PRIVACY POLICY

Table of Contents

1. General Provisions

2. Terms and Definitions

3. User Data Processing

3.1. User Data Processing Purposes

3.2. User Data Processing Principles

3.3. User Data Categories

3.4. User Data Access

3.5. User Data Use and Disclosure

3.6. User Data Use Limitations

3.7. Use of Certain User Data Categories and the Policy Application in Various Jurisdictions

3.8. Characteristics of Sessions Generated in Service Operation

3.9. Virtual Users Notification

3.10. User Data Erasure

4. Personal Data Processing

4.1. Purposes of Personal Data Processing

4.2. Data Subjects

4.3 Legal Basis of Personal Data Processing

4.4. Data Subject Rights

4.5. Personal Data Erasure

5. Tracking Technologies

5.1. Technologies Used on Company’s Website

5.2. Technologies Used for Customer’s/ Licensee’s Personal Account Functionality

5.3. How to Delete Cookies from Your Browser

6. Data Storage and Protection

6.1. Personal Data and/or User Data Protection Measures

6.2. Personal Data and User Data Storage

7. Contact Us

1. General Provisions

Privacy Policy (hereafter referred to as the Policy) is the present document, describing the rules and procedures for processing User Data carried out by the Company during the provision of services related to assessment of fraud risk and other operational risks for the purpose of reducing financial, reputational, and other losses for the Customer’s and Licensee’s businesses and services, which are conducted online via the Internet. It also describes the Company’s policy towards Personal Data Processing and the measures taken by the Company to ensure Personal Data security for protecting human and civil rights and liberties during one’s Personal Data Processing, including protection of rights to privacy and private life.

The Policy is valid from the 1st of February, 2025.

Policy Application and Limitation of Liability of the Company

This Policy applies to using the Company software released in the last six (6) months for front-end/data collection and testing libraries, and in the last thirty-six (36) months for back-end/scoring libraries. We constantly notify Customers/Licensees of necessary updates and provide all necessary materials and assistance, including automatic update mechanisms for front-end libraries.

We reserve the right to modify this Policy at any time.

We kindly ask you to look through all updates to our Policy on a regular basis.

2. Terms and Definitions

• Authentication means a process of probabilistic fingerprinting (digital ID) of a Virtual User and/or Virtual User Device through the analysis of User Data and the comparison of User Device data and/or Virtual User Data with a set of different attributes and characteristics in order to identify fraud or other operational risks that may lead to financial, reputational, or other losses for the Customer or Licensee. This process is carried out without using Direct Identifiers and does not enable the identification of the Virtual User.
• Company (we, our) means either (i) JCSC GLOBAL DIGITAL RISK MANAGEMENT SOLUTIONS L.L.C., a legal entity registered in accordance with the legislation of the UAE, license number 1072565, or (ii) JUICYSCORE HOLDING PTE. LTD., a legal entity registered in accordance with the legislation of Singapore, UEN 202128709Z.
• Company’s Feedback Form means an application form available on the Company’s Website, designed for legal and natural persons to submit requests to the Company regarding various cooperation issues.
• Company’s Website means a website generally available through the link https://juicyscore.ai/. The website is used for posting content about the Company for informational and other purposes.
• Controller means a natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing Personal Data.
• Cookie means a file that usually consists of letters and numbers, located on the Device and/or transmitted from a server and loaded into the browser’s memory at the moment of submitting and/or processing the website content. Cookie files allow the website to identify the device of the site visitor.
• Customer or Licensee means legal entities or individual entrepreneurs to whom the Company provides services under a contract and/or grants a license for the Service.
• Data Subject means a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
• Device means a mobile or stationary device with Internet access used by a Virtual User to access the Web Resource.
• Direct Identifier means a unique data attribute related to the Data Subject that allows for a univocal correspondence between the attribute and the natural person.
• Do Not Track means a HTTP header that notifies whether a Virtual User indicates their willingness or refusal to be tracked or monitored while using websites or mobile applications.
• Identification means the processing of a natural person’s Personal Data in order to identify the attributes that individually or collectively allow for clear and unambiguous identification of that natural person.
• Irreversibly Changed Value means a value obtained by irreversibly removing part of the original information and then hashing the remaining information before analytical processing to avoid the possibility of restoring the original value.
• JavaScript for the purposes of this Policy means software based on the relevant programming language and included in the Service for User Data collection via the Web Resource.
• Modified Value means a value altered on the Device by adding a dynamic variable alphanumeric character set and hashing; all alterations are performed before value processing by the Company’s software.
• Natural Non-Randomness means a nonzero probability of randomly guessing a natural person.
• Personal Account means a functionality within the secured part of the Services that is created for the Customer by the Contractor and allows for receiving various technical information, statistics, and monitoring of request processing.
• Personal Data means any information relating to an identified or identifiable natural person (Data Subject).
• Personal Data Processing means any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
• SDK in this Policy means software based on the relevant programming language that is included in the Service for User Data collection from iOS and Android-family Devices via the native mobile application of a Customer or a Licensee, as well as via the mobile application JS App — Device Risk Analytics.
• Service means the combined elements of the infrastructure, server hardware, and software used by the Company to estimate the risk of fraud or other operational risks arising from the formalized actions of a Customer’s or a Licensee’s User based on User Data that does not allow for the identification of the User directly or indirectly.
• Session (or JuicySession) means a unique identifier of an Internet-session (which is not a Direct Identifier), registered on a Web Resource that is generated on the Company’s servers, is practically an enhanced token and does not contain Personal Data.
• Soliciting Activity means measures aimed at receiving and processing consumers’ requests for obtaining goods and services.
• User Data means Virtual Users’ data, collected by means of program modules applied by the respective Web Resource used by Virtual Users, which neither contain Direct Identifiers, nor allow for the identification of a natural person, directly or indirectly, without the use of data not collected using the Service functionality applied on the Web Resource.
• Virtual User (User) means a user of the Web Resource of a Customer or a Licensee whose User Data is collected from the corresponding Web Resource.
• Web Resource is a website, mobile application, or any other resource of a Customer or a Licensee, which Virtual User may have access via the Internet.

