Outercircl Legal

Privacy Policy

Last updated: 18 March 2026

OUTERCIRCL Privacy Policy Last updated: 18 March 2026 Version 1.0

This Privacy Notice for Outercircl Limited ('we', 'us', or 'our') describes how and why we might access, collect, store, use, and/or share ('process') your personal information when you use our services ('Services'), including when you:

This Privacy Notice is issued in accordance with Article 13 and 14 of the General Data Protection Regulation (EU) 2016/679 ('GDPR'), the Irish Data Protection Act 2018, and the Irish ePrivacy Regulations 2011 (S.I. No. 336 of 2011). As an organisation based in Ireland, Outercircl Limited is subject to the supervision of the Data Protection Commission ('DPC') as the competent supervisory authority.

Data Protection Officer (DPO): Outercircl Limited has not designated a formal Data Protection Officer at this stage, as we do not meet the mandatory thresholds under Article 37 GDPR for DPO appointment. Queries relating to data protection should be directed to [email protected].

  • Visit our website at https://outercircle.com or any website of ours that links to this Privacy Notice
  • Download and use our mobile application (Outercircl), or any other application of ours that links to this Privacy Notice
  • Use Outercircl \u2014 a social wellness platform that connects users to in-person, interest-based activities and events also known as Circls. All activities and events are user-generated and are not affiliated with Outercircl unless clearly stated otherwise as an Outercircl-hosted activity or event
  • Engage with us in other related ways, including any marketing or events

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at [email protected].

SUMMARY OF KEY POINTS This summary provides key points from our Privacy Notice. You can find full details by reviewing the relevant section below.

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use.

Do we process any sensitive personal information? Some information may be considered 'special' or 'sensitive' in certain jurisdictions, such as racial or ethnic origins, or financial data. We may process sensitive personal information when necessary with your consent or as otherwise permitted by applicable law.

Do we collect any information from third parties? We may collect information from public databases, marketing partners, social media platforms, and other outside sources.

How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent.

How do we keep your information safe? We have appropriate organisational and technical processes and procedures in place to protect your personal information. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure.

What are your rights? Depending on where you are located, the applicable privacy law may mean you have certain rights regarding your personal information. See Section 13 for full details.

How do you exercise your rights? The easiest way is by submitting a data subject access request or by contacting us directly at [email protected]. We will consider and act upon any request in accordance with applicable data protection laws.

TABLE OF CONTENTS 1. What Information Do We Collect? 2. How Do We Process Your Information? 3. What Legal Bases Do We Rely On To Process Your Personal Information? 4. When And With Whom Do We Share Your Personal Information? 5. What Is Our Stance On Third-Party Websites? 6. Do We Use Cookies And Other Tracking Technologies? 7. How Do We Handle Your Social Logins? 8. Our Data Compliance Model (Authentication, Profile Data & Payments) 9. Do We Transfer Your Data Internationally? 10. How Long Do We Keep Your Information? 11. How Do We Keep Your Information Safe? 12. Do We Collect Information From Minors? 13. What Are Your Privacy Rights? 14. Controls For Do-Not-Track Features 15. Do We Make Updates To This Notice? 16. How Can You Contact Us About This Notice? 17. How Can You Review, Update, Or Delete The Data We Collect From You?

1. WHAT INFORMATION DO WE COLLECT? Personal Information You Disclose To Us In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You. The personal information we collect may include the following:

  • Names
  • Phone numbers
  • Email addresses
  • Mailing addresses
  • Usernames
  • Contact preferences
  • Contact or authentication data
  • Billing addresses

Sensitive Information. When necessary, with your consent or as otherwise permitted by applicable law, we process the following categories of sensitive information:

  • Financial data
  • Information revealing race or ethnic origin (where provided as part of profile or event participation)
  • Student data

Payment Data. We may collect data necessary to process your payment if you choose to make purchases, such as your payment instrument number and associated security code. All payment data is handled and stored by Stripe. You may find their privacy notice at: stripe.com/ie/privacy.

