Rocola

Privacy Policy

This privacy policy (the “Privacy Policy”) describes how Rocola (“we”, “us” or “our”) processes your personal data as a data controller:
- when you visit and use our website,
- when you are using our products (“Products”) and service (“Service”), or
- when you otherwise interact or come into contact with us – usually because you represent a corporate customer, supplier or a partner of ours.

Rocola is the data controller of personal data that we collect and process in accordance with this Privacy Policy. We collect, process and use your personal data in compliance with applicable data protection law. This means inter alia that we need to have a legal basis for the purposes of our processing of your personal data, which in our context generally means one of the following legal bases: Performance of a contract, Performance of legal obligations, Legitimate interests, and Consent.

Effective as of 22 February 2023

1. How we collect your personal data

The personal data we process relating to you is mainly collected from you when you visit and use our website and Service or when we come into contact with you – e.g. via email, telephone or personal meetings, conferences, conventions or similar occasions. We may also collect your personal data from a third party, usually from the company you represent.

2. The personal data we process

Below, we explain more about the categories of personal data we process, for what purposes we process them and what legal bases we rely on when processing your personal data, including for how long we store your personal data.

2.1 To administer user accounts

Purposes of the processing
Collect and store certain data in order to create and administrate user accounts and enable the provision of the Service.
Categories of personal data
The personal data we process consist of:
- First and last name
- Professional title
- Email address
- Business address
- Account details
Legal basis: The processing is necessary to conclude and perform a contract with you or the company that you represent. In relation to the streamlining of the signup process to the Service, the processing is carried out based on our legitimate interests, where our legitimate interest is to provide access to our Service as efficiently as possible.
Storage period: We process and store your personal data for as long as we have a business relationship with you or the company you represent, but no longer than two (2) years after your termination of the user account. We may however need to store your personal data for a longer time for other purposes, e.g. if we need to take measures in order to establish, exercise or defend legal claims. We may also need to store your personal data for a longer time in order to fulfil our legal obligations.
Sharing of personal data: We may share your personal data with our suppliers and group companies.

2.2 To create, maintain and develop potential business relationships

Purposes of the processing
Contact and communication with you for the purposes of creating, maintaining and developing our business relationship with you or the company you represent. This includes, among other things, communication via email regarding our business, services and current activities (see Section 2.6 below).
Categories of personal data
The personal data we process consist of:
- First and last name
- Contact details such as email address, telephone number, location and business address
- Professional title and information regarding the company you represent
- Information that you otherwise provide us in our communications with you.
Legal basis: Legitimate interests, where our legitimate interest is to create and thereafter maintain and develop a business relationship with you or the company you represent.
Storage period: We store your personal data for a period of twelve (12) months after the data was collected. If a business relationship is established between us and you or the company you represent during this time, we will however continue to process your personal data in accordance with Section 2.6-2.9 below.
Sharing of personal data: We may share your personal data with our suppliers and group companies.