3. User Data Processing

3.1. User Data Processing Purposes

The Company processes User Data received from the Web Resources for specific purposes determined in advance by Customers or Licensees and under the assignment of a Customer or a Licensee.

The Company processes User Data while rendering services to a Customer or providing a license to a Licensee by means of Device Authentication with the aim of assessing fraud risk or any other operational risks in order to reduce financial, reputational, or any other losses for a Customer or a Licensee or/and of a Customer’s or a Licensee’s clients, to whom the services of a Customer or a Licensee are being provided via online channel through the Internet, as well as using an online-to-offline principle (mobile application — JS App — Device Risk Analytics).

3.2. User Data Processing Principles

User Data may be used to provide services by the Company to a Customer or to provide a license to a Licensee for assessing fraud risk or any other operational risks with the aim of reducing financial, reputational, or any other losses for a Customer or a Licensee or/and of a Customer’s or a Licensee’s clients, to whom the services of a Customer or a Licensee are being provided via online channel through the Internet;

The list of User Data categories processed by the Company is provided herein, open-ended, available for downloading and familiarizing, it contains parameters of the Device, software, network connection, not prohibited by configurations and settings of software;

The functioning of the Service does not imply Personal Data Processing (such as a natural person’s full name, full registered address, full mobile or phone numbers, email address, ID card, or other personal document data, as well as sensitive data such as disposable income, expenses, confession, etc.). Personal Data are not required by the Company for the operation of the Service, and shall neither be required by the Company nor provided by a Customer or a Licensee under the service contract or license contract;

User Data Processing corresponds to User safety principles during online activities and to Apple and Google application development standards;

The Company does not collect or process User Data that infringes fundamental rights and freedoms of Virtual Users;

The Company processes User Data from Web Resources only under a formalized confidential agreement or/and service agreement (contract) or license agreement (contract) concluded with a Customer or a Licensee;

The Company DOES NOT process User Data for Virtual Users Identification and does not intend to do so in the future in order to minimize risks of infringing the Virtual Users' rights and freedoms, as well as to increase the value of User Data Processing as an alternative to Personal Data Processing.

The definitions of “User Data” and “Personal Data” as stipulated above are used for the purposes of the Policy. These definitions may have different meanings in various legal jurisdictions. According to the opinion of the Company’s legal advisers, upon the introduction of relevant regulatory framework and legal precedents, any dataset may be recognized as Personal Data by decision of a court with or without performing the necessary technological expertise (for example, any HTTP/HTTPS request header without any changes made by a User and without additional data enrichment may be interpreted as Personal Data). Therefore, the Company recommends that Customers and Licensees analyze and perform the necessary independent legal expertise for assessing the compliance of the Policy with applicable law before commencing use of the Services in order to meet requirements for information distribution, collection of Users’ consents, and storage applicable in the respective legal jurisdiction.

