OVERVIEW

At Play Solana, privacy is treated as part of how technology should work, not as a separate formality. When you visit our website, use the PSG1 device, connect your wallet or contact our team, a limited amount of information about you is processed so that these services can function, remain secure and comply with the law. Sometimes you provide that information directly, such as when creating an account or updating your device, and sometimes it is generated automatically, for example, through diagnostic data or security logs. Everything described in the Policy exists to make that processing transparent, limited to what is necessary and grounded in clear legal purposes.

The Policy applies globally and reflects the highest standards of data protection, including those set by the GDPR in Europe, the UK framework, Brazil’s LGPD, the main U.S. state privacy acts, China’s PIPL, India’s DPDP Act, the UAE’s federal and free-zone laws, and equivalent rules in Canada, Australia, Japan and Korea. Where local law grants stronger protection, that protection always prevails.

This Policy is reviewed every year and may be updated sooner whenever legislation or our processing activities change. If significant updates occur, Play Solana will notify you in a clear and durable way, such as by email, a notice on the device or an alert on our website. Continuing to use our products or services after the effective date means you accept the revised version.

Our products are not intended for children under thirteen years of age, and use by minors between thirteen and eighteen requires parental or guardian consent whenever local law so provides. We do not knowingly collect data from children below the permitted age and erase any such data immediately once identified.

Because blockchain technologies and connected devices involve certain inherent risks, the Policy explains that transactions on the blockchain are irreversible, that Play Solana has no control over external networks, and that we are not custodians of wallets or private keys. Users remain responsible for safeguarding their wallet credentials, even though we apply strong security measures throughout our systems.

Unless your local consumer-protection laws require otherwise, this Policy and any related matters are governed by the laws of the United Arab Emirates, with the courts of Dubai as the default venue, without affecting your right to bring claims before the courts of your own residence.

WHAT DATA WE COLLECT AND WHY

Play Solana processes different types of information depending on how you interact with its ecosystem. When you create or maintain an account, we process your name, contact details, credentials and preferences so that your account can exist and remain secure. When you make a purchase or register a device, we process your order details, billing and shipping information, and payment confirmations to complete the transaction and comply with legal and tax requirements. Device-related information such as model, firmware version, system configuration, crash reports and diagnostic logs may also be processed to ensure that the PSG1 device functions correctly, receives updates and remains protected against technical failures.

When you interact with the device’s software or our services, usage data and configuration settings may be recorded to help us maintain performance and usability. If you initiate on-chain transactions, we process technical metadata such as wallet addresses, transaction identifiers, timestamps and block information only to enable those interactions, without controlling or reversing them, since blockchain data is inherently public and beyond our control. When you contact our support team, we process your messages, attachments and any information needed to provide assistance, verify warranty rights or resolve issues. If you have chosen to receive marketing communications, we process your email and subscription preferences solely with your consent, and you can withdraw it at any time.

Play Solana may also process limited location data derived from network information in order to detect fraud, apply export-control rules or deliver regionally compliant services. Sensitive personal data, such as biometric data for device security or financial identifiers used to prevent fraud, is processed only when strictly necessary, always under explicit consent or clear legal grounds. We do not knowingly collect information from minors, and any such data is erased without delay.

All of these categories of processing are carried out on lawful bases such as the performance of a contract, compliance with legal obligations, or legitimate interests like maintaining security and improving product reliability. Where processing depends on consent, that consent can always be withdrawn.

HOW AND WHEN DATA IS SHARED AND TRANSFERRED

Play Solana does not sell personal data and only shares it when doing so is essential for legitimate reasons described in the Policy. Data may be shared with trusted service providers that act on our behalf to perform functions such as payment processing, logistics and delivery, cloud hosting, analytics, customer support or diagnostics. These providers are bound by strict contractual obligations that limit their use of the information to the services we request and that require them to maintain security and confidentiality at standards equivalent to our own.

In certain cases, information must be shared with independent third parties that play a direct role in how our products function, such as application developers, blockchain networks or wallet operators. When you choose to interact with those external systems, your data becomes subject to their own privacy practices, which are outside Play Solana’s control, and we encourage you to review them carefully before proceeding. Data may also be shared with our corporate affiliates when required for internal administration or, if a merger or restructuring occurs, transferred to a successor entity under the same protections.

Legal or regulatory authorities may receive personal data if disclosure is required by law or necessary to protect rights, comply with court orders, defend against legal claims or ensure product safety. Any disclosure is limited to what is strictly necessary. Personal data may also travel across borders because Play Solana operates a global infrastructure. Whenever data leaves its country of origin, we ensure that appropriate safeguards are in place, such as the European Commission’s Standard Contractual Clauses, the UK Addendum, binding corporate rules or equivalent mechanisms recognised under local law. Transfers to countries without equivalent protections are evaluated through transfer-impact assessments and protected by additional safeguards like encryption, access controls and pseudonymisation.

We comply with regional frameworks governing such transfers, including the GDPR and UK rules for the EEA and UK, the LGPD in Brazil, the CPRA and other U.S. state laws, China’s PIPL, India’s DPDP Act, and the UAE’s federal and free-zone regulations. In all cases, personal data is not knowingly sent to sanctioned jurisdictions or restricted persons, and transactions that would breach sanctions or export-control laws are blocked.

By applying these measures, Play Solana seeks to ensure that data remains protected wherever it travels and that users maintain the same level of rights and transparency regardless of location.

RETENTION, SECURITY AND YOUR RIGHTS

Play Solana keeps personal data only for as long as it is needed to fulfil the purposes described in the Policy, to comply with legal and regulatory obligations, or to resolve disputes and enforce agreements. Retention periods differ according to the nature of the information: account and registration data remain for the lifetime of the account and for a short period afterwards to allow reactivation or handle legal claims; order and payment information is kept for as long as required by tax and accounting rules, typically several years; device and diagnostic data are retained while the product remains in active use and for a limited time afterwards for warranty or safety purposes; communications and support records are stored for a few years after a request is closed, and marketing data are kept only until you withdraw your consent or after a period of inactivity. When data is no longer required, it is deleted, anonymised or securely archived in line with applicable law.

The Policy also explains that Play Solana protects all personal data with a combination of technical and organisational measures intended to maintain its confidentiality, integrity and availability. These include encryption in transit and at rest, access controls, multi-factor authentication, security monitoring, regular vulnerability testing, and strict confidentiality obligations for staff and contractors. Third-party providers are selected and monitored to ensure equivalent safeguards, and incidents are handled through a structured response plan that includes notification to authorities and users whenever required by law. Physical facilities and backups are secured against unauthorised access, and periodic reviews are conducted to strengthen defences and adapt to evolving risks.

Under the laws referenced in the Policy, users enjoy a set of rights concerning their personal data. You may request access to the data we hold about you, ask for corrections when it is inaccurate or incomplete, request its deletion when it is no longer necessary or when consent is withdrawn, and obtain a copy in a portable format where legally applicable. You may also request restriction of processing in certain cases, object to processing based on legitimate interest, and withdraw any consent previously given. Where automated decisions are ever introduced, you will have the right to human review, to express your point of view and to contest the outcome. In jurisdictions such as California, exercising these rights will not result in discrimination or reduced service quality.

Requests can be made through the contact details provided in the Policy, and identity verification may be required to protect your privacy. We respond within the deadlines set by law (generally one month under the GDPR, fifteen days under Brazil’s LGPD and forty-five days under California’s CPRA) and we explain if a legal reason prevents immediate compliance. Users also have the right to lodge complaints with their national data-protection authority or to seek judicial remedies, although Play Solana encourages contacting us first so that any issue can be resolved directly and transparently.

CHILDREN, COOKIES, ON-CHAIN DATA AND CONTACT

Play Solana does not intentionally collect or process personal data from children below the age permitted by law. The PSG1 device and related services are not directed at users under thirteen years of age, and teenagers between thirteen and eighteen may only use them with the consent of a parent or guardian whenever local rules so require. If any information from a minor is found to have been collected without proper consent, it is removed immediately and the processing is discontinued. Parents or guardians who believe that a child has provided data can contact us at the address indicated below so that the situation can be promptly resolved.

Cookies and similar technologies are used in accordance with the explanations set out in the full Policy. Essential cookies are required for the basic operation of the site, while others help us understand performance, improve functionality or remember your preferences. You can manage or disable non-essential cookies through your browser or through the cookie banner available on our website. Choices are respected at all times, and analytical data is only used in aggregated form for legitimate purposes such as security, diagnostics or service optimisation.

Regarding blockchain interactions, the Policy makes clear that Play Solana does not control or alter the content of public ledgers. When you use the PSG1 device or compatible applications to interact with a blockchain, any resulting data recorded on-chain becomes publicly visible by design and cannot be modified or deleted by us. We therefore do not process or store private keys, seed phrases or wallet credentials, and we cannot retrieve them if lost. Users are solely responsible for protecting these elements and for understanding the transparent and irreversible nature of blockchain transactions.

For any question, concern or request about your personal data, you can reach the Play Solana privacy team using the contact details provided in the Policy. All inquiries are handled by authorised personnel under confidentiality duties. Depending on your location, you may also contact your local data-protection authority, but we always encourage you to speak with us first so that issues can be addressed directly and without unnecessary delay.

Play Solana maintains a consistent commitment to transparency, accountability and respect for privacy, applying the same standards worldwide and treating user trust as a fundamental part of how our technology operates.

The tables below summarise the main categories of personal data processed, their purposes, legal bases and retention periods, followed by an outline of user rights and safeguards for international transfers. Regional variations may apply where local law grants additional rights.

This Privacy Policy (“Policy”) is formally reviewed at least once every twelve (12) months and may be updated earlier where required by law. The English version is the sole controlling version; translations are provided for convenience only. In the event of conflict, the English version prevails.

IMPORTANT – PLEASE READ CAREFULLY

This Policy explains how Play Solana LTD, incorporated under the laws of Ras Al Khaimah Digital Assets Oasis (RAK DAO), United Arab Emirates, with its registered office at RAK DAO Business Centre, Al Rifaa, Sheikh Mohammed Bin Zayed Road, Ras Al Khaimah, United Arab Emirates (“Play Solana”, “we”, “us”, or “our”), collects, uses, stores, discloses, transfers, and protects personal data.

This Policy applies globally and covers the Play Solana website (playsolana.com and subdomains), the Play Solana online store (including checkout, payments, shipping, returns, and support), the PSG1 device (including its operating system, software, updates, and connected features), wallet integrations and on-chain interactions performed via the device, as well as communications, customer service, and marketing activities.

