ANYVISION BY VR GLOBAL DATA PROTECTION POLICY

Last update: 25 May 2018

The protection of your personal data as well as your privacy is of utmost importance for us – the VR Global Inc. Thus, for the purposes of providing you with our website services and software-as-a-services, we decided to be bound by the principles included in this Data Protection Policy. We kindly invite you to read this Policy carefully as it defines basic principles and mechanisms of how we process your personal information. This is a legal document, yet, we have tried to prepare it in a clear and transparent manner in order to enhance protection of your rights, which is one of the top priorities of the VR Global.

This Data Protection Policy ("Policy") is subject to the laws of the New York State, the United States of America and has been prepared by the VR Global, Inc. 335 Madison Avenue 4th Floor, New York, NY 10017 ("VR Global", "us", "we", or "our").

The hereby Data Protection Policy applies to:

• the VR Global website and its users or visitors;
• any software-as-a-service being provided by the VR Global, defined in detail in an applicable SaaS agreement, if any, between VR Global and Client („you” or „your”), and particularly to the Software-as-a-Service which in its core function gives Client a right to access and use a web-based and mobile-based VR and 360 software to create, review, share and present VR, AR and 360 property tours for architecture, design and sales & marketing business purposes (”SaaS”).

Our SaaS service is available to customers from other countries of the World, including states which are part of the European Union (the EU) or the European Economic Area (the EEA). In accordance with the so-called General Data Protection Regulation (the GDPR), which is an act forming part of the European Union law, in order to provide services to our Clients from Europe, we are obliged to inform about a number of issues, this is directly required of us by the law.

We would like to indicate that you could use the principles of the GDPR if you use the SaaS in the EEA, or if you are a citizen of one of the EEA states. In the following part of this Policy, all persons covered by the GDPR principles on processing of personal data are going to be jointly referred to as “the EU persons”. Should you have any doubts on your rights - please do not hesitate to contact us.

If the GDPR does not concern you, we strongly invite you to carefully read the entire Data Protection Policy document. Even if the GDPR does not apply in your case (as, for example, due to the fact that you are the citizen and resident of the US and you use our SaaS service there), we would like to protect your privacy and personal information just as well and safely.

1. SIGNIFICANT CONCEPTS

In the relevant legal acts, our Data Protection Policy, as well as in other documents that we may apply while processing data, there are a number of concepts important to the protection of your rights. Depending on the country in which you use our SaaS, the manner to understand the following concepts, essential for the protection of your privacy, may vary. By processing of your personal data for the SaaS purposes, we understand the following key concepts as follows:

1. PERSONAL DATA - mean any information relating to an identified or identifiable natural person. The identifiable natural person is the one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name and surname, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The term 'personal information' is most commonly used in the US and Canada in order to indicate personal data. Further in this document, we would like to use the term 'personal data' or simply 'data' uniformly.

Typical examples of personal data are as follows: home and work addresses, telephone number, e-mail address, social security number, birth date, gender, marital status, mother's maiden name, and health data.

2. PROCESSING OF DATA - means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means. Processing of data involves in particular: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of personal data;
3. CONTROLLER OF PERSONAL DATA - within the framework of the EU law means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by the European Union or Member State law, the controller or the specific criteria for its nomination may as well be provided for by the European Union or Member State law;

The controller processing personal data for the purpose of providing our website and SaaS services is the VR Global Inc. with its registered office in New York, the United States of America, 335 Madison Avenue 4th Floor, New York, NY 10017. In all matters concerning the protection of your privacy and personal data you are welcome to contact us through the following contact details: info@vrglobal.com

At the same time, we would like to kindly inform persons from the EU that we have not appointed a data protection officer (see: Articles 37-39 of GDPR).

4. THE BASIS OF DATA PROCESSING - legally defined grounds for the processing of personal data by us.

In principle, we process your data on the basis of your consent, or because we need it to provide you with the website or SaaS service or in order to make a settlement of the agreement we concluded.

