFFIRMATION OF FACT, INCLUDING, WITHOUT LIMITATION, STATEMENTS REGARDING CAPACITY OR SUITABILITY FOR USE OF THE PLATFORM, WHICH IS NOT EXPRESSLY PROVIDED IN THESE TERMS OF USE, SHALL BE DEEMED TO BE A WARRANTY BY THE COMPANY FOR ANY PURPOSE, OR GIVE RISE TO ANY LIABILITY OF THE COMPANY WHATSOEVER.
12. Limitation of liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW AND EXCEPT FOR BREACH OF CONFIDENTIALITY OBLIGATIONS, THE COMPANY AND ITS EMPLOYEES, DIRECTORS, OFFICERS, SHAREHOLDERS, LICENSORS, ADVISORS, AND ANYONE ACTING ON THEIR BEHALF (COLLECTIVELY, OUR "STAFF"), WILL NOT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, STATUTORY OR PUNITIVE DAMAGES, LOSSES (INCLUDING LOSS OF PROFIT AND LOSS OF DATA), COSTS, EXPENSES AND PAYMENTS, EITHER IN TORT (INCLUDING NEGLIGENCE), CONTRACT, OR IN ANY OTHER FORM OR THEORY OF LIABILITY, ARISING FROM, OR IN CONNECTION, WITH THESE TERMS OF USE AND THE PLATFORM, EVEN IF THE COMPANY IS ADVISED OF THE POSSIBILITY OF SUCH DAMAGE, LOSS, COSTS, EXPENSES OR PAYMENTS. WITHOUT DEROGATING FROM THE AFORESAID, IN NO EVENT WILL THE COMPANY'S CUMULATIVE LIABILITY HEREUNDER EXCEED THE AMOUNT PAID OR PAYABLE TO THE COMPANY BY CUSTOMER DURING THE TWELVE MONTHS PRECEDING THE EVENT PURPORTEDLY GIVING RISE TO THE DAMAGE.
13. Indemnity
13.1. Company shall indemnify, defend and hold harmless Customer and its directors, officers, employees and independent contractors ("Customer Indemnified Parties") from and against any and all costs, liabilities, losses and expenses, incurred by a Customer Indemnified Party, including, but not limited to, reasonable attorneys' fees, resulting from any claim, suit or action brought by a third party against a Customer Indemnified Party alleging that the Platform infringes or misappropriates any currently existing Intellectual Property Rights. This indemnity obligation shall not apply to: (i) Customer or its Authorized Users' negligence, abuse or misuse of the Platform; (ii) Customer or its Authorized Users' use of the Platform other than as specified in these Terms of Use; (iii) any alterations, modifications or adaptations of the Platform performed by anyone other than the Company; (iv) any unauthorized combination or interfacing of the Platform with other hardware or software; or (v) causes beyond the reasonable control of Company.
13.2. Customer shall indemnify, defend and hold harmless Company, and its directors, officers, employees and independent contractors (the "Company Indemnified Parties") from and against any and all costs, liabilities, losses and expenses, incurred by a Company Indemnified Party, including, but not limited to, reasonable attorneys' fees, resulting from any claim, suit or action brought by a third party against a Company Indemnified Party relating to: (i) Customer's breach of its obligations under these Terms of Use; (ii) infringement or misappropriation of any Intellectual Property Rights by Customer and its Authorized Users in connection with their use of the Platform; and (iii) Customer's breach of any applicable laws and regulations in connection with Customer and its Authorized Users' use of the Platform hereunder.
14. Governing Law and Jurisdiction
14.1. These Terms shall be governed by the laws of the State of Delaware, without reference to its conflict of laws rules. Any and all disputes, claims or controversies between Company and Customer regarding these Terms of Use or the use of the Platform, which are not amicably resolved, shall be settled through binding arbitration (rather than in court) by telephone, online or based solely upon written submissions without in-person appearance, administered by the American Arbitration Association (AAA), under its Commercial Arbitration Rules (which are available at www.adr.org). The substantive laws of arbitration shall be the laws of the State of Delaware.
14.2. Judgment on the award rendered by the arbitrator(s) may be entered in any court having jurisdiction thereof. The Federal Arbitration Act and Federal Arbitration Law apply to these Terms of Use. Payment of filing, administration and arbitrator fees will be governed by the AAA's Commercial Arbitration Rules. These fees will be shared equally, unless the arbitrator: (i) determines that the claims are frivolous, in which case the claimant shall bear all such fees arising from the frivolous claim; or (ii) determines that the fees should be allocated differently.
