EX.CO Privacy Policy

Policy last updated: April 2025

EX.CO Technologies Ltd. (“we”, “us”, “Company”) prepared this Privacy Policy to explain to its Customers, Website Visitors and End Users (as defined below, and collectively, “you”) how and why it collects Personal Data when you are using the online advertising platform (“Platform”) and websites, including www.ex.co and www.playbuzz.com or any other site owned by us and which refers to this policy (collectively “Websites”; and together with the Platform – the “Services”). This Privacy Policy together with the cookie policies referred to below, and any other document referred to herein, constitutes an integral part of EX.CO’s Terms and Playbuzz’s Terms, all of which are incorporated herein by reference.

Our Websites may link to third-party sites which are not governed by this Privacy Policy, please be aware that we are not responsible for the privacy practices or the content of other sites. We encourage you to read the privacy statements provided by other sites as well. If you do not agree to this policy, please discontinue, and avoid using our Services. You have the right to cease using the Services at any time, pursuant to this Privacy Policy and our Terms. You are not legally required to provide us with any Personal Data, but without it we may not be able to provide you with the best experience or full functionality of our Services.

If you have a visual disability, you may be able to use a screen reader or other text-to-speech or text-to-Braille tool to review the contents of this Privacy Policy.

From whom do we collect personal data

This Privacy Policy applies to Company’s collection, use, and disclosure of the Personal Data of the following categories of individuals:

Website Visitors: individuals who visit our Websites and who may volunteer certain contact data (such as their email address) to receive communications from Company.

Customers: those who register on their own or on behalf of an entity or organization to use any product(s) or service(s) within Company’s Platform, including administrators of a Company account.

End Users: individuals who visit our Customers’ websites and whose Personal Data we process (on behalf of our Customers) in order to provide the Services to our Customers pursuant to our agreements with them.

Types of data collected and purposes

Depending on your interaction with us, we may collect two types of data from you:

“Non-Personal Data” meaning aggregated, non-personal non-identifiable data, which may be made available or gathered via your access to and use of the Platform. We are not aware of the identity of the user from which the Non-Personal Data is collected. Such Non-Personal Data may include aggregated usage information and technical information transmitted by your device, such as browser version, operating system type and version, mobile network information, device settings, and software data.

“Personal Data” (as defined under the GDPR) or “Personal Information” (as defined under various US Privacy Laws) meaning data that identifies an individual or may, with reasonable effort, be used to identify an individual.

For the avoidance of doubt, any Non-Personal Data connected or linked to any Personal Data shall be deemed as Personal Data as long as such connection or linkage exists.

We do not knowingly collect or process any Personal Data constituting or revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning a person’s health, government identifiers, precise geolocation or data concerning a person’s sex life or sexual orientation (“Special Categories of Personal Data”).

The table below details the types of Personal Data we collect, the methods and purpose of such collection, and our lawful basis for processing such Personal Data (where the GDPR applies):