2.3 To maintain and improve our website and Service

Purposes of the processing
Collect statistical data and analyse the web traffic on our website including other technical information generated when visiting our website and using our Service, in order to develop new products and services, maintain and improve its functionality, and the user experience, to enable features and content of the Service and Products, and in order to discover and handle errors, breaches and incidents. We may also obtain information from our email newsletters, to learn whether you opened or forwarded the newsletter or clicked on any of the content, in order to assess our newsletters’ effectiveness and the content of the newsletters. To do this we use third party analytics services, such as cookies. The statistics we produce and the analysis we carry out by using these services are based on aggregated data and other de-identified or anonymized data. We may also ask that you voluntarily provide feedback and information for our development and improvement of our Service, such as through questionnaires or interviews with you.
Categories of personal data
The personal data we process consist of:
- IP address
- Other user information generated through using our Service, such as the type of Product you use including your user account credentials and your interactions with the Service, the queries you make in the Service, any user content you post, upload and/or contribute to the Service
- Other technical information generated through visits on our website and Service, such as the type of unique device ID, network and computer performance, browser type, language and identifying information, transactional information enabling digital rights management, operating system, Rocola application version, the URL you are coming from, as well as the time of the visits (browser information, time zone at the place from which you visited our website, other web traffic information)
- Other information that you may voluntarily provide to us for our development and improvement of our service, which may include questionnaire answers and/or recordings of our interview with you.
Legal basis: Legitimate interest, where our legitimate interest is to collect information to maintain and improve the functionality, content, and security of our Service and website. Collection of information by use of cookies and similar technologies is carried out based on your consent, unless they are strictly necessary in order for you to be able to use our website in an appropriate manner.
Storage period: We collect and store information on how visitors interact with our website for no longer than six (6) months and voluntarily provided feedback and information for up to three (3) years from the time it was collected. In most cases, the collected personal data is however converted to aggregated data (anonymized data) before the said time period, in connection with us producing statistical or de-identified data.
Sharing of personal data: We may share your personal data with our suppliers and group companies and to inform business partners about use of the Service and Products made available through the Service, in the form of aggregated statistics or otherwise in a format which does not reveal your identity.

2.4 Payment data

Purposes of the processing
To collect and store data for billing and administrative purposes in order to process your orders and purchases, to enable credit checks, send you invoices, and in order to be able to handle complaints, claims and warranty matters regarding orders/purchases. To do this we use third party payment processors.
Categories of personal data
The personal data we process consist of:
- Credit card information (type of card, expiry date and last four digits)
- Other financial data
- Postal code
- Details of your transaction history
- Company name
- Registration number
- Phone number
Legal basis: The processing is necessary to conclude and perform a contract with you or the company that you represent.
Storage period: We process and store your personal data for as long as we have a business relationship with you or the company you represent, but no longer than two (2) years from your last purchase. We may however need to store your personal data for a longer time for other purposes, e.g. if we need to take measures in order to establish, exercise or defend legal claims. We may also need to store your personal data for a longer time in order to fulfil our legal obligations.
Sharing of personal data: We may share your personal data with our third-party payment processors to process your payment and to our invoicing service provider to enable credit checks and send you invoices.

2.5 Customer service matters

Purposes of the processing
To collect and store data in order to communicate with you for customer service-related purposes including to perform customer satisfaction surveys, and in order to be able to handle complaints, claims and warranty matters regarding orders/purchases.
Categories of personal data
The personal data we process consist of:
- First and last name
- User account credentials
- Contact details such as email address, telephone number, location and business address
- Professional title and information regarding the company you represent
- Information that you otherwise provide us in our communications with you.
Legal basis: Legitimate interests, where our legitimate interest is to be able to communicate with you for customer service-related purposes in order to provide the Service in an adequate manner.
Storage period: We process and store your personal data as long as necessary in order to handle your customer service-related matter, but no longer than one (1) year after the end of the matter.
Sharing of personal data: We may share your personal data with our suppliers and group companies.

2.6 Marketing and other promotion activities

Purposes of the processing
To collect and store data in order to offer to participate in sweepstakes and contests, send promotional emails or other direct marketing messages, provide information about our business, services, sales opportunities and current activities, to perform customer satisfaction surveys including consequent promotional emails or other direct marketing messages based on such surveys. Rocola may also from time to time collect personal data from third parties and use such personal data for promotional emails or other direct marketing messages to promote the Service.
Categories of personal data
The personal data we process consist of:
- Email address
- First and last name
Legal basis: We only send marketing messages via email to you if the content is relevant in relation to you and the company you represent. Our marketing is then based on our legitimate interests, where our legitimate interest is to be able to market ourselves and our services.
Storage period: We process and store your personal data to send marketing messages via email to you as long as you have not opted out from receiving further messages. Such opt-out can be done at any time by using the link for opt-out provided in our messages.
Sharing of personal data: We may share your personal data with our suppliers of marketing services and group companies.