It may happen that we would be forced by law to transfer your personal data to public services - yet we always remain committed to act in accordance with the law. We are allowed to use your data to develop the VR Global through, for example, customer profile analysis, preparation of marketing strategies. In this case, the basis for the processing of your data are our legitimate business interests - the possibility to make market analysis, advertising, implementation of sales strategies, etc. as it remains a part of the fundamental right of economic freedom and the freedom to conduct a business. Nevertheless, we renounce such processing which would excessively interfere your rights and freedoms.

In the case of EU citizens, the legal grounds for data processing of personal data are explicitly set forth in the GDPR. In the case of our SaaS, depending on the circumstances that would be the following:

• Article 6(1)(a) of GDPR - the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
• Article 6(1)(b) of GDPR - processing is necessary for the performance of the agreement to which the data subject is party or in order to take steps at the request of the data subject prior to entering into the agreement;
• Article 6(1)(c) of GDPR - processing is necessary for compliance with a legal obligation to which the controller is subject;
• Article 6(1)(f) of GDPR - processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

5. PROFILING - means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to natural person, (in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements). Examples of profiling are, e.g. automatic credit rating or displaying advertisements based on previous Internet activity.

Currently we do not use your personal data to make automated decisions using the available technologies. If we change it in the future, we will update this Policy to let you know more.

6. PROCESSOR - means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. It may happen that the controller of your data, acting legally, entrusts data to third party.

Acting in compliance with the law, we may transfer your personal data to our contractors and service providers. We always provide at least the same level of security of your data and are constantly committed to choose our contractors who can guarantee a high level of protection of your privacy.

The controller of your personal data is the VR Global, however it may transfer personal data to its affiliates, primarily to the company incorporated under the Polish law, the VR Global Europe Sp. z o.o. (LLC) with its registered office in Wroclaw, Poland. We are also allowed to transfer data to entities such as companies providing accounting and tax services, our lawyers, payment companies, banks, companies providing analytical services (e.g. for the purposes of market analysis) or marketing and PR services.

7. CONSENT TO DATA PROCESSING - extremely significant concept, as most frequently we process your data based on your consent. Consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Please remember that your consent to the processing of your personal data by us is and would always remain voluntary. You can also withdraw your consent at any time, however without your consent to data processing we might be unable to provide you with our website and SaaS services.

2. LAW

The principles of protection of your personal data and privacy may result from both state as well as federal law.

In case of the EU citizens, the principles for the processing of personal data arise primarily from the so-called General Data Protection Regulation. It is an act of the EU law, which means that it is a regulation common to all of the EU Members. The same principles apply to all of the EU entrepreneurs. The full name of this act is as follows: Regulation of the European Parliament and of The Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR).

3. WHY AND WHAT SORT OF DATA ARE PROCESSED WHILE PROVIDING SAAS SERVICES

In our organization, we process variety of data and different categories of personal data – all for specific purposes. If we ask you for consent to process information, we inform you about the processing principles. Please do not hesitate to familiarize yourself with them carefully.

Please remember that your consent is always voluntary and you can withdraw your consent at any time without stating any reason. Please note, however, that occasionally it may turn out to be impossible to provide you with services, fulfill your order or provide some SaaS functionalities - as it might not be possible without your personal data. Therefore, you are kindly asked to fully consider whether you consciously would like to authorize us to process your personal data.

By using the VR Global website and SaaS services, you consent to the processing of your personal data for the purpose of providing services by us. However, taking care of your privacy, while executing any SaaS Agreement we always request for your consent.

In the case of our website and SaaS services, we collect and process the following data for the purposes indicated below:

SOURCE OF DATA	TYPE OF DATA THAT CAN BE COLLECTED AND PROCESSED	PURPOSE
website contact form, any other communications between us	required: name, surname, e-mail address; optional: telephone number	communications with you, negotiations of contracts, presentation of our offers and services, handling your requests
any agreement between you and VR Global	name and surname (if applicable), business name, contact address, email address, tax ID	execution and performance of an agreement
data collected during the use of website and SaaS services	IP address, number of pages visited at the website, time spent on particular pages, any server requests, cursor position	analytical purposes
cookies files (please see the information below)	identity of website and SaaS users	user identification, authentication and authorization during the session

4. LINKS TO OTHER SITES

Our Service may, from time to time, contain connections with or links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third party’s site or service. We advise you to review the privacy policy of every third-party service provider. We have no control over, and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.