Social Media Login Data We may provide you with the option to register using your existing social media account details (such as Google, Facebook, or X). If you choose to register this way, we will collect certain profile information from the social media provider. See Section 7 \u2014 'How Do We Handle Your Social Logins?' \u2014 for more detail.

Application Data If you use our application(s), we may also collect the following information if you choose to provide us with access or permission:

  • Geolocation Information: We may request access to track location-based information from your mobile device, either continuously or while you are using our application(s), to provide certain location-based services. You may change our access in your device settings.
  • Mobile Device Access: We may request access to certain features from your mobile device, including your calendar, contacts, reminders, SMS messages, and social media accounts. You may change our access in your device settings.
  • Mobile Device Data: We automatically collect device information such as your mobile device ID, model, manufacturer, operating system, version information, browser type and version, hardware model, internet service provider and/or mobile carrier, and IP address.
  • Push Notifications: We may request to send you push notifications regarding your account or certain features of our application(s). You may turn these off in your device settings.

Information Automatically Collected In Short: Some information \u2014 such as your IP address and browser and device characteristics \u2014 is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity but may include device and usage information such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain security and for internal analytics and reporting purposes.

Like many businesses, we also collect information through cookies and similar technologies. The information we collect includes:

  • Log and Usage Data: Service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services, including your IP address, device information, browser type, date/time stamps, pages and files viewed, searches, and other actions you take.
  • Device Data: Information about your computer, phone, tablet, or other device used to access the Services, including your IP address, device and application identification numbers, location, browser type, hardware model, internet service provider and/or mobile carrier, and operating system.
  • Location Data: Information about your device's location, which can be either precise or imprecise. You can opt out by refusing access or disabling your Location setting on your device, though this may affect certain features.
  • Behavioural Data: Behaviour and usage of Outercircl platforms including, but not limited to, activities and events joined or created, search behaviour within the platform, event categories browsed, and frequency of platform use.

Google API Our use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. See: developers.google.com/terms/api-services-user-data-policy

Information Collected From Other Sources In Short: We may collect limited data from public databases, marketing partners, social media platforms, and other outside sources.

In order to enhance our ability to provide relevant marketing, offers, and services to you and update our records, we may obtain information about you from other sources, such as public databases, joint marketing partners, affiliate programmes, data providers, social media platforms, and other third parties. This information includes mailing addresses, job titles, email addresses, phone numbers, intent data (user behaviour data), IP addresses, social media profiles, social media URLs, and custom profiles, for purposes of targeted advertising and event promotion.

If you interact with us on a social media platform using your social media account, we receive personal information about you from such platforms such as your name, email address, and gender. You have the right to withdraw your consent to processing your personal information at any time.

2. HOW DO WE PROCESS YOUR INFORMATION? In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

  • To facilitate account creation and authentication and otherwise manage user accounts: We may process your information so you can create and log in to your account, as well as keep your account in working order.
  • To deliver and facilitate delivery of services to the user: We may process your information to provide you with the requested service.
  • To respond to user enquiries and offer support to users: We may process your information to respond to your enquiries and solve any potential issues you might have with the requested service.
  • To send administrative information to you: We may process your information to send you details about our products and services, changes to our terms and policies, and other similar information.
  • To fulfil and manage your orders: We may process your information to fulfil and manage your orders, payments, returns, and exchanges made through the Services.
  • To enable user-to-user communications: We may process your information if you choose to use any of our offerings that allow for communication with another user.
  • To request feedback: We may process your information when necessary to request feedback and to contact you about your use of our Services.
  • To send you marketing and promotional communications: We may process the personal information you send to us for our marketing purposes, if this is in accordance with your marketing preferences. You can opt out of our marketing emails at any time.
  • To deliver targeted advertising to you: We may process your information to develop and display personalised content and advertising tailored to your interests, location, and more. Anonymised search behaviour and browsing activity may be used for this purpose \u2014 data will always be anonymised before use for advertising.
  • To protect our Services: We may process your information as part of our efforts to keep our Services safe and secure, including fraud monitoring and prevention.
  • To identify usage trends: We may process information about how you use our Services to better understand how they are being used so we can improve them.
  • To improve and personalise the platform: Your activity data, event preferences, and usage patterns are used to personalise your experience \u2014 including surfacing relevant events and improving recommendations. This data is also used in aggregate and anonymised form to improve features and develop the platform over time.
  • To determine the effectiveness of our marketing and promotional campaigns: We may process your information to better understand how to provide marketing and promotional campaigns that are most relevant to you.
  • To save or protect an individual's vital interest: We may process your information when necessary to save or protect an individual's vital interest, such as to prevent harm.