By using our Services or the PSG1 Device, you acknowledge that you have read, understood, and agreed to this Policy. IF YOU DO NOT AGREE, YOU MUST IMMEDIATELY STOP USING OUR SERVICES AND DEVICE. YOUR SOLE REMEDY IS TO CEASE USE AND, WHERE APPLICABLE, RETURN THE DEVICE IN ACCORDANCE WITH OUR TERMS OF SERVICE AND YOUR NON-WAIVABLE STATUTORY RIGHTS.

Nothing in this Policy limits or excludes your rights under applicable privacy or consumer laws. Where local law affords stronger protection, that law prevails. This includes, without limitation, the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 / UK GDPR, Brazil’s General Data Protection Law (LGPD) and Consumer Defence Code, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), the U.S. Children’s Online Privacy Protection Act (COPPA), China’s Personal Information Protection Law (PIPL), India’s Digital Personal Data Protection Act (DPDP Act), the UAE Federal Data Protection Law 2021 (including DIFC/ADGM frameworks), Canada’s PIPEDA, the Australian Privacy Act 1988, Japan’s APPI, Korea’s PIPA, and any other national or regional framework applicable to our Services.

We may amend this Policy from time to time. The effective date appears at the top. If changes are material, we will notify you in a durable medium (such as email, device notice, or website banner). CONTINUED USE OF OUR SERVICES OR DEVICE AFTER THE EFFECTIVE DATE CONSTITUTES ACCEPTANCE OF THE REVISED POLICY.

AGE RESTRICTIONS. The PSG1 Device is not intended for use by individuals under thirteen (13) years of age. The Play Solana website and store may be used by individuals aged thirteen (13) to eighteen (18) only with the consent of a parent or legal guardian, unless a higher digital age of consent applies locally (e.g., sixteen (16) in parts of the EU, fourteen (14) in Brazil). WE DO NOT KNOWINGLY COLLECT PERSONAL DATA FROM CHILDREN BELOW THE APPLICABLE LEGAL AGE. IF SUCH DATA IS IDENTIFIED, IT WILL BE ERASED WITHOUT DELAY.

RISKS OF DIGITAL AND BLOCKCHAIN TECHNOLOGIES. Use of digital devices and blockchain-based technologies involves inherent risks, including: IRREVERSIBLE BLOCKCHAIN TRANSACTIONS; VOLATILITY OF DIGITAL ASSETS; FAILURES, FORKS, REORGANISATIONS, OR EXPLOITS AT PROTOCOL LEVEL; RELIANCE ON THIRD-PARTY NETWORKS OR INFRASTRUCTURE OUTSIDE OUR CONTROL; SECURITY VULNERABILITIES, MALWARE, OR UNAUTHORISED ACCESS; AND POTENTIAL LOSS OF DATA OR FUNCTIONALITY IF UPDATES ARE NOT INSTALLED. PLAY SOLANA IS NOT A CUSTODIAN. WE DO NOT STORE, CONTROL, OR RECOVER PRIVATE KEYS, SEED PHRASES, OR WALLET CREDENTIALS. RESPONSIBILITY FOR SAFEGUARDING SUCH INFORMATION RESTS ENTIRELY WITH YOU. NO TECHNOLOGY OR NETWORK CAN BE GUARANTEED AS COMPLETELY SECURE, AND RESIDUAL RISK REMAINS DESPITE SAFEGUARDS.

GOVERNING LAW AND JURISDICTION. Unless otherwise required by mandatory consumer law, this Policy and any dispute arising from it are governed by and construed in accordance with the laws of the United Arab Emirates, with venue lying exclusively in the courts of Dubai, UAE, without prejudice to the right of consumers to bring claims in the courts of their place of residence. In case of conflict between this Policy and the Play Solana Terms of Service (Site & Store) or Terms of Use (Device & Software), this Policy prevails solely with respect to the processing of personal data.

1. DEFINITIONS

1.1 “Account” means a personal profile registered with Play Solana, enabling purchases, device setup, or access to Services, including associated credentials, preferences, and order history.

1.2 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with Play Solana Ltd.

1.3 “Applicable Law” means all laws, regulations, directives, and binding guidance relevant to personal data or consumer rights, including but not limited to the EU General Data Protection Regulation (GDPR); the UK Data Protection Act 2018 / UK GDPR; the Brazilian General Data Protection Law (LGPD) and Consumer Defence Code; the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA); the U.S. Children’s Online Privacy Protection Act (COPPA) and other U.S. state privacy laws (including Colorado, Virginia, Connecticut, Utah, and subsequent state acts in force); the Chinese Personal Information Protection Law (PIPL); the Indian Digital Personal Data Protection Act (DPDP Act); the UAE Federal Data Protection Law 2021 (including DIFC/ADGM frameworks); the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA); the Australian Privacy Act 1988 (as amended); the Japanese Act on the Protection of Personal Information (APPI); the Korean Personal Information Protection Act (PIPA); and any other national or regional privacy framework applicable in jurisdictions where Play Solana operates or its products are offered.

1.4 “Blockchain Data” means data recorded on a distributed ledger or blockchain, including wallet addresses, transaction identifiers, smart contract interactions, and on-chain metadata. Such data may be inherently public, immutable, and beyond Play Solana’s control.

1.5 “Child” or “Minor” means any individual below the age thresholds set by Applicable Law, including under thirteen (13) years of age in the United States (COPPA), under thirteen (13) for Play Solana Device use globally, under fourteen (14) in Brazil, under sixteen (16) in certain EU Member States, or under higher thresholds where mandated locally.

1.6 “Controller” means the natural or legal person which, alone or jointly with others, determines the purposes and means of processing personal data, as defined under GDPR Article 4(7) and equivalent provisions in other jurisdictions.

1.7 “Cookies and Similar Technologies” means small files, code, or scripts stored or executed on a device, including HTTP cookies, HTML5 local storage, SDKs, pixels, tags, telemetry scripts, or other tracking mechanisms.

1.8 “Customer Data” means information collected when you place an order in our Store, including billing address, shipping address, payment confirmation, delivery tracking information, and order history.

1.9 “Data Breach” means any security incident leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data, regardless of whether harm is immediately evident.

1.10 “Device” means the Play Solana PSG1 console and any future hardware product manufactured, distributed, or supported by Play Solana, including its operating system, firmware, pre-installed applications, secure elements, and connected Services.

1.11 “Durable Medium” means any medium which enables the user to store information addressed personally to them in a way accessible for future reference for a period adequate for the purposes of the information, and which allows the unchanged reproduction of the information stored (e.g., email, PDF, or printed document).

1.12 “On-Chain Interactions” means any transaction, smart contract execution, signature, or blockchain communication initiated through the Device or Play Solana Services. Play Solana does not validate, reverse, or control such interactions.

1.13 “Partner” or “Third Party” means any natural or legal person other than Play Solana, its employees, or its Affiliates, with whom Play Solana cooperates to provide Services, including payment processors, logistics providers, app developers, and analytics vendors.

1.14 “Personal Data” (also “Personal Information” or “Personally Identifiable Information”) means any information relating to an identified or identifiable natural person, as defined under GDPR Article 4(1), LGPD Article 5(I), CPRA §1798.140, PIPL Article 4, and equivalent provisions. Examples include name, email, shipping address, IP address, device identifier, or blockchain wallet address when reasonably linkable to an individual.

1.15 “Processing” means any operation or set of operations performed on personal data, whether automated or not, including collection, recording, organisation, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, or destruction, as defined under GDPR Article 4(2) and equivalent laws.

1.16 “Processor” means a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the Controller.

1.17 “Sanctioned Jurisdiction” or “Restricted Person” means any country, region, government, entity, or individual subject to trade restrictions, embargoes, or sanctions administered under Applicable Law, including but not limited to OFAC (U.S.), EU, UK, UN, and other regimes.

1.18 “Sensitive Personal Data” (also “Special Categories of Data”) means categories of data afforded additional protection under Applicable Law, including biometric identifiers, genetic data, precise geolocation, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sexual orientation, or data concerning minors.

1.19 “Services” means the Play Solana website, online Store, device-related Services, firmware and software updates, wallet integrations, on-chain interactions, customer support, and related offerings.

1.20 “Telemetry Data” means system and performance data collected from the Device or Software for purposes of diagnostics, updates, error reporting, and product improvement, subject to user settings and Applicable Law.

1.21 “Updates” means patches, firmware upgrades, software releases, or security improvements provided by Play Solana for the Device or related Services.

1.22 “User Content” means data, text, files, images, or communications voluntarily submitted by users through the Device, website, Store, or related Services.

1.23 “Wallet” means a cryptographic mechanism, whether hardware or software, enabling blockchain transactions and custody of digital assets. For clarity, Play Solana does not act as a custodian and does not store or recover private keys or seed phrases.

2. CATEGORIES OF DATA COLLECTED

2.1. Account and Registration Data. When you create or maintain a Play Solana account, we process data such as your name, email address, shipping and billing details, login credentials, and account preferences. We may also record your order history and device registration information linked to your account.

2.2. Order, Payment, and Transaction Data. When you place an order through the Play Solana Store, we process information relating to your purchase, including products ordered, payment method, billing and shipping details, order identifiers, and confirmation of payment, refund, or chargeback. Sensitive payment information, such as full credit card numbers, is not stored by Play Solana and is processed exclusively by certified third-party payment providers.

2.3. Device Data. When you use the PSG1 Device, we may process device-related information such as hardware identifiers, model, operating system and firmware version, device language and region settings, network identifiers (including IP address and MAC address), and logs of updates and error reports. Telemetry and diagnostic data, including crash reports and performance metrics, may also be processed in order to maintain and improve the Device.

2.4. Software and Usage Data. When you interact with Device software or Play Solana Services, we may collect data about application usage, configuration settings, update history, and the way you interact with support or help features.

2.5. On-Chain and Wallet-Related Data. When you initiate on-chain transactions through the Device, we may process wallet addresses, transaction identifiers, smart contract calls, and metadata such as gas fees, timestamps, and block height. BLOCKCHAIN DATA IS INHERENTLY PUBLIC, IMMUTABLE, AND OUTSIDE PLAY SOLANA’S CONTROL. PLAY SOLANA DOES NOT STORE, CONTROL, OR RECOVER PRIVATE KEYS, SEED PHRASES, OR WALLET CREDENTIALS. RESPONSIBILITY FOR THE SAFEKEEPING OF SUCH CREDENTIALS RESTS SOLELY WITH YOU.

2.6. Communication and Support Data. When you contact Play Solana for support, warranty, or inquiries, we may process correspondence, transcripts of calls or chats, attachments or screenshots you provide, and identifiers linked to your account or Device.
2.7. Marketing and Preference Data. When you opt in to receive marketing communications, we process information relating to your subscription preferences, your interactions with campaigns, and your participation in promotions, events, or surveys. Processing of such data takes place only with your consent where required by Applicable Law. YOU MAY WITHDRAW CONSENT AT ANY TIME, WITHOUT PREJUDICE TO THE LAWFULNESS OF PROCESSING BASED ON CONSENT BEFORE ITS WITHDRAWAL.

