Common use of Privacy; Data Security Clause in Contracts

Privacy; Data Security. Except as would not have a Company Material Adverse Effect, (i) the Company and its Subsidiaries are in compliance with (A) all applicable Privacy Laws, (B) all of the Company’s policies regarding Personal Information (“Privacy Policies”), and (C) all of the Company’s contractual obligations with respect to the receipt, collection, compilation, use, storage, processing, sharing, safeguarding, security (technical, physical and administrative), disposal, destruction, disclosure, or transfer (including cross-border) of Personal Information (collectively with Privacy Laws and Privacy Policies, the “Data Protection Requirements”); (ii) the Company and its Subsidiaries have implemented and at all times maintained reasonable physical, technical, and administrative safeguards, compliant with applicable Data Protection Requirements, that are designed to protect Personal Information in their possession or under their control against loss, theft, misuse or unauthorized access, use, modification or disclosure; (iii) there have been no breaches, security incidents, misuse of or unauthorized access to or disclosure of any Personal Information in the possession or control of the Company and its Subsidiaries or collected, used or processed by or on behalf of any the Company and its Subsidiaries’ IT Systems that would require notification of individuals, other affected parties, law enforcement, or any Governmental Authority under applicable Privacy Laws and (iv) since January 1, 2019, neither the Company nor any of its Subsidiaries has received any written notice of any claims (including written notice from third parties acting on its behalf) of or been charged with, the violation of, any Data Protection Requirements.

Privacy; Data Security. Except Since March 31, 2017, except as would not not, individually or in the aggregate, have a Company Material Adverse Effect, (i) the Company and its Subsidiaries are in compliance with (A) all applicable Privacy Laws, (B) all of the Company’s policies regarding Personal Information (“Privacy Policies”), and (C) all of the Company’s contractual obligations with respect to the receipt, collection, compilation, use, storage, processing, sharing, safeguarding, security (technical, physical and administrative), disposal, destruction, disclosure, or transfer (including cross-border) of Personal Information (collectively with Privacy Laws and Privacy Policies, the “Data Protection Requirements”)Information; (ii) no Privacy Policies of the Company and its Subsidiaries have contained any material omissions or been misleading or deceptive; (iii) the Company and its Subsidiaries have implemented and at all times maintained reasonable physical, technical, and administrative safeguards, compliant consistent with applicable Data Protection Requirementspractices in the industry in which the Company and its Subsidiaries operate, that are designed to protect Personal Information and other confidential data in their possession or under their control against loss, theft, misuse or unauthorized access, use, modification or disclosure; (iiiiv) the Company and its Subsidiaries have taken commercially reasonable steps to ensure that any third party to whom the Company and its Subsidiaries have granted access to Personal Information collected by or on behalf of the Company and its Subsidiaries has implemented and maintained the same; (v) there have been no breaches, security incidents, misuse of or unauthorized access to or disclosure of any Personal Information in the possession or control of the Company and its Subsidiaries or collected, used or processed by or on behalf of any of the Company and its Subsidiaries’ IT Systems that would require notification ; (vi) the Company and its Subsidiaries have not provided or been legally required to provide any notices to any Person in connection with any such breaches, security incidents, misuse of individualsor unauthorized access to or disclosure of any Personal Information in the possession or control of the Company and its Subsidiaries or collected, other affected parties, law enforcement, used or processed by or on behalf of any Governmental Authority under applicable Privacy Laws the Company and its Subsidiaries; and (ivvii) since January 1, 2019, neither the Company nor any of its Subsidiaries has received any written notice of any claims (including written notice from third parties acting on its behalf) ), of or been charged with, the violation of, any Data Protection RequirementsPrivacy Laws, applicable privacy policies, or contractual commitments with respect to Personal Information.