3.3. User Data Categories

The Company processes the following categories of User Data

- Collected by JavaScript (for web applications of a Customer or a Licensee, occasionally for Customer’s or Licensee’s mobile applications) and SDK (for native mobile applications of a Customer or a Licensee).

• General data related to a Customer or a Licensee, their Web Resources and the activity of the User on the Web Resource;
• Conditions and circumstances of formalized actions performed on the Customer’s or Licensee’s Web Resourсes;
• Device technical characteristics data (for example, Device make and model, screen size, memory capacity, etc.);
• Device basic software data (for example, type and operating system version, browser type and version, etc.);
• Internet-connection data being used by a Device at the moment when a User is on a Web Resource (for example, the category of IP address used, connection speed);
• Data related directly to the Virtual User (for example, UserAgent and any other fields of the web session header);
• Statistical data about Virtual User activities on the Web Resource (for example, the time when a User is on the Web Resource, the number of corrections made during the application form filling on the Web Resource);
• Statistical data about the history length and URL, previous page, where the JavaScript is installed on the Device;
• Statistical data about the categories of mobile Device applications (only via SDK);
• Statistical data about Device physical recourse utilization level;
• Statistical data about Device graphic files (only via SDK);
• Data connected with the Virtual User’s geographical location rounded to 1,000 (one thousand) meters (only via SDK);
• Modified Device MAC address (only via SDK). This attribute is not available for all integrations using an SDK version released by the Company after September 2023. For SDK versions that were released before the end of September 2023, the collection and processing of this attribute are disabled by default; such SDK versions are no longer supported by the Company. Customers are recommended to update integrations to the latest versions. If the Device MAC address is necessary for the operation of the Customer’s or Licensee’s mobile application, then the collection and processing of this parameter may be included for the execution of agreements concluded only with those Customers/Licensees who did not update the SDK libraries used after September 2023, until the libraries are updated or until the expiration of the library support period specified in Section 1 of this Policy; check applicable laws to avoid possible collection of Personal Data. Processing of this parameter cannot be enabled at the option of the Customer/Licensee;
• Modified MAC address of Wi-Fi router (disabled by default). The collection and processing of this attribute may be enabled at the Customer’s / Licensee’s discretion for agreement execution, if such collection and processing do not infringe the Virtual User’s rights and freedoms and if the processing of this attribute is not recognized as the processing of personal data in the jurisdiction of a Customer / Licensee;
• Typing rhythmical recurrence (collection and processing is disabled by default). If the typing rhythmical recurrence dataset is required for Web Resource operation and if the attribute processing does not infringe the rights and freedoms of a Virtual User and if the processing of this attribute is not recognized as the processing of personal data in accordance with the standards established by personal data laws and regulations in the jurisdiction of a Customer or a Licensee, taking into account the purposes of data processing, then collecting and processing of this attribute may be enabled at the discretion of a Customer or a Licensee;
• Alternative tracking technologies constituting IndexedDB persistent sessions. If a Customer or a Licensee needs to disable this functionality, a Customer or a Licensee shall follow the instructions contained in Company’s technical manual;
• Modified Device ID value (only via SDK);
• Statistical and binary parameters of parallel activity performed on the Device during an online session.

- Collected from the mobile User Device by the mobile application JS App — Device Risk Analytics and by the mobile SDK JuicyScore:

• Statistical data about Virtual User activities on the Web Resource (for example, the time a User spends on the Web Resource, the number of corrections made during the application form filling on the Web Resource);
• Internet connection data used by the Device at the moment a User is on a Web Resource (for example, the category of IP address used, connection speed);
• Device technical characteristics data (for example, Device make and model, screen size, memory capacity etc.);
• Data related directly to the Virtual User (for example, UserAgent and any other fields of the web session header);
• Device basic software data (for example, type and operating system version, browser type and version etc.);
• Application identifier;
• Rough location data related to the Virtual User’s geographical location, rounded to 1,000 (one thousand) meters;
• Selective list of applications installed;
• Device memory data;
• SIM card data (excluding mobile number and SIM card serial number);
• Host name;
• Device ID (modified MAC-address). This attribute is not available for all integrations using an SDK version released by the Company after September 2023. For SDK versions released before the end of September 2023, this attribute collection and processing are disabled by default; such SDK versions are no longer supported by the Company. Customers are recommended to update integrations to the latest versions. If the Device MAC address is necessary for the operation of the Customer’s or Licensee’s mobile application, then the collection and processing of this parameter may be included for the execution of agreements concluded only with those Customers/Licensees who did not update the SDK libraries used after September 2023, until the libraries are updated or until the expiration of the library support period specified in Section 1 of this Policy; check applicable laws to avoid possible collection of Personal Data. Processing of this parameter cannot be enabled at the option of the Customer/Licensee;
• Modified MAC address of the Wi-Fi router (disabled by default). Collection and processing of this attribute may be enabled at the Customer’s / Licensee’s discretion for agreement execution, if such collection and processing do not infringe the Virtual User’s rights and freedoms and if the processing of this attribute is not recognized as the personal data processing under the jurisdiction of a Customer / Licensee;
• Wi-Fi connection information;
• Internet connection information;
• Bluetooth data (data indicating whether Bluetooth is switched on or off are collected by default, collection of other data is disabled by default, verify local legislation to enable this attribute);
• Battery data;
• Mobile service provider data;
• Information about the volume of data transferred;
• Modified Device ID value (only via SDK and mobile application);
• Statistical and binary parameters of parallel activity performed on the Device during an online session;
• Modified part of the Bonjour protocol configuration data (Zero Configuration Networking protocol – “working on a network with zero configuration”);
• Information on KeyChain use.

3.4. User Data Access

A Customer or a Licensee can access the User Data only through a request from information systems of a Customer or a Licensee via secure communication channels using an account created by the Company for a Customer or a Licensee on the basis of a confidentiality agreement, a service agreement or a license agreement previously signed by both parties.

3.5. User Data Use and Disclosure

User Data disclosure occurs through sending the request from the Customer’s or Licensee’s infrastructure to the Company’s infrastructure in accordance with the technical format of interaction.

The response to the request is an API Service answer provided to the Customer or Licensee on the basis of the concluded agreement (contract).

The response to the request, above all else, contains information collected from the Web Resources of a Customer or a Licensee, as well as statistical data about visits by the Virtual User to the Web Resources of other Customers or Licensees of the Company. Source data are not transferred explicitly.

Disclosure of Data in any form other than within the framework of providing services to a Customer or providing a license to a Licensee by the Company and in the agreed format is not provided for and is prohibited.

In case a Company identifies User Data, processing of which separately or collectively infringes Users’ rights and freedoms and (or) is considered as Personal Data Processing under applicable law, and (or) User Data contains User’s Direct Identifiers processing of such User Data shall be terminated and all related User Data shall be deleted.

The Company shall not be liable for any use or non-use of data disclosed during the provision of services or licensing to a Customer or a Licensee respectively. Such data use or non-use is the sole liability of a Customer or a Licensee.

3.6. User Data Use Limitations

User data SHALL NOT be used for purposes of active target marketing to attract clients to services and products of a Customer or a Licensee (the so-called “audience segmentation”) as well as for any other purposes of the Soliciting category that are contrary to the Principles of User Data Processing and inconsistent with the purposes of User Data Processing established by this Policy. Using the results of the Service in violation of this restriction is unacceptable and prohibited, since it violates the provisions of this Policy, the terms of the contract for the provision of services, or a license contract concluded with a Customer or a Licensee, respectively, and also may constitute a violation of applicable law, depending on the jurisdiction of a Customer or a Licensee.

The Company does NOT process User Data that can enable to identify a Virtual User.

In the course of its main activities related to providing informational services and/or licensing the Company DOES NOT enrich and does not intend to enrich User Data with Personal Data to avoid the occasion of Virtual Users Identification.

3.7. Use of Certain User Data Categories and the Policy Application in Various Jurisdictions

Customers and Licensees are strongly recommended to validate the requirements of the Service and the collected User Data against compliance with requirements of their applicable (local) laws and regulations.

If the applicable laws and/or classification of data and/or associated risks adopted by a Customer or a Licensee categorizes all User Data obtained online as personal data (including the category of sensitive personal data), then a Customer or a Licensee shall, according to regulatory requirements, confirm the availability of all necessary consents from Data Subjects, the security of data processing, and compliance with other mandatory requirements (technical details on cloud data processing are available upon request).