2.8. Location Data. Depending on your settings, we may process approximate geolocation derived from your IP address or regional settings, or precise geolocation if you enable location services on the Device. Where required by law, such processing takes place only with your explicit consent.

2.9. Sensitive Personal Data. Play Solana generally does not collect sensitive categories of data. However, such data may arise in limited contexts, such as biometric identifiers or security features you choose to enable on the Device, financial account identifiers, or data concerning minors where parental consent is required. SUCH PROCESSING IS CARRIED OUT ONLY WITH YOUR EXPLICIT CONSENT OR WHERE STRICTLY REQUIRED BY APPLICABLE LAW.

2.10. Automatically Collected Data. When you use our Website or Store, we may process information automatically collected through cookies and similar technologies, including browser type, operating system, IP address, date and time of access, referrer URL, and identifiers stored locally. NON-ESSENTIAL COOKIES REQUIRE YOUR CONSENT, AND DISABLING THEM MAY AFFECT THE FUNCTIONALITY OF THE WEBSITE.

2.11. Third-Party Data. We may receive data about you from third parties, including logistics partners (delivery status and tracking information), payment providers (confirmation of successful or failed transactions), app developers or marketplaces integrated with the Device, and competent authorities where legally required.

2.12. Data Concerning Minors. WE DO NOT KNOWINGLY COLLECT PERSONAL DATA FROM INDIVIDUALS BELOW THE MINIMUM LEGAL AGE. Where such data is inadvertently obtained without valid consent, IT WILL BE ERASED WITHOUT DELAY.

2.13. Aggregated or Anonymised Data. We may also process data in aggregated or anonymised form that cannot reasonably be used to identify an individual. SUCH DATA IS NOT CONSIDERED PERSONAL DATA UNDER APPLICABLE LAW, PROVIDED IT CANNOT BE RE-IDENTIFIED.

3. PURPOSES OF PROCESSING AND LEGAL BASES

3.1. Account Creation and Management. We process your account and registration data, including identifiers, login credentials, preferences, and order history, to enable you to create, manage, and secure a Play Solana account. This includes verifying your identity, enforcing password and authentication requirements, managing account settings, preventing unauthorised access, and linking your Device to your account. The legal basis is the performance of a contract (Article 6(1)(b) GDPR; LGPD Article 7(V)) and, where minors are involved, compliance with applicable parental consent requirements. We also rely on our legitimate interests (Article 6(1)(f) GDPR) to maintain the integrity and security of accounts.

3.2. Order Processing, Payments, and Delivery. We process personal data relating to your orders in order to confirm purchases, handle billing, arrange shipping, calculate applicable taxes, and comply with customs requirements. This may include sharing your name, contact details, and address with logistics partners, and sharing payment confirmation with financial institutions. SENSITIVE PAYMENT CREDENTIALS ARE NEVER STORED BY PLAY SOLANA AND ARE PROCESSED EXCLUSIVELY BY CERTIFIED PROVIDERS (E.G., PCI DSS COMPLIANT). The legal basis is the performance of a contract and compliance with legal obligations (consumer protection, tax, accounting).

3.3. Operation and Maintenance of the Device and Software. We process device and software data, such as identifiers, system configuration, diagnostic logs, error reports, update status, and performance metrics, to ensure the PSG1 Device operates correctly and remains secure. Processing is necessary to deliver software and firmware updates, to correct defects, and to maintain compatibility with third-party applications. The legal basis is contract performance, combined with our legitimate interest in improving product reliability (Article 6(1)(f) GDPR). WHERE TELEMETRY EXTENDS BEYOND WHAT IS STRICTLY NECESSARY, YOUR CONSENT WILL BE REQUESTED.

3.4. On-Chain Transactions and Wallet Interactions. We process blockchain-related metadata, including wallet addresses and transaction identifiers, solely to enable you to initiate transactions via the Device. For clarity, Play Solana does not validate or reverse blockchain transactions and cannot recover lost credentials. WE DO NOT STORE, CONTROL, OR RECOVER PRIVATE KEYS, SEED PHRASES, OR WALLET CREDENTIALS. The legal basis is contract performance. In jurisdictions where blockchain identifiers are deemed personal data (e.g., EU, Brazil), we treat them as such and apply equivalent safeguards.

3.5. Customer Support, Repairs, and Warranty Services. We process communications, transcripts, and attachments provided during support interactions to resolve issues, provide technical guidance, and handle warranty or repair claims. This may require linking your communications to your account or Device identifiers. The legal basis is contract performance, combined with our legitimate interests in providing quality support. Support communications may also be retained for compliance with legal obligations (e.g., consumer law in the EU, LGPD in Brazil).

3.6. Marketing and Promotions. We process your email address, preferences, and campaign interaction data to send newsletters, promotions, or invitations. Processing occurs only with prior consent where required by law (GDPR, LGPD, CPRA “opt-in” for minors). YOU MAY OPT OUT AT ANY TIME. WE DO NOT SELL PERSONAL DATA TO THIRD PARTIES, AND WE DO NOT PROFILE YOU FOR TARGETED ADVERTISING WITHOUT YOUR CONSENT WHERE REQUIRED.

3.7. Location-Based Services. We process approximate location derived from IP addresses to enforce geoblocking (e.g., export control), provide relevant content, detect fraud, and comply with sanctions regimes. Where you enable precise location services on the Device, this processing is subject to your explicit consent. The legal basis is consent or legitimate interest, depending on jurisdiction.

3.8. Processing of Sensitive Personal Data. Sensitive data, such as biometrics used for Device security, is processed only where you choose to enable such features, and only under explicit consent (Article 9(2)(a) GDPR; LGPD Article 11). Financial identifiers may also be processed where required for fraud prevention. SUCH PROCESSING IS STRICTLY LIMITED TO WHAT IS NECESSARY AND PERMITTED BY APPLICABLE LAW.

3.9. Security, Fraud Prevention, and Abuse Detection. We process IP addresses, device identifiers, login attempts, transaction metadata, and communications to prevent fraud, detect abuse, monitor suspicious activities, and secure our networks. For example, multiple failed login attempts may trigger protective measures. The legal basis is legitimate interest (Article 6(1)(f) GDPR), balanced against your rights. IN CALIFORNIA, SUCH PROCESSING QUALIFIES AS A “BUSINESS PURPOSE” UNDER CPRA.

3.10. Compliance with Legal and Regulatory Obligations. We process personal data to comply with mandatory obligations, including tax and accounting laws, product safety rules, warranty requirements, anti-money laundering (AML) and counter-terrorist financing (CFT) regulations, and export control laws. For instance, we may retain invoice data for statutory retention periods or verify delivery addresses against sanctioned jurisdiction lists. The legal basis is compliance with legal obligation (Article 6(1)(c) GDPR; LGPD Article 7(II)).

3.11. Product Improvement, Research, and Analytics. We may process device and usage data, anonymised where possible, to understand user behaviour, identify performance issues, and develop new features. Aggregated data may be used for analytics, provided it cannot reasonably be re-identified. The legal basis is legitimate interest (product development) and, where required, consent.

3.12. Record-Keeping and Business Continuity. We may retain records of transactions, support tickets, and device updates as part of our internal record-keeping and to ensure business continuity. This includes backups, disaster recovery, and compliance audits. The legal basis is legitimate interest and legal obligation.

3.13. Other Purposes Consistent with the Above. We may process data for purposes reasonably related or compatible with those described above, including training of staff, quality assurance, or enforcement of our Terms. WHERE REQUIRED BY APPLICABLE LAW, WE WILL SEEK YOUR CONSENT OR PROVIDE FURTHER NOTICE.

4. DATA SHARING AND THIRD PARTIES

4.1. General Principle. WE DO NOT SELL PERSONAL DATA. We share personal data only where necessary to provide the Services, comply with Applicable Law, protect our rights, or where you have provided consent. All third parties receiving personal data are bound by contractual obligations to process such data securely, lawfully, and only for the purposes instructed by Play Solana.

4.2. Service Providers and Processors. We share data with trusted service providers acting as processors on our behalf, including payment processors and financial institutions (to handle transactions securely), logistics and shipping providers (to deliver products and manage returns), cloud hosting and IT providers (to maintain infrastructure and backups), analytics and diagnostics vendors (to monitor performance and detect issues), and customer support partners (to handle inquiries and warranty services). THESE PROVIDERS ARE CONTRACTUALLY RESTRICTED FROM USING YOUR DATA FOR THEIR OWN PURPOSES.

4.3. Third-Party Applications and Integrations. When you use applications, marketplaces, or wallets integrated with the Device, certain data may be shared with those third parties in order to enable functionality. For example, initiating a blockchain transaction requires disclosure of your wallet address and transaction metadata to the relevant blockchain network. SUCH THIRD PARTIES ARE INDEPENDENT CONTROLLERS OF YOUR DATA AND APPLY THEIR OWN PRIVACY POLICIES. PLAY SOLANA DOES NOT CONTROL OR TAKE RESPONSIBILITY FOR HOW SUCH PARTIES PROCESS PERSONAL DATA ONCE DISCLOSED.

4.4. Affiliates and Corporate Transactions. We may share data with our corporate Affiliates (subsidiaries and holding companies) where necessary for group operations, subject to equivalent safeguards. In the event of a merger, acquisition, reorganisation, or sale of assets, your data may be transferred to the successor entity, SUBJECT ALWAYS TO THIS POLICY AND APPLICABLE LAW.

4.5. Legal and Regulatory Disclosures. We may disclose personal data to competent authorities, courts, regulators, or law enforcement where legally required, including to comply with subpoenas, court orders, or regulatory obligations. We may also disclose data where necessary to enforce our Terms, protect our rights, defend against legal claims, prevent fraud, or ensure product safety. SUCH DISCLOSURES WILL ALWAYS BE LIMITED TO WHAT IS STRICTLY NECESSARY.

4.6. International Transfers. Where personal data is transferred across borders, including to jurisdictions outside the European Economic Area (EEA) or your country of residence, we ensure adequate safeguards are in place. These may include adequacy decisions by the European Commission, Standard Contractual Clauses (SCCs) approved by the EU or UK, binding corporate rules, or other mechanisms recognised by Applicable Law. TRANSFERS TO COUNTRIES WITHOUT EQUIVALENT PROTECTIONS ARE SUBJECT TO ADDITIONAL RISK ASSESSMENTS AND SAFEGUARDS.

