Privacy Policy — Mira Digital Stamp Card

Effective Date: 23 May 2026
Last Updated: 23 May 2026


1. Introduction

VS Studios AB ("VS Studios", "we", "us", "our"), organisation number 559540-3865, with its registered seat at Moa Martinson's Square 6, 112 15 Stockholm, Sweden, operates the Mira digital stamp card platform ("Service").

This Privacy Policy explains how we collect, use, store, disclose, and protect personal data in connection with the Service. It applies to two categories of users:

  • Merchants — businesses and individuals who register for a Mira merchant account and use the Service to create and manage digital stamp card campaigns; and
  • End Users — individuals who scan QR codes, collect stamps, and interact with digital stamp cards through the Mira platform.

Please read this Policy carefully. By using the Service, you confirm that you have read and understood how we handle your personal data.


2. Data Controller

The data controller responsible for personal data processed through the Mira platform is:

VS Studios AB
Moa Martinson's Square 6
112 15 Stockholm, Sweden
Organisation number: 559540-3865
Email: support@miraloyalty.com


3. Legal Framework

We are committed to protecting your personal data and processing it lawfully, fairly, and transparently. We process personal data in compliance with:

  • GDPR — the EU General Data Protection Regulation (Regulation (EU) 2016/679), applicable to residents of EU and EEA member states;
  • Swedish Data Protection Act (Dataskyddslagen, SFS 2018:218), supplementing the GDPR in Sweden;
  • Swiss nDSG / revDSG — the Swiss Federal Act on Data Protection (revised Federal Act on Data Protection, in force 1 September 2023), applicable where personal data of Swiss residents is processed;
  • CCPA / CPRA — the California Consumer Privacy Act (as amended by the California Privacy Rights Act), applicable where personal data of California residents is processed; and
  • other applicable national data protection and privacy laws.

4. Data We Collect

4.1 Data Collected from Merchants

When you register as a Merchant and use the Service, we collect and process the following personal and business data:

| Category | Data Points | How Collected |
|---|---|---|
| Identity | Business name | Provided by you at registration |
| Contact | Business email address | Provided by you at registration |
| Tax / Compliance | VAT number (where applicable) | Provided by you at registration |
| Payment | Billing and payment information | Processed by Paddle; VS Studios does not store raw payment card data |

Note on payment data: VS Studios does not collect, store, or process payment card details directly. All payment and billing data is handled exclusively by Paddle.com Market Ltd, acting as merchant of record. Please refer to Paddle's Privacy Policy (paddle.com/privacy) for details of how your payment data is processed.


4.2 Data Collected from End Users

When you use Mira as an End User, we may collect and process the following personal data:

| Category | Data Points | How Collected |
|---|---|---|
| Account identity | Display name (self-chosen; does not need to be your real name) | Provided by you on registration |
| Contact | Phone number | Provided by you on registration |
| Authentication | Email address | Provided by you on email sign-up |
| Authentication (third-party) | Authentication token via Apple Sign-In or Google Sign-In | Provided via third-party authentication service |
| Loyalty activity | Stamp collection history, Stamp Card holdings, Reward redemption history | Generated automatically through your use of the Service |
| Communications preference | Opt-in / opt-out status for promotional marketing | Provided by you |

Important clarifications about End User data:

  1. Display name: Your display name does not have to be your real name. We do not verify the identity of End Users.
  2. No current sharing with VS Studios: As of the effective date of this Policy, personal data of End Users is not shared with VS Studios beyond what is strictly necessary to operate the Service. Data is processed on infrastructure we control but is not actively reviewed or used for commercial purposes.
  3. Future anonymized analytics: We may in the future use anonymized, aggregated data about End User activity for product improvement and analytics purposes. This data will be de-identified and will not be used to identify you as an individual. We will update this Policy if our practices change materially.
  4. Opt-in marketing data: If you opt in to receiving promotional communications from Merchants, anonymized contact data may be shared with those Merchants as described in Section 7.1 below.