2.7 To administer the conclusion and performance of contracts

Purposes of the processing
Administration and communication in order to conclude or perform a contract between us and you or the company you represent. This includes, among other things, invoicing and regular handling, following up and documentation of contract related matters.
Categories of personal data
The personal data we process consist of:
- First and last name
- Contact details such as email address, telephone number, location and business address
- Professional title and information regarding the company you represent
- Information that you provide to us in contract related matters with you or the company you represent, e.g. questions and feedback on contracted services.
Legal basis: The processing is necessary to conclude and perform a contract with you or the company that you represent. If you are acting on behalf of someone else e.g. in the capacity of representative of a customer, partner or supplier to us, our processing is carried out based on our legitimate interests, where our legitimate interest is to conclude as well as perform the agreement with the company you represent.
Storage period: We process and store your personal data for as long as we have a business relationship with you or the company you represent, but no longer than two (2) years after the last time we were in contact in our business relationship. We may however need to store your personal data for a longer time for other purposes, e.g. if we need to take measures in order to establish, exercise or defend legal claims. We may also need to store your personal data for a longer time in order to fulfil our legal obligations.
Sharing of personal data: We may share your personal data with our suppliers, group companies, and advisors.

2.8 To maintain and develop existing business relationships

Purposes of the processing
Contact and communicate with you in your capacity as a representative of one of our existing customers, partners, suppliers or other business contacts, in order to maintain and develop our business relationship with you or the company you represent. This includes, among other things, regular administration and communication regarding our customer, partner and supplier agreements and communication via email about our business, services and our current activities (see Sections 2.6 and 2.7 above).
Categories of personal data
The personal data we process consist of:
- First and last name
- Contact details such as email address, telephone number, location and business address
- Professional title and information regarding the company you represent
- Information that you otherwise provide to us in our communication with you.
Legal basis: Legitimate interests, where our legitimate interest is to create and thereafter maintain and develop a business relationship with you or the company you represent.
Storage period: We process and store your personal data for as long as we have a business relationship with you or the company you represent, but no longer than two (2) years after the last time we were in contact in our business relationship. We may however need to store your personal data for a longer time for other purposes, e.g. if we need to take measures in order to establish, exercise or defend legal claims. We may also need to store your personal data for a longer time in order to fulfil our legal obligations.
Sharing of personal data: We may share your personal data with our suppliers and group companies.

2.9 To fulfil legal obligations or to establish, exercise or defend legal claims

We may process your personal data in order to fulfil our legal obligations according to law or other statutes that we are subject to, or if we are subject to orders or decisions by courts or authorities, which require us to process your personal data. We may also process your personal data so that you, or the company you represent, we ourselves, or any relevant third party can establish, exercise or defend its legal claims, e.g. in connection with an ongoing dispute.

3. How we share the information we collect

Access to your personal data is limited to persons who require such access for the purposes described in Section 3 above. Your personal data will therefore be shared with the following categories of third party recipients:

3.1 Companies within our group

Personal data may be disclosed to companies in the Rocola group of companies (including subsidiaries and ultimate holding company and its subsidiaries), established both within and outside the EEA, which is required for the delivery of the Service and Product and for the purposes set forth in this Privacy Policy. If we share your personal data with other companies within our group, we will ensure that the personal data continues to be processed in line with this Privacy Policy.

3.2 Sharing with Rights Holders and Content Providers

The digital content accessed through the Service may be owned by us or licensed or otherwise made available to us by third parties (Rights Holders and Content Providers as respectively defined in the GTC). We may share the information with such Rights Holders and Content Providers. The Rights Holders and Content Providers may process the information for purposes of administering the relationship with their stakeholders and rights holders in turn, which may involve sharing the information outside of the European Union. The Rights Holders and Content Providers are obliged to comply with applicable data protection regulation as well as with their own, at each time applicable, privacy policies. Such parties either process your personal data as data controllers according to their own terms and policies for handling personal data, or as our data processors according to our instructions. In the latter case, we enter into data processing agreements and/or take other suitable measures to ensure that your personal data is processed in line with this Privacy Policy.