If a Customer or a Licensee identifies a risk in the use of certain data/parameters collected within the Service and cannot disable the collection/processing of such parameters, in this case it is necessary to contact the Company's service department with a request to create an appropriate option (we will try to take into account the request within the Company's SLA).

In the event that a Customer or a Licensee conducts an independent technical audit of risks related to processing of this type of parameters (data types), it should be taken into account that the more audits are carried out, the more reasonable the assessment will be.

If a Customer or a Licensee identifies, in the course of one of these audits, a risk that exceeds multiples of the existing level of Natural Non-Randomness, it is necessary to immediately provide us with a reproducible approach confirming this risk, and the Company will take immediate measures to eliminate the risk once it is confirmed.

While performing our main activities, we have witnessed a number of specific regulations related to User Data usage in various legal jurisdictions. Therefore, we kindly ask you to pay close attention to the following User Data in terms of sensitivity of the data or consider these parameters as personal data in accordance with applicable law:

• Internet connection basic data (these data points are always present in the sessions of all companies working online as an integral part of any Internet connection);
• Modified Device MAC address (only via SDK). This attribute is not available for all integrations using an SDK version released by the Company after September 2023. For SDK versions released before the end of September 2023, collection and processing of this attribute are disabled by default; such SDK versions are no longer supported by the Company. Customers are recommended to update integrations to the latest versions;
• Typing rhythmical recurrence (collection and processing options are disabled by default);
• Alternative tracking technologies constituting of IndexedDB persistent sessions. Despite not matching completely with Cookie of Document. Cookie, LocalStorage, SessionStorage sections, persistent sessions are NOT available to third parties and, as a rule, do not have an unambiguous bijection between file name(s) and session value. Moreover, persistent session value is derived from the value of one of the online sessions to hedge against the risk of unauthorized data accidental occurrence (for hedging against the risk of producing values differing from a random set of numbers, letters, symbols, and the time of session creation) in persistent session value. This type of data may be considered as Cookie in a range of jurisdictions.
• If User Data processing carried out solely to identify the risk of fraud and other operational risks, without additional data enrichment and without the possibility of direct Identification of the Virtual User, but associated with probabilistic User or Device Authentication, is considered personal data processing under the legal jurisdiction of a Customer or a Licensee, then a Customer or a Licensee shall comply with requirements of applicable personal data legislation when handling such User Data and using the Service.

3.8. Characteristics of Sessions Generated in Service Operation

Common Sessions are not stored on the Virtual User’s Device; they are stored only in the browser memory of the Virtual User’s Device.

A Session is created at the moment when a Virtual User accesses a Web Resource of a Customer or a Licensee on the servers within the Company’s infrastructure, based on a random number generator and the timing of referencing the Company’s infrastructure. For this reason, Sessions cannot serve as Direct Identifiers of a Virtual User.

The Session Identifier depends on the random number generator as well as on the timing of referencing to the service and is similar to a random enhanced token, which is created for online payments and does not depend on the User or User’s Device.

Sessions are not synchronized with third-party sessions. Virtual Users’ Data is not enriched with third-party data, including Virtual Users’ behaviour on other Internet resources beyond the scope of the Company’s Service activity.

Based on the objectives of automated collection of User Data, the value of the “Do Not Track” flag is not taken into account during Sessions and operation of data collection program modules on a Web Resource.

3.9. Virtual Users Notification

In accordance with applicable personal data protection law, a Customer or a Licensee is obliged to notify Virtual Users of their Web Resources about Sessions generated by the Company and operating on those Web Resources, as well as about the automatic collection of User Data by means of program modules, provided by the Company. Virtual User notification shall take place prior to the commencement of data collection.

To assist Customers or Licensees in notifying Virtual Users, the Company adds the paragraph to the service contract or license contract related to notification of Users.