5. Legal Basis for Processing (GDPR and nDSG)

For residents of EU/EEA member states and Switzerland, all processing of personal data is carried out on one of the following legal bases:

| Processing Purpose | Legal Basis (GDPR Art. 6) |
|---|---|
| Providing the Service (account creation, Stamp Card operation) | Performance of a contract (Art. 6(1)(b)) |
| Merchant subscription management and billing | Performance of a contract (Art. 6(1)(b)) |
| Compliance with legal obligations (e.g. VAT records, accounting) | Legal obligation (Art. 6(1)(c)) |
| Sending opted-in promotional communications | Consent (Art. 6(1)(a)) |
| Security monitoring, fraud prevention, error tracking | Legitimate interests (Art. 6(1)(f)) |
| Anonymized product analytics and service improvement | Legitimate interests (Art. 6(1)(f)) |

Withdrawal of Consent: Where processing is based on your consent (e.g. opt-in marketing), you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of any processing carried out before the withdrawal.

Legitimate Interests Assessment: Where we rely on legitimate interests as a legal basis, we have assessed that our interests are not overridden by your fundamental rights and freedoms, taking into account the nature of the data processed and the reasonable expectations of users.


6. How We Use Your Data

6.1 Merchants

We use Merchant data to:

  • Create and maintain your Merchant account;
  • Enable you to create, publish, and manage Stamp Card campaigns;
  • Process and administer your subscription payments via Paddle;
  • Communicate with you about your account, service updates, billing matters, and changes to these policies;
  • Comply with applicable legal and tax obligations, including VAT record-keeping;
  • Detect, investigate, and prevent fraud, abuse, and unauthorized access.

6.2 End Users

We use End User data to:

  • Create and maintain your End User account;
  • Enable you to collect stamps and track Reward progress across your Stamp Cards;
  • Deliver promotional communications from Merchants, where you have explicitly opted in;
  • Maintain the security, integrity, and performance of the Service;
  • Respond to your support requests or enquiries;
  • Generate anonymized, aggregated insights that help us improve the Service.

7. Data Sharing and Disclosure

We do not sell your personal data. We may disclose personal data in the limited circumstances described below.

7.1 Sharing with Merchants (End Users Only)

If you have opted in to receiving promotional communications from a particular Merchant, we may share anonymized contact information with that Merchant for the purpose of sending you promotional materials about their business. This sharing is subject to the following conditions:

  • It is voluntary — based entirely on your explicit opt-in;
  • It is limited in scope — only to Merchants with whom you hold an active Stamp Card at the time of sharing;
  • The data shared is anonymized — it is processed to remove or obscure direct personal identifiers before transmission;
  • Upon opting out, the relevant Merchant will no longer receive your data for marketing purposes.

VS Studios does not control how Merchants use shared anonymized data for marketing. We recommend reviewing the Merchant's own privacy policy for details of their data practices.

7.2 Third-Party Service Processors

We engage the following third-party processors to provide and operate the Service. Each processor is contractually bound by data processing agreements and is required to process personal data only on our documented instructions and in compliance with applicable data protection law:

| Processor | Role | Headquarters | Privacy Reference |
|---|---|---|---|
| Supabase, Inc. | Database hosting and backend infrastructure | USA (EU data region used where configured) | supabase.com/privacy |
| Paddle.com Market Ltd | Merchant subscription billing and payment processing (merchant of record) | United Kingdom / Global | paddle.com/privacy |
| Sentry (Functional Software, Inc.) | Error monitoring, crash reporting, and performance tracking | USA | sentry.io/privacy |
| Twilio Inc. | SMS and messaging delivery (e.g. phone number verification) | USA | twilio.com/legal/privacy |
| Apple Inc. | Sign-In with Apple authentication | USA | apple.com/legal/privacy |
| Google LLC | Sign-In with Google authentication | USA | policies.google.com/privacy |
| Lovable | Application development and deployment platform | [To be confirmed by VS Studios] | [To be confirmed] |

VS Studios remains responsible for ensuring that these processors provide sufficient guarantees of appropriate technical and organizational data protection measures.

7.3 Legal and Regulatory Disclosure

We may disclose personal data if we are required to do so by applicable law, court order, or lawful request from a competent regulatory or law enforcement authority. Where permitted by law, we will notify you of such a disclosure request.