DATA TYPE	METHODS AND PURPOSE	LAWFUL BASIS
Contact Information We ask for and collect our Customers, contact data (such as name and email address) as well as our Website Visitors and End Users’ contact details when they submit web forms on our Website (“Contact Information”).	We process Contact Information to provide you with opportunities and to allow you to receive email communications from us. We may also ask you to submit such Personal Data if you choose to use interactive features of the Services, including participation in surveys, requesting customer support, or otherwise communicating with us. We will send such communications in accordance with applicable law.	We process Contact Information subject to your consent. Further processing may be subject to our legitimate interest, for example for internal documentation and improvement of service purposes. We may also process Contact Information for the purpose of performing our contract with the data subject whose data is processed.
Log Files Just as when you visit and interact with most websites and services delivered via the Internet, we may gather certain information from our Customers, Website Visitors and End Users and store it in log files. This information may include but is not limited to Internet Protocol (IP) addresses, system configuration information, URLs of referring pages, and locale and language preferences. This also includes certain technical Personal Data that is recorded when you use our Services. This information may include but is not limited to WiFi information, operating system and device information, system configuration information, and other information about traffic to and from our or our Customers’ websites. (“Log Files”)	We process Log Files to understand how visitors use Company Websites, as well as to measure the effectiveness of our features and content. We further use this data to track conversions from ads and understand the effectiveness of our promotional campaigns, and remarket to people who have taken some action on the website. In addition, data related to our Websites helps us to better understand our business, analyze our operations, maintain, improve, design, and develop the Services and new products, conduct statistical analysis purposes, to test and improve our offers, and decide how to improve the Services based on the results obtained from this processing. In addition, we use Log Files data for operational, website functionality, security, fraud prevention, and debugging purposes, and to resolve technical problems. Data collected from End Users will also be used as part of, and for the purpose of, providing our Services to Customers, who serve as the initial Data Controllers (or Businesses, as defined under various US Privacy Laws).	Where we collect Log Files for analytic, operational and security purposes, we process your data based on (a) your consent, where such data is obtained through the use of tracking technologies (as described below), or (b) our legitimate interest. Our legitimate interest is providing you with our Services, providing monetization services to our Customers, and the performance of analytics, security and fraud detection, and campaign reporting.
Cookies and Other Tracking Technologies We may use cookies and other information-gathering technologies to collect information from Website Visitors. We also use an analytics technology commonly referred to as “Session replay” which helps us better understand user behavior and make improvements to our Services.	We process such data through our third-party cookies and tracking technologies for analytics.	Where we collect such data for analytics purposes, we process the data based on your consent, which we will obtain through our cookie notice and consent management. You may withdraw consent at any time by using the cookie preference settings.
Customer Account Information When you register for an account, we collect your email address, name and other contact data. We may also ask you to enter your website domain in order to provide our Services. By voluntarily providing us with such data, you represent that you are the owner of such Personal Data or otherwise have the requisite consent to provide it to us. If you register to our Platform through a social network platform (for example Google), you will provide us access to any information you made available on that platform (depending on your privacy settings) and any additional information that you specifically consent to provide us with. (“ Customer Information”)	Customer Information is required to identify you as a customer and permit you to access your account(s).	We process Customer Information (a) Subject to your consent, and (b) for the performance of our contract with you.
Payment Information When Customers sign up for one of our paid Services, they must provide billing information. We do not store full credit card numbers or personal account numbers. The required information depends on the billing method chosen. For example, if you pay with a credit card, our third party payment service providers will collect your card information and billing address.	Payment information is collected by our payment service providers in order to process payments for purchases, fulfill requests for refunds, returns, or exchanges, and process the redemption of discounts.	The legal bases for processing this data are (a) the performance of our contractual obligation, (b) consent, and (c) our legitimate interests. Our legitimate interests in this case are processing of information which is necessary for the provision of our Services.
Legal Matters	We may use certain Personal Data to prevent potentially prohibited or illegal activities, fraud, misappropriation, infringements, identity thefts and any other misuse of the Services, to enforce our legal terms and conditions, to protect the security or integrity of our databases, and to take precautions against legal liability.	Such processing is based on our legitimate interests, which in this case are protecting our Services and data, exercising our legal rights, and complying with our legal obligations.

Please note that the actual processing operation per each purpose of use and lawful basis detailed in the table above may differ. Such processing operation usually includes a set of operations made by automated means, such as collection, storage, use, disclosure by transmission, erasure or destruction. The transfer of Personal Data to third party countries as further detailed in the International Data Transfers Section is based on the same lawful basis as stipulated in the table above.

We may collect different categories of Personal Data and Non-Personal Data from you, depending on the nature of your interaction with the Services, as detailed above.

Cookies and similar technologies

We use “cookies” (or similar tracking technologies) when you access or interact with our Services. The use of cookies is a standard industry-wide practice. A “cookie” is a small piece of information that a website assigns and stores on your computer while you are viewing it. You can find more information about cookies at All About Cookies. Cookies can be used for various purposes, including allowing you to navigate between pages efficiently, or for statistical and advertising purposes. To learn more, please visit EX.CO’s Cookie Policy.