The Company recommends that one the following notification templates be used to notify Virtual Users — visitors of Web Resources, considering the name of the legal entity, which a Customer or a Licensee entered an agreement with:

• (i) “The company JCSC GLOBAL DIGITAL RISK MANAGEMENT SOLUTIONS L.L.C., license number 1072565, Registered office No. 702-06, Malak Al Hail Holding, Bur Dubai, Burj Khalifa, Dubai, UAE, email address info@juicyscore.ai, performs the collection and processing (including storage, systematization, accumulation, analysis, updating, extraction, and deletion) of user data by means of JavaScript <for the web application of a Customer or a Licensee> and SDK <for a native mobile application a Customer or a Licensee> on the web resource <the name of a Web Resource of a Customer or Licensee> in order to assess risks related to the application for obtaining a Customer’s or Licensee’s product under assignment of a Customer or a Licensee. The list of user data, as well as its content, storage, and deletion procedures are provided in the Privacy Policy, available on the website https://juicyscore.ai/en/privacy/”.
• (ii) “The company JUICYSCORE HOLDING PTE. LTD., UEN 202128709Z, Registered office #10-01, ONE GEORGE STREET SINGAPORE (049145), email address info@juicyscore.ai performs the collection and processing (including storage, systematization, accumulation, analysis, updating, extraction, and deletion) of user data by means of JavaScript <for the web application of a Customer or a Licensee> and SDK <for a native mobile application a Customer or a Licensee> on the web resource <the name of a Web Resource of a Customer or Licensee> in order to assess risks related to the application for obtaining a Customer’s or Licensee’s product under assignment of a Customer or a Licensee. The list of user data, as well as its content, storage and deletion procedures are provided in the Privacy Policy, available on the website https://juicyscore.ai/privacy/".

Customers and Licensees conducting business in EU jurisdiction shall notify their Users about Device fingerprinting mechanisms and/or external sessions running on their Web Resources. This notification shall appear before Users enter the page created with the mentioned mechanisms and/or containing the mentioned sessions. The JuicyScore data collector (JavaScript) is recommended for installation on the User’s Web Resource starting from the second page (not the landing page); JuicySessions should be classified as essential Cookies or as another obligatory data category since the Sessions are not Cookies, are not files, and are stored in web browser’s short-term memory. A Virtual User’s decline in using such Sessions should be treated as a refusal to continue visiting the Web Resource.

3.10. User Data Erasure

Since User Data collected and subsequently processed within the Company’s infrastructure may not be classified as Personal Data, deletion of such data upon a User’s request is possible only in theory, because there is no means to match technical data stored by the Company with a User’s Personal Data that might be available to a Customer or a Licensee.

Submission of a User Data deletion application is available:

- Via the feedback form on the Company’s Website (https://juicyscore.ai/) in English,

- Via written request, send to one of the following addresses, considering the name of the legal entity, which a Customer or a Licensee entered an agreement with:

• (i) Office No. 702-06, Malak Al Hail Holding, Bur Dubai, Burj Khalifa, Dubai, UAE;

• (ii) #10-01, ONE GEORGE STREET SINGAPORE (049145).

The Company commits to taking all possible measures to implement applications for User Data deletion. The application consideration time does not exceed thirty (30) calendar days from the moment of application submission.

4. Personal Data Processing

4.1. Purposes of Personal Data Processing

The Company acts as a Controller with respect to the Personal Data of Data Subjects specified in Clause 4.2 herein.

Personal Data Processing is limited to achieving specified, explicit, and legitimate purposes.

The Personal Data shall be adequate, relevant and comply with the stated purposes of processing.

Personal Data Processing incompatible with the purposes of Personal Data collection is not allowed.

The Company does not process Personal Data during the core service rendering to a Customer or while providing a license to a Licensee.

The Company processes Personal Data for the following purposes:

• Signing a contract with Data Subject and its subsequent performance;
• Conducting Company’s personnel management and record keeping;
• Maintaining corporate documentation and records in accordance with the legislation of UAE, recruitment;
• Conducting economic and administrative activities;
• Communicating with representatives of legal entities that are potential users of the Company's services and providing advice on services rendered by the Company;
• Entering into and performing the service agreement or license agreement;
• Other legitimate purposes as provided for by applicable law.

4.2. Data Subjects

The Company processes Personal Data of the following categories of Data Subjects:

• Natural persons who are job candidates;
• Natural persons who are the Company’s founders or employees;
• Natural persons who are dismissed employees;
• Natural persons working under a contract;
• Natural persons who have submitted a request via a feedback form on the Company’s Website;
• Natural persons who are contact persons of companies that are parties to executed contracts;
• Any other natural persons who have provided consent for Personal Data Processing by the Company.

4.3. Legal Basis of Personal Data Processing

The Company processes Personal Data in strict compliance with the law.

