HOSTS DATA PRIVACY NOTICE Last Modified: July 1, 2020. INTRODUCTION As part of the Agency and Facilitation Services Agreement, Host-Guest Agreement, IML SLU (collectively "we", or "the Company") provides this Hosts' Data Privacy Notice ("Privacy Notice") to explain our practices regarding the collection, use, transfer and other processing of certain personal data about the hosts ("Host Data"), as described in more detail below. Please note you are under a legal obligation to provide the Company with some of the Host Data (as specified below), whereas providing the remainder of the Host Data is subject to your own free will and consent and to your relationship with the Company. This Privacy Notice applies to current and former Hosts. It is important that you read this notice, together with any other privacy notice we may provide on specific occasions when we are collecting or processing personal information about you, so that you are aware of how and why we are using such information. In this Privacy Notice, you can learn about: I. INTRODUCTION II. HOST DATA III. SOURCES OF HOST DATA IV. PURPOSES OF USE OF HOST DATA V. SHARING HOST DATA WITH THIRDS PARTIES VI. SAFEGUARDING PERSONAL INFORMATION VII. INTERNATIONAL TRANSFER OF HOST DATA VIII. YOUR RIGHTS IX. RETENTION OF HOST DATA X. CHANGES TO THE PRIVACY NOTICE XI. HOW TO CONTACT US XII. NOTICE FOR CALIFORNIA RESIDENTS We encourage you to read the Privacy Notice carefully and use it to make informed decisions. By visiting the Company's websites, mobile apps or other online properties, or by creating an account through our Services, you hereby agree to the Privacy Notice. HOST DATA During your contractual relationship with the Company, it is routine for us to collect, process and store Host Data. Although not an exhaustive list, this will include: PERSONAL INFORMATION: including legal name and contact information (full name, home address, phone number), date of birth, government identification numbers (driver's license), citizenship/residency, personal status, photos and other data collection permitted or required by local law; ADDITIONAL IDENTIFICATION INFORMATION: including any name (other than the Host's legal name) ever used by the Host, including the Host's maiden name, alias, nickname, stage name, or professional name; a legible hard copy or legible digitally scanned or other electronic copy of a hard copy of the identification document examined and, if that document does not contain a recent and recognizable picture of the Host, a legible hard copy of a Picture Identification Card (as this term is defined below); a copy of the depiction (including live cams or advertising) and, where the depiction is published on an Internet computer site or service, a copy of any URL associated with the depiction. If no URL is associated with the depiction, the records shall include another uniquely identifying reference associated with the location of the depiction on the Internet; and for any Host in a depiction performed live on the Internet, a copy of the depiction with running-time sufficient to identify the performer in the depiction and to associate the performer with the records needed to confirm his or her age. PICTURE IDENTIFICATION CARD: including a document issued by either: (a) the United States, a US State government, or a political subdivision thereof, or a United States territory, that bears the photograph, the name of the individual identified, and the date of birth of the Host, and provides specific information sufficient for the issuing authority to confirm its validity, such as a passport, permanent resident card (commonly known as a "Green Card"), or employment authorization document issued by the United States, a driver's license or other form of identification issued by a State or the District of Columbia; or (b) a foreign government-issued equivalent of any of the documents listed above when the person who is the subject of the picture identification card is a non-U.S. citizen located outside the United States at the time of original production and the producer maintaining the required records, whether a U.S. citizen or non-U.S. citizen, is located outside the United States on the original production date. The picture identification card must be valid as of the original production date. PAYMENT INFORMATION: including bank information, garnishments and deductions, and other related information. PERFORMANCE AND TALENT INFORMATION: including qualifications, evaluations, developmental planning, security policy permissions, communication data and other talent management and team based assessments. APPLICATIONS/RECORDS: In addition, the Company collects and maintains different types of personal information, including the personal information contained in medical history questionnaires and evaluations. SOURCES OF HOST DATA We generally collect the Host Data directly from the Hosts. From time to time, the Company may receive personal information about the Hosts collected from third parties we do business with in the course of our business interactions, such as regulatory bodies. In those circumstances, the Company will take reasonable steps to ensure that those third parties have represented to us that they have the right to disclose the Host Data to us. In other cases not currently anticipated, we will notify you of where the data came from unless you are already aware of this information. PURPOSES OF USE OF HOST DATA The Company uses and otherwise processes Host Data to the extent necessary or appropriate for the following purposes: Administering and managing all aspects of our relationship, including, but not limited to finance, accounting and compensation management; Information technology support; Cyber security programs; Security reasons (including ensuring the security of company-held information), such as to detect fraudulent or illegal behaviour, including for the purpose of conducting security screenings; Compliance activities; Conducting a due diligence of the Company in the event of a third party contemplating the purchase or investment in the Company; Establishing, managing or terminating the our contractual relationship; Identifying and communicating with you; Complying with applicable laws, including judicial or administrative orders. SHARING HOST DATA WITH THIRD PARTIES The Company shares the Host Data, including as stated below: THIRD PARTY SERVICE PROVIDERS: We share personal data with third party service providers, for all the purposes listed above. These third party service providers have access to Host Data as needed to perform their functions, but they are not permitted to use it for other purposes. The Company also seeks to (i) exercise appropriate due diligence in the selection of such service providers, and (ii) require via contract or otherwise that such service providers maintain adequate technical and organizational security measures to safeguard the Host Data, and process the Host Data only as instructed by the Company. EXTERNAL ADVISORS - the Company also shares the Host Data with its external advisors (e.g., lawyers, accountants, and auditors), subject to confidentiality provisions and as necessary. REGULATORY BODIES: We also share personal data with certain regulatory bodies to meet local statutory requirements (e.g. tax authorities, regulatory registration bodies, etc.), such as with governmental agencies and regulators (including tax authorities), social organizations (including a social benefits agency), courts and other tribunals, and government authorities, to the extent permitted or required by applicable law; PREVENT FRAUD AND CRIMINAL ACTIVITIES, LEGAL REQUESTS AND INVESTIGATIONS: We sometime disclose data when such disclosure is deemed necessary by the Company to detect or prevent criminal activities or fraud, to comply with any statute, law, rule or regulation of any governmental authority or any order of any court of competent jurisdiction. BUSINESS TRANSFERS: As we continue to develop our business, we might sell or buy companies, subsidiaries, or business units. If the Company organizes its activities with another entity or in the event of a corporate transaction (such as in the sale of a substantial part of our business, merger, consolidation or asset sale), the Company shall have the right to transfer to such entity the Host Data, provided that the other entity confirms that it shall be bound by the provisions of this Privacy Notice; LEGAL DISPUTES - If the Company receives a notice of legal proceedings against it, in the context of any dispute, claim, suit, demand or legal proceedings, if any, between the Company and you. SAFEGUARDING PERSONAL INFORMATION The Company takes great care in implementing and maintaining the security of your personal data. To ensure the safety of our users' information, and prevent unauthorized use of any such information the Company employs industry standard practices and procedures such as compliance checks to ensure the policy is being adhered, data protection impact assessments, internal audits of processing activities etc. Individuals within the human resources, legal, finance and accounting, security, communications, and information technology departments will receive access to Host Data when necessary in connection with their job responsibilities, and subject to the Company's internal security framework. As an additional safeguard to, the Company employs a Data Protection Officer ("DPO"). The DPO has the power to insist on company resources for data protection matters and has as a deep knowledge of data protection regulation and law privacy requirements. The DPO's responsibility includes, among other things: privacy and security compliance advice, notify authorities of a data breach incident, conducting awareness and training programs, etc. The DPO's contact information is listed below. INTERNATIONAL TRANSFERS OF HOST DATA Since the Company operates globally, it may be required to transfer Host Data to service providers and affiliates in jurisdictions that outside the European Economic Area ("EEA"). These service providers and affiliates may use Host Data for the purposes described in Section III, including supporting payment processing, finance, accounting and human resources, global directory, and corporate compliance activities. The Company is taking ongoing measures to ensure that such service providers and affiliates have implemented appropriate safeguards to protect the security of Host Data. The data protection and other laws of these countries may not be as comprehensive as those in the European Union − in these instances we will take steps to ensure that a similar level of protection is given to your Host Data and that such transfer is in accordance with EU privacy and data protection regulations. If you want to learn more about the details of these safeguards you should get in touch with us using the contact details at the bottom of this notice. YOUR RIGHTS This section addresses certain rights you may exercise with respect to your Host Data. You can get more information in relation to your rights using the contact details below. Right of access You have the right to access the information we hold about you, including supplementary information about your Host Data. Correcting or erasing your information You have the right to ask us (and third parties to whom we transfer your personal information) to rectify your personal information if it becomes inaccurate or incomplete. In addition, note that you are responsible to update the Company if there are any changes or inaccuracies in your Host Data. You may also have the right to have incomplete personal data completed, including by means of providing a supplementary statement. Whether or not this is appropriate in any particular case depends on the purposes for which your information is being processed. You have the right to ask us to erase your personal information if: your personal information has been processed unlawfully by us; or your personal information is no longer necessary for the purposes for which it was collected by us; or where you object to processing (see below) and there is no overriding legitimate interest for continuing to process your personal data. We need to notify any third parties with whom we have shared your information that you have made a rectification or erasure requests. We will take reasonable steps to do this, but this may not always be possible or may involve disproportionate effort. Restricting processing of your information You have the right to restrict our processing of your personal information if: you contest the accuracy of the personal information held by us (for a period enabling us to verify the accuracy of the data); our processing activities are unlawful; or we no longer need your personal information but you would like us to retain it to ensure its continued availability to you in connection with any legal claims. Right to object to processing You can object to our processing your personal data under certain circumstances including where processing takes place in line with the Company's legitimate business interests as set out above. Where you object to processing, we must stop processing your personal data unless we can show that our legitimate ground for processing of your personal data overrides your interests or where we need to process the data to establish, exercise or defend legal claims. Data portability You have rights to obtain and reuse your personal data for your own purposes. This right only applies: to personal information you have provided to us (i.e. not any other information); where the processing is based on your consent or for the performance of a contract; and when processing is carried out by automated means. We can refuse your data portability request if the processing does not satisfy the above criteria. Also, if the personal information concerns more than one individual, we may not be able to transfer this to you if doing so would prejudice that person's rights. Kindly