5. BASIC PRINCIPLES OF PERSONAL DATA PROTECTION

Processing of your personal data may each time look different, depending on what data we process, for what purpose, by what means, on what legal basis, etc. In each case, however, we are guided by a few fundamental values and principles:

1. LAWFULNESS – we always process your data in accordance with the applicable law;
2. RELIABILITY – we process your data reliably, in the organized and thoughtful manner;
3. TRANSPARENCY – we are committed to make the data processing processes transparent;
4. PURPOSEFULNESS – we always collect and process data for a specific legal purpose or purposes; we do not collect data unnecessarily;
5. ADEQUACY – we process data adequate to the purposes for which we do it; we limit the processing of data to what is necessary to achieve a specific purpose beyond which we do not cross;
6. CORRECTNESS – we take reasonable care to process only personal data which are correct and up-to-date;
7. LIMITATION OF STORAGE – in accordance with the GDPR, storage in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; we store personal data no longer than reasonably needed;
8. INTEGRITY AND CONFIDENTIALITY – we process personal data in the manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage. We use appropriate technical or organizational measures;
9. ACCOUNTABILITY – the controller of your data is responsible for compliance with the rules listed above. We keep records of how we process your personal data in order demonstrate that, if necessary.

6. INFORMATION ON YOUR RIGHTS (GDPR)

The GDPR regulation confer persons from the European Union with a number of rights that they can use while we process their personal data. If you are the person from the EU or EEA you are vested in with the following rights:

1. the right to access and receive copies of your data. You have the right to receive from us one copy of your personal data, which we process, and another – for a fee;
2. the right to rectify (to amend) your personal data;
3. the right to erase data. If you think there are no grounds for us to process your data further and you are right, you can demand erasure;
4. limitations on data processing. If you think that we have inaccurate data about you, and you do not request to erase these data, you can demand that we limit ourselves only to store this data, or to other undertake other activities that we would agree with you;
5. the right to object to the processing of personal data;
6. the right to data portability;
7. if we process your data on the basis of your consent, you have the right to withdraw your consent for processing at any time without giving any reason. This does not affect the legality of the previous processing;
8. the right to complain to the appropriate supervisory authority for our actions.

In order to exercise your rights, you must first let us know. As a first step you are kindly requested to contact in a convenient way for you with the VR Global - the controller of your personal data. To facilitate this process, we have prepared a form of your request (or statement) that you can use to communicate with us - you will find this form at the very end of this Data Protection Policy.

Regardless of how, when and in what form you would like to contact VR Global in matters relating to your privacy, please do not hesitate to read the following information, containing the rules for handling inquiries from people from the European Union resulting from the provisions of the GDPR, which we would use:

Information shall be provided in writing or otherwise, including, where appropriate, electronically. In case of explicit request of the data subject, the information shall be given orally, provided that the identity of the data subject is confirmed by other means. The controller shall refuse to request if the identification of the data subject is not possible. The controller without undue delay – and in any case within one month from receipt of the request – provides the data subject with the information on actions taken in conjunction with the request. If necessary, this period may be extended by another two months due to the complex nature of the request or the number of requests. Within one month from the receipt of the request, the controller shall inform the data subject about such extension, stating the reasons for the delay. If the data subject has forwarded his request electronically, if possible, the information is also transmitted electronically, unless the data subject requests a different form. If the controller fails to take action in relation to the request of the data subject, the controller shall immediately – no later than within one month from the receipt of the request – inform the data subject of the reasons for failure to take action and the possibility of lodging a complaint to the supervisory authority and to exercise available legal remedies before the court. Information provided by the controller as well as communication and actions taken in conjunction with handling requests are free of charge. If the data subjects' requests are manifestly unjustified or excessive, in particular, because of their continuing nature, the controller shall charge a reasonable fee, including administrative costs of providing information, communication or undertaking specific actions, or refusing to take actions in relation to the request. If the controller has reasonable doubts regarding the identity of the natural person submitting the request, the additional information necessary to confirm the identity of the data subject shall be requested.