14.3. The parties hereby acknowledge, agree and covenant that any disputes shall only be adjudicated in arbitration on an individual basis, and not in class, collective, consolidated or representative proceedings. Notwithstanding the foregoing, a party may assert an impleader claim against the other party pursuant to the indemnity clause, in any court adjudicating a third-party claim against the other party.
15. Miscellaneous
15.1. Non-affiliation with Shopify. The Company is not affiliated in any way with Shopify Inc. ("Shopify"), and these Terms of Use do not govern Your relationship with Shopify. Shopify is not liable for: (i) operating and providing the Platform or any services associated therewith; (ii) any fault in the Platform or any harm resulting from its installation or use, or from the access, use, distribution or storage of Customer Data; and (iii) providing support for installation or use of the Platform.
15.2. Electronic notices. If you are an individual residing in the United States, by agreeing to these Terms you also agree to the use of email ("Electronic Record") to send you legally required notices. You may withdraw your consent to use an Electronic Record by notifying us at info@variantnow.com and indicating your withdrawal of consent, your full name and postal address. To access and retain a copy of this disclosure or the Electronic Record in which we send you any legally required notices, you will need (i) a computer with a web browser and Internet access and (ii) either a printer or storage space on such device. To request a paper copy of this disclosure or the Electronic Record in which we send you any legally required notices, contact us at info@variantnow.com and indicate your request, your full name and postal address. We will charge you the cost of first-class mail-international, for each paper copy you request. To update the contact details we use to contact you electronically, contact us at info@variantnow.com and indicate your full name, your old email address and new email address.
15.3. Assignment. Neither party may assign or delegate any of its rights or obligations under these Terms of Use without the prior written consent of the other party, provided that Company may assign its rights and obligations under these Terms of Use to a purchaser of all or substantially all of its assets or share capital relating to these Terms of Use.
15.4. Independent Contractors. The parties are independent contractors. Neither party shall be deemed to be an employee, agent, partner or legal representative of the other for any purpose and neither shall have any right, power or authority to create any obligation or responsibility on behalf of the other.
15.5. Force Majeure. Except for Customer's obligation to make payment of any Fees due and owing hereunder, neither party shall be liable for any failure or delay in the performance of its obligations hereunder on account of strikes, shortages, riots, insurrection, fires, flood, storm, explosions, earthquakes, telecommunications outages, acts of God, war or military operation, terrorism, governmental action, or any other cause which is beyond the reasonable control of such party (each, a "Force Majeure Event"). If a Force Majeure Event persists for more than sixty (60) consecutive days, either party may terminate these Terms of Use with immediate effect upon written notice to the other party.
15.6. Waiver. The failure of either party to require performance by the other party of any provision shall not affect the full right to require such performance at any time thereafter; nor shall the waiver by either party of a breach of any provision hereof be taken or held to be a waiver of the provision itself.
15.7. Severability. If any provision of these Terms of Use is held by a court of competent jurisdiction to be contrary to law, such provision shall be changed and interpreted to best accomplish the objectives of the original provision, to the fullest extent allowed by law. The remaining provisions of these Terms of Use shall remain in full force and effect.
15.8. Entire Agreement. These Terms of Use and all Addendums hereto constitute the entire and exclusive statement of the understanding between the parties with respect to the subject matter hereof. These Terms of Use supersede and govern any other prior or collateral agreements with respect to the subject matter hereof. Any amendments to these Terms of Use must be in writing and executed by both parties.
Overview
This Data Processing Addendum ("Addendum") supplements and is incorporated by reference into the Terms of Use (the "Terms"). This Addendum is entered into by and between you – the entity or individual using the Platform ("Customer") and Variantnow, Inc. ("Company") and sets forth the parties' respective obligations regarding the processing of personal data in connection with the Customer's use of the Platform. In the event of any conflict between the Terms and this Addendum, the provisions of this Addendum shall prevail with respect to the processing of personal data.
Capitalized terms used but not defined in this DPA shall have the meanings given to them in the Terms.