4.7. Sanctioned Jurisdictions and Restricted Persons. WE DO NOT KNOWINGLY PROVIDE SERVICES TO, OR TRANSFER DATA TO, COUNTRIES, ENTITIES, OR INDIVIDUALS SUBJECT TO SANCTIONS, EMBARGOES, OR EXPORT CONTROLS. We may block transactions, accounts, or deliveries linked to sanctioned jurisdictions or persons, in line with OFAC, EU, UK, UN, UAE, and other regimes.

4.8. Research, Analytics, and Aggregated Data. We may share aggregated or anonymised data with partners, researchers, or the public for purposes such as understanding device performance, improving Services, or analysing blockchain usage patterns. SUCH DATA CANNOT REASONABLY BE USED TO IDENTIFY YOU AND IS NOT CONSIDERED PERSONAL DATA UNDER APPLICABLE LAW, PROVIDED IT CANNOT BE RE-IDENTIFIED.

4.9. Consent-Based Sharing. In certain cases, such as joint promotions, marketing campaigns, or optional integrations, WE WILL SHARE DATA ONLY WITH YOUR EXPLICIT CONSENT. YOU MAY WITHDRAW CONSENT AT ANY TIME, WITHOUT AFFECTING THE LAWFULNESS OF PRIOR SHARING.

4.10. Residual Risks of Third-Party Processing. Despite safeguards, once data is shared with independent third parties (including blockchain networks, wallet providers, or external applications), PLAY SOLANA CANNOT FULLY CONTROL HOW SUCH DATA IS PROCESSED. USERS ARE STRONGLY ADVISED TO CAREFULLY REVIEW THE PRIVACY PRACTICES OF SUCH THIRD PARTIES BEFORE ENGAGING WITH THEIR SERVICES.

5. INTERNATIONAL DATA TRANSFERS

5.1. General Principle. Play Solana operates a global ecosystem. This means that your personal data may be transferred to, stored in, or accessed from countries outside your country of residence, including jurisdictions that may not provide the same level of protection as your home country. Transfers may occur, for example, when data is stored on cloud servers abroad, when logistics partners deliver Devices across borders, or when blockchain transactions are processed by nodes outside your jurisdiction. WHERE PERSONAL DATA IS TRANSFERRED, WE IMPLEMENT SAFEGUARDS TO ENSURE A LEVEL OF PROTECTION CONSISTENT WITH APPLICABLE LAW.

5.2. Transfers from the European Economic Area (EEA) and the United Kingdom. For transfers from the EEA or UK to countries without an adequacy decision from the European Commission or UK Government, we rely on safeguards such as the European Commission Standard Contractual Clauses (SCCs), including modules adapted to controller-to-controller and controller-to-processor transfers; the UK International Data Transfer Addendum; binding corporate rules where applicable; and supplementary measures such as strong encryption, key separation, access minimisation, and data pseudonymisation. WE ALSO CONDUCT TRANSFER IMPACT ASSESSMENTS (TIAs) TO EVALUATE THE LEGAL ENVIRONMENT OF THE RECIPIENT COUNTRY, INCLUDING RISKS OF ACCESS BY PUBLIC AUTHORITIES, AND ADJUST SAFEGUARDS ACCORDINGLY.

5.3. Transfers from Brazil (LGPD). Where data originates in Brazil, we rely on mechanisms authorised by the ANPD, including contractual clauses, consent, or international cooperation agreements. Sensitive data is transferred abroad only under explicit consent or strict necessity. USERS IN BRAZIL MAY REQUEST FURTHER INFORMATION ON SAFEGUARDS THROUGH OUR PRIVACY CONTACT AT LEGAL@PLAYSOLANA.COM
.

5.4. Transfers from the United States. We may transfer personal data across U.S. state lines or internationally for processing. Where U.S. state privacy laws (including CPRA, Colorado, Virginia, Connecticut, Utah, and others entering into force after 2023) impose additional obligations, WE ENSURE EQUIVALENT PROTECTIONS THROUGH SERVICE PROVIDER CONTRACTS, AUDIT RIGHTS, AND SECURITY SAFEGUARDS.

5.5. Transfers from China (PIPL). For data originating in China, cross-border transfers are subject to PIPL requirements, including mandatory government security assessments for large-scale or sensitive transfers, certifications by authorised bodies, or contractual clauses with overseas recipients. PLAY SOLANA DOES NOT KNOWINGLY TRANSFER DATA FROM CHINA WITHOUT FULL COMPLIANCE WITH THESE REQUIREMENTS.

5.6. Transfers from India (DPDP Act). Under the Indian DPDP Act, data may only be transferred outside India in accordance with rules prescribed by the Indian Data Protection Board. WE COMPLY WITH ALL SUCH RESTRICTIONS AND IMPLEMENT CONTRACTUAL SAFEGUARDS WHERE REQUIRED.

5.7. Transfers from the UAE and Free Zones. Transfers from the UAE are regulated by Federal Law No. 45/2021, while DIFC and ADGM free zones have independent frameworks aligned with GDPR principles. WE ENSURE THAT ANY TRANSFER OUT OF THE UAE IS BASED ON ADEQUACY FINDINGS OR APPROPRIATE SAFEGUARDS, CONSISTENT WITH THE REQUIREMENTS OF APPLICABLE LAW.

5.8. Transfers from Other Jurisdictions. We also comply with local requirements in Canada (PIPEDA), Australia (Privacy Act 1988), Japan (APPI), Korea (PIPA), and other jurisdictions, applying contractual or consent-based conditions where necessary. WHERE REQUIRED, WE IMPLEMENT SUPPLEMENTARY SAFEGUARDS SUCH AS ENCRYPTION, ACCESS RESTRICTIONS, AND DATA MINIMISATION TO PROTECT TRANSFERRED DATA.

5.9. Sanctions and Export Controls. WE DO NOT KNOWINGLY TRANSFER PERSONAL DATA TO SANCTIONED JURISDICTIONS OR RESTRICTED PERSONS. Transfers that would contravene OFAC (U.S.), EU, UK, UN, OR UAE SANCTIONS REGIMES ARE BLOCKED, AND WE RESERVE THE RIGHT TO SUSPEND OR TERMINATE SERVICES WHERE EXPORT CONTROL LAWS PROHIBIT TRANSFER OR DELIVERY.

5.10. Residual Risks and Government Access. Although we apply strict safeguards, transfers to third countries may still expose data to access by public authorities under foreign laws. WE CANNOT ELIMINATE THESE RISKS ENTIRELY. USERS SHOULD BE AWARE THAT IN SOME JURISDICTIONS, GOVERNMENT AGENCIES MAY HAVE BROADER POWERS TO ACCESS DATA THAN IN THEIR COUNTRY OF RESIDENCE.

5.11. Right to Obtain Information. You have the right, under GDPR (Articles 13–15), LGPD (Article 18), and similar laws, to request details of the safeguards we apply to cross-border transfers, including a copy of the relevant SCCs or contractual commitments. REQUESTS SHOULD BE DIRECTED TO OUR PRIVACY CONTACT AT legal@playsolana.com.

5.12. User Consent Where Required. In some jurisdictions, such as Brazil and certain sectors under GDPR, explicit consent may be required for international transfers. WHERE APPLICABLE LAW REQUIRES EXPLICIT CONSENT, WE WILL OBTAIN IT IN ADVANCE. YOU MAY WITHDRAW CONSENT AT ANY TIME, WITHOUT AFFECTING THE LAWFULNESS OF TRANSFERS ALREADY COMPLETED.

6. DATA RETENTION AND DELETION

6.1. General Principle. Play Solana retains personal data only for as long as necessary to fulfil the purposes described in this Policy, to comply with legal or regulatory obligations, to resolve disputes, and to enforce agreements. WHEN PERSONAL DATA IS NO LONGER REQUIRED, WE DELETE, ANONYMISE, OR SECURELY ARCHIVE IT, IN ACCORDANCE WITH APPLICABLE LAW AND INDUSTRY STANDARDS.

6.2. Retention by Category of Data.

• Account and Registration Data: Retained for the lifetime of your account and up to six (6) years after closure, to allow for reactivation, handle disputes, and comply with statutory limitation periods.

• Order, Payment, and Transaction Data: Retained for at least seven (7) years after the transaction, or longer where tax, accounting, or consumer laws require (e.g., EU VAT Directive, Brazilian tax law, U.S. IRS rules).

• Device and Software Data: Retained for as long as you actively use the Device, plus up to two (2) years for diagnostic and warranty purposes, unless you request earlier deletion.

• On-Chain and Wallet Data: Blockchain data is public and cannot be erased by Play Solana. Metadata we process (e.g., logs of transactions initiated via the Device) is retained for up to three (3) years, unless longer retention is required for AML/CFT or fraud prevention.

• Communication and Support Data: Retained for a minimum of three (3) years after closure of the support ticket, and longer where consumer law requires (e.g., EU Directive 2019/771 on sale of goods, Brazilian CDC).

• Marketing and Preference Data: Retained until you withdraw consent or opt out, and in any event no longer than two (2) years after your last interaction with Play Solana marketing, unless local law permits longer.

• Location Data: Retained only as long as necessary for the session, unless stored as part of Device logs for diagnostics (in which case up to two (2) years).

• Sensitive Personal Data: Retained only for the minimum period strictly necessary and deleted or anonymised as soon as the purpose is fulfilled, unless law requires longer storage.

• Cookies and Automatically Collected Data: Retention periods vary by type (session cookies deleted when you close the browser; persistent cookies retained up to two (2) years, unless you delete them earlier).

6.3. Legal and Regulatory Retention Requirements. Certain jurisdictions impose minimum or maximum retention periods. For example: GDPR (EU/EEA) requires data to be kept no longer than necessary (Article 5(1)(e)); LGPD (Brazil) permits retention for legal or regulatory obligations (Article 16); CPRA (California) requires businesses to disclose retention periods and prohibits indefinite storage without justification; PIPL (China) requires data to be deleted once purposes are fulfilled, unless otherwise provided by law; DPDP (India) imposes a storage limitation principle requiring erasure when no longer necessary.

6.4. Criteria Used to Determine Retention. We determine retention periods based on: (i) the nature and sensitivity of the data; (ii) the purpose of processing and whether that purpose can be achieved by other means; (iii) statutory retention obligations (e.g., tax, AML, warranty, consumer protection); (iv) limitation periods for legal claims; and (v) our legitimate interests in maintaining records for security, auditing, and continuity.

6.5. Secure Deletion and Anonymisation. When retention periods expire, personal data is either securely deleted using industry-standard methods; irreversibly anonymised so that it can no longer be linked to an individual; or archived in a restricted-access environment if required by law.

6.6. User Rights Regarding Retention. You have the right, under GDPR, LGPD, CPRA, PIPL, and equivalent laws, to request erasure of your personal data. WE WILL HONOUR SUCH REQUESTS EXCEPT WHERE RETENTION IS REQUIRED BY LAW (E.G., FOR TAX OR LEGAL OBLIGATIONS) OR WHERE OVERRIDING LEGITIMATE INTERESTS EXIST. You may also request information about specific retention periods applicable to your data.