7. INFORMATION ON YOUR RIGHTS (PERSONS FROM OUTSIDE OF THE EU AND THE EEA)

We would like to look after the security of all our Clients, website visitors and SaaS users equally. If the provisions of GDPR do not apply to you, you can still request that your personal data to be rectified if they are incorrect; to abandon processing them - if there is no grounds for it; to amend personal data - if they are changed. Should you like to amend anything or you simply wish to find out more, please do not hesitate to contact VR Global.

8. PROCESSING OF PERSONAL DATA BELONGING TO CHILDREN

Our website and SaaS services are designed and reserved for adults only. It is the law of the country you are a citizen of which determines if you are an adult. Usually, depending on the country you are the citizen of, you must be at least 18 or 21 years old in order to be able to use our services. If you are not an adult – you are not allowed to enter into any SaaS Agreement with us on the basis of which you would be provided with SaaS services. Under no circumstances such agreements shall be concluded by persons who are not at least 16 years old. We do not collect or process personal data of children, including, in particular, personal data of persons under 16 years of age.

9. COOKIES

As part of our Internet services and SaaS services, we are allowed to use cookies. It is a standard practice. These are, in principle, small files saved in the memory of your device which you are using while visiting our website and using our SaaS. Cookies collect various information, which - depending on their character or content - may enable us to perform a number of actions, e.g. automatic login to the website, automatic filling out of forms, return to the place on the website where the reading has ended, etc.

Information about the cookies we use on our website and in our SaaS services:

• AspNetCore.Antiforgery – a temporary cookie file used to verify correctness of sent HTML forms in order to protect against breaking into the website service with a use of machine methods;
• ARRAffinity – a cookie file used by a server to connect user sessions with a specific server instance. It aims to evict a situation in which a user is automatically redirected to a server instance to which has no authorization;
• Anyvision.Session – user session information cookie file, allowing to identify a user during a session;
• Token - JWT token, used to authenticate a user after a login. Together with a session cookie allows to identify a user in the system.

10. MAINTAINING OUR PERSONAL DATA PROTECTION SYSTEM. NEW PRODUCTS, SERVICES AND ACTIONS

If we would like to make changes to operation of the SaaS or website, we commence to offer new products, services, we are willing to change the way we process your personal data, there may appear a need to review our existing data protection principles. We monitor how our activities may affect the security of your privacy. In particular, if we predict that our activities may in some way affect your privacy, we carry out appropriate risk assessments (Privacy Risk Assessment). If we create new products, services and implementations of new configurations and settings of the SaaS – we accept such configurations and settings that do not expose you to the processing of personal data beyond what is necessary to use our solutions (Privacy by Default), whereas the products and services themselves are created according to the same principle (Privacy by Design). If we make changes to our functioning, and if there exist such a need, we also audit our data protection principles - in order to enhance protection of information about you.

11. WHO IS BOUND BY THIS DATA PROTECTION POLICY

We strive to familiarize all our staff with this policy, in particular those who have access to any personal data. Our employees and fellows are obliged to observe rules and principles which we apply in order to protect your data and we are committed to process your data with full respect of the law and in accordance with the main principles of our Policy indicated above. Only selected employees of the VR Global have access to your data.

We follow these principles, you use them. Just like we created our SaaS services for you.

12. TRANSFER OF DATA TO THIRD COUNTRIES AND INTERNATIONAL ORGANIZATIONS

The VR Global, Inc. is the company incorporated under the US law. The data you provide to us shall be processed primarily in the United States. VR Global may also have affiliates in various countries around the World, including in Wroclaw, Poland. In this case, your data shall also be processed in the country in which we have affiliates. In addition, the SaaS is a technologically complex service. For its correct or enhanced operation, we can take advantage of various possibilities offered by technology and IT infrastructure, which may involve the temporary transfer of your data to servers, end devices, etc. located in other countries.