7.4 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, personal data held by VS Studios may be transferred to the acquiring or successor entity. We will notify you of any such transfer via email and/or a prominent notice on the Service prior to the transfer taking effect, and the successor entity will be required to handle your data in accordance with this Policy or an equivalent policy offering at least the same level of protection.


8. International Data Transfers

VS Studios is established in Sweden, within the European Union. Where personal data is transferred to third-party processors located outside the EU/EEA (including to processors in the United States), we ensure that such transfers are subject to appropriate safeguards in accordance with GDPR Chapter V, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission;
  • Adequacy decisions by the European Commission where the receiving country is deemed to offer an adequate level of protection; or
  • Other lawful transfer mechanisms recognized under the GDPR.

Swiss residents: Transfers of personal data outside Switzerland are governed by equivalent safeguards as required under the revised Federal Act on Data Protection (nDSG) and guidance issued by the Federal Data Protection and Information Commissioner (FDPIC).

California residents (CCPA/CPRA): We disclose personal information to third-party processors as described in this Policy. We do not sell or share personal information (as defined under the CCPA/CPRA) for cross-context behavioral advertising purposes.


9. Data Retention

We retain personal data for no longer than is necessary to fulfill the purposes for which it was collected, unless a longer retention period is required or permitted by applicable law.

| Data Category | Retention Period |
|---|---|
| Merchant account data (business name, email, VAT) | Duration of active subscription + 7 years (Swedish Accounting Act / Bokföringslagen) |
| Merchant billing records (held by Paddle) | As required by Paddle and applicable tax law |
| End User account data | Until account deletion, or 3 years of account inactivity, whichever is earlier |
| Stamp and redemption history | For the duration of the End User account |
| Marketing consent records | Until consent is withdrawn + 3 years thereafter |
| Error and crash logs (Sentry) | 90 days, or as configured |
| SMS verification logs (Twilio) | As required by Twilio's data retention policies |

Upon account deletion, we will delete or irreversibly anonymize personal data within 30 days, subject to any retention obligations imposed by applicable law (e.g. accounting or tax records).


10. Your Rights

10.1 Rights of EU / EEA Residents (GDPR)

If you are located in the EU or EEA, you have the following rights in relation to your personal data:

  • Right of Access (Art. 15): You have the right to request a copy of the personal data we hold about you, together with supplementary information about how it is processed.
  • Right to Rectification (Art. 16): You have the right to request correction of any inaccurate or incomplete personal data we hold about you.
  • Right to Erasure (Art. 17): You have the right to request deletion of your personal data ("right to be forgotten"), subject to any legal obligations that require us to retain it.
  • Right to Restriction of Processing (Art. 18): You have the right to request that we restrict the processing of your personal data in certain circumstances (e.g. while accuracy is contested).
  • Right to Data Portability (Art. 20): You have the right to receive personal data you have provided to us in a structured, commonly used, machine-readable format, and to transmit that data to another controller.
  • Right to Object (Art. 21): You have the right to object to processing of your personal data based on our legitimate interests. You also have the right to object at any time to processing for direct marketing purposes, with immediate effect.
  • Right to Withdraw Consent: Where processing is based on your consent, you may withdraw that consent at any time without affecting the lawfulness of prior processing.
  • Right to Lodge a Complaint: You have the right to lodge a complaint with the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY) at imy.se, or with the data protection supervisory authority in your country of habitual residence, place of work, or the location of an alleged infringement.

10.2 Rights of Swiss Residents (nDSG)

If you are a resident of Switzerland, you have the right to:

  • Request information about the personal data we hold about you and how it is processed;
  • Request correction of inaccurate data;
  • Request deletion or restriction of processing of your personal data, subject to applicable legal obligations;
  • Object to certain types of processing;
  • Receive your data in a portable format;
  • Lodge a complaint with the Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch.

