PRIVACY POLICY Version: 1.2 Effective Date: December 2025 ================================================================================ 1. INTRODUCTION KERNEL247EE OU (DBA: IDPhotoCapture) (hereinafter — "Company", "we", "us") is a software development company that creates and maintains digital photography and imaging solutions. This privacy policy describes how we process information in accordance with Regulation (EU) 2016/679 (GDPR) and applicable data protection laws. This policy applies to all products and services offered by IDPhotoCapture, including but not limited to the inPhoto application and related services. ================================================================================ 2. IMPORTANT CLARIFICATION: WHAT OUR APPLICATIONS DO NOT DO Our desktop applications are designed with privacy as a core principle. They: - Do not collect any personal data from users within the applications - Do not upload photos, documents, or user files to our servers - Do not use analytics, tracking, or cookies to monitor users - Do not request access to system data without explicit user consent - All user-generated content remains exclusively on the user's computer under their full control Our websites also do not automatically collect personal data and do not use tracking systems. ================================================================================ 3. WHAT DATA WE PROCESS AND WHERE IT COMES FROM 3.1 Data Related to Purchase and Licensing When you purchase a license for our products, we receive the following information: - Email address - Name or organization name - Payment information (processed by FastSpring payment system, not by us) - License information (product type, license type, activation date, expiration date) Data sources: - Automatically through the FastSpring payment platform (their privacy policy applies to payment information) - Manually, when a customer contacts us for special arrangements, bulk purchases, or custom solutions We do NOT verify the accuracy of provided data — responsibility for information accuracy rests with the customer. 3.2 Technical Support Data If you contact our technical support: - Email address (from your request) - Problem description - System information or technical details (if you provided them voluntarily) - Product usage information relevant to resolving your issue 3.3 Technical Error Reports Our applications may send anonymous error reports (optional): - Reports are completely anonymized and contain no identifying information - It is impossible to link a report to a specific user or organization - Reports are used exclusively to improve application stability and performance ================================================================================ 4. DATA STORAGE AND SECURITY 4.1 Where Data is Stored User-generated content (photos, documents, files): - Storage location: Exclusively on user's computer - Control: Full user control License and purchase data: - Storage location: Company internal database - Control: Protected by encryption, limited access Support information and tickets: - Storage location: Internal support management system - Control: Limited access (support staff only) Technical error reports: - Storage location: Protected logging server (anonymized) - Control: Retained for 90 days 4.2 Security Measures - Encryption in transit: All data transfers use HTTPS encryption - Access control: Only authorized employees have access to personal data - Backup: Regular data backups to ensure availability and integrity - Audit: Regular monitoring and logging of access to personal data - Data minimization: We collect only the minimum data necessary for service delivery ================================================================================ 5. PURPOSES OF DATA PROCESSING AND LEGAL BASIS License management and activation: - Legal basis: Contract performance - Retention period: While license is active + 12 months after termination Technical support and troubleshooting: - Legal basis: Contract performance and legitimate interests - Retention period: 24 months Sending product updates and announcements (if consent given): - Legal basis: Consent - Retention period: Until consent is withdrawn Product improvement (anonymous error reports): - Legal basis: Legitimate interests - Retention period: 90 days Compliance with legal and tax requirements: - Legal basis: Legal obligation - Retention period: As required by law Fraud prevention and system security: - Legal basis: Legitimate interests - Retention period: As necessary ================================================================================ 6. DATA SHARING WITH THIRD PARTIES 6.1 Parties We Do NOT Share Data With - Marketing and advertising companies - Analytics platforms (except for anonymized technical reports) - Social networks - Data brokers or information resellers - Any commercial partners without explicit data processing agreements 6.2 Parties We May Share Data With Service providers: Companies that help us deliver our services (cloud hosting providers, email service providers), but only under appropriate Data Processing Agreements (DPA) and with equivalent data protection standards FastSpring: Payment processor (in accordance with their privacy policy) By legal requirement: When required by applicable law, court order, or legitimate government request In case of merger, acquisition, or sale: If the company is transferred to another organization, personal data is transferred with the same level of protection and with appropriate legal safeguards ================================================================================ 7. USER RIGHTS (GDPR) You have the following rights under GDPR: 7.1 Right of Access You can request a copy of all personal data we hold about you. 7.2 Right to Rectification If your data is inaccurate or incomplete, you can request correction or completion. 7.3 Right to Erasure ("Right to be Forgotten") In certain cases, you can request deletion of your personal data (except where we are required to retain it by law). 7.4 Right to Restrict Processing You can request that we limit how we use your data for specific purposes. 7.5 Right to Data Portability You can request your personal data in a structured, commonly used, machine-readable format for transfer to another service provider. 7.6 Right to Object You can object to the processing of your data for certain purposes, particularly for marketing communications. 7.7 Rights Related to Automated Decision Making You have the right not to be subject to decisions based solely on automated processing that produces legal or similarly significant effects. To exercise any of these rights, please contact us at the address provided in section 10. ================================================================================ 8. RETENTION POLICY We retain personal data only as long as necessary to fulfill the purposes for which it was collected, unless a longer retention period is required by law. Specific retention periods are outlined in section 5. After the retention period, data is securely deleted or anonymized. ================================================================================ 9. INTERNATIONAL DATA TRANSFERS If you are located outside the European Economic Area (EEA) and your data is transferred to a location outside the EEA, we ensure appropriate safeguards in accordance with GDPR, including: - Standard Contractual Clauses (SCCs) as approved by the European Commission - Adequacy decisions where applicable - Your explicit consent where required ================================================================================ 10. CHILDREN'S PRIVACY Our products and services are not intended for individuals under 13 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child under 13, we will immediately delete such data and take appropriate steps to inform parents or guardians. ================================================================================ 11. CONTACT INFORMATION 11.1 Data Controller KERNEL247EE OU (DBA: IDPhotoCapture) Moisa tee 67 Kohtla-Jarve Ida-Virumaa Estonia 30326 Registration number: 12273074 Email: info@idphotocapture.com Website: www.idphotocapture.com 11.2 Data Protection Officer (DPO) If you have questions about how we process your personal data or wish to exercise your rights, please contact us: Email: info@idphotocapture.com Response time: We aim to respond to all data subject requests within 30 days. 11.3 Complaints to Data Protection Authority You have the right to lodge a complaint with the data protection authority in your country of residence or jurisdiction. The relevant authority will depend on your location. You may contact your local data protection authority or use GDPR resources to find the appropriate regulator. ================================================================================ 12. POLICY CHANGES We reserve the right to update this privacy policy to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by updating the date at the bottom of this policy and, where appropriate, by providing additional notice (such as through email). Material changes will be communicated with at least 30 days' notice before taking effect. Your continued use of our products and services after such changes means you accept the updated policy. ================================================================================ 13. CONTACT FOR INQUIRIES AND COMPLAINTS If you have any questions, concerns, or complaints about this privacy policy or our privacy practices: Email: info@idphotocapture.com Address: Moisa tee 67, Kohtla-Jarve, Ida-Virumaa, Estonia 30326 We will make every effort to resolve your concerns promptly and fairly. ================================================================================ Last Updated: December 2025