This Addendum applies as follows:
| Part | Is applicable and in force? |
| --- | --- |
| Part One – General provisions | Always applies and in force |
| Part Two – U.S. Privacy State Laws | Only if the Customer is an entity covered by a US state privacy law, then Part Two applies and is in force. |
| Part Three – EU/EEA or UK GDPR | Only if the Customer is a Controller under EU GDPR or UK GDPR, then Part Three applies and is in force. |
| Part Four – Israeli Privacy Protection Regulations (Information Security) | Only if the Customer is subject to Israeli law regarding the personal data that Company processes on its behalf, then Part Four applies and is in force. |
Part 1 — General Provisions
1. Scope. This Addendum and any of its Parts apply where Company processes any Customer Data that is or may be personally identifiable to Customer personnel, End-Users or any other individual, whether pseudonymized or directly identifying ("Customer Personal Data"), on behalf of Customer and under Customer's instructions.
2. Order of Precedence. In the event of any conflicting provisions between this Addendum and the Terms or any other agreement in place between the parties, the provisions of this Addendum prevail. In the event of any conflicting provisions between this Part 1 and Part 2, Part 3 or Part 4, the provisions of Part 2, Part 3 or Part 4 (accordingly) prevail.
3. Data security. Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of Company's processing of Customer Personal Data, Company will implement and maintain reasonable security procedures and practices appropriate to the nature of the Customer Personal Data, in order to protect the Customer Personal Data from unauthorized access, destruction, use, modification, or disclosure (including data breaches).
Customer agrees that, without limitation of Company's obligations set out herein, Customer is responsible for its use of the Platform, including making appropriate use of the Platform to ensure a level of security appropriate to the risk in respect of the Customer Personal Data.
4. Sub-processors. Customer authorizes Company to use third party sub-processors and service providers for processing Customer Personal Data within the scope of the Terms and this Addendum. Company will bind sub-processors to a written agreement that requires the sub-processors to process the Customer Personal Data in a manner consistent with Company's obligations under this Addendum and any applicable laws. Company shall be liable to Customer for the sub-processors' compliance with their obligations.
5. Data subject requests. Company shall, without undue delay, pass on to Customer requests that it receives (if any) from data subjects regarding their personal information.
6. Return or deletion of information. Upon expiration or termination of the Terms, or earlier at Customer's written request, Company shall, within thirty (30) days, delete or destroy some or all of the Customer Personal Data in its possession (at Customer's choice), and shall instruct its third-party suppliers to do the same with respect to the Customer Personal Data in their possession (if any). Upon Customer's request, Company will furnish written confirmation that the Customer Personal Data has been deleted pursuant to this section. Notwithstanding the foregoing, Company may retain a copy of Customer Personal Data to the extent required by applicable law, or for the establishment, exercise, or defense of legal claims, provided that any obligations applicable to Company under this Addendum shall remain in full force and effect for as long as the Company continues to possess Customer Personal Data.
7. Disclosure. Unless legally prohibited, Company will provide Customer prompt notice of any request it receives from authorities to produce or disclose Customer Personal Data it has processed on Customer's behalf, so that Customer may contest or attempt to limit the scope of production or disclosure request.
8. Data Breaches. Company shall without undue delay notify Customer of any actual or reasonably suspected accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data, that it becomes aware of (a "Security Incident"). Company will investigate the Security Incident, and take all reasonable measures to mitigate the Security Incident and prevent its reoccurrence. Company will cooperate in good faith with Customer on issuing any statements or notices regarding such Security Incident, to authorities and data subjects.
9. Limitation of Liability. The parties' liability shall be as set out in the Terms. Notwithstanding the foregoing, Company's aggregate liability arising from a Security Incident involving Customer Personal Data that results from (a) Company's breach of this Addendum, or (b) Company's gross negligence or willful misconduct, shall not exceed two (2) times the fees paid or payable by Customer to Company under the Terms during the twelve (12) months preceding the event giving rise to the claim.
10. Indemnity.
10.1. Company shall defend, indemnify, and hold harmless Customer from and against any third-party claims, damages, fines, penalties, costs, and expenses, including reasonable attorneys' fees, to the extent arising from: (i) Company's material breach of this Addendum; or (ii) Company's gross negligence or willful misconduct, in each case resulting in a Security Incident involving Customer Personal Data. Customer shall promptly notify Company of any such claim, give Company sole control of the defense and settlement of the claim, and provide reasonable cooperation at Company's expense.