3.3 Sharing with other Third Party Applications

To personalize your experience, we may share some information we have collected about you with providers of Third Party Applications, such as high-level geographic information, your musical preferences, settings and technical data. However, we take precautions to prohibit Third Party Application providers from attempting to identify you by using the information we provide to them or by collecting additional information without your consent. Please note that if you actively choose to provide Third Party Applications with additional information, such as by visiting a Third Party Application (which enables collection of your IP address), dragging and dropping a playlist into a Third Party Application, or allowing us to share precise geographic data which Third Party Application-providers request from us; or consent to collection of additional information about you by a Third Party Application provider when you for example register with or log in to the Third Party Application, the Third Party Application may be able to identify you and associate the information previously provided by Rocola with you. You agree and understand that a Third Party Application provider’s privacy policy governs its use of your information that we provide to it or that it collects from you.

3.4 Sharing with business partners and third party service providers

We may from time to time share your personal data with certain trusted business partners and third party service providers to enable them to perform functions and process user data on our behalf, consistent with Section 3 above. Such parties either process your personal data as data controllers according to their own terms and policies for handling personal data, or as our data processors according to our instructions. In the latter case, we enter into data processing agreements and take other suitable measures to ensure that your personal data is processed in line with this Privacy Policy.

3.5 Sharing with Public authorities

We will share your personal data with public authorities such as the police or the IRS when we are required to do so by e.g. applicable law or other legal statutes or orders or decisions by courts or authorities in order to fulfil the legal obligation specified therein.

3.6 Other sharing

In addition to the above, we may also share your personal data to third parties for these limited purposes:
- to allow a merger, acquisition, assignment of rights and/or obligations or sale of all or a portion of our assets. When such transfer occurs, we will take actions in order to ensure that the receiving party processes your personal data in accordance with this Privacy Policy. The purpose of such sharing or processing of your personal data is to allow a (potential) buyer/investor to carry out an assessment of us as a company and, where necessary, take actions and make preparations in the event a sale, assignment or other transfer should occur, where such sharing or processing of your personal data is carried out with reference to the legitimate interests of allowing such assessment, actions and preparations by the (potential) buyer/investor;
- to respond to or initiate legal process (e.g. a court order or subpoena), if we believe in good faith that it is necessary to do so;
- to comply with requirements of mandatory applicable law;
- to protect the safety of any person;
- to protect the rights and property of Rocola, including to enforce the Agreement with you;
- to address fraud, security or technical issues;
- to allow other companies in our company group to use or process your information as specified in this Privacy Policy;
- to inform business partners about use of the Service and Products made available through the Service, in the form of aggregated statistics or otherwise in a format which does not reveal your identity; or
- if you expressly opt in to such sharing.

You understand and agree that privacy policies of third parties to whom we provide information and share information with under this Section will govern all use of such information.

4. Where we process your personal data/transfer to other countries

We may process information about our users on servers located in a number of countries. Accordingly, we may share your information with other companies in our company group for the purpose of them carrying out any of the activities specified in this Privacy Policy. We may also subcontract processing to or share your information with third parties located in countries other than your home country. Information collected within the European Economic Area (“EEA”) may, for example, be transferred to, and processed by, companies in our company group or other third parties identified above, located in a country outside of the EEA. When we transfer personal data outside of the EEA, we only do so when the country in which the recipient is located ensures an adequate level of data protection according to the European Commission or if we have ensured that the recipient provides appropriate safeguards based on the use of standard contractual clauses that the European Commission has adopted and other appropriate measures to safeguard your rights and freedoms. We do this in order to ensure that the transfer is made in accordance with applicable data protection law. Rocola is a global company and outside of the EU/EEA we/our suppliers primarily store your personal data in the United States of America.