Personal Data Processing shall be lawful only if and to the extent that at least one of the following applies:

• the Data Subject has given expressed consent to the Personal Data Processing for one or more specific purposes;
• Personal Data Processing is necessary for the performance of a contract to which the Data Subject is a party or in order to take steps at the request of the Data Subject prior to entering into a contract;
• Personal Data Processing is necessary for compliance with a legal obligation to which the Company is subject;
• Personal Data Processing is necessary to protect the vital interests of the Data Subject or of another natural person;
• Personal Data Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the Company;
• Personal Data Processing is necessary for the purposes of the legitimate interests pursued by the Company or by a third party, or to achieve socially significant goals provided that such processing does not infringe the fundamental rights and freedoms of the Data Subject.

4.4. Data Subject Rights

The Data Subject has the right to:

• Obtain information related to one’s Personal Data Processing, including the purposes of processing, categories of Personal Data concerned in order, form and terms set by Personal Data regulations;
• Require: rectification of inaccurate Personal Data; to have incomplete Personal Data completed, including by means of providing a supplementary statement; erasure of Personal Data that is no longer necessary for the purposes for which they were collected or otherwise processed; restriction of processing of Personal Data concerning the Data Subject, or to object to such processing;
• Receive the Personal Data concerning him or her, which he or she has provided to a Company, in a structured, commonly used and machine- readable format;
• Take the measures prescribed by law in order to protect one’s rights;
• Withdraw a consent to Personal Data Processing;
• Exercise any other rights provided for by the Personal Data regulations.

4.5. Personal Data Erasure

Personal Data Erasure is available through applications submitted:

- Via the feedback form on the Company’s Website (https://juicyscore.ai/);

- Via a request in written form sent to one of the following addresses considering the name of the legal entity, which a Customer or a Licensee entered an agreement with:

• (i) Office No. 702-06, Malak Al Hail Holding, Bur Dubai, Burj Khalifa, Dubai, UAE;

• (ii) #10-01, ONE GEORGE STREET SINGAPORE (049145).

The Company commits to taking all possible measures to implement the received applications for deleting the Personal Data. The application consideration time shall not exceed thirty (30) calendar days from the moment of application submission.

Personal Data shall be erased upon reaching the purposes of Personal Data Processing or in case of the Data Subject withdrawal of consent for Personal Data Processing, provided that:

• It has not been otherwise agreed upon in the contract, a party and beneficiary and guarantor of which is the Data Subject;
• The Company has no right to process Personal Data without the Data Subject consent pursuant to national personal data legislation;
• It has not been otherwise stated in any other agreement between the Company and the Data Subject;
• The storage of Personal Data is required by laws and regulations (e.g., data on salary, taxes, financial transactions).

5. Tracking Technologies

5.1. Technologies used on the Company’s Website

We use various tracking technologies on the Company’s Website, such as scripts for collecting and processing information related to Website visitors while they stay on the Website, such as IP address, location (country or city), type and version of the Device operating system, type and version of the Device browser, type and resolution of the display, source of traffic, operating system and browser language, and others.

Cookies are not used on the Company’s Website in the meaning of files, stored in the relevant section Document. Cookies, LocalStorage, SessionStorage of browser database. Alternative tracking technologies are not used on the Company’s Website, such as persistent sessions in IndexedDB, Device Fingerprinting, or ETag marks.

Types of tracking technologies used on the Company’s Website:

• IndexedDB: The storage period is indefinite. This method of persistent sessions use is set up on the feedback form to enable data deletion upon request;
• Device Fingerprinting: The storage period is three (3) months. The Device Fingerprinting mechanism is set up on the feedback form to enable data deletion upon request. In the SDK settings, it is possible to disable Device Fingerprinting tools based on graphics and media and are different from the those commonly accepted in the financial sector, as well as to disable different types of Device Fingerprinting formed on the Virtual User’s Device (for a more detailed description, please refer to the Company’s technical documentation provided during the execution of the agreement concluded with the Customer/Licensee).

Please note that the use of User Data solely to assess the risk of fraud or other operational risks in order to reduce financial, reputational, or other losses for the businesses and services of the Customer or the Licensee, as well as for security purposes, is not regarded by the Company as tracking. Therefore, the value of the “Do Not Track” flag is not taken into account during the operation of Sessions and data collection software modules running on the Web Resource.

If the storage of a constant session (persistent session) in the browser memory of the User’s Device infringes the requirements of personal data legislation established in legal jurisdiction of a Customer or a Licensee, this technology may be disabled.