No matter where your data is processed, we are striving to provide equal level of data security everywhere. In particular, we select our contractors - providers of infrastructure and IT services - choosing only those who can guarantee the high level of protection of your privacy.

13. SECURITY OF YOUR DATA

We protect your data best as we can. We use appropriate to the level of risk (which may involve processing of your data) technological, organizational and physical safeguards. Depending on the circumstances, we may use different types of security: IT security, encryption, pseudo anonymization, physical security or well-organized internal principles of processing of personal data only by concretely authorized persons. We protect your data in particular against accidental loss, modification or unauthorized disclosure to third parties.

14. DATA RETENTION

We store and process your data for as long as it is necessary for the purposes for which we do it. We might be obliged by law to keep data for a specific minimum period - we comply with such requirements. In principle, we process your data as long as it is necessary to provide and settle the SaaS or other services.

15. PERSONAL DATA BREACH

In the case where there would be a breach of the personal data protection of a person from the European Union, we would inform this person if this breach may actually have a serious impact on his/her rights, freedoms as well as privacy. In principle, legal provisions require us to inform two entities in the event of the breach of personal data protection: the appropriate supervisory authority and the personal data subject. At the same time, if the privacy of such a person and its other rights are not at risk (the law directly indicates the following cases: the controller implemented appropriate technical and organizational protection measures and these measures have been applied to the personal data the breach relates to, in particular measures such as encryption, preventing from reading by persons without authorized access to these personal data; the controller applied measures to eliminate the probability of the high risk of violation of the rights or freedoms of the data subject) there is no need to worry and in accordance with provisions of law we do not have to inform this person separately.

If a notification of the breach of data protection which concerns person from the European Union would involve a disproportionate effort, a public communication is issued or a similar measure whereby the data subjects are informed about the breach in an equally effective manner.

16. CHANGES TO THIS PRIVACY POLICY

This Policy is effective as of 25 May 2018 and will remain in effect in its current wording until we amend or change it in any manner. In case of any changes – we will let you know about, either by email message or by posting the new Policy on our website, as reasonably practicable. We reserve the right to update or change our Policy at any time. If you continue to use our services after any change of Policy, it means that you agree with such changes.

INFORMATION FOR PERSONS FROM THE EUROPEAN UNION WITHIN THE MEANING OF THE VR GLOBAL SAAS DATA PROTECTION POLICY

Information shall be provided in writing or otherwise, including, where appropriate, electronically. In case of explicit request of the data subject, the information shall be given orally, provided that the identity of the data subject is confirmed by other means. The controller shall refuse to request if the identification of the data subject is not possible. The controller without undue delay – and in any case within one month from receipt of the request – provides the data subject with the information on actions taken in conjunction with the request. If necessary, this period may be extended by another two months due to the complex nature of the request or the number of requests. Within one month from the receipt of the request, the controller shall inform the data subject about such extension, stating the reasons for the delay. If the data subject has forwarded his request electronically, if possible, the information is also transmitted electronically, unless the data subject requests the different form. If the controller fails to take action in relation to the request of the data subject, the controller shall immediately – no later than within one month from the receipt of the request – inform the data subject of the reasons for failure to take action and the possibility of lodging a complaint to the supervisory authority and to exercise available legal remedies before the court. Information provided by the controller as well as communication and actions taken in conjunction with handling requests are free of charge. If the data subjects' requests are manifestly unjustified or excessive, in particular, because of their continuing nature, the controller shall charge a reasonable fee, including administrative costs of providing information, communication or undertaking specific actions, or refusing to take actions in relation to the request. If the controller has reasonable doubts regarding the identity of the natural person submitting the request, the additional information necessary to confirm the identity of the data subject shall be requested.