Purpose and Scope

At Aphex, we respect your privacy and data protection rights and recognize the importance of protecting the personal data we collect and process. This Privacy Policy is designed to help you to understand what personal data we collect about you and how we use and share it.

When we refer to Aphex, we mean Aphex Software Limited, a company registered in England and Wales, company registration number 09681747 and register address of 82 Wandsworth Bridge Road, London, United Kingdom, SW6 2TF. ("Aphex", "we", "us", "our").

This Privacy Policy applies to you if you:

• interact with any of Aphex’s websites (including aphex.co, app.aphex.co, help.aphex.co) or our social media pages (collectively, the "Sites") ("website users");

• visit any of Aphex’s premises ("office visitors");

• attend an Aphex event or an event which Aphex sponsors ("event attendees");

• use Aphex's applications and services (collectively, the "Aphex Services") ("customers");

• interact with any shared data from Aphex's Apps (including shared reports and plans ("guests");

• are a marketing prospect, who is anyone whose data Aphex processes for the purposes of assessing customer eligibility ("marketing prospect"); or

• receive marketing communications from Aphex.

For the purposes of the General Data Protection Regulation (or any successor or equivalent legislation in the UK) ("GDPR"), Aphex Software Limited, is the controller of your personal data. Our Data Protection Officer can be contacted in writing at admin@aphex.co.

Personal Data Collected by Aphex

Personal Data We Collect and Receive

The personal data that we collect about you broadly falls into the categories set out in the following table. Some of this information you provide voluntarily when you interact with the Aphex Services and Sites, or when you attend an event or visit our premises. Other types of information may be collected automatically from your device, such as device data and service data. From time to time, we may also receive personal data about you from third party sources (as further described in the table).

We may collect the following personal data about:

• our website users;

• recipients of marketing communications; and

• marketing prospects.

1. Registration, contact, and company information:

   • first and last names;

   • email addresses;

   • phone numbers;

   • avatars;

   • company name;

   • your role in your company.

2. Payment information:

   • credit card information;

   • billing and mailing addresses;

   • other payment-related information.

3. Device data:

   • operating system type and version number, manufacturer and model;

   • browser type;

   • screen resolution;

   • IP address;

   • unique device identifiers.

4. Service data:

   • the website you visited before browsing to the Aphex Services;

   • how long you spent on a page or screen;

   • how you interact with our emails;

   • navigation paths between pages or screens;

   • date and time;

   • pages viewed;

   • links clicked.

5. Third party source data:

   • profile information gathered from social networking sites;

   • information that you have viewed or interacted with our content;

   • company information;

   • job titles;

   • avatars;

   • email addresses;

   • phone numbers;

   • addresses;

6. geolocation data.

   • The sources of this third party personal data may include:

   • Contact enrichment and lead generation providers; and

   • Targeted online advertising providers

We may collect the following personal data about our office visitors:

1. Registration, contact and company information:

   • first and last names;

   • email addresses;

   • phone numbers;

   • company name;

2. Visitation Data

   • time and date of arrival;

   • photograph ID;

   • signature;

   • CCTV footage.

We may collect the following personal data about event attendees:

1. Registration, contact and personal information:

   • first and last names;

   • email addresses;

   • phone numbers;

   • mailing addresses;

   • company name;

   • your role in your company.

2. Visitation Data

   • time and date of arrival;

   • photograph ID;

   • signature;

   • CCTV footage.

3. Third party source data:

   • first and last names;

   • email addresses;

   • phone numbers;

   • mailing addresses;

   • company name;

   • your role in your company.

4. The sources of this third party personal data may include:

   • The event organizer

We may collect the following personal data about our customers and guests (to the extent applicable):

1. Registration and contact information:

   • first and last names;

   • email addresses;

   • phone numbers;

   • mailing addresses;

   • company name;

   • your role in your company.

2. Payment information:

   • credit card information;

   • billing and mailing addresses;

   • other payment-related information.