10.3 Rights of California Residents (CCPA / CPRA)

If you are a California resident, you have the following rights under the CCPA / CPRA:

  • Right to Know: The right to know what personal information we collect, use, disclose, and share about you.
  • Right to Delete: The right to request deletion of your personal information, subject to certain exceptions.
  • Right to Correct: The right to request correction of inaccurate personal information.
  • Right to Opt Out of Sale / Sharing: The right to opt out of the sale or sharing of your personal information. We do not sell or share personal information as defined under the CCPA/CPRA.
  • Right to Limit Use of Sensitive Personal Information: The right to limit our use of sensitive personal information to purposes permitted by law.
  • Right to Non-Discrimination: You have the right not to be discriminated against for exercising any of your CCPA/CPRA rights.

Exercising Your Rights: To exercise any of the rights described above, please contact us at support@miraloyalty.com. We will verify your identity before responding to your request. We will respond within 30 days of receipt of a verifiable request (or within such longer period as permitted by applicable law, with notice to you). We will not charge a fee for responding to requests, except where permitted by law in the case of manifestly unfounded or excessive requests.


11. Opt-In and Opt-Out of Marketing Communications

If you are an End User, you may opt in to receiving promotional communications from Merchants through your Mira account. Your opt-in status is entirely voluntary.

You can opt out at any time by updating your communication preferences in your Mira account settings.

Opting out will be processed promptly. After opt-out, your anonymized contact data will no longer be shared with the relevant Merchant(s) for marketing purposes. Please note that if you opt in to multiple Merchants, you must opt out of each individually, or use the global opt-out setting in your Mira account.


12. Cookies and Tracking Technologies

The Mira platform may use cookies and similar tracking technologies (such as local storage and session tokens) to:

  • Maintain your authenticated session;
  • Remember your preferences and settings;
  • Monitor application performance and diagnose errors (via Sentry).

We do not use tracking cookies for third-party advertising or cross-site behavioral tracking.

You can manage or disable cookies through your browser or device settings. Disabling certain cookies may affect the functionality of the Service, including your ability to remain logged in.


13. Children's Privacy

The Service is not directed to children under the age of 16. We do not knowingly collect personal data from individuals under 16. If you are a parent or guardian and believe that a child under 16 has provided us with personal data, please contact us immediately at support@miraloyalty.com and we will delete that data without undue delay.


14. Security

VS Studios implements appropriate technical and organizational security measures to protect personal data against unauthorized access, accidental loss, alteration, disclosure, or destruction. These measures include:

  • Encryption of data in transit using TLS/HTTPS;
  • Access controls, authentication mechanisms, and role-based access to personal data;
  • Real-time error monitoring and security event detection via Sentry;
  • Data minimization — we collect only the data necessary for the purposes described in this Policy;
  • Regular review of security controls and data processing practices.

No system of data transmission or storage is completely secure. In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, VS Studios will notify you and the relevant supervisory authority without undue delay and, in any event, within 72 hours of becoming aware of the breach, as required by applicable law.


15. Links to Third-Party Services

The Service integrates with and may contain links to third-party services (including Apple, Google, and Paddle). This Privacy Policy does not govern the data practices of those third parties. We encourage you to review the privacy policies of any third-party services you interact with.


16. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our data practices, legal obligations, or the features of the Service. We will notify you of any material changes by:

  • Sending an email to the address associated with your account; and/or
  • Displaying a prominent notice within the Service,

at least 14 days before the changes take effect (or a longer period where required by applicable law).

The "Last Updated" date at the top of this Policy reflects the most recent revision. Your continued use of the Service after the effective date of any revised Policy constitutes your acknowledgement of the revised Policy.


17. Contact and Data Subject Requests

For any questions about this Privacy Policy, to exercise your data rights, or to submit a data subject access, erasure, portability, or correction request, please contact us:

VS Studios AB
Moa Martinson's Square 6
112 15 Stockholm, Sweden
Organisation number: 559540-3865
Email: support@miraloyalty.com

We aim to respond to all enquiries and data subject requests within 30 days of receipt. For complex or multiple requests, we may extend this period by up to a further 60 days, in which case we will inform you of the extension and the reasons for it within the initial 30-day period.

You also have the right to contact the relevant supervisory authority directly:


This Privacy Policy was prepared for VS Studios AB in connection with the Mira digital stamp card platform.