10.2. Customer Indemnity. Customer shall defend, indemnify, and hold harmless Company from and against any third-party claims, damages, fines, penalties, costs, and expenses, including reasonable attorneys' fees, to the extent arising from Customer's failure to obtain all required rights, consents, or provide required notices for the Company to lawfully process Customer Personal Data as contemplated under the Terms and this Addendum.
Part 2 — U.S. State Privacy Laws
1. Definitions. In this Part, the following terms shall be interpreted as follows:
1.1 "Applicable Data Protection Laws" means, as applicable to the relevant Personal Data and its Processing thereof under the Terms, any United States State privacy laws, including the CPRA and other laws in the United States, such as (but not limited to): Virginia Consumer Data Protection Act, Connecticut Act Concerning Personal Data Privacy and Online Monitoring, Utah Consumer Privacy Act, and the Colorado Privacy Act.
1.2 "CPRA" means the California Privacy Rights Act (Cal. Civ. Code §1798.100 et seq., Cal. Civ. Code §1798.140 or the regulations at 11 C.C.R. §7000 et seq.).
1.3 "Collect" (and its cognate terms) means buying, renting, gathering, obtaining, receiving, or accessing any Personal Information pertaining to a Consumer by any means. This includes obtaining information from the Consumer, either actively or passively, or by observing the Consumer's behavior or interaction.
1.4 "Consumer" means a natural person, including in their professional or work capacity.
1.5 "Personal Data" or "Personal Information" means 'personal data' or 'personal information' (as these terms are defined in Applicable Data Protection Laws) that Company Processes on behalf of the Customer within the scope of the performance of the Terms.
1.6 "Process" (and its cognate terms) means any operation or set of operations that are performed on Personal Information or on sets of Personal Information, whether by automated means or otherwise.
1.7 "Sell" (and its cognate terms) means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer's Personal Information for monetary or other valuable consideration.
1.8 "Share" (and its cognate terms) means sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a Consumer's Personal Information for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions for cross-context behavioral advertising in which no money is exchanged.
1.9 "Subprocessors" means third parties authorized under this Addendum to Process Personal Data as part of the provision of services through the Platform.
2. Subprocessors. Before Company engages any new Subprocessor, Company will notify Customer of the engagement. If Customer objects to such engagement in a written notice to Company within fifteen (15) days of being informed thereof, on reasonable grounds relating to the protection of Personal Data, Customer and Company will cooperate in good faith to find a mutually acceptable resolution to address such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe using reasonable and good faith efforts, Customer may, as its sole and exclusive remedy, terminate the Terms by providing written notice to Company.
3. Data Subject Rights. If Company receives any requests from data subjects in relation to that data subject's Personal Data, Company will pass on such request to Customer and Customer will be responsible for responding to any such request. Taking into account the nature of Company's Processing of Personal Data, Company will provide Customer with reasonable assistance as necessary for Customer to perform its obligations under Applicable Data Protection Laws to fulfill requests filed by data subjects.
4. Proof of Compliance.
4.1 Upon reasonable request by Customer, Company shall make available to Customer all information in its possession necessary to demonstrate Company's compliance with its obligations under Applicable Data Protection Laws.
4.2 Company shall allow, and cooperate with, reasonable assessments by Customer or Customer's designated assessor, of Company's policies and technical and organizational measures in support of the obligations under Applicable Data Protection Laws, using an appropriate and accepted control standard or framework and assessment procedure for such assessments.
4.3 Company must promptly notify Customer if it determines that it can no longer meet its obligations under this Addendum or Applicable Data Protection Laws.
5. Customer Responsibilities. Customer represents and warrants to Company that (a) Customer has established or ensured that another party has established a legal basis for Company's Processing of Personal Data contemplated by this Addendum; (b) all notices have been given to, and consents and rights have been obtained from, the relevant data subjects and any other party as may be required by Applicable Data Protection Laws and any other laws for such Processing; and (c) Personal Data does not and will not contain any protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA), or any biometric information.