3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR INFORMATION? In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e. legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with services to enter into or fulfil our contractual obligations, to protect your rights, or to fulfil our legitimate business interests.

The General Data Protection Regulation (GDPR) requires us to explain the valid legal bases we rely on in order to process your personal information. We may rely on the following legal bases:

  • Consent (Article 6(1)(a)): We may process your information if you have given us permission to use your personal information for a specific purpose. You can withdraw your consent at any time by contacting us or updating your preferences.
  • Performance of a Contract (Article 6(1)(b)): We may process your personal information when we believe it is necessary to fulfil our contractual obligations to you, including providing our Services or at your request prior to entering into a contract with you.
  • Legitimate Interests (Article 6(1)(f)): We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests and those interests do not outweigh your interests and fundamental rights and freedoms. For example, we may process your personal information to:
  • Send users information about special offers and discounts on our products and services
  • Develop and display personalised and relevant advertising content for our users
  • Analyse how our Services are used so we can improve them to engage and retain users
  • Support our marketing activities
  • Diagnose problems and/or prevent fraudulent activities
  • Understand how our users use our products and services so we can improve user experience
  • Legal Obligations (Article 6(1)(c)): We may process your information where we believe it is necessary for compliance with our legal obligations, such as to cooperate with a law enforcement body or regulatory agency, exercise or defend our legal rights, or disclose your information as evidence in litigation in which we are involved.
  • Vital Interests (Article 6(1)(d)): We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as situations involving potential threats to the safety of any person.

4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION? In Short: We may share information in specific situations described in this section and/or with the following categories of third parties.

Vendors, Consultants, and Other Third-Party Service Providers. We may share your data with third-party vendors, service providers, contractors, or agents ('third parties') who perform services for us or on our behalf and require access to such information to do that work. We have contracts in place with our third parties designed to safeguard your personal information. They cannot do anything with your personal information unless we have instructed them to do so, and they commit to protect the data they hold on our behalf.

The categories of third parties we may share personal information with are as follows:

  • Ad Networks
  • AI Platforms
  • Cloud Computing Services
  • Communication & Collaboration Tools
  • Data Analytics Services (including PostHog EU Cloud)
  • Data Storage Service Providers
  • Finance & Accounting Tools
  • Payment Processors (Stripe)
  • Performance Monitoring Tools
  • Product Engineering & Design Tools
  • Retargeting Platforms
  • Sales & Marketing Tools
  • Social Networks
  • Testing Tools
  • User Account Registration & Authentication Services (Supabase, Google)
  • Website Hosting Service Providers

We also may need to share your personal information in the following situations:

  • Business Transfers: We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
  • When we use Google Maps Platform APIs: We may share your information with certain Google Maps Platform APIs (e.g. Google Maps API, Places API) to retrieve location-specific information. Google Maps uses GPS, Wi-Fi, and cell towers to estimate your location. We obtain and store on your device ('cache') your location. You may revoke your consent anytime by contacting us.
  • Other Users: When you share personal information (for example, by posting comments, contributions, or other content to the Services) or otherwise interact with public areas of the Services, such personal information may be viewed by all users and may be publicly available outside the Services. Other users will be able to view descriptions of your activity, communicate with you within our Services, and view your profile.
  • Legal Requirements: We may disclose data where required to do so by law, court order, or the Data Protection Commission (DPC) of Ireland.