Privacy; Data Security. Except as would not have (a) The Company, the Company Subsidiaries, and, to the Company’s Knowledge, all third parties Processing Personal Information on behalf of any Company Subsidiary pursuant to a written agreement with the Company or a Company Material Adverse EffectSubsidiary (collectively, “Company Data Partners”), comply and have at all times since January 1, 2020 complied, in all material respects, with all applicable (i) the Company and its Subsidiaries are in compliance with (A) all applicable Privacy Laws, (Bii) all of external-facing policies, notices, and/or statements published by the Company’s policies regarding Company or a Company Subsidiary, as applicable, related to Personal Information (“Company Privacy PoliciesPolicy”), and (Ciii) all contractual commitments related to the Processing of Personal Information in a Company Material Contract (collectively, “Company Privacy Requirements”). All Company Privacy Policies are and have been materially accurate, consistent and complete and not misleading or deceptive (including by omission) in any material respect. To the Company’s contractual obligations with respect to the receipt, collection, compilation, use, storage, processing, sharing, safeguarding, security (technical, physical and administrative), disposal, destruction, disclosure, or transfer (including cross-border) of Personal Information (collectively with Privacy Laws and Privacy PoliciesKnowledge, the “Data Protection Requirements”); execution, delivery, and performance of this Agreement do not conflict with and will not result in a breach of any Company Privacy Requirements or require the consent of or provision of notice to any Person. (iib) the The Company and its Subsidiaries each Company Subsidiary have implemented and at all times since January 1, 2020 implemented and maintained commercially reasonable physical, technical, and administrative safeguards, compliant with applicable Data Protection Requirements, that are measures designed to protect Personal Information in their possession or under their control against lossany accidental, theft, misuse unlawful or unauthorized access, use, modification loss, disclosure, alteration, destruction, or disclosure; compromise (iiia “Security Incident”). To the Company’s Knowledge, none of the Company, the Company Subsidiaries, or, to the Company’s Knowledge, any Company Data Partners have experienced any material Security Incidents, including any successful ransomware attack or denial-of-service attack material to the Company or Company Subsidiary’s operations. In relation to any Security Incident and/or Company Privacy Requirement, none of the Company, the Company Subsidiaries, or, to the Company’s Knowledge, any Company Data Partners, have (i) there have notified or been no breachesrequired to notify any Person under Privacy Laws, security incidentsor (ii) received any notice, misuse of inquiry, request, claim, complaint, correspondence or unauthorized access to other communication from, or disclosure been the subject of any Personal Information in investigation or enforcement action by, any Person. To the possession Company’s Knowledge, there are no facts or control of the Company and its Subsidiaries or collected, used or processed by or on behalf of any the Company and its Subsidiaries’ IT Systems circumstances that would require notification reasonably be expected to give rise to the occurrence of individuals, other affected parties, law enforcement, (i) or any Governmental Authority under applicable Privacy Laws and (iv) since January 1, 2019, neither the Company nor any of its Subsidiaries has received any written notice of any claims (including written notice from third parties acting on its behalf) of or been charged with, the violation of, any Data Protection Requirementsii).

Privacy; Data Security. Except as would not not, individually or in the aggregate, reasonably be expected to have a Company Material Adverse Effect, the (i) the Company and its Subsidiaries Entities are in compliance with (A) all applicable Privacy Laws, (B) all of the Company’s policies regarding Personal Information (“Privacy Policies”), and (C) all of the Company’s contractual obligations with respect to the receipt, collection, compilation, use, storage, processing, sharing, safeguarding, security (technical, physical and administrative), disposal, destruction, disclosure, or transfer (including cross-border) of Personal Information (collectively with Privacy Laws and Privacy Policies, the “Data Protection Requirements”)Information; (ii) no Privacy Policies of the Company and its Subsidiaries Entities have contained any material omissions or been misleading or deceptive; (iii) the Company Entities have implemented and at all times maintained reasonable physical, technical, and administrative safeguards, compliant consistent with applicable Data Protection Requirementspractices in the industry in which the Company Entities operate, that are designed to protect Personal Information and other confidential data in their possession or under their control against loss, theft, misuse or unauthorized access, use, modification or disclosure; (iiiiv) the Company Entities have taken commercially reasonable steps to ensure that any third party to whom the Company Entities have granted access to Personal Information collected by or on behalf of the Company Entities has implemented and maintained the same; (v) there have been no breaches, security incidents, misuse of or unauthorized access to or disclosure of any Personal Information in the possession or control of the Company and its Subsidiaries Entities or collected, used or processed by or on behalf of any Company Entity; (vi) the Company and its Subsidiaries’ IT Systems that would require notification Entities have not provided or been legally required to provide any notices to any Person in connection with a disclosure of individuals, other affected parties, law enforcement, or any Governmental Authority under applicable Privacy Laws Personal Information; and (ivvii) since January 1, 2019, neither the no Company nor any of its Subsidiaries Entity has received any written notice of any claims (including written notice from third parties acting on its behalf) ), of or been charged with, the violation of, any Data Protection RequirementsPrivacy Laws, applicable privacy policies, or contractual commitments with respect to Personal Information, and there are no facts or circumstances that could reasonably be expected to form the basis of any such notice or claim.

Privacy; Data Security. Except as would not have a Company Material Adverse Effect, (i) the Company and its Subsidiaries are in compliance with (A) all applicable Privacy Laws, (B) all of the Company’s policies regarding Personal Information (“Privacy Policies”), and (C) all of the Company’s contractual obligations with With respect to the receiptoperation of the App, collectionSeller, compilationand, useto Seller’s Knowledge, storageall vendors, processing, sharing, safeguarding, security (technical, physical and administrative), disposal, destruction, disclosureprocessors, or transfer (including cross-border) other third parties acting for or on behalf of Seller in connection with the Processing of Personal Information (collectively with Privacy Laws and Privacy Policies, the “Data Protection Requirements”); (ii) the Company and its Subsidiaries have implemented and at all times maintained reasonable physical, technical, and administrative safeguards, compliant with applicable Data Protection Requirements, or that are designed to protect Personal Information in their possession or under their control against loss, theft, misuse or unauthorized access, use, modification or disclosure; (iii) there otherwise have been no breaches, security incidents, misuse of or unauthorized authorized to have access to or disclosure of any Personal Information in the possession or control of Seller, comply and at all times in the Company past have complied, in all material respects with all of the following in connection with the operation of the App: (A) Privacy Laws; (B) rules of self-regulatory organizations, including the Payment Card Industry Data Security Standard; (C) industry standards, guidelines and its Subsidiaries best practices, including the National Institute of Standards and Technology (NIST) Cybersecurity Framework; (D) the App Privacy and Data Security Policies; and (E) all obligations or collectedrestrictions concerning the privacy, used security or processed Processing of Personal Information under any Contract to which Seller is a party or otherwise bound as of the date hereof. (ii) To Seller’s Knowledge, the execution, delivery and performance of this Agreement and the consummation of the transactions contemplated hereby, including the transfer to Purchaser of all Personal Information in the possession or control of Seller in connection with the App, do not and will not: (A) conflict with or result in a violation or breach of any Privacy Laws or App Privacy and Data Security Policies (as currently existing or as existing at any time during which any Personal Information was collected or Processed by or on behalf for Seller in the operation of the App); or (B) require the consent of or notice to any person concerning such person’s Personal Information. (iii) Seller has posted to each of its websites and mobile applications and published or otherwise made available in connection with the App a Privacy and Data Security Policy. To Seller’s Knowledge, no disclosure or representation made or contained in any App Privacy and Data Security Policy has been found to be inaccurate, misleading, deceptive or in violation of any the Company and its Subsidiaries’ IT Systems that would require notification of individuals, other affected parties, law enforcement, or any Governmental Authority under applicable Privacy Laws and (iv) since January 1, 2019, neither the Company nor any of its Subsidiaries has received any written notice of any claims (including written notice from third parties acting on its behalf) by containing any material omission), and Seller’s practices with respect to the Processing of Personal Information in connection with the App conform, and at all times in the past have conformed, to the App Privacy and Data Security Policies that govern the use of such Personal Information in all material respects. Seller has delivered or been charged withmade available to Purchaser true, the violation of, any complete and correct copies of all App Privacy and Data Protection RequirementsSecurity Policies that are currently in effect.

Privacy; Data Security. Except as would not have a Company Material Adverse Effect, (i) the The Company and its Subsidiaries are is in compliance in all Material respects with (A) all applicable Privacy Laws, Privacy Policies and Privacy Contracts, and has collected, processed, stored, maintained, transferred, disclosed, secured, shared, or otherwise used Personal Information in compliance in all material respects with all applicable Privacy Laws, Privacy Policies and Privacy Contracts. There has been no notice to, complaint against, or Action (B) all of or, to the Company’s policies regarding Personal Information Knowledge, investigation) commenced against the Company by any Person (“Privacy Policies”), and (Cincluding any Governmental Authority) all of the Company’s contractual obligations with respect related to the receipt, collection, compilation, use, storage, distribution, transfer, or disclosure of, or unauthorized access to, Personal Information. (ii) The Company has complete and accurate records of all Persons who have notified the Company of such Person’s election not to receive any electronic communications or solicitations (“Opt-out Notifications”) from or on behalf of the Company. The Company has complied with all such Opt-out Notifications. (iii) To the Company’s Knowledge, the execution, delivery, or performance of this Agreement and consummation of transactions contemplated hereby will not violate any applicable Privacy Laws, Privacy Policies or Privacy Contracts or result in or give rise to any right of termination or other right to impair or limit Buyer’s rights to own or use any Personal Information used in or necessary for the conduct of the Business as presently conducted. Each Privacy Policy, and all materials distributed or marketed by the Company have at all times made all disclosures to employees, users, customers, prospective customers, and other applicable parties as the case may be, required by applicable Laws and none of such disclosures made or contained in any such materials have been inaccurate, misleading, or deceptive or in violation of any applicable Laws. (iv) There has been no notice to, complaint against or audit, proceeding or investigation conducted or claim asserted with respect to the Company by any Person (including any Governmental Authority) related to the collection, processing, sharinguse, safeguardingstorage, security (technicaldistribution, physical and administrative), disposal, destruction, disclosuretransfer, or transfer (including cross-border) disclosure of Personal Information (collectively with Privacy Laws each such event, an “Information Incident”) that would have a Material Adverse Effect. To the Company’s Knowledge: (i) no Information Incident has been overtly threatened, including the receipt of a demand for payment at the risk of losing access to data, and Privacy Policies, the “Data Protection Requirements”); (ii) the no event has occurred or circumstance exists that would have a Material Adverse Effect. (v) The Company and its Subsidiaries have implemented and at all times maintained reasonable physical, technicalis, and administrative safeguardsfor the past five (5) years has been, compliant in compliance with applicable Data Protection Requirements, that are designed to protect Personal Information in their possession or under their control against loss, theft, misuse or unauthorized access, use, modification or disclosure; (iii) there have been no breaches, security incidents, misuse of or unauthorized access to or disclosure of any Personal Information in the possession or control of the Company and its Subsidiaries or collected, used or processed by or on behalf of any the Company and its Subsidiaries’ IT Systems that would require notification of individuals, other affected parties, law enforcement, or any Governmental Authority under applicable Privacy Laws and (iv) since January 1, 2019, neither the Company nor any of its Subsidiaries has received any written notice of any claims (including written notice from third parties acting on its behalf) of or been charged with, the violation of, any Data Protection PCI Requirements.

Privacy; Data Security. Except as would not reasonably be expected, individually or in the aggregate, to be material to the Business and the Purchased Entity (and its Subsidiaries), taken as a whole: (a) the data, privacy and information security practices of the Purchased Entity (and Subsidiaries thereof) are, and since January 1, 2021, have a Company Material Adverse Effectbeen, in compliance with all (i) applicable Laws, (ii) contractual obligations or industry standards to which the Company and Purchased Entity or any of its Subsidiaries or, in respect of the Business, Seller or any of its Subsidiaries are in compliance with (A) all applicable Privacy Laws, (B) all of bound and the Company’s policies regarding Personal Information (“Privacy Policies”)Payment Card Industry Data Security Standard, and (Ciii) all with the Purchased Entity’s (and its Subsidiaries’) and, in respect of the CompanyBusiness, Seller’s contractual obligations with respect to (and its Subsidiaries’) publicly facing privacy and information security policies concerning the receipt, collection, compilation, use, storage, processing, sharing, safeguarding, security (technical, physical and administrative), disposal, destructiontransfer, disclosure, or transfer protection of Personally Identifiable Information; (including cross-borderclauses (i) of Personal Information through (collectively with Privacy Laws and Privacy Policiesiii), the collectively, “Data Protection Security Requirements”); ; (iib) the Company Purchased Entity (and Subsidiaries thereof) and Seller and its Subsidiaries have implemented and at all times maintained maintain reasonable and appropriate organizational, physical, technical, administrative and administrative safeguards, compliant with applicable Data Protection Requirements, that are technical safeguards designed to protect Personal the Information in their possession Technology owned by the Purchased Entity or under their control against lossits Subsidiaries, theft, misuse or unauthorized access, use, modification or disclosure; (iii) there have been no breaches, security incidents, misuse of or unauthorized access to or disclosure of together with any Personal Personally Identifiable Information in the possession or control of the Company and its Subsidiaries or collected, used held or processed by the Purchased Entity or on behalf of any its Subsidiaries in connection with the Company Business, against unauthorized access and its Subsidiaries’ IT Systems that would require notification of individuals, other affected parties, law enforcement, or any Governmental Authority under applicable Privacy Laws and misuse; and (ivc) since January 1, 20192021, neither to the Company nor Knowledge of Seller, there has been no breach, cybersecurity incident, or other third-party unauthorized access to any Personally Identifiable Information held or processed by any of Seller or its Subsidiaries has received any written notice of any claims (including written notice from third parties acting on its behalf) of or been charged withSubsidiaries, in each case, in connection with the violation of, any Data Protection RequirementsBusiness.

Privacy; Data Security. (a) Except as would not not, individually or in the aggregate, have a Company Material Adverse Effect, (i) the Systems perform in a manner that permits the Company and its the Company Subsidiaries are in compliance with (A) all applicable Privacy Laws, (B) all of the Company’s policies regarding Personal Information (“Privacy Policies”), and (C) all of the Company’s contractual obligations with respect to the receipt, collection, compilation, use, storage, processing, sharing, safeguarding, security (technical, physical and administrative), disposal, destruction, disclosure, or transfer (including cross-border) of Personal Information (collectively with Privacy Laws and Privacy Policies, the “Data Protection Requirements”)conduct their respective businesses as currently conducted; (ii) the Company and its the Company Subsidiaries have taken all commercially reasonable actions (A) to monitor and protect the confidentiality, integrity, operation and security of the Company Platforms and Systems, and (B) to implement and maintain business continuity, backup, security and disaster recovery plans, procedures and facilities; (iii) since January 1, 2018, to the Knowledge of the Company, there has been no corruption, malfunction or failure of, disruption to, or malicious code contained in, any Systems or Company Platforms; and (iv) to the Knowledge of the Company, there has been no unauthorized access, use, modification, interruption or corruption of the Systems or Company Platforms. (b) The Company and Company Subsidiaries are, and have been since January 1, 2018, in compliance in all material respects with, and not in material default or violation of, Privacy and Security Laws, Privacy Policies and Privacy Contracts, and neither the execution and delivery of this Agreement nor the consummation of the Transactions will violate any Privacy and Security Laws, Privacy Policies or Privacy Contracts in any material respect. (c) Except as would not, individually or in the aggregate, have a Company Material Adverse Effect, (i) no Privacy Policies of the Company or any Company Subsidiary have contained any omissions or been misleading or deceptive; (ii) the Company and Company Subsidiaries have implemented and at all times maintained reasonable physical, technical, and administrative safeguards, compliant consistent with applicable Data Protection Requirementsindustry practice, that are designed to protect Personal Information in their possession or under their control Relevant Data against loss, theft, misuse or unauthorized access, use, modification or disclosure; (iii) the Company and Company Subsidiaries have taken commercially reasonable steps to ensure that any Person to whom the Company or any Company Subsidiary has granted access to Relevant Data has implemented and maintained the same; and (iv) to the Knowledge of the Company, there has been no loss, theft, misuse or unauthorized access, use, modification or disclosure of Relevant Data. (d) Since January 1, 2018, (i) except as would not, individually or in the aggregate, have a Company Material Adverse Effect, to the Knowledge of the Company, there have been no (A) breaches, security incidents, misuse of or unauthorized access to or disclosure use of any Personal Information in the possession Systems or control any Relevant Data Processed thereon, stored or contained therein, or transmitted thereby or (B) unauthorized modifications or disclosures of any Relevant Data; (ii) the Company and its Company Subsidiaries have not provided or collectedbeen legally required to provide any notices to any Person in connection with any breaches, used security incidents, misuse or processed by unauthorized access to or on behalf use of any the Company and its Subsidiaries’ IT Systems that would require notification of individuals, other affected parties, law enforcementor Relevant Data, or unauthorized modifications or disclosures of any Governmental Authority under applicable Privacy Laws Relevant Data; and (iviii) since January 1, 2019, neither the Company nor any of its the Company Subsidiaries has received any written notice of any claims (including written notice from third parties Persons acting on its behalf) of any claim or been charged with, allegation of the violation of, or failure to comply with, any Data Protection RequirementsPrivacy and Security Laws, Privacy Policies or Privacy Contracts. No Action is pending or, to the Knowledge of the Company, threatened alleging any such violation or failure that has had, or would reasonably be expected to have, individually or in the aggregate, a Company Material Adverse Effect.

Privacy; Data Security. Except as would not have a Company Material Adverse Effect, (ia) the The Company and its Subsidiaries own, or have valid rights to access and use pursuant to a written agreement, all IT Systems. The IT Systems are (i) subject to commercially reasonable disaster recovery procedures, (ii) free from any defect, bug, virus, corruption, malicious code or other similar contaminants, and (iii) adequate and sufficient (including with respect to working condition and capacity) for, and operate and perform in all material respects as required in connection with, the conduct and operation of Group Companies as currently conducted. The Company and its Subsidiaries have taken all commercially reasonable efforts to protect the confidentiality, integrity and security of the IT Systems. During the three (3) years prior to the date of this Agreement, the IT Systems have not suffered a material failure or malfunction. There have been no unauthorized uses or intrusions of, or breaches (including any “security incident” (as defined in 45 C.F.R § 164.304) or “breach” (as defined in 45 C.F.R § 164.402)) to, the IT Systems of the Company or any Subsidiary of the Company, or any other loss, unauthorized disclosure or use of any sensitive or confidential information, including Personal Information, in the custody or control of the Group Companies. (b) The Company and each of its Subsidiaries are, and for the past three (3) years have been, in compliance with all privacy and security obligations to which they are subject under (Ai) all applicable privacy policies and online terms of use, (ii) any applicable Law, including Privacy Laws, (B) all of the Company’s policies regarding Personal Information (“Privacy Policies”), and (Ciii) any Contract, including all of contractual commitments that the Company’s contractual obligations Company or a Subsidiary has entered into with respect to the receipt, collection, compilation, use, storage, processing, sharing, safeguarding, security (technical, physical and administrative)security, disposal, destruction, disclosure, or transfer (including cross-border) of Personal Information or User Data (collectively with Privacy Laws and Privacy Policiescollectively, the “Data Protection Security Requirements”); . There have not been any investigations regarding, and neither the Company nor its Subsidiaries have received any written notice from any Governmental Authority or Person alleging, any violation of any Data Security Requirements. The Company and each of its Subsidiaries have provided accurate and complete disclosure with respect to their privacy policies and privacy and data security practices, including providing any type of notice and obtaining any type of consent required by Privacy Laws. (iic) the The Company and its Subsidiaries have implemented and at all times maintained reasonable physicalnot incorporated or used any open source Software in connection with any Software developed, technical, and administrative safeguards, compliant with applicable Data Protection Requirements, that are designed to protect Personal Information in their possession used or under their control against loss, theft, misuse or unauthorized access, use, modification or disclosure; (iii) there have been no breaches, security incidents, misuse of or unauthorized access to or disclosure of any Personal Information in the possession or control of otherwise exploited by the Company and its Subsidiaries or collectedany of their customers in a manner that requires the contribution, licensing, transfer, assignment, attribution or disclosure to any third Person of any portion of the source code of any Software developed, licensed, distributed used or processed otherwise exploited by or on behalf of any for the Company and or its Subsidiaries’ IT Systems that would require notification of individuals, . No source code owned by the Group Companies has been delivered or licensed to any other affected parties, law enforcementPerson, or is subject to any Governmental Authority under applicable Privacy Laws and (iv) since January 1, 2019, neither the Company nor any of its Subsidiaries has received any written notice of any claims (including written notice from third parties acting on its behalf) of source code escrow or been charged with, the violation of, any Data Protection Requirementsassignment obligation.