6. CPRA Obligations.
6.1 Company must not Sell or Share any Personal Information it Processes.
6.2 Company is prohibited from retaining, using, or disclosing the Personal Information that it Processes for any commercial purpose other than Company's Business Purposes permissible under the CPRA, unless Company is otherwise required under applicable law. Additionally, Company is prohibited from retaining, using, or disclosing the Personal Information that it Collects pursuant to the Terms outside the direct business relationship between Company and Customer and Company's Business Purposes permissible under the CPRA, unless Company is otherwise required under applicable law.
Part 3 — EU/EEA & UK GDPR
1. Capitalized terms used in this Part 3 but not defined herein or in the Terms shall have the meaning ascribed to them in the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) applicable as of 25 May 2018 and any national law supplementing the GDPR, and the UK Data Protection Act 2018 under the European Union (Withdrawal) Act 2018 as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419); these shall collectively be referred to in this Part 3 as "Data Protection Law".
2. Customer commissions, authorizes and requests that Company Process the Customer Personal Data under the instructions of Customer as the data Controller. Company will Process the Personal Data as a Data Processor, only on Customer's behalf. Company and Customer are each responsible for complying with the Data Protection Law as applicable to their roles.
3. Company will Process the Personal Data only on instructions from Customer documented in this Addendum or otherwise provided in writing, which instructions must be consistent with the nature and characteristics of the Platform. The foregoing applies unless Company is otherwise required by law to which it is subject (and in such a case, Company shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). Company shall immediately inform Customer if, in Company's opinion, an instruction is in violation of Data Protection Law.
4. The nature and purposes of the Processing activities are the provision of services through the Platform to the Customer. The Data Subjects will be determined by the Customer.
5. Company will make available to Customer all information at its disposal necessary to demonstrate compliance with the obligations under Data Protection Law, shall maintain all records required by Article 30(2) of the GDPR, and shall make them available to the Customer upon request.
6. Where applicable considering the nature of the Personal Data Processed by Company, Company will follow Customer's instructions to accommodate Data Subjects' requests to exercise their rights in relation to their Personal Data, including accessing their data, correcting it, restricting its processing or deleting it, within the boundaries of the Platform's capabilities and features. If such instructions entail costs or expenses to Company, the parties shall first come to an agreement regarding Customer's reimbursement of Company for such costs and expenses. Company will pass on to Customer requests that it receives from Data Subjects regarding their Personal Data Processed by Company. Any request from Data Subjects arising out of the processing of Personal Data by Company, including but not limited to rectification, erasure, and blocking of Personal Data, portability requests and objection, has to be asserted to Customer. Customer is solely liable for responding to Data Subjects on such requests.
7. Customer authorizes Company to engage another sub-processor for carrying out specific processing activities, provided that Company informs Customer at least 10 business days in advance of any new or substitute sub-processor, in which case Customer shall have the right to object, on reasoned grounds, to that new or replaced sub-processor. If Customer so objects, Company may not engage that new or substitute sub-processor for the purpose of Processing Personal Data, and Company may either select another sub-processor in which case the above procedure shall repeat, or if it so chooses, terminate the Terms with no liability to Customer for such premature termination. At the outset, Customer authorizes Company to engage with the sub-processors listed in Schedule I below.
8. Without limiting the foregoing, in any event where Company engages another sub-processor, Company will ensure that the same data protection obligations as set out in this Addendum are likewise imposed on that other sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of applicable Data Protection Law. Where the other sub-processor fails to fulfil its data protection obligations, Company shall remain fully liable to Customer for the performance of that other sub-processor's obligations.
9. Company and its other sub-processors will only Process the Personal Data in member states of the European Economic Area, in territories or territorial sectors recognized by an adequacy decision of the European Commission (or the UK ICO) as providing an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR, or using adequate safeguards as required under Data Protection Law governing cross-border data transfers (e.g., Model Clauses).
10. Company is situated in a territory not recognized by an adequacy decision of the European Commission or the UK's Information Commissioner's Office (ICO) as providing an adequate level of protection for Personal Data pursuant to Article 45 of the GDPR. Therefore, the parties hereby enter into (i) in relation to Personal Data originating from the EU, MODULE TWO of the Standard Contractual Clauses ("SCCs"), and (ii) in relation to Personal Data originating from the UK, the "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 ("UK Addendum"); all, as specified in Schedule I of this Part 3.