note that the above rights are not absolute. There are instances where applicable law or regulatory requirements allow or require us to refuse your request, for example, refuse your request where we need to process the data to exercise or defend legal claims. In addition, in certain instances, your Host Data may have been destroyed, erased or made anonymous in accordance with our record retention obligations and practices. You are able to submit a complaint to the applicable supervisory authority in relation to our processing of your personal data. We take our obligations seriously and we ask that any concerns are first brought to our attention, so that we can try to resolve this. RETENTION OF HOST DATA Except as otherwise permitted or required by applicable law or regulatory requirements, the Company endeavors to retain your Host Data only for as long as it believes is necessary to fulfill the purposes for which the Host Data was collected (including, for the purpose of meeting any legal, accounting or other reporting requirements or obligations), and as required under applicable laws and regulations. We may, instead of destroying or erasing your Host Data, make it anonymous such that it cannot be associated with or tracked back to you. CHANGES TO THE PRIVACY NOTICE We reserve the right to change this Privacy Notice at any time, so please re-visit this page frequently. We will provide notice of substantial changes of this Privacy Notice on the Services and/or we will send you an e-mail regarding such changes to the e-mail address that you volunteered. Such substantial changes will take effect seven (7) days after such notice was provided on any of the above mentioned methods. Otherwise, all other changes to this Privacy Notice are effective as of the stated "Last Revised" date, and your continued use of the Services after the Last Revised date will constitute acceptance of, and agreement to be bound by, those changes. HOW TO CONTACT US If you have any general questions about the Services or the information that we collect about you and how we use it, please contact us via email at DPO@imlive.com or by sending a letter to: I.M.L. SLU Attn: Data Protection Officer Edifici Burge's Planta 3, Avinguda St. Antoni 27, La Massana AD 400 Principat d'Andorra We will make an effort to reply within a reasonable timeframe. Please feel free to reach out to us at any time. If you are unsatisfied with our response, you can reach out to the applicable data protection supervisory authority. NOTICE FOR CALIFORNIA RESIDENTS This part of the Privacy Notice addresses the specific disclosure requirements under the California Consumer Privacy Act of 2018 (Cal. Civ. §§ 1798.100-1798.199) and the California Consumer Privacy Act Regulations by the Attorney General (collectively, "CCPA"). User Rights under the CCPA The CCPA provides consumers with specific rights regarding their Personal Information. This section describes your CCPA rights and explains how to exercise those rights. Access to Personal Information You may request, up to two times each year, that we disclose to you the categories and specific pieces of Personal Information that we have collected about you, the categories of sources from which your Personal Information is collected, the business or commercial purpose for collecting your Personal Information, the categories of Personal Information that we disclosed for a business purpose, any categories of Personal Information about you that we sold, the categories of third-parties with whom we have shared your Personal Information, and the business purpose for sharing your Personal Information, if applicable. Deletion Requests You have the right to request that we delete any Personal Information collected from you and retained, unless an exception applies. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers, subcontractors, and consultants to delete) your Personal Information, unless an exception applies. Exercising Your Rights You can exercise your rights by submitting a verifiable consumer request to our email address: DPO@imlive.com or by sending a mail to our physical address specified in the "HOW TO CONTACT US" section. Only you or a person authorized to act on your behalf may make a consumer request related to your Personal Information. The request must: • Provide sufficient information to allow us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative. • Describe your request with sufficient details to allow us to properly understand, evaluate, and respond to it. • We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use Personal Information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request. We will only use Personal Information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request. You may only request a copy of your data twice within a 12-month period. If you have any general questions about the Personal Information that we collect about you how we use it, please contact us at DPO@imlive.com. Response Timing and Format Our goal is to respond to a verifiable consumer request within 45 days of its receipt. If we require more time, we will inform you of the reason and extension period in writing within the first 45 days period. We will deliver our written response, by mail or electronically, at your option. Any disclosures we provide will cover only the 12-month period preceding the request. If reasonably possible, we will provide your Personal Information in a format that is readily useable and should allow you to transmit the information without hindrance. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request. In case of rejection, the response we provide will explain the reasons for which we cannot comply with your request. Please note that these CCPA rights are not absolute and requests are subject to any applicable legal requirements, including legal and ethical reporting or document retention obligations. Designating Agents You can designate an authorized agent to make a request under the CCPA on your behalf if: • The authorized agent is a natural person or a business entity registered with the Secretary of State of California; and • You sign a written declaration that you authorize the authorized agent to act on your behalf. If you use an authorized agent to submit a request to exercise your right to know or your right to request deletion, please mail a certified copy of your written declaration authorizing the authorized agent to act on your behalf using the contact information below. If you provide an authorized agent with power of attorney pursuant to Probate Code sections 4000 to 4465, it may not be necessary to perform these steps and we will respond to any request from such authorized agent in accordance with the CCPA. Non-Discrimination Unless permitted by the CCPA, we will not: • Deny you goods or services. • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties. • Provide you a different level or quality of goods or services. Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.