Categories of recipients to whom we disclose personal data

We disclose your Personal Data to third parties that help us maintain and provide our Services. More information about the categories of such third-party recipients is described below:

CATEGORY OF RECIPIENT	DATA THAT WILL BE DISCLOSED	PURPOSE OF DISCLOSURE
Internal concerned parties	All types of Personal Data.	We may disclose your Personal Data to companies within our group, as well as our employees, in order to provide you with and improve our Services.
Service providers	All types of Personal Data.	We may disclose your Personal Data to our service providers, such as payment processors, storage providers (such as AWS), marketing affiliates (who assist us with carrying our marketing campaigns, such as email campaigns), our fraud detection tools, and our analytics providers who help us provide you with our Service.
Legal and regulatory entities	All types of Personal Data, subject to requests by authorities.	We may disclose Personal Data in case we believe, in good faith, that such disclosure is necessary in order to enforce our policies (including our Company Terms), take precautions against liabilities, investigate and defend ourselves against any third party claims or allegations, protect the security and integrity of the Services and protect the rights and property of Company. We may also disclose your Personal Data where requested by legal or regulatory authorities having control or jurisdiction over us or you.
Mergers and acquisitions	All types of Personal Data.	We may disclose or transfer your Personal Data if we enter into a business transaction such as a merger, acquisition, reorganization, bankruptcy, or sale of some or all of our assets. Any party that acquires our assets as part of such a transaction will continue to use your data in accordance with the terms of this Privacy Policy.
Professional advisers	All types of Personal Data.	In individual instances, we may disclose Personal Data to professional advisers acting as processors or controllers including lawyers, bankers, auditors, insurers, and accounting services, to the extent we are legally obliged to disclose or have a legitimate interest in disclosing your Personal Data.

We reserve the right to use, disclose or transfer (for business purposes or otherwise) aggregated and processed Non-Personal Data to third parties, including, inter alia, affiliates, for various purposes including commercial use. This Personal Data may be collected, processed and analyzed by us and transferred in a combined, collectively and aggregated manner (i.e., your information is immediately aggregated with other users) to third parties.

When disclosing Personal Data to third parties, they are required to secure the Personal Data they receive and to use that Personal Data only in compliance with all applicable data protection regulations (such service providers may use other Non-Personal Data for their own benefit).

User rights and opt-out options

We acknowledge that different people have different privacy concerns and preferences. Our goal is to be clear about what information we collect so that you can make meaningful choices about how it is used. We allow you to exercise certain choices, rights, and controls in connection with your Personal Data. Depending on your relationship with us, your jurisdiction and the applicable data protection laws that apply to you, you have the right to control and request certain limitations or rights to be executed.

Please note that some rights are only available for residents of certain jurisdictions:

The right to know what Personal Data we collected, including the categories of Personal Data, the sources from which the Personal Data is collected, the business or commercial purpose for collecting, selling, or sharing Personal Data, the categories of third parties to whom we disclose Personal Data, and the specific pieces of Personal Data we collected about you.
The right to know what Personal Data we collected, including the categories of Personal Data, the sources from which the Personal Data is collected, the business or commercial purpose for collecting, selling, or sharing Personal Data, the categories of third parties to whom we disclose Personal Data, and the specific pieces of Personal Data we collected about you.
The right to delete Personal Data that we collected from you, subject to certain exceptions.
The right to correct inaccurate Personal Data that we maintain about you.
The right to opt-out of the “sharing” of your Personal Data for “cross-contextual behavioral advertising” (or as otherwise defined under applicable US Privacy Laws), often referred to as “interest-based advertising” or “targeted advertising”.
The right to opt-out of the “sale”
of your Personal Data (or as otherwise defined under applicable Us Privacy Laws).
The right to Limit the Use or Disclosure of Sensitive Personal Information (“SPI”).
The right to request to opt-out from processing involving profiling, in furtherance of decisions that produce legal or similarly significant effects concerning you.
The right to opt-out of the use of automated decision making in relation to your Personal Data.
The right to not be subject to discriminatory treatment by a business for the exercise of privacy rights conferred, including an employee’s, applicants, or independent contractor’s right not to be retaliated against for the exercise of their rights, denying a consumer goods or services, charging different prices or rates for goods or services, providing you a different level or quality of goods or services, etc. We may, however, charge different prices or rates, or provide a different level or quality of goods or services, if that difference is reasonably related to the value provided to us by your Personal Data.
The right to request a copy of your Personal Data, including, where applicable, to obtain a copy of the Personal Data you provided to us in a portable format.
The right to request restrictions or to object to processing of your Personal Data.
Withdrawal of Consent – If Personal Data is processed on the basis of your consent, you have the right to withdraw it at any time.

Exercising your rights

Your rights may be exercised by contacting our DPO at dpo@ex.co. Certain rights can also be easily executed independently:

You can opt-out from receiving our emails by clicking the “unsubscribe” link available in the email itself.
You can use the cookie settings tool on our website (click the bottom-left icon from any page) to change your preferences and to submit requests to opt-out of our “sharing” of your personal information.
You can opt out of interest-based advertising with some of the service providers we use, such as Google and Google Analytics. Please note that if you opt out of interest-based advertising, some information will still be collected for other purposes such as analytics, and internal operations. You will also continue to receive contextual advertisements, but they may be less relevant to your interests.
You may opt-out directly from third party retargeting cookies or other ad-technology trackers through self-regulatory services. For more information, please visit:

Digital Advertising Alliance (US)
Digital Advertising Alliance (Canada)
Digital Advertising Alliance (EU)
Network Advertising Initiative
Digital Advertising Alliance App Choices
Use the Global Privacy Control (“GPC”) signals. Ad choices settings will vary depending on your browser and device settings. Please note that your optout choices will only apply to the specific browser or device from which you opt out. We encourage you to explore your device and browser settings to better understand your choices.
EX.CO also participates in the IAB Europe Transparency & Consent Framework and complies with its policies and specifications. EX.CO’s IAB Europe assigned Vendor ID is: 444.

Data retention

We will retain your Personal Data for as long as necessary to provide our Services, comply with our legal obligations, resolve disputes, and enforce our policies. Please note that except as required by applicable law, we will not be obligated to retain your data for any particular period, and we may delete it for any reason and at any time, without providing you with prior notice if our intention to do so. However, retention periods shall be determined taking into account the type of information that is collected and the purpose for which it is collected for, bearing in mind the requirements applicable to the situation and the need to destroy outdated, unused information at the earliest reasonable time.

Security measures

We work hard to protect the Personal Data we process from unauthorized access, alteration, disclosure, or destruction. We have implemented administrative, technical, and physical safeguards to help prevent unauthorized access, use, or disclosure of your Personal Data.

Your account Information is protected by a password for your privacy and security or by an SSO service such as Google of Facebook identity services. You need to help us prevent unauthorized access to your account by protecting your password appropriately and limiting access to your account by signing off after you have finished accessing your account. You will be solely responsible for keeping your password confidential and for all use of your password and your account, including any unauthorized use.

While we seek to protect your information to ensure that it is kept confidential, we cannot guarantee the security of any information. You should be aware that there is always some risk involved in transmitting information over the internet and that there is also some risk that others could find a way to thwart our security systems. As a result, while we strive to protect your Personal Data, we cannot ensure or warrant the security and privacy of your Personal Data or other content you transmit using the Platform, and you do so at your own risk. Thus, we encourage you to exercise discretion regarding the Personal Data you choose to disclose.

International data transfers

We operate globally, and any information that we collect, disclose or share, including (but not limited to) your Personal Data, can be stored and processed in the European Economic Area, United Kingdom and United States, for the purposes detailed in this Policy. To the extent that the GDPR or UK GDPR are applicable, we will only transfer or share your Personal Data to data recipients:

located in the EEA or in the UK;
located in non-EEA countries or UK which have been approved as providing adequate level of data protection by the European Committee; or
who have entered into a legal agreement ensuring an adequate level of data protection, including the Standard Contractual Clauses as approved by the European Committee.

Interaction with third-party websites

Our Services enable and host third party content, products or services that are not owned or controlled by us, including sponsored content and advertisement (each or jointly “Third Party Content”). Third Party Content hosted on our Services is provided directly by its owners or operators and governed by their own terms and privacy policies. Although we do require each Third Party Content to ensure full compliance and transparency, we are not responsible for the privacy practices or the content of such Third Party Content. Please be aware that Third Party Content and related services may collect Personal Data from you based on your consent, including through use of cookies, as further detailed above.

Eligibility and children privacy

Our Services are not intended for use by individuals under the age of majority, as defined by the applicable law in such individual’s jurisdiction of residence (“Minor”). Company does not knowingly process Minor’s information and will discard any data we receive from a user that we find or reasonably suspect to be a Minor immediately upon discovery. Please contact us at: dpo@ex.co if you have reason to believe that a Minor has shared any data with us.

Additional Information for US Residents

This Section supplements the Privacy Policy and addresses specific disclosure requirements under US Privacy Laws. [1]

Collection, disclosure and sharing of Personal Information

In the preceding twelve (12) months, we have collected the following Personal Information:

Category of Personal Information Collected	Personal Information Collected	Sources of Personal Information	Business Purpose for Collection
Identifiers	Full name, email address, postal address, social media identifier, IP address, account name	Directly from consumers upon subscription. Directly or indirectly from activity on our Websites by cookies or other tracking technologies. From third parties that interact with us, including social networks and other publicly available sources.	To provide you with our Services. To improve our Services. To detect and prevent fraud or illegal activities. To respond to your requests and inquiries, and communicate with you. Direct marketing purposes – we may use the contact details you provided us to send you promotional offers. To perform research, technical diagnostics, analytics or statistical purposes. Information is also disclosed to business partners for commercial purposes (e.g. to advertisers). To charge our Customers for the Services provided by us.
Personal Information Categories listed in the California Customer Records Statute (Cal. Civ. Code § 1798.80(e))	Name, image, address.
Internet or Other Electronic Network Activity Information	The referring page that linked to Company Websites, browsing history, interaction with Company Websites.	Directly from consumer’s device by using cookies or other tracking technologies.
Geolocation Data	Country, State and city.	Directly from consumer’s device by using IP address, or as directly submitted by the consumer, or as made available on publicly available sources.
Professional or employment-related information	Company name, roles of relevant Customer employees.	Directly from correspondence with users. From Customer’s website, social media page or other publicly available resources.
Commercial Information	Records of products or Services purchased by us.	From our databases of historical transactions.

We do not “Sell” Personal Information.

We may “Share” Personal Information about you (in the meaning assigned to the terms “Sell” and “Share” under US Privacy Laws).

In the preceding twelve (12) months we disclosed or shared your Personal Information, as described below:

Categories of Recipients	Type of Personal Information	Disclosed/Shared?	Purpose
Business partners, such as customers and advertisers	Unique identifiers, IP address, user activity data (interaction with Ads)	Shared	Company’s operational purposes. The disclosure of such Personal Information will be as reasonably necessary and proportionate to achieve such operational purposes. This includes: Auditing related to a current interaction with our Consumers. Detecting security incidents, protecting against malicious, deceptive, fraudulent, or illegal activity, and prosecuting those responsible for that activity. Debugging to identify and repair errors that impair our Services. Short-term, transient use, provided the personal information that is not disclosed to another third party and is not used to build a profile about a consumer or otherwise alter an individual consumer’s experience outside the current interaction, including, but not limited to, the contextual customization of ads shown as part of the same interaction. Performing services on behalf of another business or Service Provider. Undertaking internal research for technological development and demonstration. Undertaking activities to verify or maintain the quality or safety of our Services, and to improve, upgrade, or enhance our Services.
Affiliates	All types of Personal Information	Disclosed
Service Providers	All types of Personal Information	Disclosed