11. Company will ensure that its staff authorized to Process the Personal Data are contractually bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
12. Within 21 days of Customer's written request, Company shall allow for and contribute to audits, including carrying out inspections conducted by Customer or another auditor mandated by Customer in order to establish Company's compliance with this Addendum and the provisions of the applicable Data Protection Law as regards the Personal Data that Company processes on behalf of Customer. Such audits or inspections shall be carried out during Company's ordinary business hours, not more than one business day per year (unless Data Protection Law or a supervisory authority mandates more frequent audits or inspections), shall be conducted with minimal disruption to Company's business activities, and be subject to confidentiality undertakings satisfactory to Company.
13. Company will assist Customer with the preparation of data privacy impact assessments and prior consultation as appropriate (if needed).
Schedule I — Standard Contractual Clauses and UK Addendum
1. SCCs
1.1. In Section II (Obligations of the Parties), Clause 9(a) for MODULE TWO: GENERAL WRITTEN AUTHORISATION. The data importer has the data exporter's general authorisation for the engagement of sub-processor(s) from an agreed list.
1.2. In Section IV (Final Provisions), Clause 17 for MODULE TWO: Transfer controller to processor: The parties agree that this shall be the law of Ireland.
1.3. In Section IV (Final Provisions), Clause 18(b) for MODULE TWO: Transfer controller to processor: The parties agree that those shall be the courts of Ireland.
1.4. In Annex I, for MODULE TWO: Transfer controller to processor:
1.4.1. Data Exporter: Customer. Activities relevant to the data transferred under these Clauses: an organization using the Platform. Role: controller.
1.4.2. Data Importer: Company. Activities relevant to the data transferred under these Clauses: provider and operator of the Platform. Role: processor.
1.4.3. Description of Transfer: personal data transferred in the course of and for the purpose of providing services through the Platform.
1.4.4. Categories of personal data transferred: online identifiers (such as cookie and visitor identifiers, and device identifiers); device and browser data (such as user agent and operating system; excluding IP address); and behavioral and usage data (such as page views, clicks, conversions, and experiment assignments).
1.4.5. Categories of data subjects whose personal data is transferred: end-users and visitors of the Customer Shop.
1.4.6. Sensitive data transferred: none.
1.4.7. The frequency of the transfer: ongoing.
1.4.8. Nature of the processing: collecting and recording the data, hosting the data, organizing the data, adapting or altering the data, consulting or retrieving the data, disclosing and transferring the data – all, as required to fulfill the purposes of processing herein.
1.4.9. Purpose(s) of the data transfer and further processing: provision of the Platform's functionalities.
1.4.10. The period for which the personal data will be retained: personal data will be retained for the duration of the Term of the Terms of Use (or earlier, if Customer requests to delete the data).
1.4.11. Transfers to (sub-) processors:
| Name | Subject matter and nature of Processing Activities | Duration of transfer |
| --- | --- | --- |
| Google Cloud | Infrastructure hosting, data storage, backup and disaster recovery | Throughout the term of the agreement |
| Vercel | Application hosting and content delivery | Throughout the term of the agreement |
| Neon | Managed database services (PostgreSQL) | Throughout the term of the agreement |
1.5. Competent Supervisory Authority: the supervisory authority in the EU member state where the data exporter's EU representative under Article 27 of the GDPR is located.
1.6. In Annex II, for MODULE TWO: Transfer controller to processor: the data importer implements the following technical and organisational measures:
- Personal data is minimized and processed only as necessary for the provision of the Services
- Sensitive data (e.g., passwords) is hashed using industry-standard algorithms (e.g., bcrypt) and never stored in plaintext
- Personal data is encrypted in transit using TLS 1.2+ and at rest using industry-standard encryption
- Access to personal data is restricted to authorized personnel on a need-to-know basis
- Role-based access control (RBAC) is enforced across systems
- Multi-factor authentication (MFA) is required for all production systems
- Systems are hosted in secure cloud environments with network-level protections (firewalls, VPC isolation)
- Regular security patching and updates are applied
- Access and system activity are logged and monitored for unauthorized access or anomalies
- Logs are retained in accordance with internal security policies
- Regular vulnerability assessments and security reviews are conducted
- Incident response procedures are in place to detect, respond to, and remediate security incidents
- All data transmitted between systems is encrypted using HTTPS (TLS), with HTTP access disabled
2. UK Addendum
2.1. Company and Customer hereby assent to the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0, in force 21 March 2022, including their "part 2: mandatory clauses"), issued by the Commissioner under S119A(1) of the UK Data Protection Act 2018 (https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf), as follows:
2.1.1. In Table 1: Parties – The Start date shall be the date that the Parties entered into the Terms and this Addendum. The Parties' details and Key Contact shall be as identified in the preamble to this Addendum.
2.1.2. In Table 2: Selected SCCs, Modules and Selected Clauses – the version of the Approved EU SCCs which the International Data Transfer Addendum is appended to, is the Standard Contractual Clauses as specified in Section 1 above.
2.1.3. In Table 3: Appendix Information – See Sections 1.4 and 1.6 above.
2.1.4. In Table 4: Ending this Addendum when the Approved Addendum changes: Importer.
Part 4 — Israeli Law
1. Definitions. In this Part, the following terms shall be interpreted as follows:
1.1 "Applicable Law" means the Israeli Protection of Privacy Law, 5741-1981 (hereinafter – the "Privacy Law") and the regulations promulgated thereunder (and in particular the Protection of Privacy Regulations (Information Security), 5777-2017), the guidelines of the Registrar of Databases, and in particular Guidelines No. 2/2011 regarding the use of outsourcing for processing of personal data, as well as any legislative or administrative provision or directive that will apply to Company in connection with Processing Personal Data.
1.2 "Database" means a collection of Personal Data held by physical, digital, magnetic or optical means.
1.3 "Personal Data" means information, data and data sets that relate to an individual, which information is Processed by Company on behalf of the Customer.
1.4 "Processing" (and its derivatives) means the collection, access, retention, modification, use, disclosure and transfer of Personal Data.
2. General Provisions
2.1 Company shall grant its employees access to the Database, subject to conducting training activities regarding privacy protection and information security obligations under Applicable Law and this Addendum.
2.2 Company shall not grant access to the Personal Data to its employees, before reviewing and confirming, within the boundaries of Applicable Law, that their background, integrity, and reliability are suitable for a position granting them access to Personal Data.
2.3 Company undertakes to manage access rights to Personal Data, including by way of providing its employees with 'Least Privileges' based on their 'Need to Know', for the purpose of carrying out their tasks, and shall take measures in order to prevent access by unauthorized individuals to Personal Data. In addition, Company will maintain an up-to-date listing of all individuals authorized to access or use the Database and will prevent access to any individual who does not have a need to be exposed to the Personal Data.
2.4 Company shall develop, implement, and enforce an information security policy that covers at least the following topics ("Information Security Policy"):
2.4.1 Guidelines regarding the physical protection of the Database systems and the sites in which they are located;
2.4.2 Guidelines regarding the management and monitoring of access authorizations and actions taken in the Database;
2.4.3 Mapping of all of the security measures taken by Company regarding the Database;
2.4.4 Guidelines for individuals authorized to access Personal Data and Database;
2.4.5 A review of the risks to which the Personal Data is exposed to as part of Company's ongoing activities including instructions regarding the means of recording, monitoring, and identifying threats to which the Database systems are exposed;
2.4.6 Instructions and procedures regarding the mitigation and management of a Personal Data breach;
2.4.7 Instructions and procedures regarding the use of removable devices.
2.5 Company shall map the operational environment of the Database. In this regard, Company shall prepare an inventory list that includes all the systems, Platform, interfaces, infrastructures of hardware components and communications components that Company operates in the Database environment for the ongoing operation of the Database (the "Database Systems"). Company shall update the list of inventories specified in this section from time to time and shall only disclose the document to those individuals who require access to it for the performance of their job functions. However, Company shall update the foregoing list in any case in which substantial changes to the operating environment are implemented in the Database or in the manner in which Personal Data is Processed.
2.6 In the event of a Personal Data breach, Company will provide a notification to Customer within a reasonable time after becoming aware of any Personal Data breach.
2.7 If required by Applicable Law, Company shall provide Customer, at least every 12 months or upon Customer's request, a written approval according to which it performs and fulfills its obligations pursuant to this Addendum and the provisions of Applicable Law. Company shall fully cooperate with Customer in providing all information and assistance reasonably requested by Customer in connection with data security issues and practices and supplementary documents, so as to allow Customer to properly address information security, privacy and regulatory matters relating to the Database.