5. Security

We are committed to protecting our users’ information and we have taken measures to ensure that your personal data is handled in a safe way. For example, access to systems where personal data is stored is limited to our employees and service providers who require it in the course of their duties. Such parties are informed of the importance of maintaining security and confidentiality in relation to the personal data we process. We maintain physical, electronic, and administrative safeguards to protect your personal data from unauthorized or inappropriate access, accidental or intentional manipulation, loss and destruction. We monitor and seek to improve our security procedures.

6. Your rights

You have rights in relation to us and our processing of your personal data. Below, you will find information about your rights and how you can exercise them. Please note that your rights apply to the extent that follows from applicable data protection legislation and that there may be exceptions to the rights where applicable. We also ask you to note that we may need more information from you in order to e.g. confirm your identity before proceeding with your request to exercise your rights. To exercise your rights or request information about them we ask that you contact us, which is most easily done via email: nrios8@gatech.edu

6.1 Right to information, access and rectification of personal data

You have the right to request information about the personal data we hold on you at any time (free of charge once a year). If your data is incorrect, incomplete or irrelevant, you can ask to have the information corrected or removed with the limitation that we cannot remove your personal data when there is a legal storage requirement, such as bookkeeping rules or when there are other legitimate grounds to keep the data, such as unsettled debts. You may access, amend and update some of the information we keep on you through your user account settings.

6.2 Right to delete your personal data

You may request that we delete your personal data without undue delay in the following circumstances: (i) the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) you withdraw your consent on which the processing is based (if applicable) and there is no other legal ground for the processing; (iii) you object to processing of personal data and we do not have any overriding legitimate grounds for processing; (iv) the processed personal data has been unlawfully processed; (v) the processed personal data has to be deleted for compliance with legal obligations. Our Service may give you the ability to delete certain information about you from within the Service. For example, you may remove certain profile information within your profile/user account settings. Please note, however, that we may need to retain certain information for record keeping purposes, to complete transactions or to comply with our legal obligations, as further described under Section 3 above.

6.3 Right to object to processing of personal data

You have the right to object to the processing of your personal data when our processing is based on our legitimate interests. If you object and we believe that we may still process the personal data, we must demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or for the establishment, exercise or defence of legal claims. Your personal data will not be processed for purposes related to direct marketing if you oppose such processing. In each promotional email to you, we will include a link which you can use to unsubscribe from further messages.

6.4 Right to restrict processing

You have the right to request that we restrict using your personal data in the following circumstances: (i) you contest the accuracy of the personal data during a period enabling us to verify the accuracy of such data; (ii) the processing is unlawful and you oppose erasure of personal data and request restriction instead; (iii) the personal data is no longer needed for the purposes of the processing, but are necessary for you for the establishment, exercise or defence of legal claims; (iv) you have objected to processing in accordance with Section 7.3 above, pending the verification whether our legitimate grounds override your interests, rights and freedoms.

6.5 Right to data portability

You have the right to receive the personal data concerning you which you have provided to us when such processing is based on your consent or on a contract in order to transmit these to another service provider. This right does not exist when we base our processing on the legitimate interest ground. You also have the right to have the personal data transferred from us directly to another data controller, where technically feasible.

6.6 Right to withdraw consent

Where you gave us consent to use your personal data for a limited purpose, you can contact us to withdraw that consent. Please note, however, that this will not affect any processing that has already taken place at the time.

6.7 Right to lodge a complaint with a supervisory authority

Please note that you are always welcome to contact us if you believe that our processing of personal data is in breach of applicable data protection law. You may also at any time lodge a complaint with a supervisory authority regarding the processing of your personal data if you believe that our processing is performed in breach of applicable data protection law.

7. Exercising your rights and how to contact us

If you have any questions or comments about this Privacy Policy, or if you wish to exercise your rights as described above in Section 7, please contact us at nrios8@gatech.edu

8. Changes to the Privacy Policy

We may make changes to this Privacy Policy from time to time, so please visit this Privacy Policy regularly. If we make changes which we believe are material, we will inform you through the Service or otherwise as we find appropriate. Your continued use of the Service thereafter constitutes acceptance of the changes.

Rocola Copyright © 2023 Rocola - All rights reserved