5. WHAT IS OUR STANCE ON THIRD-PARTY WEBSITES? In Short: We are not responsible for the safety of any information that you share with third parties that we may link to or who advertise on our Services, but are not affiliated with, our Services.

The Services may link to third-party websites, online services, or mobile applications and/or contain advertisements from third parties that are not affiliated with us and which may link to other websites, services, or applications. Accordingly, we do not make any guarantee regarding any such third parties, and we will not be liable for any loss or damage caused by the use of such third-party websites, services, or applications. The inclusion of a link towards a third-party website, service, or application does not imply an endorsement by us. We cannot guarantee the safety and privacy of data you provide to any third-party websites. Any data collected by third parties is not covered by this Privacy Notice. We are not responsible for the content, privacy, or security practices and policies of any third parties.

6. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES? In Short: We may use cookies and other tracking technologies to collect and store your information, in compliance with the GDPR and the Irish ePrivacy Regulations 2011 (S.I. No. 336 of 2011).

The ePrivacy Regulations apply in addition to, and alongside, the GDPR. Under the ePrivacy Regulations, we are required to obtain your prior informed consent before placing non-essential cookies or similar tracking technologies on your device. The ePrivacy Regulations take precedence over the GDPR in respect of cookies and electronic communications.

We may use cookies and similar tracking technologies (like web beacons and pixels) to gather information when you interact with our Services. Some online tracking technologies help us maintain the security of our Services and your account, prevent crashes, fix bugs, save your preferences, and assist with basic site functions. These strictly necessary cookies do not require your consent as they are essential to deliver the service you have requested.

We also permit third parties and service providers to use online tracking technologies on our Services for analytics and advertising, including to help manage and display advertisements and to tailor advertisements to your interests. These non-essential cookies require your prior consent before being placed on your device. The third parties and service providers use their technology to provide advertising about products and services tailored to your interests which may appear either on our Services or on other websites.

Cookie Consent Requirements. In line with DPC guidance and Irish ePrivacy Regulations:

  • Pre-ticked boxes or assumed consent are not valid \u2014 consent must be a clear, affirmative action
  • You must be able to withdraw consent as easily as you gave it
  • Consent for cookies must not be bundled with acceptance of terms and conditions
  • Non-essential cookies will not be placed on your device until you have given valid consent

Specific information about how we use such technologies and how you can refuse certain cookies is set out in our Cookie Policy, available at outercircle.com/cookies.

Google Analytics We may share your information with Google Analytics to track and analyse the use of the Services. To opt out of being tracked by Google Analytics across the Services, visit https://tools.google.com/dlpage/gaoptout. For more information on the privacy practices of Google, please visit the Google Privacy & Terms page at policies.google.com/privacy.

PostHog Analytics We use PostHog EU Cloud (hosted in Frankfurt, Germany) to collect and analyse platform usage data. The following privacy measures are in place:

  • IP addresses are anonymised before storage and are never retained in identifiable form
  • Analytics data is pseudonymised \u2014 linked to internal user identifiers, not directly to your name or email
  • Input fields containing personal data (such as name and email fields) are masked and excluded from session recordings
  • All analytics data is stored on EU servers subject to EU data protection law
  • PostHog processes data under a Data Processing Agreement with Outercircl

You can manage your analytics preferences through our cookie consent settings.

7. HOW DO WE HANDLE YOUR SOCIAL LOGINS? In Short: If you choose to register or log in to our Services using a social media account, we may have access to certain information about you.

Our Services offer you the ability to register and log in using your third-party social media account details (such as your Google or Facebook login). Where you choose to do this, we will receive certain profile information about you from your social media provider. The profile information we receive may vary depending on the social media provider concerned, but will often include your name, email address, and profile picture, as well as other information you choose to make public on such a social media platform.

We will use the information we receive only for the purposes that are described in this Privacy Notice or that are otherwise made clear to you on the relevant Services. Please note that we do not control, and are not responsible for, other uses of your personal information by your third-party social media provider. We recommend that you review their privacy notice to understand how they collect, use, and share your personal information.

8. OUR DATA COMPLIANCE MODEL There is no single, uniform approach to data compliance at Outercircl. Our obligations depend on the type of data collected and the role Outercircl plays with respect to that data. Outercircl operates a deliberate hybrid compliance model: we retain full control and responsibility over core product data, while leveraging established, regulated third-party providers for authentication and payment processing. This structure is a conscious risk-reduction strategy \u2014 it reduces our regulatory and security exposure in areas where specialist processors are better placed to maintain compliance, while keeping us fully accountable for the data that defines the Outercircl experience.

For clarity, our data is categorised and governed as follows:

8.1 Authentication and User Account Data Authentication is currently implemented via passwordless (magic link) login using Supabase, with identity services provided by Google.

Role: Outercircl acts as the data controller. Supabase and its underlying identity providers (including Google) act as data processors.

Authentication data is processed and stored by these third parties in accordance with their respective security and compliance frameworks. Outercircl's obligations in respect of authentication data are expressly limited to:

  • Appropriate disclosure of the processors and their roles (as set out in this Privacy Policy)
  • Ongoing vendor due diligence to ensure processors maintain adequate technical and organisational security measures in line with GDPR requirements
  • Ensuring that valid and enforceable Data Processing Agreements (DPAs) are in place with Supabase and all underlying identity providers

Outercircl does not directly store authentication credentials. All authentication tokens and session data are managed by Supabase in accordance with its own security and compliance framework.

8.2 Onboarding and Profile Data Data collected through onboarding forms and profile setup is collected for the sole purpose of providing the Outercircl service.

Role: Outercircl acts as the data controller and is solely responsible for this data.

Outercircl owns and controls all onboarding and profile data and is solely and fully responsible for its lawful collection, storage, use, retention, and deletion. This data is governed exclusively by this Privacy Policy and Outercircl's Terms & Conditions, which together provide:

  • A clear description of the purpose for which data is collected
  • The legal basis for processing under GDPR Article 6
  • Access controls limiting who can view and process this data
  • Full transparency on your rights as a data subject, including the right to access, rectify, erase, and port your data

Unlike authentication data, there is no delegation of control or responsibility for this category. If you have any query relating to your onboarding or profile data, Outercircl is your sole point of contact.

8.3 Payment Information All payment information is processed by Stripe, Inc., which acts as an independent data processor and regulated payment service provider.

Role: Stripe acts as an independent data processor. Outercircl does not act as a data controller for payment data.

Outercircl does not store, process, or transmit cardholder data, banking information, or any payment card details. All such data is collected, processed, and stored directly by Stripe in accordance with:

  • Stripe's own Privacy Policy (available at stripe.com/ie/privacy)
  • PCI DSS (Payment Card Industry Data Security Standard) compliance requirements
  • Applicable financial services regulation

Outercircl's responsibilities with respect to payment data are expressly limited to:

  • Disclosure of Stripe's role as payment processor in this Privacy Policy
  • Ensuring that a valid Data Processing Agreement and contractual coverage is in place with Stripe

Any queries relating to the processing of your payment data should be directed to Stripe directly via stripe.com/ie/privacy.

Summary This structure represents a deliberate and transparent hybrid compliance model. Outercircl retains full controller responsibility over the data that defines your experience on the platform \u2014 your profile, activity, and preferences \u2014 while delegating authentication and payment processing to established, regulated third-party providers who are better positioned to manage the security and compliance requirements of those specialist functions. This approach reduces risk for both Outercircl and its users.

9. DO WE TRANSFER YOUR DATA INTERNATIONALLY? In Short: We may transfer, store, and process your information in countries other than your own, with appropriate safeguards in place.

Our servers and those of our third-party processors are primarily located within the European Economic Area (EEA). However, some of our third-party providers may process data outside the EEA, including in the United States. Where such transfers occur, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, including:

  • Standard Contractual Clauses (SCCs): Where transfers occur to countries without an EU adequacy decision, we rely on the European Commission's standard contractual clauses as the transfer mechanism, as updated by Commission Implementing Decision (EU) 2021/914.
  • Adequacy Decisions: Where the European Commission has determined that a third country provides an adequate level of protection, we may rely on that decision as the basis for transfer.
  • Processor-Specific Safeguards: Supabase and Stripe maintain their own GDPR-compliant transfer mechanisms, which we verify as part of our vendor due diligence obligations.

EU data residency: Our analytics provider PostHog processes and stores data exclusively within the EU (Frankfurt, Germany), and no data transfer outside the EEA occurs in connection with PostHog.

You may request a copy of the transfer safeguards we rely on by contacting us at [email protected].

10. HOW LONG DO WE KEEP YOUR INFORMATION? In Short: We keep your information for as long as necessary to fulfil the purposes outlined in this Privacy Notice unless otherwise required by law.

We will only keep your personal information for as long as it is necessary for the purposes set out in this Privacy Notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements). No purpose in this notice will require us to keep your personal information for longer than twelve (12) months past the termination of the user's account.

Our general retention practices are:

  • Account and profile data: Retained for the duration of your account and up to 12 months following account deletion, unless a longer period is required by law
  • Event activity data: Retained for the duration of your account and a reasonable period thereafter for platform integrity and dispute resolution purposes
  • Analytics data: Retained in anonymised or pseudonymised form for up to 24 months for platform improvement purposes
  • Authentication logs: Retained for a limited period for security and fraud prevention purposes
  • Payment records: Retained as required by Irish financial and tax law (typically 7 years)

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise such information, or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.

11. HOW DO WE KEEP YOUR INFORMATION SAFE? In Short: We aim to protect your personal information through a system of organisational and technical security measures.

We have implemented appropriate and reasonable technical and organisational security measures designed to protect the security of any personal information we process. These measures include:

  • Passwordless (magic link) authentication to eliminate password-related security risks
  • Encrypted data transmission (TLS/HTTPS) across all platform communications
  • Access controls limiting data access to authorised personnel only
  • Regular security assessments and vendor due diligence
  • Data Processing Agreements with all third-party processors

However, despite our safeguards and efforts to secure your information, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure. We cannot promise or guarantee that hackers, cybercriminals, or other unauthorised third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information. Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Data Protection Commission within 72 hours and notify affected users without undue delay, in accordance with our obligations under Articles 33 and 34 GDPR.

12. DO WE COLLECT INFORMATION FROM MINORS? In Short: We do not knowingly collect data from or market to children under 16 years of age. The digital age of consent in Ireland is 16 under the Data Protection Act 2018.

Under the Irish Data Protection Act 2018 and Article 8 of the GDPR, the digital age of consent in Ireland is 16 years of age. This means that where we rely on consent as the legal basis for processing personal data in connection with our online services, only persons aged 16 or over may provide their own valid consent. Where a person is under 16, consent must be given or authorised by the holder of parental responsibility over that child.

Our Services are not directed at children under the age of 16. We do not knowingly collect, solicit data from, or market to children under 16 years of age, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 16 years of age.

If we learn that personal information from users less than 16 years of age has been collected without verified parental consent, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 16, please contact us at [email protected].

Note: Under the Data Protection Act 2018, it is an offence to process the personal data of a child under 18 for the purposes of direct marketing, profiling, or micro-targeting. Outercircl does not process the personal data of anyone known to be under 18 for any such purpose.

13. WHAT ARE YOUR PRIVACY RIGHTS? In Short: In some regions, such as the European Economic Area (EEA), United Kingdom (UK), and Switzerland, you have rights that allow you greater access to and control over your personal information. You may review, change, or terminate your account at any time, depending on your country, province, or state of residence.

In some regions (like the EEA, UK, and Switzerland), you have certain rights under applicable data protection laws. These may include the right:

  • Right of Access (Article 15): To request access and obtain a copy of your personal information
  • Right to Rectification (Article 16): To request rectification or erasure of inaccurate or incomplete personal information
  • Right to Erasure (Article 17): To request deletion of your personal data where it is no longer necessary or where you withdraw consent
  • Right to Restriction of Processing (Article 18): To restrict the processing of your personal information in certain circumstances
  • Right to Data Portability (Article 20): To receive your personal data in a structured, machine-readable format
  • Right to Object (Article 21): Not to be subject to automated decision-making, and to object to processing based on legitimate interests

Automated Decision-Making. We do not currently make decisions based solely on automated processing that produce significant legal or similarly significant effects on you. If this practice changes in the future, we will update this Privacy Notice accordingly and provide you with meaningful information about the logic involved and the significance and consequences of such processing.

Obligation to Provide Data. Where we collect your personal data to fulfil a contract with you or to comply with a legal obligation, providing such data is a requirement. Where provision is voluntary (e.g. optional profile fields), we will make this clear at the point of collection. Failure to provide required data may mean we are unable to provide the Services to you.

You can make such a request by contacting us using the contact details provided in Section 15 below.

We will consider and act upon any request in accordance with applicable data protection laws.

If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority or the UK data protection authority (ico.org.uk).

If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner (edoeb.admin.ch).

Ireland \u2014 Data Protection Commission (DPC): 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland Phone: +353 (0)1 765 0100 | Website: www.dataprotection.ie

Withdrawing Your Consent If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. You can withdraw your consent by contacting us using the contact details provided in Section 15 below or by updating your preferences. Please note that this will not affect the lawfulness of the processing before its withdrawal.

Opting Out of Marketing and Promotional Communications You can unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails that we send, or by contacting us using the details provided in Section 15 below. You will then be removed from the marketing lists. However, we may still communicate with you for service-related messages that are necessary for the administration and use of your account.

Account Information If you would at any time like to review or change the information in your account or terminate your account, you can log in to your account settings and update your user account.

Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, we may retain some information in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our legal terms and/or comply with applicable legal requirements.

Cookies and Similar Technologies Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove or reject cookies. If you choose to remove or reject cookies, this could affect certain features or services of our Services. You may also opt out of interest-based advertising by advertisers on our Services by visiting aboutads.info/choices.

If you have questions or comments about your privacy rights, you may email us at [email protected].

14. CONTROLS FOR DO-NOT-TRACK FEATURES Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ('DNT') feature or setting you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognising and implementing DNT signals has been finalised. As such, we do not currently respond to DNT browser signals or any other mechanism that automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted that we must follow in the future, we will inform you about that practice in a revised version of this Privacy Notice.

15. DO WE MAKE UPDATES TO THIS NOTICE? In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated 'Revised' date at the top of this Privacy Notice. If we make material changes to this Privacy Notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this Privacy Notice frequently to be informed of how we are protecting your information.

The current version of this Privacy Notice is always available at outercircle.com/privacy.

16. HOW CAN YOU CONTACT US ABOUT THIS NOTICE? If you have questions or comments about this notice, you may email us at [email protected] or [email protected], or contact us by post at:

Outercircl Limited 136 Capel Street County Dublin, D01 T2C9 Ireland

We aim to respond to all privacy-related queries within 5 business days.

17. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU? Based on the applicable laws of your country, you may have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. You may also have the right to withdraw your consent to our processing of your personal information. These rights may be limited in some circumstances by applicable law.

To request to review, update, or delete your personal information, please submit a data subject access request by emailing [email protected] or by visiting the data subject access request link in our platform. We will respond to all verifiable requests within 30 days in accordance with applicable data protection laws.

\u00A9 2026 Outercircl Limited. This document was last updated on 18 March 2026.