Privacy Policy

For the purposes of EU General Data Protection Regulation 2016/679 ("GDPR"), the UK Data Protection Act 2018 ("UK GDPR"), the Brazilian LGPD, Canadian PIPEDA, U.S. state privacy laws, and any equivalent law, the controller of your personal information is: PLAY PLAY CARDS S.R.L. Str. Drumul Pescarilor nr. 16 A, Olimp, Constanța, 905503, Romania Trade Register no. J2026023005004 · Tax identification (CUI): 54439120 Email: live@playplaycards.com We have not designated a statutory Data Protection Officer because we are not legally required to appoint one. For any data-related question or to exercise your rights, contact live@playplaycards.com.

We collect the following categories of personal information: (a) Information you provide: • Email address — when you subscribe, sign in, request our newsletter, contact us or submit a privacy request. • Condition interest — the medical topic(s) you have chosen to follow. This is a stated topic preference, NOT a medical diagnosis or health record, and is not Protected Health Information ("PHI") under HIPAA (we are not a covered entity). • Payment information — name, billing address, last 4 digits, card brand, expiry. Full card data is collected and processed directly by Stripe, Inc.; we never see or store full PAN or CVC. • Communications you send us (support, feedback, refund and privacy requests). (b) Information collected automatically: • Device and connection data — IP address, browser type and version, operating system, device identifiers, language, time zone, referrer URL. • Usage data — pages viewed, links clicked, time on page, scroll depth, search queries inside the Service, conversion events. • Cookies and similar technologies — see the Cookie Policy. • Approximate geolocation — derived from IP address (city / country level), used for fraud prevention, currency selection and regional legal disclosures. We do not collect precise GPS location. (c) Information from third parties: • Stripe — payment status, fraud signals, country, taxes. • Email delivery providers — bounce / unsubscribe signals. • Advertising platforms (Google Ads, Meta, etc., if and where we use them) — aggregated campaign attribution and hashed identifiers for conversion measurement, with your consent. • Hosting and analytics providers — diagnostic data. We do NOT knowingly collect any "special categories of personal data" / "sensitive personal information" within the meaning of GDPR Art. 9 or U.S. state privacy laws (e.g., precise health diagnoses, biometric identifiers, race, religion, sexual orientation, immigration status, genetic data). You agree not to submit such data via the Service. If you nevertheless provide such data, you give us your explicit consent to process it strictly for the purposes set out in this Policy and you may withdraw that consent at any time.

Purpose / Legal basis under GDPR (where applicable): • To provide and maintain the Service, including delivering newsletters and digital content you have subscribed to — Performance of a contract (Art. 6(1)(b)). • To process payments, send transactional emails, manage subscriptions and prevent payment fraud — Performance of a contract; Legitimate interests (Art. 6(1)(f)); Compliance with legal obligations (Art. 6(1)(c)). • To respond to support and privacy requests — Performance of a contract; Compliance with legal obligations. • To send marketing emails about our own products — Consent (Art. 6(1)(a)) where required, or our legitimate interest in promoting our own similar services with a clear opt-out (PECR / EU "soft opt-in"). • To measure and improve the Service via analytics and to operate non-personalized advertising — Legitimate interests; for personalized advertising and non-essential cookies, Consent. • To detect, prevent and investigate fraud, abuse, security incidents and breaches of the Terms — Legitimate interests; Compliance with legal obligations. • To comply with tax, accounting, consumer-protection and other legal obligations — Compliance with legal obligations (Romanian Fiscal Code, Law no. 227/2015, EU Directive 2006/112/EC on VAT, U.S. ROSCA, etc.). • To establish, exercise or defend legal claims — Legitimate interests; Art. 9(2)(f) for any incidentally-processed sensitive data. We do NOT engage in solely automated decision-making with legal or similarly significant effects within the meaning of GDPR Art. 22.

We disclose personal information only to the following categories of recipients, each of which is bound by appropriate contractual safeguards and acts as our processor / service provider (and NOT as an independent controller) except where noted: • Stripe, Inc. (USA) — payment processing. Independent controller for fraud prevention. • Vercel Inc. (USA) — application hosting and CDN. • Supabase Inc. (USA / EU) — database and authentication backend. • Anthropic PBC (USA) — generative-AI content production. We do not send personally identifying inputs to AI providers. • Google LLC (USA) — Google Analytics 4 and Google Ads (conversion measurement). Subject to your consent. • Email delivery providers (e.g., Resend, SendGrid, Mailchimp) — sending newsletters and transactional emails. • Professional advisors — lawyers, accountants, tax advisors, auditors. • Government authorities, courts, regulators and law enforcement — where we are legally required to disclose information, or to establish, exercise or defend our legal rights. • Acquirers in a corporate transaction — in the event of a merger, acquisition, reorganization, sale of assets, insolvency or similar event, personal information may be transferred or disclosed as part of that transaction, subject to confidentiality and the continued application of this Privacy Policy or a successor policy with at least equivalent protection. We do NOT sell personal information for monetary consideration. Sharing your email and condition interest with our email delivery provider in order to send you the newsletter constitutes "sharing" / "sale" under some U.S. state privacy laws (e.g., CCPA/CPRA) and is disclosed here; you may opt out at any time via our Do Not Sell / Share My Info page.