5.2. Technologies used for Customer’s/ Licensee’s Personal Account Functionality

The Company uses Cookies to maintain the operation of the Customer/Licensee's Personal Account, created for interaction with the Customer/Licensee under the concluded agreement. At the same time, the Customer/Licensee is required to obtain the consent of individuals whose contact details are indicated in agreement with the Customer / Licensee and who interact with the Company through the Personal Account to process personal data and transfer such data to the Company in order to fulfill obligations under concluded contracts.

For the protection of the Customer’s/Licensee’s Personal Account, persistent sessions (IndexDB and Device Fingerprinting) are applied; application instructions are described in Clause 5.1 herein.

5.3. How to Delete Cookies from Your Browser

You can withdraw your consent to Cookie storage by changing your browser settings.

You can find instructions about Cookie management published by providers of Microsoft Edge, Google Chrome, Safari (for computers, mobile devices), and Firefox, respectively.

6. Data Storage and Protection

6.1. Personal Data and/or User Data Protection Measures

The Company takes all necessary legal, organizational, and technical measures to protect the collected data from unauthorized, illegal, or accidental access, deletion, changing, blocking, copying, providing, or distribution of data, which may include:

• Limiting and regulating the staff who have access to the Personal Data and/or User Data via the Feedback form on the Company’s Website;
• Designating a person responsible for the organization of Personal Data and/or User Data Processing; designation of a person responsible for the security of Personal Data or/and User Data;
• Familiarizing employees who are directly in charge of Personal and/or User Data processing with the provisions of the applicable legislation and this Policy;
• Organizing the accounting, storage, and circulation of media that contain information about Personal and/or User Data;
• Identifying threats to Personal Data security during processing and developing threat models;
• Developing a Personal Data protection system based on threat models;
• Testing the readiness and effectiveness of information security tools;
• Controlling users’ access to informational resources, software, and hardware used for information processing;
• Registering and accounting for the activities of information system users;
• Protecting information system access with passwords;
• Physically separating the storage and processing systems for Personal Data and User Data and preventing combined storage, processing or/and any other activities;
• Applying tools to control access to communicational ports, output information devices, removable media as well as external memories;
• Antivirus control, using a firewall, information backups;
• Providing data recovery, modified or deleted as a result of illegal access.

6.2. Personal Data and User Data Storage

Personal Data storage is carried out in a manner that allows for the identification of the Data Subject and for a period no longer than it is required for the purposes of Personal Data Processing unless otherwise provided for by applicable Personal Data regulations. The terms of Personal Data storage are established subject to compliance with requirements of Personal Data regulations or provisions of a contract, party and beneficiary or guarantor of which is the Data Subject. Personal Data shall be deleted after the expiration of the storage period unless otherwise is required by laws and regulations.

User Data collected from Web Resource, in respect of which there was NO request to the Service for User risk assessment from a Customer or a Licensee, are stored for not more than thirty (30) days from the moment of collection.

User Data collected from the Web Resource in respect of which there was a request from a Customer or Licensee for User risk assessment, is stored for not more than two (2) years from the moment of collection.

In order to comply with applicable legislation or/and current business practices and regulations all the raw data, including User Data, are localized in the following regions where the Service is used (determined based on the Virtual User’s IP address location): USA, European Union, UAE, Singapore, India, and other locations. For data processing and storage, the Company uses physical infrastructure within its network, situated in the regions where the Service is used. Moreover, all Customers and Licensees are provided with the functionality of forced raw data localization in one of the selected global locations, including UAE or Singapore.

The Company is not the owner of User Data, processed in Company’s IT-systems and provides its secure storage based on the service contract signed with a Customer or the license contract signed with a Licensee.

7. Contact Us

• (i) JCSC GLOBAL DIGITAL RISK MANAGEMENT SOLUTIONS L.L.C. (license number 1072565)

Registered and mailing address: Office No. 702-06, Malak Al Hail Holding, Bur Dubai, Burj Khalifa, Dubai, UAE

E-mail address for messages on Personal Data Processing and User Data issues: info@juicyscore.ai

• (ii) JUICYSCORE HOLDING PTE. LTD (UEN 202128709Z)

Registered and mailing address: #10-01, ONE GEORGE STREET SINGAPORE (049145)

E-mail address for messages on Personal Data Processing and User Data issues: info@juicyscore.ai

You may contact our DPO at + 65 6978 6805