Authorized agents

“Authorized agents” may submit opt out requests on a consumer’s behalf. If you have elected to use an authorized agent, or if you are an authorized agent who would like to submit requests on behalf of a consumer, the following procedures will be required prior to acceptance of any requests by an authorized agent on behalf of a consumer. Usually, we will accept requests from qualified third parties on behalf of other consumers, regardless of either the consumer or the authorized agent’s state of residence, provided that the third party successfully completes the following qualification procedures:

When a consumer uses an authorized agent to submit a request to know or a request to delete, a business may require that the consumer do the following:

Provide the authorized agent signed permission to do so or power of attorney.
Verify their own identity directly with the business.
Directly confirm with the business that they provided the authorized agent permission to submit the request.

We may deny a request from an authorized agent that does not submit proof that they have been authorized by the consumer to act on their behalf.

Notice of financial incentive

We do not offer financial incentives to consumers for providing Personal Information.

Other California obligations:

Direct Marketing Requests: California Civil Code Section 1798.83 permits you, if you are a California resident, to request certain information regarding disclosure of Personal Information to third parties for their direct marketing purposes. To make such a request, please contact us at dpo@ex.co
“Do Not Track” Settings: Cal. Bus. And Prof. Code Section 22575 also requires us to notify you how we deal with the “Do Not Track” settings in your browser. As of the effective date listed above, there is no commonly accepted response for Do Not Track signals initiated by browsers. Therefore, we so not respond to the Do Not Track settings. Do Not Track is a privacy preference you can set in your web browser to indicate that you do not want certain information about your web page visits tracked and collected across websites. For more details, including how to turn on Do Not Track, visit: www.donottrack.us.

Additional disclosures for Nevada residents

Nevada law requires certain businesses to establish a designated request address where Nevada consumers may submit requests directing the business not to sell certain kinds of Personal Information that the business has collected or will collect about the consumer. Nevada law defines “sale” as the exchange of Personal Information for monetary consideration by the business to a third party for the third party to license or sell the Personal Information to other third parties. If you are a Nevada consumer from whom Company has collected Personal Information and you wish to submit a request relating to our compliance with Nevada law, please contact us at dpo@ex.co.

Policy amendments

The updated date of this Policy will be reflected in the “Last Updated” heading, indicated at the header of the Policy. As required by the CCPA we will review this Privacy Policy every twelve (12) months and amend it as necessary. We recommend you review this Policy periodically to ensure that you understand our most updated privacy practices.

Controlling version

This Policy has been drafted in the English language, which is the original and controlling version of this Policy. All translations of this Policy into other languages shall be solely for convenience and shall not control the meaning or application of this Policy. In the event of any discrepancy between the meanings of any translated versions of the Policy and the English language version, the meaning of the English language version is controlling.

Contact information

If you have any question, inquiry or concern related to this Privacy Policy or the processing of your Personal Data, you may contact our Data Protection Officer, either at dpo@ex.co or by postal mail:

EX.CO Technologies Ltd.
Attn: Data Protection Officer
5 Aluf Kalman Magen St.
Building A, 1st Floor
Tel Aviv, 6107077
Israel

Data Protection Representative: The Company has a designated representative in the European Union for data protection matters, pursuant to Article 27 of the GDPR, and in the United Kingdom. Inquiries regarding Company’s EU and UK privacy practices may be sent to:

EX.CO Technologies Limited
Attn: Data Protection Representative
3 Waterhouse Square
138-142 Holborn
London EC1N 2SW
United Kingdom

1 California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020, and the regulations enacted thereunder, Virginia Consumer Data Protection Act, Va. Civ. Code § 59.1, Colorado Privacy Act, 2021 Colo. ALS 483; 2021 Colo. Ch. 483; 2021 Colo. SB. 190, Connecticut Data Privacy and Online Monitoring Act, Conn. Gen. Stat. §42-515 et. Seq., Utah Consumer Privacy Act, Utah Code Ann. Title 13, Ch. 61, and additional US privacy laws as may be enacted or amended from time to time (collectively: “US Privacy Laws”)