6.6A. Post-Termination Anonymisation. Where you permanently cease using our Services or delete your account, you may request that Play Solana anonymise or pseudonymise residual data relating to your profile or preferences, provided that such anonymisation does not conflict with legal obligations or legitimate interests. ONCE ANONYMISED, THE DATA WILL NO LONGER BE CONSIDERED PERSONAL DATA UNDER APPLICABLE LAW.

6.7. Residual Risks. Although Play Solana deletes or anonymises data according to the principles above, RESIDUAL COPIES MAY REMAIN IN BACKUPS OR LOGS FOR A LIMITED PERIOD, AFTER WHICH THEY ARE OVERWRITTEN. SUCH COPIES ARE NOT ACTIVELY PROCESSED AND ARE SUBJECT TO STRICT ACCESS CONTROLS.

6.8. Logs, Backups, and Disaster Recovery. In addition to the above, Play Solana maintains backup copies and system logs as part of its disaster recovery and business continuity processes. THESE BACKUPS AND LOGS ARE RETAINED FOR LIMITED PERIODS AND ARE AUTOMATICALLY OVERWRITTEN OR DELETED IN ACCORDANCE WITH OUR SECURITY POLICIES. They are not actively processed except where strictly necessary to restore Services following an outage or incident, and they remain subject to strict technical and organisational safeguards.

7. DATA SUBJECT RIGHTS

7.1. General Statement. In accordance with Applicable Law, you have a series of rights regarding the personal data we process about you. THESE RIGHTS ARE NOT UNLIMITED, AND IN SOME CIRCUMSTANCES WE MAY RESTRICT THEIR EXERCISE WHERE NECESSARY TO PROTECT THE RIGHTS AND FREEDOMS OF OTHERS, TO COMPLY WITH LEGAL OBLIGATIONS, OR TO PRESERVE THE INTEGRITY OF AN INVESTIGATION. Requests to exercise rights must be submitted through the contact details set out in this Policy, and we will acknowledge and respond within the deadlines prescribed by law. For example, under the GDPR the response period is one month, under the LGPD it is fifteen (15) days, and under the CPRA it is forty-five (45) days. NOTHING IN THIS POLICY SHALL BE INTERPRETED AS RESTRICTING OR EXCLUDING ANY NON-WAIVABLE STATUTORY RIGHTS YOU MAY HAVE UNDER APPLICABLE LAW.

7.2. Right of Access. You have the right to obtain confirmation as to whether or not Play Solana processes personal data concerning you. Where we do, you are entitled to receive a copy of such data together with information about the purposes of processing, the categories of data involved, the recipients to whom the data has been disclosed, the envisaged retention periods, the safeguards applied in the context of international transfers, and, where the data has not been collected directly from you, the sources from which it originated. Access will be provided in a structured and intelligible format, SUBJECT ALWAYS TO THE LIMITATION THAT DISCLOSURE MUST NOT ADVERSELY AFFECT THE RIGHTS AND FREEDOMS OF OTHERS.

7.3. Right to Rectification. You have the right to request that we correct any personal data that is inaccurate and to have incomplete data completed. Play Solana will implement such corrections without undue delay and will also endeavour to notify third parties to whom the data has been disclosed so that they may update their own records, UNLESS SUCH NOTIFICATION IS IMPOSSIBLE OR WOULD INVOLVE DISPROPORTIONATE EFFORT.

7.4. Right to Erasure (“Right to be Forgotten”). You may request the deletion of your personal data in specific circumstances, including when the data is no longer necessary for the purposes for which it was collected, when you withdraw consent and no other legal basis for processing exists, when you have successfully exercised your right to object, when the processing was unlawful, or when deletion is required by Applicable Law. HOWEVER, WE MAY RETAIN DATA WHERE NECESSARY FOR COMPLIANCE WITH LEGAL OBLIGATIONS SUCH AS TAX AND ACCOUNTING RULES, FOR THE ESTABLISHMENT, EXERCISE, OR DEFENCE OF LEGAL CLAIMS, FOR EXERCISING FREEDOM OF EXPRESSION OR INFORMATION, OR FOR REASONS OF PUBLIC INTEREST SUCH AS HEALTH, SCIENTIFIC RESEARCH, OR ARCHIVAL REQUIREMENTS.

7.5. Right to Restriction of Processing. You have the right to request that we restrict the processing of your personal data in certain situations. This includes circumstances where you contest the accuracy of the data (allowing us time to verify it), where the processing is unlawful but you prefer restriction rather than deletion, where we no longer need the data for the purposes of processing but you require it for the establishment, exercise, or defence of legal claims, or where you have objected to processing and verification of overriding legitimate grounds is pending. DURING THE PERIOD OF RESTRICTION, WE WILL STORE YOUR DATA BUT WILL NOT OTHERWISE PROCESS IT, EXCEPT WITH YOUR CONSENT OR AS REQUIRED FOR LEGAL CLAIMS OR THE PROTECTION OF THE RIGHTS OF OTHERS.

7.6. Right to Object to Processing. You may object at any time, on grounds relating to your particular situation, to the processing of your personal data that is based on our legitimate interests or on the performance of a task carried out in the public interest. If you object, WE WILL CEASE SUCH PROCESSING UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS THAT OVERRIDE YOUR INTERESTS, RIGHTS, AND FREEDOMS, OR UNLESS THE PROCESSING IS NECESSARY FOR THE ESTABLISHMENT, EXERCISE, OR DEFENCE OF LEGAL CLAIMS. WHERE DATA IS PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE AN UNCONDITIONAL RIGHT TO OBJECT, AND UPON OBJECTION WE WILL CEASE ALL SUCH MARKETING COMMUNICATIONS WITHOUT DELAY.

7.7. Right to Data Portability. You have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and to transmit that data to another controller without hindrance from us. This right applies where the processing is based on consent or on a contract and is carried out by automated means. WHERE TECHNICALLY FEASIBLE, YOU MAY ALSO REQUEST THAT WE TRANSMIT THE DATA DIRECTLY TO ANOTHER CONTROLLER. This right does not apply where it would adversely affect the rights or freedoms of others.

7.8. Right to Withdraw Consent. Where processing is based on your consent, YOU HAVE THE RIGHT TO WITHDRAW THAT CONSENT AT ANY TIME. Withdrawal does not affect the lawfulness of processing carried out prior to the withdrawal. WE WILL IMPLEMENT YOUR CHOICE PROMPTLY AND ENSURE THAT NO FURTHER PROCESSING BASED ON CONSENT OCCURS ONCE IT HAS BEEN WITHDRAWN.

7.9. Right Not to be Discriminated Against. In jurisdictions such as California under the CPRA, YOU HAVE THE RIGHT NOT TO BE DISCRIMINATED AGAINST FOR EXERCISING YOUR PRIVACY RIGHTS. This means that Play Solana will not deny services, charge different prices, or provide a different quality of service solely because you have exercised your data protection rights. WHERE DIFFERENTIATION IS PERMITTED BY LAW (FOR EXAMPLE, WHERE THE PROVISION OF CERTAIN SERVICES REQUIRES THE PROCESSING OF PERSONAL DATA THAT YOU HAVE REQUESTED US TO DELETE), WE WILL EXPLAIN THIS CLEARLY.

7.10. Right to Human Review of Automated Decisions. Where Applicable Law provides, including under the GDPR, LGPD, and other frameworks, YOU HAVE THE RIGHT NOT TO BE SUBJECT TO A DECISION BASED SOLELY ON AUTOMATED PROCESSING THAT PRODUCES LEGAL EFFECTS CONCERNING YOU OR SIMILARLY SIGNIFICANTLY AFFECTS YOU. If such decisions are made, YOU HAVE THE RIGHT TO REQUEST HUMAN INTERVENTION, TO EXPRESS YOUR POINT OF VIEW, AND TO CONTEST THE DECISION. Play Solana does not engage in automated decision-making that produces legal or equivalent effects without appropriate safeguards. IF SUCH SYSTEMS ARE INTRODUCED, THEY WILL BE SUBJECT TO EXPLICIT NOTICE AND CONSENT. For avoidance of doubt, PLAY SOLANA DOES NOT CURRENTLY ENGAGE IN BEHAVIOURAL PROFILING OR TARGETED ADVERTISING BASED ON AUTOMATED DECISION-MAKING. If such practices are introduced in the future, they will be implemented only with explicit consent and subject to robust safeguards, including transparency reports and user opt-out mechanisms.

8. EXERCISE OF RIGHTS AND COMPLAINT PROCEDURES

8.1. Submitting a Request. Requests to exercise your data protection rights must be submitted through the contact channels specified in this Policy. YOU MAY CONTACT US BY EMAIL AT LEGAL@PLAYSOLANA.COM
, BY POSTAL ADDRESS, OR THROUGH IN-DEVICE OR WEBSITE FORMS WHERE AVAILABLE. To protect your privacy and security, WE MAY REQUIRE YOU TO VERIFY YOUR IDENTITY before fulfilling a request, for example by confirming account credentials, providing proof of identity, or using device-based authentication.

8.2. Response Times. We will respond to your request within the timeframes established by Applicable Law. Under the GDPR, the deadline is one (1) month, extendable by a further two (2) months in complex cases. Under the LGPD in Brazil, the deadline is fifteen (15) days. Under the CPRA in California, the deadline is forty-five (45) days, extendable by a further forty-five (45) days with notice. Under the PIPL in China, responses must be provided without undue delay. WHERE APPLICABLE LAW SETS A SPECIFIC PERIOD, WE WILL COMPLY WITH THAT STANDARD.

8.3. Limitations and Refusals. YOUR RIGHTS MAY BE LIMITED WHERE NECESSARY TO PROTECT THE RIGHTS AND FREEDOMS OF OTHERS, TO COMPLY WITH OVERRIDING LEGAL OBLIGATIONS, OR TO PRESERVE THE INTEGRITY OF INVESTIGATIONS AND REGULATORY PROCESSES. Where we refuse a request, in whole or in part, WE WILL PROVIDE A REASONED EXPLANATION, UNLESS PROHIBITED BY LAW. Examples include refusal of deletion requests where retention is mandated by tax law, or denial of access requests where disclosure would reveal trade secrets or personal data of other individuals.

8.4. Costs. Exercising your rights is free of charge. HOWEVER, WHERE REQUESTS ARE MANIFESTLY UNFOUNDED OR EXCESSIVE, WE MAY CHARGE A REASONABLE FEE OR REFUSE TO ACT, AS PERMITTED BY APPLICABLE LAW (E.G., GDPR ARTICLE 12(5)).