3. Device data:

   • operating system type and version number, manufacturer and model;

   • browser type and language;

   • screen resolution;

   • IP address;

   • unique device identifiers.

4. Service data:

   • the website you visited before browsing to the services;

   • how long you spent on a page or screen;

   • navigation paths between pages or screens;

   • session date and time; activity status (including first seen, last seen, last heard from - and last contacted);

   • pages viewed;

   • links clicked;

   • language preferences

   • tags applied within customer accounts

   • Aphex assigned user identifier.

5. Third party source data

   • profile information gathered from social networking sites;

   • information that you have viewed or interacted with our content;

   • company information;

   • job titles;

   • avatars;

   • email addresses;

   • phone number;

   • approximate geolocation data.

Cookies and Other Tracking Technologies

Some device data, service data and third party source data is collected through the use of first or third party cookies and similar technologies. Aphex Apps do not collect, retain, or share data regarding a particular user's activity across multiple websites or applications that are not owned by Aphex. Aphex does assign each user a unique user ID within the scope of an individual website, but does not collect or retain IP or any information that would allow Aphex to identify the same particular user on more than one website. For more information, please see Aphex's Cookie Policy.

Do Not Track. Some Internet browsers may be configured to send "Do Not Track" signals to the online services that you visit. We currently do not respond to "Do Not Track" or similar signals. To find out more about "Do Not Track," please visit http://www.allaboutdnt.com.

How and Why we use your Personal Data

1. We collect and process your personal data for the following purposes and, if you are from the European Economic Area (EEA), the UK or Switzerland, on the following legal bases:

   • Providing and facilitating delivery of the Aphex Services and Sites: We process your personal data to perform our contract with you for use of our Services and Sites and to fulfill our obligations under applicable terms of service. Where we have not entered into a contract with you, we process your personal data in reliance on our legitimate interests to operate and administer the Aphex Services and Sites. For example, to create, administer and manage your account.

   • Communicating with you about the Aphex Services and providing customer support: We may send you service, technical and other administrative messages in reliance on our legitimate interests in administering the Aphex Services. For example, we may send you messages about the availability or security of the Aphex Services. We also process your personal data to respond to your comments and questions and to provide customer care and support.

   • Improving the Aphex Services and Sites: We process your personal data to improve and optimize the Aphex Services and Sites and to understand how you use the Aphex Services and Sites, including to monitor usage or traffic patterns and to analyze trends and develop new products, services, features and functionality in reliance on our legitimate interests.

   • Sending marketing communications: We process your personal data to send you marketing communications via email, post or SMS about our products, services and upcoming events that might interest you in reliance on our legitimate interests or where we seek your consent. Please see the "Your Privacy Rights and Choices" section below to learn how you can control your marketing preferences.

   • Registering office visitors: We process your personal data for security reasons and for the purpose of hosting your visit to the extent such processing is necessary for our legitimate interests in protecting our premises and confidential information against unauthorized access and the safety of our staff and office visitors.

   • Managing event registrations and attendance: We process your personal data to plan and host events for which you have registered or that you attend, including sending related communications to you.

   • Maintaining security of the Aphex Services and Sites: We process your personal data to control unauthorized use or abuse of the Aphex Services and Sites, or otherwise detect, investigate or prevent activities that may violate Aphex policies or applicable laws, in reliance on our legitimate interests to maintain and promote the safety and security of the Aphex Sites and Services.

   • Carrying out other legitimate business purposes: including invoicing, audits, fraud monitoring and prevention.

   • Complying with legal obligations: We process your personal data when cooperating or complying with public and government authorities, courts or regulators in accordance with our obligations under applicable laws and to protect against imminent harm to our rights, property or safety, or that of our users or the public, as required or permitted by law.

2. In certain circumstances, we may collect your personal data on a different legal basis. If we do, or if we use your personal data for purposes that are not compatible with, or are materially different than, the purposes described in this notice or the point of collection, we will explain how and why we use your personal data in a supplementary notice at or before the point of collection. Where we refer to legal bases in this section we mean the legal grounds on which organizations can rely when processing personal data.

3. Please note these legal bases only apply to you if you are resident in the EEA, the UK or Switzerland.

4. If you have any questions about our legal bases for processing your personal data, please contact us at admin@aphex.co.

Sharing your Personal Data

1. We may disclose some or all of the personal data we collect to the following third parties:

   • To Aphex Group Companies:

     • Aphex Software Limited;

     • Aphex Australia Pty Ltd;

     • Any such other group companies as may be added to this list from time to time.

   • Service Providers:

     • Consultants and vendors engaged by us to support our provision of the Aphex Services and Sites and the operation of our business;

     • Any such other Service Providers as may be added to the Subprocessor List, from time to time.

   • Professional Advisors:

     • Professional advisors, such as lawyers, auditors and insurers, in the course of the professional services that they render to us.

   • Compliance with Law Enforcement:

     • Comply with applicable laws, lawful requests, and legal process, such as to respond to subpoenas or requests from government authorities;

     • Protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);

     • Enforce the terms and conditions that govern the Services; and

     • Prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft.

   • Business Transfers:

     • Parties to transactions or potential transactions (and their professional advisors) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale or other disposition of all or any portion of the business, assets, or equity interests of Aphex Group Companies (including, as part of a bankruptcy or similar proceeding).

2. Aggregated or anonymized information. We may also share aggregated or anonymized information with third parties for other purposes. Such information does not identify you individually, but may include usage, viewing and technical information such as the websites you generally use, the configuration of your computer, and performance metrics related to the use of websites which we collect through our technology, products and services. If we are required under applicable law to treat such information as personal data, then we will only disclose it as described above. Otherwise, we may disclose such information for any reason.

Retention of your Personal Data

1. We retain your personal data only for as long as necessary to fulfill the purposes set out in this Privacy Policy. If you would like more information about specific retention periods please contact admin@aphex.co

2. Note that content you create may remain on the Sites even if you cease using the Sites or we terminate access to the Sites.

Transfers of your Personal Data

1. The Aphex Services and Sites, are provided and hosted globally by Google Cloud. Unless otherwise specified, we may transfer, and process, your personal data outside of the country in which you are resident to other Aphex Group Companies and our service providers including to the UK, Australia and other such countries as we deem appropriate from time to time. These countries may not have equivalent privacy and data protection laws (and, in some cases, may not be as protective). We will protect your personal data in accordance with this Privacy Policy wherever it is processed.

2. Certain recipients (our service providers and other companies) who process your personal data on our behalf may also transfer personal data outside the country in which you are resident. Where such transfers occur, we will make sure that an appropriate transfer agreement is put in place to protect your personal data.

Your Privacy Rights and Choices

1. Depending on your location and subject to applicable laws, you may have certain data protection rights. If you are a resident of the EEA or the UK you have the following data protection rights:

   • If you wish to access, correct, update or request deletion of your personal data, you can do so at any time.

   • You can object to processing of your personal data, ask us to restrict processing of your personal data or request portability of your personal data.

   • You have the right to opt-out of marketing communications we send you at any time. If you no longer wish to receive our newsletter and promotional communications, you may opt-out of receiving them by clicking on the "unsubscribe" or "opt-out" link in the communications we send you. Please note, however, that it may not be possible to opt-out of certain service-related communications. You can let us know at any time if you do not wish to receive marketing messages by contacting us on the Aphex Messenger or by contacting us using the contact details below.

   • Similarly, if we have collected and process your personal data with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.

   • You have the right to complain to a data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority. Contact details for data protection authorities in the EEA and the UK are available here.

2. You can exercise any of these rights by submitting a request to our Data Protection Officer at admin@aphex.co.