Because we use service providers based in the United States, your personal information may be transferred to, stored in, and processed in jurisdictions outside your country of residence, including the United States, that may not provide an equivalent level of protection to your home jurisdiction. We rely on the following safeguards under GDPR Chapter V / UK GDPR / Swiss FADP: • EU/UK Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 and the UK International Data Transfer Addendum). • Adequacy decisions where available (e.g., EU-U.S. Data Privacy Framework for self-certified recipients). • Supplementary technical and organizational measures (encryption in transit and at rest, access controls, pseudonymization where feasible). A copy of the safeguards we apply is available on request at live@playplaycards.com.

We retain personal information for as long as necessary for the purposes for which it was collected, including: • Active subscribers: for the lifetime of the subscription plus up to 6 months after cancellation for support, dispute resolution and fraud prevention. • Billing records and invoices: 10 years under the Romanian Accounting Law no. 82/1991 and the Fiscal Procedure Code. • Newsletter subscribers (free): until you unsubscribe, plus a suppression list maintained indefinitely to honour your unsubscribe request. • Server, security and access logs: typically 90 days, unless a longer retention is required to investigate a security incident. • Privacy / consumer-rights requests: 2 years after closure, to demonstrate compliance. Once the retention period has elapsed, we delete or irreversibly anonymize the data.

We implement appropriate technical and organizational measures designed to protect personal information against unauthorized access, loss, alteration or disclosure, including HTTPS/TLS encryption in transit, encryption at rest by our hosting providers, role-based access controls, multi-factor authentication for internal accounts, regular dependency updates, audit logging, and breach-response procedures. No security measure is, however, 100% effective. In the event of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the competent supervisory authority within 72 hours where required by GDPR Art. 33 and affected users without undue delay where required by Art. 34 (or equivalent state-law breach-notification statutes).

If you are located in the EEA, the UK or Switzerland you have the following rights under GDPR / UK GDPR / FADP, subject to applicable exceptions: • Right of access (Art. 15) — obtain confirmation as to whether we process your data and a copy. • Right to rectification (Art. 16) — correct inaccurate or incomplete data. • Right to erasure / right to be forgotten (Art. 17). • Right to restriction of processing (Art. 18). • Right to data portability (Art. 20) — receive a structured, commonly used, machine-readable copy and transmit it to another controller. • Right to object (Art. 21), including to direct marketing. • Right to withdraw consent at any time, without affecting the lawfulness of processing before withdrawal. • Right not to be subject to a decision based solely on automated processing (Art. 22). • Right to lodge a complaint with a supervisory authority — in Romania, ANSPDCP (Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal, https://www.dataprotection.ro); in the UK, the ICO (https://ico.org.uk); or your local supervisory authority. To exercise any right, email live@playplaycards.com. We will respond without undue delay and in any case within one month of receipt (extendable by two months for complex requests). There is no fee for the first request in any given period; we may charge a reasonable fee or refuse manifestly unfounded or excessive requests. We may need to verify your identity by asking you to confirm details associated with your account.

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA/CPRA"), gives you the following rights: • Right to know what categories of personal information we collect, the sources, the business or commercial purposes, and the categories of third parties to whom we disclose it. • Right of access to the specific pieces of personal information we hold about you. • Right to delete personal information we collected from you, subject to statutory exceptions. • Right to correct inaccurate personal information. • Right to opt out of the sale or sharing of personal information for cross-context behavioural advertising. To exercise this right, visit /do-not-sell/ or email live@playplaycards.com. • Right to limit the use of sensitive personal information (we do not knowingly collect sensitive PI as defined under CPRA). • Right to non-discrimination for exercising your rights. • Right to designate an authorized agent to make a request on your behalf (we will require written proof of authorization). We honour the Global Privacy Control (GPC) signal as a valid opt-out of sale/sharing where it is sent. In the preceding 12 months we have disclosed the following categories of personal information for a business purpose: identifiers (email), commercial information (subscription data), internet activity (usage data), inferences (topic preferences). We have "shared" identifiers (email) with our email delivery providers and, where you consented, with Google for advertising attribution. We do NOT use or disclose sensitive personal information for purposes that would trigger the right to limit under Cal. Civ. Code § 1798.121. Categories of recipients are listed in Section 4. We retain personal information for the periods described in Section 6. "Shine the Light" (Cal. Civ. Code § 1798.83): California residents may request information about disclosures of personal information to third parties for direct marketing purposes; we do not disclose information for third parties' direct marketing. To submit a request, visit /do-not-sell/ or email live@playplaycards.com with the subject line "California Privacy Request". We will respond within 45 days (extendable by another 45 days).