8.5. Representation and Minors. Where permitted by law, rights may be exercised by an authorised representative, such as a legal guardian, attorney, or mandated agent. IN THE CASE OF MINORS, RIGHTS MAY BE EXERCISED BY PARENTS OR LEGAL GUARDIANS IN ACCORDANCE WITH APPLICABLE LAW.

8.6. Supervisory Authorities and Complaints. YOU ALSO HAVE THE RIGHT TO LODGE A COMPLAINT WITH A COMPETENT DATA PROTECTION AUTHORITY IF YOU BELIEVE YOUR RIGHTS HAVE BEEN VIOLATED. The competent authority depends on your place of residence:

• In the European Union: the national Data Protection Authority of your Member State (e.g., CNPD in Portugal, CNIL in France, BfDI in Germany).

• In the United Kingdom: the Information Commissioner’s Office (ICO).

• In Brazil: the National Data Protection Authority (ANPD).

• In California: the California Privacy Protection Agency (CPPA).

• In China: the Cyberspace Administration of China (CAC).

• In India: the Data Protection Board of India.

• In the UAE: the national or free zone authority (Federal Data Office, DIFC Commissioner of Data Protection, ADGM Office of Data Protection).

• In other jurisdictions: the authority designated by Applicable Law.

You may contact us first and we will seek to resolve your complaint directly, BUT YOU RETAIN THE RIGHT TO APPROACH THE SUPERVISORY AUTHORITY AT ANY TIME.

8.7. Judicial Remedies. In addition to administrative complaints, YOU MAY ALSO HAVE THE RIGHT TO SEEK JUDICIAL REMEDIES BEFORE NATIONAL COURTS, DEPENDING ON YOUR JURISDICTION, WHERE YOU BELIEVE YOUR RIGHTS HAVE BEEN INFRINGED.

9. SECURITY MEASURES

9.1. General Commitment. Play Solana is committed to protecting the confidentiality, integrity, and availability of personal data. IN LINE WITH GDPR ARTICLE 32, LGPD ARTICLE 46, CPRA REQUIREMENTS ON “REASONABLE SECURITY PROCEDURES,” AND EQUIVALENT PROVISIONS WORLDWIDE, WE ADOPT TECHNICAL AND ORGANISATIONAL MEASURES INTENDED TO ENSURE A LEVEL OF SECURITY APPROPRIATE TO THE RISKS OF PROCESSING. These measures are designed to prevent accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

9.2. Technical Measures. Personal data processed by Play Solana is protected through encryption both in transit (for example, TLS protocols for web traffic) and at rest (for example, AES-256 encryption for stored files). Wherever possible, personal data is pseudonymised or minimised to reduce exposure in the event of a breach. Access to systems is restricted through multi-factor authentication, strong password policies, and periodic key rotation. OUR INFRASTRUCTURE INCORPORATES FIREWALLS, ANTI-MALWARE, INTRUSION DETECTION AND PREVENTION SYSTEMS, LOGGING AND MONITORING, AND AUTOMATED ALERTS FOR UNUSUAL ACTIVITY. SECURITY TESTING, INCLUDING VULNERABILITY SCANS AND PENETRATION TESTS, IS CONDUCTED ON A REGULAR BASIS.

9.3. Organisational Measures. We maintain internal data protection policies, access control procedures, and incident response protocols. Staff who handle personal data are subject to strict confidentiality obligations and receive mandatory training on information security, data protection, and phishing awareness. Access to personal data is role-based and granted strictly on the principle of least privilege. SECURITY RESPONSIBILITIES ARE DEFINED AT MANAGEMENT LEVEL, AND COMPLIANCE IS REVIEWED THROUGH INTERNAL AUDITS AND, WHERE APPLICABLE, THIRD-PARTY CERTIFICATIONS.

9.4. Supply Chain and Vendor Security. Personal data is also processed by third-party service providers such as cloud hosting companies, payment processors, logistics partners, and customer support vendors. BEFORE ENGAGING SUCH PROVIDERS, PLAY SOLANA CARRIES OUT DUE DILIGENCE AND SECURITY RISK ASSESSMENTS. Contracts include obligations for providers to implement equivalent technical and organisational measures, to notify Play Solana of incidents without undue delay, and to submit to audits or certifications. DATA IS NOT TRANSFERRED TO PROVIDERS WHO CANNOT DEMONSTRATE COMPLIANCE WITH RECOGNISED SECURITY STANDARDS (SUCH AS ISO/IEC 27001 OR SOC 2).

9.5. Physical Security. Where data is stored or processed on physical servers or offices controlled by Play Solana or its providers, PHYSICAL SAFEGUARDS ARE APPLIED. These include restricted access to facilities, surveillance systems, environmental controls, visitor management, and secure disposal of physical media.

9.6. Incident Response and Breach Notification. We maintain and periodically test an incident response plan to detect, investigate, and mitigate potential data breaches. THIS PLAN INCLUDES PREDEFINED ESCALATION PROCEDURES, INTERNAL REPORTING LINES, AND EXTERNAL COMMUNICATION PROTOCOLS. If a personal data breach occurs, Play Solana will notify the competent supervisory authority within the timelines required by law (for example, within seventy-two (72) hours under the GDPR) and, where required, will notify affected individuals without undue delay, providing details of the breach, its likely consequences, and the measures taken or proposed to address it. SIMILAR OBLIGATIONS APPLY UNDER THE LGPD (BRAZIL), CPRA (CALIFORNIA), AND PIPL (CHINA).

9.7. Residual Risks and User Responsibilities. Although Play Solana applies advanced safeguards, NO SYSTEM CAN BE MADE ENTIRELY IMMUNE TO SECURITY THREATS. In particular, blockchain interactions involve inherent risks beyond our control, including network-level vulnerabilities and public visibility of transaction data. USERS REMAIN SOLELY RESPONSIBLE FOR SECURING THEIR WALLETS, PRIVATE KEYS, AND SEED PHRASES. PLAY SOLANA DOES NOT AND CANNOT RECOVER SUCH CREDENTIALS. Users should also take reasonable steps to protect their Devices, such as installing updates promptly, using strong passwords, and avoiding the use of compromised networks.

9.8. Continuous Improvement and Reviews. SECURITY MEASURES ARE NOT STATIC. Play Solana regularly evaluates and updates its technical and organisational safeguards in response to evolving threats, technological changes, and regulatory expectations. Reviews are conducted at least annually, and more frequently following incidents, changes in processing activities, or updates to legal requirements. RESULTS OF REVIEWS ARE USED TO STRENGTHEN OUR CONTROLS AND IMPROVE RESILIENCE AGAINST EMERGING RISKS.

10. CHILDREN AND MINORS

10.1. General Rule. The Play Solana PSG1 Device, the Play Solana Store, and all related Services are designed for use only by individuals aged thirteen (13) or older. CHILDREN UNDER THIS AGE MUST NOT USE THE DEVICE, ACCESS THE STORE, OR OTHERWISE INTERACT WITH PLAY SOLANA SERVICES. Play Solana does not knowingly collect, solicit, or process personal data from children under thirteen (13). WHERE WE BECOME AWARE THAT SUCH DATA HAS BEEN COLLECTED WITHOUT VALID PARENTAL CONSENT AS DEFINED BY APPLICABLE LAW, WE WILL DELETE IT WITHOUT UNDUE DELAY AND MAY TAKE ADDITIONAL STEPS TO RESTRICT ACCESS.

10.2. Global Variations in Digital Age of Consent. The digital age of consent is not uniform across jurisdictions. While thirteen (13) is the minimum in the United States (COPPA), certain jurisdictions impose stricter thresholds. In Brazil, the LGPD sets the relevant age at fourteen (14). In parts of the European Union, Article 8 of the GDPR permits Member States to raise the threshold up to sixteen (16). In China, the PIPL requires parental consent for minors under fourteen (14). In India, the DPDP Act introduces special obligations for data of children, which are expected to apply under eighteen (18). In the United Arab Emirates, the Federal Data Protection Law and free-zone frameworks also impose specific conditions for processing minors’ data. PLAY SOLANA APPLIES THESE HIGHER THRESHOLDS WHEREVER APPLICABLE LAW SO REQUIRES.

10.3. Adolescents Aged 13 to 18. Where minors between thirteen (13) and eighteen (18) are permitted to use digital services under local law, Play Solana requires that their use of the Device or Services occurs with parental or guardian knowledge and consent. Although the Device does not contain parental control features, GUARDIANS REMAIN RESPONSIBLE FOR SUPERVISING MINORS AND FOR ENSURING LAWFUL USE. BY PERMITTING A MINOR TO USE THE DEVICE OR SERVICES, PARENTS AND GUARDIANS ACKNOWLEDGE AND ACCEPT RESPONSIBILITY FOR THE MINOR’S COMPLIANCE WITH THIS POLICY AND THE TERMS OF SERVICE.

10.4. Absence of Technical Parental Controls. The PSG1 Device does not currently include technical parental controls. Play Solana does not monitor or restrict content accessed by minors beyond the contractual prohibition on under-thirteen (13) use. PARENTS AND GUARDIANS MUST THEREFORE TAKE INDEPENDENT MEASURES TO SUPERVISE MINORS’ USE. PLAY SOLANA DISCLAIMS RESPONSIBILITY FOR MISUSE BY MINORS WHERE GUARDIANS HAVE FAILED TO EXERCISE ADEQUATE SUPERVISION, EXCEPT WHERE APPLICABLE LAW IMPOSES MANDATORY LIABILITY.

10.5. Marketing and Profiling Restrictions. PLAY SOLANA DOES NOT DESIGN OR DIRECT MARKETING COMMUNICATIONS TO CHILDREN UNDER THIRTEEN (13), NOR DOES IT KNOWINGLY ENGAGE IN PROFILING OF MINORS FOR ADVERTISING PURPOSES. Where minors aged thirteen (13) to eighteen (18) subscribe to marketing communications, processing will take place only where lawful parental consent has been provided. WE DO NOT KNOWINGLY SHARE MINORS’ PERSONAL DATA WITH THIRD PARTIES FOR MARKETING OR ADVERTISING PURPOSES.

10.6. Special Protection under Applicable Law. Play Solana complies with the enhanced protections required by laws applicable to minors’ data. This includes: COPPA in the United States, prohibiting collection from children under thirteen (13) without verified parental consent; GDPR Article 8 and related Member State implementations, requiring parental authorisation for minors below the applicable threshold; LGPD Articles 14 and 18 in Brazil, establishing special safeguards for minors under fourteen (14); PIPL Articles 15 and 31 in China, requiring parental consent for minors under fourteen (14) and imposing protective obligations; and the DPDP Act in India, requiring stricter processing rules for children, anticipated to apply to all under eighteen (18). PLAY SOLANA IMPLEMENTS THESE PROTECTIONS WHEREVER APPLICABLE LAW SO REQUIRES.

10.7. Reporting and Remedies. If you believe that Play Solana has inadvertently collected data from a child below the applicable minimum age without valid consent, YOU SHOULD NOTIFY US IMMEDIATELY THROUGH THE CONTACT DETAILS PROVIDED IN THIS POLICY. Upon verification, Play Solana will erase such data without undue delay and will take steps to prevent further collection. PARENTS AND GUARDIANS MAY ALSO REQUEST ACCESS, CORRECTION, OR DELETION OF DATA RELATING TO THEIR CHILDREN, IN LINE WITH APPLICABLE LAW.

10.8. Residual Risks. Although Play Solana enforces age restrictions and avoids processing minors’ data, ONLINE ENVIRONMENTS AND ON-CHAIN INTERACTIONS INHERENTLY PRESENT RISKS THAT CANNOT BE FULLY CONTROLLED. Parents and guardians must be aware that BLOCKCHAIN TRANSACTIONS ARE PUBLIC AND IRREVERSIBLE, and that no technical safeguards currently exist in the Device to block minors from attempting such transactions. PLAY SOLANA STRONGLY RECOMMENDS THAT PARENTS SUPERVISE DEVICE USE BY MINORS AT ALL TIMES.

11. COOKIES AND SIMILAR TECHNOLOGIES

11.1. General Use. Play Solana uses cookies and similar technologies across its Website, Store, and Device-related Services. Cookies are small text files that a website or application places on your browser or device. Similar technologies include software development kits (SDKs), tracking pixels, tags, scripts, JavaScript libraries, local storage objects, and device identifiers. THESE TOOLS ALLOW PLAY SOLANA TO RECOGNISE YOUR DEVICE, MAINTAIN SECURE SESSIONS, REMEMBER USER PREFERENCES, IMPROVE THE STABILITY AND SECURITY OF SERVICES, AND MEASURE PERFORMANCE.

11.2. Categories and Purposes. Cookies and similar technologies are used for several distinct purposes:

• Strictly Necessary Cookies: Essential for the functioning of the Website and Store. They enable you to move around the site, use shopping carts, place orders, authenticate into your account, and access secure areas. WITHOUT THEM, CORE SERVICES CANNOT BE PROVIDED.

• Functional or Preference Cookies: These remember your settings, such as language, region, currency, and device configuration. They enhance your user experience but are not strictly necessary.

• Analytics and Performance Cookies: These collect aggregated information on how users interact with the Website, Store, or Device Services. Examples include measuring page load times, error reports, or identifying frequently accessed features. THIS DATA HELPS US IMPROVE USABILITY, STABILITY, AND PERFORMANCE.

• Advertising and Targeting Cookies: These track browsing behaviour to deliver relevant advertising, limit the number of times you see an ad, and measure the effectiveness of campaigns. They may be set by us or by third-party partners. PLAY SOLANA DOES NOT KNOWINGLY SERVE TARGETED ADVERTISING TO MINORS AND DOES NOT KNOWINGLY SELL OR SHARE PERSONAL DATA OF MINORS.

11.3. Legal Bases and Jurisdictional Requirements. The legal basis for strictly necessary cookies is our legitimate interest in providing the requested Services. ALL OTHER COOKIES REQUIRE PRIOR CONSENT WHERE MANDATED BY APPLICABLE LAW. In the European Union and the UK, consent must be explicit before non-essential cookies are set, pursuant to the e-Privacy Directive and GDPR. In Brazil, the LGPD requires express consent for any cookies not strictly necessary. In California and other U.S. states, the CPRA and equivalent laws treat certain uses of cookies as a “sale” or “sharing” of personal data, granting users an opt-out right. In China under the PIPL, and in India under the DPDP Act, explicit informed consent is also required for non-essential cookies or tracking.

11.4. Consent Mechanisms. Where required, Play Solana provides a cookie banner and a consent management platform (CMP) that allows you to accept or reject different categories of cookies. YOU MAY WITHDRAW YOUR CONSENT AT ANY TIME by adjusting your preferences through the CMP, through your device settings, or by deleting cookies directly in your browser. WITHDRAWAL OF CONSENT DOES NOT AFFECT THE LAWFULNESS OF PROCESSING CARRIED OUT BEFORE WITHDRAWAL.

11.5. Third-Party Cookies and SDKs. Some cookies and SDKs are operated by third parties, such as analytics providers (e.g., to measure engagement), advertising partners, payment processors, or logistics providers integrated into the checkout flow. These third parties may process your data under their own privacy policies, which we encourage you to review. PLAY SOLANA REQUIRES CONTRACTUAL GUARANTEES THAT SUCH THIRD PARTIES COMPLY WITH APPLICABLE LAW, LIMIT THEIR USE OF DATA TO SPECIFIED PURPOSES, AND PROVIDE EQUIVALENT LEVELS OF SECURITY.

11.6. Duration and Persistence. Cookies may be session-based or persistent. Session cookies are temporary and expire when you close your browser or end a session on the Device. Persistent cookies remain on your device for a predefined period or until you delete them. The duration varies: some expire after a few hours or days, while others may last up to two (2) years. PLAY SOLANA SEEKS TO MINIMISE PERSISTENCE WHEREVER POSSIBLE AND PERIODICALLY REVIEWS RETENTION PERIODS FOR COOKIES AND SDK IDENTIFIERS.

11.7. Management and Opt-Out Options. You can manage cookies in several ways. Through the Play Solana CMP, you can toggle categories of cookies on or off. Most browsers also allow you to disable or delete cookies at any time. You may also use global opt-out mechanisms provided in certain jurisdictions (such as the “Do Not Sell or Share My Personal Information” link required under the CPRA, or the Global Privacy Control browser signal). DISABLING OR REFUSING NON-ESSENTIAL COOKIES MAY AFFECT YOUR EXPERIENCE, BUT DISABLING STRICTLY NECESSARY COOKIES MAY PREVENT CORE SERVICES FROM FUNCTIONING.

11.8. Local Legal Notices.

• European Union / UK: Non-essential cookies require explicit prior consent, and refusal must not degrade essential Services.

• Brazil: Express consent is required under the LGPD, and users must be able to revoke consent easily.

• California and Other U.S. States: Users have the right to opt out of the “sale” or “sharing” of data via cookies; Play Solana provides the mechanisms required under the CPRA and equivalent laws.

• China: The PIPL requires that users are informed and give explicit consent before cookies and tracking technologies are applied.

• India: The DPDP Act requires informed and explicit consent for cookies not strictly necessary to deliver the requested service.

• Other Jurisdictions: We comply with consent, opt-out, or notice obligations as required under local law.

11.9. Residual Risks and Transparency. Even where consent frameworks and technical controls are applied, COOKIES AND SDKS MAY INVOLVE DATA FLOWS TO THIRD PARTIES AND ACROSS BORDERS. USERS SHOULD BE AWARE THAT DISABLING COOKIES MAY NOT FULLY PREVENT ALL FORMS OF TRACKING, PARTICULARLY WHERE EXTERNAL APPLICATIONS, BLOCKCHAIN INTERACTIONS, OR NETWORK-LEVEL MONITORING ARE INVOLVED. PLAY SOLANA CONTINUES TO EVALUATE THE USE OF COOKIES AND SIMILAR TECHNOLOGIES AND WILL UPDATE THIS POLICY IN LINE WITH EVOLVING BEST PRACTICES AND REGULATORY GUIDANCE.

12. CONTACT, DATA PROTECTION OFFICER, AND POLICY UPDATES

12.1. Contacting Play Solana. If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your personal data, YOU MAY CONTACT PLAY SOLANA EXCLUSIVELY AT legal@playsolana.com, by postal mail at our registered office, or through our Website form available at playsolana.com/compliance. These contact points are maintained exclusively for privacy-related matters and are monitored regularly. COMMUNICATIONS WILL BE ACKNOWLEDGED WITHOUT UNDUE DELAY, AND WE WILL PROVIDE SUBSTANTIVE RESPONSES WITHIN THE LEGAL DEADLINES APPLICABLE IN YOUR JURISDICTION.

12.2. Data Protection Officer (DPO) or Privacy Team. Where Applicable Law requires, Play Solana appoints a Data Protection Officer. The DPO is responsible for monitoring internal compliance, advising on data protection obligations, conducting data protection impact assessments, and serving as a point of contact with supervisory authorities. UNTIL SUCH APPOINTMENT IS FORMALLY MADE, YOU MAY DIRECT ALL COMMUNICATIONS TO OUR PRIVACY TEAM USING THE CONTACT DETAILS PROVIDED ABOVE. Once a DPO is designated, their identity and contact details will be updated in this Policy and, where required, notified to the relevant supervisory authorities, such as the CNPD in Portugal, the ICO in the United Kingdom, the ANPD in Brazil, and other regulators worldwide.

12.3. Complaints and Escalation. You are encouraged to contact Play Solana first if you believe your data protection rights have been infringed. WE WILL MAKE GOOD-FAITH EFFORTS TO RESOLVE YOUR COMPLAINT PROMPTLY AND TRANSPARENTLY. If you are not satisfied with our response, you retain the right to escalate the matter to the competent supervisory authority in your jurisdiction, as described in Section 8 of this Policy. NOTHING IN THIS POLICY LIMITS YOUR RIGHT TO LODGE A COMPLAINT DIRECTLY WITH A DATA PROTECTION AUTHORITY OR TO SEEK JUDICIAL REMEDIES BEFORE A COURT OF COMPETENT JURISDICTION.

12.4. Policy Review and Updates. This Privacy Policy is a living document and is reviewed at least once every twelve (12) months, even where no changes are required, to ensure ongoing compliance with legal, technical, and organisational developments. It is also updated earlier whenever significant changes occur in our Services, in the categories of data processed, or in Applicable Law. The “Effective Date” shown at the top of this Policy indicates the date on which the current version entered into force. WHERE CHANGES ARE MATERIAL - SUCH AS EXPANDING THE CATEGORIES OF PERSONAL DATA COLLECTED, INTRODUCING NEW FORMS OF PROCESSING, OR MODIFYING USERS’ RIGHTS - WE WILL PROVIDE SPECIFIC NOTICE USING A DURABLE MEDIUM, INCLUDING EMAIL, DEVICE NOTIFICATIONS, OR BANNERS ON THE WEBSITE. In addition to material changes, WE MAY ALSO NOTIFY YOU OF MINOR CHANGES WHERE THEY AFFECT SPECIFIC DATA PROCESSING ACTIVITIES OR INTRODUCE NEW TYPES OF DATA COLLECTION, EVEN IF SUCH CHANGES DO NOT SUBSTANTIALLY ALTER YOUR RIGHTS. Notice may be provided through our compliance hub at playsolana.com/compliance or other appropriate means. In such cases, YOU WILL HAVE AN OPPORTUNITY TO REVIEW THE CHANGES BEFORE THEY TAKE EFFECT. CONTINUED USE OF OUR SERVICES OR DEVICE AFTER THE EFFECTIVE DATE OF SUCH CHANGES CONSTITUTES ACCEPTANCE OF THE REVISED POLICY.