If you are a resident of Colorado (CPA), Connecticut (CTDPA), Virginia (VCDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (INCDPA), Delaware (DPDPA), New Jersey (NJDPA), New Hampshire (NHPA), Minnesota (MNCDPA), Maryland (MODPA), Rhode Island (RIDTPPA) or any other U.S. state with a comprehensive consumer privacy law in force, you have the right, subject to that law's specific scope and exceptions, to: (i) confirm whether we process your personal data and access it; (ii) correct inaccuracies; (iii) request deletion; (iv) obtain a portable copy; and (v) opt out of (a) sale of personal data, (b) targeted advertising, and (c) profiling in furtherance of decisions producing legal or similarly significant effects (we do not engage in such profiling). Where the applicable law provides, you also have the right to appeal a refusal of your request — to appeal, reply to our refusal email. Submit requests to live@playplaycards.com. We honour the Global Privacy Control where applicable.

If you are in Canada, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial laws (including Quebec's Law 25 / Loi 25) give you the rights of access, correction, withdrawal of consent, data portability (Quebec), and the right to lodge a complaint with the Office of the Privacy Commissioner of Canada (https://www.priv.gc.ca) or the Commission d'accès à l'information du Québec (https://www.cai.gouv.qc.ca). We comply with Canada's Anti-Spam Legislation (CASL): we obtain consent (express or implied as permitted by CASL) before sending commercial electronic messages, identify ourselves clearly, and provide an unsubscribe mechanism in every commercial email.

Residents of Brazil benefit from the rights granted by Lei Geral de Proteção de Dados (Lei nº 13.709/2018), including access, correction, anonymization, blocking, deletion, portability and the right to lodge a complaint with the Autoridade Nacional de Proteção de Dados (ANPD). Australian users benefit from the Australian Privacy Act 1988 and the Australian Privacy Principles. Swiss residents benefit from the Federal Act on Data Protection (FADP). To exercise any of these rights, email live@playplaycards.com.

The Service is not directed to and may not be used by children under 13. We do not knowingly collect personal information from children under 13. In jurisdictions where the digital age of consent under GDPR is higher than 13 (16 in many EU Member States), we do not knowingly collect personal information from children under that age without verifiable parental consent. If you believe that we may have collected information from a child, please contact live@playplaycards.com and we will promptly investigate and delete the information.

Marketing emails are sent only to recipients who have consented or qualify under an applicable "soft opt-in" / implied consent exemption. Every marketing email identifies the sender (PLAY PLAY CARDS S.R.L.), includes our physical postal address, identifies itself clearly as an advertisement where required, and contains a one-click unsubscribe link that is honoured within 10 business days (typically within minutes). Transactional emails (receipts, renewal reminders, security alerts, subscription changes) are excluded from the unsubscribe mechanism because they are necessary to perform the contract; if you wish to stop receiving them you may close your account.

The Service is NOT a "covered entity" or "business associate" within the meaning of the U.S. Health Insurance Portability and Accountability Act (HIPAA). We do not provide healthcare services. The information we collect (email address and stated topic interest) is not "protected health information" under HIPAA. You should not submit any protected health information through the Service.

See our Cookie Policy at /cookie-policy/ for the full list of cookies, similar technologies, their purposes, retention periods and how to manage your preferences. Non-essential cookies (analytics, advertising) are only set with your prior consent, captured via our cookie banner using Google Consent Mode v2.

Some browsers transmit "Do Not Track" signals. There is currently no industry consensus on how to interpret DNT signals; we do not respond to them. We do honour the Global Privacy Control (GPC) as an opt-out of sale/sharing for U.S. state-law purposes where required.

We may update this Privacy Policy from time to time to reflect changes in our practices or applicable law. The most recent version is always available at this URL with an updated "Last Updated" date. Material changes will be notified to active users by email at least 30 days in advance where required by law.

For any privacy question, to exercise your rights, or to submit a complaint: PLAY PLAY CARDS S.R.L. — Privacy Team Str. Drumul Pescarilor nr. 16 A, Olimp, Constanța, 905503, Romania live@playplaycards.com If you are unsatisfied with our response, you have the right to lodge a complaint with the supervisory authority of your country of residence (see Sections 8-12).