12.5. Version Control and Language. This Policy may be provided in multiple languages. IN CASE OF INCONSISTENCY OR AMBIGUITY BETWEEN TRANSLATIONS, THE ENGLISH VERSION SHALL PREVAIL TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW. Where mandatory consumer protection laws require local-language versions to prevail, those versions will govern. WE MAINTAIN AN ARCHIVE OF PREVIOUS VERSIONS OF THIS POLICY AND WILL PROVIDE COPIES ON REQUEST SO THAT YOU CAN TRACK HISTORICAL CHANGES.

12.6. Limitations of Play Solana’s Responsibility. While Play Solana endeavours to respond promptly to all inquiries and to keep this Policy up to date, RESIDUAL RISKS REMAIN IN ANY DIGITAL ENVIRONMENT. OUR OBLIGATIONS UNDER THIS POLICY ARE LIMITED BY APPLICABLE LAW, AND NOTHING HEREIN CREATES RIGHTS OR REMEDIES BEYOND THOSE GRANTED UNDER MANDATORY DATA PROTECTION LEGISLATION.

12.7. Future Regulatory Adaptation. Privacy and data protection laws continue to evolve rapidly, particularly with respect to blockchain technologies and artificial intelligence. PLAY SOLANA IS COMMITTED TO ADAPTING ITS PRACTICES AND THIS POLICY PROMPTLY TO COMPLY WITH NEW LEGAL OR REGULATORY REQUIREMENTS, AND TO PROVIDE TIMELY NOTICE OF SUCH ADAPTATIONS TO USERS.

13. ON-CHAIN DATA AND BLOCKCHAIN RISKS

13.1. Nature of Blockchain Data. When you use the PSG1 Device or Play Solana Services to initiate transactions, interact with smart contracts, or otherwise operate on a blockchain, CERTAIN DATA—INCLUDING WALLET ADDRESSES, TRANSACTION IDENTIFIERS, METADATA SUCH AS GAS FEES, AND TIMESTAMPS—IS PUBLISHED TO A DECENTRALISED LEDGER. SUCH DATA IS BY DESIGN PUBLICLY VISIBLE, PERMANENTLY RECORDED, AND BEYOND THE CONTROL OF PLAY SOLANA.

13.2. No Custody of Credentials. PLAY SOLANA DOES NOT GENERATE, STORE, OR HAVE ACCESS TO YOUR PRIVATE KEYS, SEED PHRASES, OR WALLET CREDENTIALS. YOU ARE SOLELY RESPONSIBLE FOR SECURING YOUR WALLET AND ENSURING THAT YOU RETAIN THE INFORMATION NECESSARY TO ACCESS IT. PLAY SOLANA CANNOT RECOVER LOST CREDENTIALS AND WILL NOT BE ABLE TO REVERSE OR CANCEL BLOCKCHAIN TRANSACTIONS ONCE INITIATED.

13.3. Public Visibility and Linkability. Blockchain data is inherently transparent. ALTHOUGH WALLET ADDRESSES MAY NOT DIRECTLY IDENTIFY INDIVIDUALS, IN MANY JURISDICTIONS—INCLUDING THE EUROPEAN UNION, BRAZIL, AND UNDER GUIDANCE IN CALIFORNIA—THEY MAY QUALIFY AS PERSONAL DATA WHEN REASONABLY LINKABLE TO AN INDIVIDUAL. This means that your blockchain activity could be analysed or correlated by third parties to infer identity, patterns of behaviour, or holdings. PLAY SOLANA CANNOT PREVENT SUCH ANALYSIS AND EXPRESSLY WARNS USERS OF THIS RESIDUAL RISK.

13.4. Legal and Regulatory Implications. The status of blockchain data under privacy and financial regulations is evolving. Authorities in multiple jurisdictions, INCLUDING THE EU, BRAZIL, THE U.S., AND CHINA, HAVE INDICATED THAT BLOCKCHAIN DATA MAY FALL UNDER PRIVACY LAWS WHEN ASSOCIATED WITH INDIVIDUALS. By using Play Solana Services, YOU ACKNOWLEDGE THAT BLOCKCHAIN TRANSACTIONS MAY HAVE LEGAL IMPLICATIONS BEYOND PLAY SOLANA’S CONTROL, INCLUDING TAX, FINANCIAL REPORTING, OR SANCTIONS COMPLIANCE OBLIGATIONS.

13.5. Responsibility of Users. YOU REMAIN RESPONSIBLE FOR SAFEGUARDING YOUR CREDENTIALS, VERIFYING THE AUTHENTICITY OF SMART CONTRACTS, AND ENSURING THAT YOUR USE OF BLOCKCHAIN NETWORKS COMPLIES WITH APPLICABLE LAW. THIS INCLUDES REFRAINING FROM INTERACTIONS WITH SANCTIONED ADDRESSES, RESTRICTED JURISDICTIONS, OR UNLAWFUL CONTENT STORED ON A BLOCKCHAIN.

13.6. Residual Risks. DESPITE ALL MEASURES TAKEN BY PLAY SOLANA, RESIDUAL RISKS REMAIN UNAVOIDABLE IN BLOCKCHAIN ENVIRONMENTS. These include the risk of permanent publication of personal data, the inability to delete or correct information once recorded, and exposure to third-party analytics or surveillance. USERS SHOULD CAREFULLY EVALUATE THESE RISKS BEFORE INITIATING ON-CHAIN TRANSACTIONS.

14. MISCELLANEOUS, GOVERNING LAW, AND SEVERABILITY

14.1. Relationship with Other Agreements. This Privacy Policy must be read together with the Play Solana Terms of Service (Device), the Terms of Use (Website and Software), and the Terms and Conditions (Store). THESE DOCUMENTS REGULATE DISTINCT BUT RELATED ASPECTS OF YOUR RELATIONSHIP WITH PLAY SOLANA. In the event of conflict between this Policy and those agreements regarding the processing of personal data, THIS POLICY SHALL PREVAIL. NOTHING IN THIS POLICY SHALL BE INTERPRETED AS LIMITING RIGHTS OR OBLIGATIONS EXPRESSLY SET OUT IN THE TERMS OF SERVICE OR TERMS OF USE.

14.2. Governing Law and Jurisdiction.
THIS PRIVACY POLICY, AND ANY DISPUTE, CONTROVERSY, OR CLAIM (CONTRACTUAL OR NON-CONTRACTUAL) ARISING OUT OF OR RELATED TO THE PROCESSING OF PERSONAL DATA BY PLAY SOLANA, SHALL BE GOVERNED BY AND CONSTRUED IN ACCORDANCE WITH THE LAWS OF THE UNITED ARAB EMIRATES AS APPLIED IN THE EMIRATE OF RAS AL KHAIMAH, WITHOUT REGARD TO CONFLICT-OF-LAW PRINCIPLES THAT WOULD REQUIRE THE APPLICATION OF ANOTHER JURISDICTION’S LAWS.

CONSUMERS. IF YOU QUALIFY AS A CONSUMER UNDER APPLICABLE LAW, NOTHING IN THIS POLICY DEPRIVES YOU OF THE PROTECTION AFFORDED TO YOU BY THE MANDATORY PROVISIONS OF THE LAW OF YOUR COUNTRY OF RESIDENCE. YOU RETAIN THE RIGHT TO INVOKE SUCH PROTECTIONS AND TO BRING CLAIMS BEFORE THE COURTS OF YOUR PLACE OF RESIDENCE.

BUSINESS USERS. IF YOU ARE NOT A CONSUMER, ANY DISPUTE, CONTROVERSY, OR CLAIM ARISING OUT OF OR IN CONNECTION WITH THIS POLICY SHALL BE FINALLY RESOLVED BY ARBITRATION UNDER THE RULES OF THE DUBAI INTERNATIONAL ARBITRATION CENTRE (DIAC), WHICH RULES ARE DEEMED INCORPORATED BY REFERENCE INTO THIS CLAUSE. THE SEAT OF ARBITRATION SHALL BE DUBAI, UNITED ARAB EMIRATES. THE LANGUAGE OF ARBITRATION SHALL BE ENGLISH. THE ARBITRAL TRIBUNAL SHALL CONSIST OF ONE ARBITRATOR, UNLESS OTHERWISE AGREED. THE ARBITRAL AWARD SHALL BE FINAL AND BINDING, AND JUDGMENT UPON THE AWARD MAY BE ENTERED IN ANY COURT OF COMPETENT JURISDICTION. NOTHING IN THIS CLAUSE PREVENTS PLAY SOLANA FROM SEEKING URGENT INJUNCTIVE, CONSERVATORY, OR EQUITABLE RELIEF IN ANY COMPETENT COURT.

REGULATORS AND AUTHORITIES. NOTHING IN THIS SECTION AFFECTS YOUR RIGHT TO LODGE COMPLAINTS WITH A COMPETENT DATA PROTECTION AUTHORITY, AS FURTHER DESCRIBED IN SECTION 8 OF THIS POLICY.

14.3. Non-Waivable Rights. NOTHING IN THIS POLICY SHALL EXCLUDE OR LIMIT RIGHTS GRANTED TO YOU BY MANDATORY DATA PROTECTION LAWS, including but not limited to the GDPR in the European Union, the LGPD in Brazil, the CPRA and equivalent state laws in the United States, the PIPL in China, and the DPDP Act in India. In case of conflict between this Policy and such laws, THE LATTER SHALL PREVAIL.

14.4. Severability. If any provision of this Privacy Policy is held invalid, illegal, or unenforceable by a competent authority, THAT PROVISION SHALL BE DEEMED MODIFIED TO THE MINIMUM EXTENT NECESSARY TO RENDER IT VALID AND ENFORCEABLE. If modification is not possible, THE PROVISION SHALL BE DEEMED DELETED. THE VALIDITY AND ENFORCEABILITY OF THE REMAINING PROVISIONS SHALL REMAIN UNAFFECTED.

14.5. Entirety and Language. This Privacy Policy constitutes the entire agreement between you and Play Solana Ltd concerning the processing of personal data, WITHOUT PREJUDICE TO ADDITIONAL NOTICES PROVIDED AT THE POINT OF COLLECTION OR AS REQUIRED BY LAW. This Policy may be made available in multiple languages for convenience. IN THE EVENT OF DISCREPANCIES BETWEEN TRANSLATIONS, THE ENGLISH VERSION SHALL PREVAIL TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW.