Privacy Policy

Last updated: 22 June 2026

This Privacy Policy explains who we are, how we obtain and process your personal data and how you can exercise your data protection rights.

The company Pixcham International j. s. a., with its registered office at Námestie svätého Egídia 42/97, 058 01 Poprad, Slovak Republic, Company ID (IČO): 55 007 571, registered in the Commercial Register of the District Court of Prešov, Section: Sja, Insert No: 28/P (hereinafter referred to as „Pixcham“, „we“, „our“ or „us“), is the controller processing personal data within the meaning of Article 4(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as „GDPR“) and Section 5(o) of Act No. 18/2018 Coll. on the Protection of Personal Data and on amendments to certain acts, as amended (hereinafter referred to as „the Act“), which has created and operates the Pixcham mobile application, available for download in the Apple App Store and the Google Play Store (hereinafter referred to as „Application“).

This Privacy Policy applies to the personal data we obtain and process when operating our Application and the website https://www.pixcham.com (hereinafter referred to as „Website“) (the Application and the Website hereinafter together referred to as „Services“).

In accordance with Article 37 GDPR and Section 44 of the Act, we have appointed a Data Protection Officer who oversees the protection of personal data and ensures compliance with data protection legislation:

Name: Tomáš Korenko

E-mail: dpo@pixcham.com

Postal address:

Pixcham International j. s. a.,

for the attention of the Data Protection Officer,

Námestie svätého Egídia 42/97,

058 01 Poprad,

Slovak Republic

You may contact the Data Protection Officer with any questions concerning the processing of your personal data and the exercise of your rights under the GDPR and the Act.

Pixcham operates the Application, which provides you with a fast, beautiful and fun way to share selfie photographs, tags and other related content („User Content“) through our platform for sharing Content within the Application and enables you to take part in Challenges organised through the Application by Organisers of the Challenge or by us, and in Battles. Further information about the content-sharing platform within the Application can be found in our Terms of Service available within the Application and published on the Website.

Before accessing and using the Services, please make sure that You have read and understood how we process Your personal data as described in this Privacy Policy.

By using our Services you acknowledge, that we provide you with a platform for publishing content, including User Content, in the Services and for sharing User Content publicly. This means that other Users may search for, view, use or share any of Your User Content that you make publicly available through the Services, in accordance with the terms set out in this Privacy Policy. We process your personal data to the extent, in the manner and for the purposes set out in this Privacy Policy, always in accordance with the GDPR.

This Privacy Policy applies to all visitors, users and other persons who access the Services (hereinafter referred to as „Users“).

Capitalised terms in this Privacy Policy have the same meaning as ascribed to them in the Application’s Terms of Service Terms of Service of the Application (hereinafter referred to as „Terms“), unless otherwise stated in this Privacy Policy. For ease of reading: a „Challenge Organiser“ is a User (who is not a Consumer) that creates and organises a Challenge; a „Challenge“ is the tournament game mode of the Application; „Content“ includes User Content, Our Content and Third-Party Content. The full definitions are set out in Article 1 of the Terms.

When we are a controller, when a processor and when a joint controller of personal data

In operating the Services, Pixcham acts as a controller, a processor and a joint controller of personal data in accordance with the GDPR and the Act.

Pixcham as a controller

Pixcham acts as a controller processing personal data (within the meaning of Article 4(7) GDPR) where it determines the purposes and means of the processing of your personal data and processes personal data in its own name. As a controller, Pixcham processes your personal data for the following purposes:

• managing user accounts and securing access to the Services;
• providing customer support;
• carrying out marketing activities and advertising analytics;
• enabling participation in Battles;
• verifying the identity of Winners;
• organising Challenges in its own name;
• fulfilling Pixcham’s statutory obligations.

The legal basis for the individual processing operations is set out in the „Legal basis“ section below.

Pixcham as a processor

Pixcham acts as a processor of personal data (within the meaning of Article 4(8) GDPR) exclusively in cases where it specifically agrees in writing with the Challenge Organiser that it processes the personal data of Users participating in its Challenge solely on behalf of the Challenge Organiser as controller and only on the basis of the Organiser’s documented instructions, in accordance with the data processing addendum (pursuant to Article 28(3) GDPR) set out in Annex No. 1 to this Privacy Policy or on the basis of a separate data processing agreement concluded with the Challenge Organiser.

Pixcham as a joint controller

Pixcham acts as a joint controller (within the meaning of Article 26 GDPR and Section 33 of the Act) together with the Challenge Organiser in the organisation and running of each Challenge that is not organised by Pixcham. The Challenge Organiser determines in particular the purpose, theme, Tasks, duration and other parameters of the Challenge and obtains the outputs after it ends; Pixcham determines the means of running the Challenge through the Application (mechanics, scoring, display of results). The joint controllers’ arrangement pursuant to Article 26(1) GDPR is concluded by Pixcham and the Challenge Organiser when the Challenge is ordered.

The legal basis for the joint processing of personal data is:

• Article 6(1)(b) GDPR – performance of the contract under which the User uses the Application;
• Article 6(1)(f) GDPR – the legitimate interest of the joint controllers;
• Article 6(1)(a) GDPR – the consent of the data subject, exclusively in the cases expressly stated in this Privacy Policy (in particular the marketing sharing of Winners’ content and marketing communications); consent is always requested separately, is not a condition of participation in a Challenge and may be withdrawn at any time.

In the arrangement pursuant to Article 26(1) GDPR, the joint controllers transparently allocate in particular the following obligations:

• compliance with the information obligation towards data subjects under Articles 13 and 14 GDPR is ensured by the joint controllers jointly;
• the receipt and handling of data subjects’ requests to exercise their rights under Articles 15 to 22 GDPR is ensured by Pixcham as the point of contact. To exercise these rights you may contact Pixcham at dpo@pixcham.com;
• the notification of a personal data breach to the supervisory authority (Article 33 GDPR) and to data subjects (Article 34 GDPR) is ensured by Pixcham;
• both joint controllers adopt appropriate technical and organisational measures to ensure the protection of personal data in their systems in accordance with Article 32 GDPR.

The essential content of the joint controller arrangement is summarised above in this section (allocation of the information obligation, the point of contact for the exercise of rights, notification of personal data breaches and security measures). The full text of the joint controller arrangement forms Annex No. 2 to this Privacy Policy. In accordance with Article 26(3) GDPR, a User may exercise their rights under the GDPR against any of the joint controllers, irrespective of the internal allocation of obligations set out above.

General

The protection and security of your personal data is important to us and we always pay particular attention to processing your data in accordance with the GDPR and the Act. We retain your data for as long as is necessary to provide the Services, in accordance with the specific periods set out in the „Retention of personal data“ section of this Privacy Policy. We may retain information for longer where required by applicable legislation. In the course of providing the Services, we may share your data with our partners and service providers (a list of our current partners and service providers can be found at https://www.pixcham.com/subprocessors) for the purposes described below in the „How we share your data“ section of this Privacy Policy, which may include the transfer of your personal data outside the European Economic Area (hereinafter referred to as „EEA“), always under conditions compliant with Articles 44 to 49 GDPR. Please check this Privacy Policy regularly for changes. The Data Protection Officer has been notified to the Office for Personal Data Protection of the Slovak Republic pursuant to Article 37(7) GDPR.

Our Services may contain links to third-party websites and/or applications that have their own privacy policies. Pixcham bears no responsibility for their data processing. Before submitting any information to these websites and/or applications, please read their individual privacy policies.

In processing personal data, Pixcham does not use automated individual decision-making, including profiling, within the meaning of Article 22 GDPR that would produce legal effects concerning the data subject or similarly significantly affect them.

Information we collect about you

Most of the information we collect about you comes directly from you when you use our Services or when you interact with advertisements in our Application. We collect information about your device, about how the Application is used and information that you voluntarily provide to us when you contact us.

The information we may collect about you through the Services generally falls into the following categories:

• information that you provide voluntarily;
• information that we collect automatically when you use the Services;
• information obtained from third-party sources.

Each of these categories is described in detail below.

Information you provide voluntarily

Some parts of our Services may ask you to provide personal data voluntarily. For example, within the Application, when you create an account we ask you for certain information so that you can take part in Challenges or 1vs1 Battles, such as:

• your username, your display name in the Application, your e-mail address, date of birth, country of nationality, password or other data needed to process your queries;
• User Content (i.e. selfie photographs, tags and other related content) that you publish within the Services;
• all data and information that you submit through our Services;
• any information that you send to our support team by e-mail.

If you take part in a Challenge that is not organised by Pixcham but by another Challenge Organiser, you provide your personal data to that Challenge Organiser. Pixcham processes your personal data (in particular selfie photographs, username, e-mail) provided in the course of the Challenge jointly with the Challenge Organiser in a joint controllership arrangement (see the section „When we are a controller, when a processor and when a joint controller of personal data“).

If you decide to take part in a Challenge and you win such a Challenge, you may be asked to provide us or the Challenge Organiserwith additional information for the delivery of the Prize, such as your name, surname, telephone number, address or your bank account number. The processing of this data is necessary for the performance of the contract within the meaning of Article 6(1)(b) GDPR — delivery of the Prize constitutes a contractual obligation of Pixcham, or of the Challenge Organiser, towards the Winner.

If you win a Challenge, the Winner is obliged, as part of contractual performance, to provide Pixcham or the Challenge Organiserwith a photograph evidencing receipt of the Prize (for example a selfie of the Winner with the received Prize). Such a verification photograph serves exclusively as proof of the proper handover of the Prize towards the Challenge Organiser, is retained for a maximum of 2 years after the end of the Challengefor audit purposes and is subsequently deleted. The processing is based on Article 6(1)(b) GDPR (performance of the contract) and Article 6(1)(f) GDPR (legitimate interest in evidencing the handover of the Prize and in fraud prevention).

If you take part in a Challenge and provide the Challenge Organiser or Pixcham with your personal data, in particular your username and selfie photograph, you acknowledge that this data will be published in the Application for other Users who have taken part in the Challenge, and also on the relevant Challenge sub-page in the Pixcham Application and at the same time on the website https://pixcham.com (in all language versions operated on the pixcham.com subdomains pixcham.com, for example https://sk.pixcham.com/challenge/nazov_challenge), which is publicly accessible to all internet visitors. The Challenge sub-page remains available even after the Challenge ends as a record of the running of the Challenge, the announced Winners and the results achieved (Article 6(1)(b) in conjunction with Article 6(1)(f) GDPR); at your request we will anonymise your data.

In the event of a win, Pixcham and the Challenge Organiser mayshare your personal data — in particular the username and the winning selfie photograph — on their official social networks (in particular Facebook, Instagram, X, LinkedIn, TikTok) for a period of 3 years from the end of the Challenge. After this period expires, the content is automatically removed from all social channels. The detailed conditions and legal bases of sharing are set out in the „Sharing of Winners’ content for marketing purposes“ section of this Privacy Policy. This sharing is carried out exclusively on the basis of your consent — see the section „Sharing of Winners’ content for marketing purposes“.

The specific parameters of each Challenge (including identification of the Challenge Organiser, a description of the Prizes and Prize providers, the duration of the Challenge, the age restriction, the Official Rules, the contact for complaints and information on the processing of personal data) are set out on the public Challenge sub-page in the Pixcham Application and on the Website and in the „Official Rules“ modal available at the detail of each Challenge. The full wording of the Official Rules of the particular Challenge is also available in PDF format under the „Download information“ button. By entering a particular Challenge by clicking the „Sign up“ button you accept the Official Rules of that Challenge and confirm that you have familiarised yourself with this Privacy Policy, which governs the processing of your personal data — including the sharing of your content in the event of a win. Acceptance of the Official Rules applies to participation in the Challenge and to the processing necessary for its running (Article 6(1)(b) GDPR). The marketing sharing of your content in the event of a win, however, is governed exclusively by your separate consent under the section „Sharing of Winners’ content for marketing purposes“.

Your entries (Selfies, username, results) are displayed in the Application and on the Challenge sub-page during the Challenge and after it has been evaluated, on the basis of Article 6(1)(b) GDPR (performance of the contract — participation in the Challenge, which has a public competitive nature); an overview of your participations can be found in the „Challenge history“ section of your profile. You may at any time request the removal or anonymisation of your entries by e-mail at dpo@pixcham.com dpo@pixcham.com or you may delete your Account at any time directly in the Application (Settings → Legal information → Delete account). For Winners, anonymisation is carried out instead of deletion (the photograph and name cease to be publicly displayed, while the ranking position and Prize remain in the results anonymously) — records needed for tax and accounting purposes are retained to the extent and for the period laid down by law. You may withdraw your separate consent to the sharing of Winners’ content for marketing purposes at any time by switching off the relevant setting in the Application or by e-mail at dpo@pixcham.com dpo@pixcham.com. Upon receipt of the request, Pixcham and the Challenge Organiser will remove your identifiable content without undue delay, and no later than within 30 days.

Information we collect

When you use our Services, we may collect from You and/or from Your device certain information that may be considered personal data, in particular:

• data and analytics about Your use of our Services (e.g. the history of Challenges you have taken part in, or the history of Battles, session length, preferred settings, advertisements in the Application that you may have viewed, links in the Application or simply Application preferences, the way in which you were referred to our Services);
• records of the use of the Application (application logs, including login records, crashes and error messages);
• your IP address and device identifiers (for example the advertising ID and the device identifier);
• the type and version of the operating system, the device model, the Application language;
• Your communications within the Service (for example reactions, emoticons and ratings that you share with other Users);
• data collected through third-party analytics and diagnostic tools (in the Application, Google Firebase — Crashlytics; on the Website, Google Analytics) for the purposes of measuring user behaviour, the stability of the Application and the improvement of the Services. The precise list of service providers and the international transfer mechanisms are set out below in the section „International transfer of personal data“

Information about the device (device type, operating system and its version) serves us in particular to check the compatibility of the Application with Your device and to ensure its proper functioning.

The legal basis for processing this information is Article 6(1)(b) GDPR (performance of the contract — provision and securing of the functionality of the Application and the Services) and Article 6(1)(f) GDPR (legitimate interest of Pixcham in analytics, security, fraud prevention and the improvement of the Services).

Some of this information may be collected through Cookies or similar technologies (for example third-party SDKs), as explained in more detail below in the „Cookies“ section of this Privacy Policy.

Information we obtain from third-party sources

• Apple Sign In (Sign in with Apple). You may choose to log in or register to the Pixcham Application through your Apple account. With this method of registration, we obtain from Apple Distribution International Limited (or Apple Inc., depending on your region) your display name and e-mail address. Apple allows you to use the „Hide My Email“ feature, whereby Pixcham does not receive your actual e-mail address but only an anonymised relay address in the form „@privaterelay.appleid.com“. More detailed information on the processing of your data by Apple can be found in the Apple Privacy Policy at https://www.apple.com/legal/privacy.
• Providers of verification and security services. When verifying Your identity (for example when winning a Prize), we may obtain data from third-party providers (for example Veriff OÜ). Precise information on the processing of data by these providers is set out in the section „International transfer of personal data“ and in the privacy policy of the relevant provider.
• Advertising partners and attribution services. If you learned about the Application through an advertisement in other applications or on third-party websites, we may obtain limited information about the origin of Your installation (for example the advertising campaign identifier, the click source, the device type). We obtain this information from advertising networks and attribution services in order to evaluate the effectiveness of our marketing activities. Specific advertising partners are set out in the section „International transfer of personal data“ and more detailed information on processing can be found in the „Advertising“ section of this Privacy Policy.

A list of our current service providers and partners can be found at https://www.pixcham.com/subprocessors.

The legal basis for obtaining personal data from third parties is Article 6(1)(b) GDPR (performance of the contract — for example when logging in via Apple Sign In or when verifying a Winner’s identity) and Article 6(1)(f) GDPR (legitimate interest of Pixcham in evaluating marketing activities, fraud prevention and securing the Services). In accordance with Article 14 GDPR, Pixcham informs You of the source of the data and its processing no later than within one month of obtaining it.

We may anonymise and aggregate any personal data that we collect (so that it does not directly identify you). We may use anonymised information for purposes that include testing our IT systems, research, data analysis, improving the Services and developing new products and features within the Application. Anonymised data is no longer considered personal data and is not subject to the GDPR within the meaning of Recital 26 GDPR.

No special categories of personal data

Pixcham does not require, nor does it intend to collect or process, special categories of personal data within the meaning of Article 9(1) GDPR and Section 16 of the Act, i.e. in particular personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Selfie photographs that Users publish within Challenges and 1vs1 Battles are processed exclusively as ordinary personal data (photographs of a person) within the meaning of Article 4(1) GDPR, for the purposes of display within the Application and participation in the Challenge. Pixcham does not use face recognition technologies, facial templates or other technologies for the unique identification of a natural person on the basis of their physical characteristics. We do not provide selfie photographs to third parties for the training of their AI models. Pixcham’s own internal models (fraud detection, deepfake content detection and moderation support) are trained exclusively on anonymised or pseudonymised data within the meaning of Clause 7.13 of the Terms; you can manage your choices in the Profile settings in the „AI & Privacy“ section. The processing of selfie photographs therefore does not fall under special categories of personal data pursuant to Article 9(1) GDPR. Pixcham recommends that Users do not publish special categories of personal data about themselves or other persons within the Services. If a User publishes such data within the Services (for example through User Content), they do so at their own responsibility and Pixcham bears no responsibility for such processing beyond what is imposed on it by the GDPR and the Act. The exception is the biometric identity verification of a Winner via Veriff (comparison of the selfie with an identity document), which is carried out exclusively on the basis of explicit consent pursuant to Article 9(2)(a) GDPR — see the section „Verification of the identity and age of Winners“.

How we use your information

General

We use the information we collect about You/Your device to provide the Services and to operate the Application. We also use it to improve our Services, enhance security and for analytical and research purposes, in order to provide you with the best possible Services. In addition, we use Your data to promote Pixcham’s own Services and Challenges within the Pixcham Application and the pixcham.com website pixcham.com. Pixcham does not display third-party advertising in the Application; advertisements within Challenges are created and inserted exclusively by Pixcham or by the Organiser of the particular Challengeas part of it. We also use Your data to monitor and prevent fraud and to comply with our statutory obligations.

We use Your information for the following purposes:

Provision and improvement of the Services

We use Your data to develop, provide and improve the Services, other products, services and content, to customise our Services, to provide Application updates, to resolve technical problems, to understand and analyse trends related to the use of the Services and to administer the Application. The legal basis is Article 6(1)(b) GDPR (performance of the contract) and Article 6(1)(f) GDPR (legitimate interest in the development and improvement of the Services).

Display of advertisements and measurement of their performance

During the individual rounds of a Challenge, advertising content may be displayed to You (image or video advertisements with a call-to-action button), which is inserted into the Application by Pixcham or the Challenge Organiser. These advertisements relate to Pixcham’s own Services, Challenges or the products and services of the Challenge Organiser. When you click the call-to-action button, you will be redirected to an external website specified by Pixcham or the Challenge Organiser. For the purposes of measuring advertising performance, we collect aggregated statistics (the total number of impressions, the number of unique users who saw the advertisement, and the number of clicks). We share these aggregated, non-identifying statistics with the Challenge Organiserin the form of a report. The legal basis is Article 6(1)(b) GDPR (performance of the contract — advertisements form part of the Challengethat you have taken part in) and Article 6(1)(f) GDPR (legitimate interest of Pixcham and the Challenge Organiserin evaluating the performance of Challenges). Further information can be found in the Advertising section of this Privacy Policy.

Marketing

We use Your data (e-mail address and name) to send marketing communications about our own services (for example newsletters about new Challenges, Application features or summaries of Your activity), on the basis of our legitimate interest in informing Users about similar services (Article 6(1)(f) GDPR in conjunction with Section 116 of Act No. 452/2021 Coll. on electronic communications). You may unsubscribe from these communications at any time, free of charge, by clicking the „Unsubscribe“ link in any e-mail or in the Notification settings, where you can also configure individual e-mail categories separately; after you unsubscribe, we will stop sending you marketing e-mails. We would send you marketing communications beyond this scope (in particular third-party offers) exclusively on the basis of your prior consent (Article 6(1)(a) GDPR). We do not, by default, send marketing communications to Users aged 16 to 17.

Analysis and research

We use Your data to understand and analyse trends related to the use of the Services, to collect demographic information about our user base, and data about where the Application was downloaded from. We may also create reports and analyses for research or business intelligence purposes, for example to monitor potential problems or trends with the Services or to test the features and content of our Application. The legal basis is Article 6(1)(f) GDPR (legitimate interest of Pixcham in improving the Services and understanding User behaviour).

Security and fraud prevention

We use Your data to enhance the safety and security of the Services, to prevent fraud (for example an attempt at multiple participation in a Challengefrom different accounts) and to protect the rights of Pixcham and Users. The legal basis is Article 6(1)(f) GDPR (legitimate interest) and, in some cases, Article 6(1)(c) GDPR (compliance with legal obligations).

Customer support

We use Your data to provide customer support and to answer your questions. The legal basis is Article 6(1)(b) GDPR (performance of the contract) and Article 6(1)(f) GDPR (legitimate interest in resolving Users’ queries).

Verification of the identity and age of Winners

We verify the identity and age of a Winner in the case of a monetary or non-monetary Prize with a value exceeding EUR 350 through the certified provider Veriff OÜ. The legal basis is Article 6(1)(c) GDPR (compliance with legal obligations, in particular tax obligations) and Article 6(1)(f) GDPR (legitimate interest in fraud prevention). To the extent that the verification involves a biometric comparison of the Winner’s likeness with an identity document, it is carried out on the basis of the Winner’s explicit consent pursuant to Article 9(2)(a) GDPR, which the Winner grants by active confirmation on a separate screen in the Application before being redirected to the verification. A Winner who does not consent to biometric verification may request manual verification of the document by Pixcham customer support. Details of the processing by Veriff OÜ are set out in the section „International transfer of personal data“.

Sharing data with the Challenge Organiser

In the case of Challenges, that are not organised by Pixcham, we share Your personal data (in particular the selfie photograph, username and e-mail) with the Challenge Organiserto the extent necessary for the organisation, running and evaluation of the particular Challenge. The legal basis is Article 6(1)(b) GDPR (performance of the contract — participation in the Challenge). Further information can be found in the sections „When we are a controller, a processor and when a joint controller“ and „How we share your information“. The exact scope of the sharing (including the export of the selfie photographs of all participants after the end of the Challenge) is described in the section „How we share your information“.

Our legal obligations

We use Your data where required of us by legislation, for example when keeping records of personal data breaches or handling requests to exercise the rights of data subjects. The legal basis is Article 6(1)(c) GDPR (compliance with legal obligations).

Establishment, exercise and defence of legal claims

We may process Your data in the case of judicial or extrajudicial disputes or in proceedings with public authorities in which we establish or defend our legal claims. The legal basis is Article 6(1)(f) GDPR (legitimate interest of Pixcham).

Sharing of Winners’ content for marketing purposes

The display of Winners (username, winning selfie and ranking position) in the Challenge results in the Application and on the Challenge sub-page is an integral part of the public competition and is carried out on the basis of Article 6(1)(b) GDPR (performance of the contract — announcement of the competition results). Beyond this, Pixcham and the Challenge Organiser may share Your winning selfie and username for marketing purposes on the following channels, exclusively on the basis of Your consent pursuant to Article 6(1)(a) GDPR and Your permission pursuant to Section 12 of the Civil Code, which you grant by means of a separate unticked box upon confirmation of the win — separately from the confirmation of the data for delivery of the Prize (granting consent is not a condition for receiving the Prize; you may withdraw consent at any time in the Application settings or by e-mail at dpo@pixcham.com): dpo@pixcham.com):

a) The social networks of Pixcham and the Challenge Organiser(in particular Facebook, Instagram, X, LinkedIn, TikTok) for a period of 3 years from the end of the Challenge. Legal basis: Your consent pursuant to Article 6(1)(a) GDPR.

b) The official Challenge page on the portal pixcham.com (e.g. https://sk.pixcham.com/challenge/demanova_selfie_challenge_3) and a similar page of the Organiser as a record of the running of the Challenge, the announced Winners and the results achieved. Legal basis: Article 6(1)(b) GDPR (announcement of results as part of the competition) in conjunction with Article 6(1)(f) GDPR (legitimate interest in preserving the integrity of the results). At Your request we will anonymise Your data on the Challenge page (replacement of the name with a generic designation and removal of the selfie).

You may withdraw your consent to sharing at any time by sending an e-mail to dpo@pixcham.com dpo@pixcham.com. After withdrawal, Pixcham and the Organiser will remove Your identifiable content (selfie and name) from all channels without undue delay, no later than within 30 days. The Challenge page may remain active with anonymised data (e.g. replacement of the name with the generic designation „Participant“). Exceptions are cases where further retention is required by legislation.

If the Challenge Organiseruses Your contact data (e-mail) for its own marketing (e.g. newsletter, remarketing, business offers), the Organiser becomes an independent Controller in respect of that processing. Pixcham has no influence over the further processing of Your data by the Organiser outside the Pixcham platform.

The public nature of Competitions and the sharing of User Content among Users

The Pixcham Application is a platform based on the public sharing of Selfies created by Users within Competitions — i.e. Challenges and 1vs1 Battles. By taking part in a Competition you acknowledge and accept the public nature of Your User Content.

Public visibility within the Challenge

Your Selfie and username are publicly visible within the Challenge and the 1vs1 Battle to all other Users of the Application and visitors to the Website https://www.pixcham.com. Within each Challengethe following are displayed in particular: During the Challenge and after it ends, the overall leaderboard of Challenge participants (username, name and Points achieved) and the top 100 entries of each round (Top 100) are displayed publicly. Selfies that did not reach the Top 100 are not displayed publicly; however, they continue to be processed in accordance with this Privacy Policy (in particular they are available in the „Challenge history“ section of the relevant User and form part of the export for the Challenge Organiser pursuant to the section „How we share your information“).

• Your Selfie that you created by completing a Task;
• Your username and profile picture from Your Profile;
• The number of Points you achieved in the individual rounds of the Challenge and in the overall Challenge ranking;
• Your ranking position among Users according to the total number of Points.

Other Users of the Application may view the Selfies of all participants in a given Challenge, including Users with the highest number of Points (for example the Top 100 or Top 10 Users of a given Challenge).

User Content sharing feature among Users

The Application provides a sharing feature that allows Users to share the User Content of other participants in a Challenge or 1vs1 Battle on external channels — in particular on social networks (Facebook, Instagram, X, TikTok, LinkedIn) or through other applications on the device (for example Messages, Mail, AirDrop, WhatsApp).

When User Content is shared among Users, a link back to the Pixcham Platform (the URL of the particular Challenge or of the Website) is attached to the content, where the target platform technically allows it (for example with Messages, e-mail or WhatsApp); on platforms that do not allow a link to be attached (for example Instagram), the content is shared without a link. Pixcham, however, has no control over the further dissemination of User Content once it has been shared outside the Pixcham Platform.

Legal basis

Performance of the contract pursuant to Article 6(1)(b) GDPR (taking part in a Challenge or 1vs1 Battle in accordance with the Pixcham Terms of Service means accepting the public nature of the Competition and the User Content sharing feature among Users) in conjunction with the legitimate interest of the Company pursuant to Article 6(1)(f) GDPR (support for the Platform’s virality mechanisms, community growth and the promotion of Challenges through organic sharing).

Your rights and options

• Right to object: If you find that another User has shared Your User Content in a manner that you consider inappropriate or contrary to the Community Guidelines, you may send a request to dpo@pixcham.com dpo@pixcham.com. The Company, in cooperation with You, will make reasonable efforts to remove the content from the Pixcham Platform and to review the case in accordance with the Community Guidelines.
• Right to removal of your own User Content: You may delete Your Account, including the Profile, at any time directly in the Application (Settings → Legal information → Delete account); you may request the removal of a specific Selfie by e-mail at dpo@pixcham.com dpo@pixcham.com. You can view your participations in Challenges in the „Challenge history“ section of Your profile. After the Profile is deleted, Your User Content will cease to be displayed in the Application and on the Website within 30 days. User Content that has already been shared by other Users on external channels (social networks, other applications), however, remains under the control of the relevant external platform and the individual persons sharing it — the Company has no technical means to remove such content shared outside the Pixcham Platform.
• Report a breach of the Community Guidelines: The Application provides a „Report“ feature through which you can alert the Company to a breach of the Community Guidelines by another User. Each report is reviewed by the Company’s team in cooperation with independent adjudicators through the Pixcham Judge application. In the event of a breach, the Company may take appropriate steps, including the removal of User Content, the blocking of the infringing User’s Profile or other measures in accordance with the Terms.

Sharing restrictions (Community Guidelines)

The sharing of other Users’ User Content is permitted exclusively in the context of the original Challenge or 1vs1 Battle and in support of sporting competition. In accordance with the Community Guidelines, it is prohibited to:

• share another User’s User Content with a defamatory, offensive, discriminatory or hateful comment;
• use another User’s Selfie for the commercial promotion of third parties without their explicit consent;
• manipulate another User’s User Content (for example editing the Selfie, deepfake, change of context) or share User Content modified in this way;
• share User Content outside the Application for the purpose of bullying, doxxing or other infringement of another person’s privacy.

A breach of the Community Guidelines may lead to the immediate blocking of the infringing User’s Profile and, in serious cases, to the application of legal liability under the Civil Code, the Copyright Act and the criminal-law regulations of the Slovak Republic.

Personalised content (Pixcham Moments)

After the end of each ChallengePixcham automatically creates personalised AI-generated content for You from Your competition rounds — for example a short video, a visual summary, fun statistics or a visual retrospective of Your participation in the Challenge. This content is intended primarily for You and is available in Your account in the Pixcham Application.

Which of Your data is processed when creating Pixcham Moments:

To create the personalised content, the following personal data that you provided when participating in the Challenge is processed:

• username and profile picture;
• selfie photographs that you uploaded during the competition rounds;
• statistics of Your participation (number of rounds, Points achieved and ranking position, Challenge category, participation dates);
• the name of the Challengeand the Challenge Organiser.

AI providers used (Processors)

To generate Pixcham Moments, Pixcham uses the following third-party AI providers, which act as processors of personal data pursuant to Article 28 GDPR:

• Anthropic PBC (Claude) — San Francisco, USA — for generating the textual elements of the personalised content (captions, descriptions, fun statistics, narrative);
• Google LLC (Gemini / Nano Banana) — Mountain View, USA — for generating and editing the visual elements (collages, videos, graphics, animations).

With both providers, Pixcham concludes a data processing agreement (DPA) in accordance with Article 28 GDPR before the start of any processing of Your data. The transfer of Your personal data to the USA takes place on the basis of standard contractual clauses within the meaning of Article 46(2)(c) GDPR and the EU-US framework for the protection of personal data (the EU-US Data Privacy Framework (DPF)). Details of the transfer and sub-processors are set out in the section „International transfer of personal data“.

Your decision on sharing

Pixcham Moments are generated automatically after the end of each Challenge and are available in Your account in the Pixcham Application. Pixcham does not share this content on its own channels without Your explicit decision. You are free to:

• share it on Your own social networks (Facebook, Instagram, X, TikTok, LinkedIn) through the built-in sharing feature in the Application;
• download it to Your device and use it at your own discretion;
• keep it private without any sharing;
• or delete it from Your account at any time.

Legal basis

Performance of the contract pursuant to Article 6(1)(b) GDPR (Pixcham Moments is part of the Pixcham service provided to the User) in conjunction with the legitimate interest of Pixcham pursuant to Article 6(1)(f) GDPR (improvement of the service, the user experience and support for the platform’s virality through the voluntary sharing of content by the Users themselves). You may switch off the generation of Pixcham Moments at any time in the Profile settings (the „AI & Privacy“ section); in such a case, Your data is not sent to the AI providers.

Retention
Pixcham Moments are retained in Your account for the duration of the User Account. Upon cancellation of the Account, they are deleted within 30 days. Inputs (prompts and temporary processing) at the AI providers are retained at most in accordance with their own retention policies (Anthropic: 30 days, Google: in accordance with the Gemini API terms).

How we share your information

We may share Your personal data with certain categories of recipients, exclusively to the extent necessary for the performance of the contract, the provision of the Services or for compliance with Pixcham’s legal obligations. All recipients are contractually bound to maintain the confidentiality of Your personal data and to process it in accordance with the GDPR and the Act.

We may share Your personal data with the following categories of recipients:

• Challenge Organiser. In the case of Challengesthat are not organised by Pixcham, we share with the Challenge Organiser Your personal data (in particular the selfie photograph, username and e-mail) to the extent necessary for the organisation, running and evaluation of the particular Challenge. The legal basis is Article 6(1)(b) GDPR (performance of the contract). Pixcham and the Challenge Organiser act in this case as joint controllers within the meaning of Article 26 GDPR (see the section „When we are a controller, a processor and when a joint controller“). After the end of the Challenge, the Challenge Organiser obtains an export of the selfie photographs of all Challenge participants (without any assignment of usernames or other participant identifiers) for the purpose of evidencing the implementation and scope of the Challenge; identification data (name and surname, username, e-mail, address, telephone number) is obtained exclusively in respect of Winners. The Challenge Organiser is entitled to use the exported content exclusively in connection with the given Challenge within the meaning of Clauses 7.2 and 7.3 of the Terms; any other use (in particular marketing in relation to third parties) requires Your explicit consent.
• Prize provider. If the Prize in a Challenge is provided by a person other than the Challenge Organiser (a Prize provider identified in the Challenge detail or in the Official Rules of the Challenge), we share the Winner’s personal data with them exclusively to the extent necessary for the handover or delivery of the Prize (typically name and surname, delivery address, e-mail or telephone number). The legal basis is Article 6(1)(b) GDPR (performance of the contract — handover of the Prize). The Prize provider processes this data when delivering the Prize as a separate controller.
• Private Challenges. In the case of a private Challenge that Users join on the basis of a list of invited persons provided by the Challenge Organiser, we process the e-mail addresses of the invited persons on behalf of the Challenge Organiser (as a processor) exclusively for the purposes of managing access to the Challenge and sending invitations; the Challenge Organiser is responsible for the legal basis for the use of these addresses. We retain the list of invited persons for the purposes of the Challenge Organiser’s further Challenges and we will delete it without undue delay at the Organiser’s request, no later than upon cancellation of their business account.
• Providers of verification and security services. When verifying the identity and age of a Winner (in particular when winning a Prize), we share limited personal data (for example an identity document) with providers of verification services (for example Veriff OÜ). The legal basis is Article 6(1)(b) GDPR (performance of the contract) and Article 6(1)(f) GDPR (legitimate interest in fraud prevention). Details of the processing are set out in the section „International transfer of personal data“.
• Providers of analytics and diagnostic services. For the purposes of measuring user behaviour, the stability of the Application and the improvement of the Services, we use third-party analytics tools (for example Google Analytics and Google Firebase, operated by Google LLC). The device data we share with such providers is encoded and the providers assign random identifiers to it, so that it is not directly attributable to a specific person. The legal basis is Article 6(1)(f) GDPR (legitimate interest of Pixcham in analytics and the improvement of the Services). Details of the international transfer are set out in the section „International transfer of personal data“.
• Providers of cloud and hosting services. The information we collect from You is stored on the servers of our cloud service providers (for example Amazon Web Services). The legal basis is Article 6(1)(b) GDPR (performance of the contract — provision of the Services) and Article 6(1)(f) GDPR (legitimate interest in the secure and reliable operation of the Application).
• Providers of authentication services. If you decide to log in or register to the Application through Apple Sign In, we share limited data about Your account (display name, e-mail address or the anonymised relay address depending on Your choice of the „Hide My Email“ feature) with Apple Distribution International Limited (or Apple Inc., depending on Your region). The legal basis is Article 6(1)(b) GDPR (performance of the contract — providing access to the Application). Details of the processing by Apple can be found in the Apple Privacy Policy at https://www.apple.com/legal/privacy.
• Providers of e-mail and communication services. To send transactional e-mails, notifications and marketing communications (if you have consented to them), we use providers of e-mail and communication services (for example Sinch). The legal basis is Article 6(1)(b) GDPR (performance of the contract) for transactional e-mails and Article 6(1)(a) GDPR (consent) for marketing communications.
• Providers of attribution services and fraud prevention. To evaluate the effectiveness of our marketing activities and to prevent fraud, we may use providers of attribution services that collect limited information about the origin of Application installations (for example the click source, the advertising campaign identifier). The legal basis is Article 6(1)(f) GDPR (legitimate interest of Pixcham in evaluating marketing activities and in fraud prevention). The specific providers are set out in the section „International transfer of personal data“.
• Third-party tracking provider of an advertising partner. We allow our advertising partners to track impressions, clicks, installs or other indicators of advertising campaign performance through their tracking providers for the purpose of measuring the performance of their advertising campaign. They may use their own third-party tracking providers.

In the future, we may enter into a contract with additional partners or change existing partners to perform any services in connection with the Services. We will keep these changes updated on the website https://www.pixcham.com/subprocessors or we will update them without undue delay in the event of material changes to our data processing practices.

A list of our current service providers and partners can be found at https://www.pixcham.com/subprocessors.

Pixcham reserves the right to disclose Your personal data:

• to public authorities or courts on the basis of a legal obligation, a court decision or a legitimate request (Article 6(1)(c) GDPR);
• for the purposes of establishing or defending Pixcham’s legal claims, or protecting the rights and safety of Pixcham, Users or third parties (Article 6(1)(f) GDPR);
• in the event of a reorganisation, merger, acquisition, sale of the business or part thereof — to transfer the personal data to a successor of Pixcham, while continuity of personal data protection under the GDPR will be ensured (Article 6(1)(f) GDPR).

Any questions concerning the sharing of Your personal data with third parties may be addressed to us at legal@pixcham.com or dpo@pixcham.com.

Advertising

Within the Application, Pixcham displays advertising content that is created and inserted exclusively by Pixcham or the Challenge Organiser. Pixcham does not display third-party advertising in the Application (for example Google AdMob, Meta Audience Network or other advertising networks) and does not provide Users’ personal data to third-party advertising networks for the purposes of targeted advertising.

Advertising content within the Application is displayed in the form of image or video advertisements with a call-to-action button (for example „Show more“, „Buy now“, „Order“) that are displayed between the individual rounds of a Challenge. When you click the call-to-action button, you will be redirected to an external website specified by Pixcham or the Challenge Organiser. Pixcham is not responsible for the processing of personal data on external third-party websites, which are governed by their own privacy policies.

We further inform you that:

a) if you use our Services, we send You marketing communications about our own services (for example newsletters about new Challenges or Application features) on the basis of our legitimate interest (Article 6(1)(f) GDPR in conjunction with Section 116 of Act No. 452/2021 Coll.). You have the right to object to this processing at any time and to unsubscribe from the communications by clicking the „Unsubscribe“ link in any e-mail, in the Notification settings in the Application or by sending a request to dpo@pixcham.com; after you object, we will stop sending you marketing e-mails. We would carry out marketing communications beyond our own services only with Your prior consent; its withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

b) For the purposes of measuring advertising performance within Challenges, we collect aggregated, non-identifying statistics (in particular the total number of advertisement impressions, the number of unique Users who saw the advertisement, and the number of clicks on the call-to-action button). We provide these aggregated statistics to the Challenge Organiserin the form of a report for the purpose of evaluating the success of the Challenge. Individual Users are not identifiable in this report. The legal basis for the processing is Article 6(1)(b) GDPR (performance of the contract — measuring the performance of the Challengeforms part of the contractual relationship with the Challenge Organiser) and Article 6(1)(f) GDPR (legitimate interest of Pixcham and the Challenge Organiserin evaluating advertising campaigns).

c) For the technical measurement of the Application’s performance, we use Google Firebase tools (Crashlytics and Cloud Messaging); on the Website we use Google Analytics on the basis of Your consent to analytics Cookies (see the „Cookies“ section). Details of these providers and the international transfer mechanisms can be found in the sections „How we share your information“ and „International transfer of personal data“.

d) We retain advertising statistics for the duration of the Challenge and subsequently for a period of 7 days after it ends for the purposes of evaluation and reporting to the Organiser. Aggregated, fully anonymised statistics (without any User identifiers) may be retained indefinitely for the purposes of benchmarking and improving the Services.

e) In connection with the processing of Your personal data for advertising purposes, you have the rights set out in the „Your rights“ section of this Privacy Policy, in particular the right to object to processing based on legitimate interest (Article 21 GDPR). Any questions or objections may be addressed to our Data Protection Officer at dpo@pixcham.com.

Third-party social networks

Logging in through third-party social networks

The Pixcham Application allows You to log in or register through Your Apple account (the Apple Sign In / Sign in with Apple feature). Details of the data we obtain from Apple are set out in the section „Information we obtain from third-party sources“. In the event that the supported social networks are expanded, we will inform You through an updated version of this Privacy Policy and an updated list of partners at https://www.pixcham.com/subprocessors.

The third-party social networks whose services we use are governed by their own privacy policies, terms of use and contractual arrangements with end users. Pixcham is not responsible for the processing practices or privacy policies of these third parties and has no control over them. Details of the processing of Your personal data by these third parties can be found in their privacy policies (for example the Apple Privacy Policy at https://www.apple.com/legal/privacy/).

Information we obtain when logging in via Apple Sign In

When using the Apple Sign In feature, we obtain from Apple Distribution International Limited (or Apple Inc., depending on Your region) the following data:

• Your display name (to the extent you chose during registration);
• Your e-mail address or, if you chose the „Hide My Email“ feature, an anonymised Apple relay address in the form „@privaterelay.appleid.com“;
• A unique identifier of Your Apple account (sub claim).

Pixcham does not obtain any other data from Apple (for example your contacts list, photographs, location or the content of other applications). The legal basis for the processing is Article 6(1)(b) GDPR (performance of the contract — providing access to the Application).

How you yourself can share your content on social networks

The Pixcham Application allows You to manually share Your content from the Application (for example selfie photographs, Challenge results, achievements) on third-party social networks through the system „Share“ button of Your mobile device. After clicking the „Share“ button, you yourself choose on which social network (for example Instagram, Facebook, WhatsApp, X) you wish to publish the content. This sharing is entirely under Your control and Pixcham has no influence over it or access to the subsequent processing by that third-party social network.

Please note that from the moment you share content on a third-party social network, the processing is governed by the privacy policy of that social network. Pixcham bears no responsibility for such processing.

If you have any questions concerning logging in via third-party social networks or sharing content, you may contact us at legal@pixcham.com or dpo@pixcham.com.

Cookies

Cookies are small files that are stored on your mobile device or internet browser when you browse our Website (including all language versions operated on the subdomains pixcham.com). They enable us to improve the functionality of the Website and to understand user behaviour. On our Website we use the following basic types of Cookies:

• Necessary Cookies are essential to ensure the proper functioning of the Website and its basic features, such as page navigation and access to secure areas of the Website. Without these Cookies, the Website cannot function properly. These Cookies are set automatically and cannot be switched off in the Cookies settings.
• Analytics Cookies are used to understand and analyse the key performance indicators of the Website, which help to provide visitors with a better user experience. These Cookies can be switched on or off in the Cookies banner settings. Analytics Cookies may include Cookies of third-party analytics service providers (for example Google Analytics, operated by Google LLC); details of the international transfer of data can be found in the „International transfer of personal data“ section of this Privacy Policy.

In accordance with Section 109(8) of Act No. 452/2021 Coll. on electronic communications and Article 6(1)(a) GDPR, before setting analytics and marketing Cookies we require Your prior consent, which you grant through the Cookies banner on our Website. You may withdraw your consent or change your settings at any time through the „Cookies settings“ link in the footer of the Website. Necessary Cookies are set automatically without Your consent, because their use is essential to ensure the proper functioning of the Website, and they are stored on the basis of Section 109(8) of Act No. 452/2021 Coll. (technical necessity); the related processing of personal data relies on Article 6(1)(f) GDPR (legitimate interest of Pixcham in the functionality and security of the Website).

In addition, we distinguish between „first-party“ Cookies, which are stored directly by us or our servers, and „third-party“ Cookies, which are stored by external service providers or third parties.

You may also change your Cookies settings at any time through the settings of Your internet browser. Most browsers allow you to block all Cookies, block only third-party Cookies or delete all Cookies already stored. Please note, however, that blocking all Cookies may lead to a restriction of the Website’s functionality.

Cookies

Name: CONTEST
Type: Necessary
Expiry: 2 years
Description: Used to determine whether the visitor has accepted the marketing category in the Cookies banner. This Cookie is necessary to ensure the Website’s compliance with the GDPR.

Name: vuex
Type: Necessary
Expiry: Session
Description: Registers the user’s login status. This allows the Website owner to control the accessibility of certain parts of the website based on whether the User is logged in or not.

Name: _ga
Type: Analytics
Expiry: 1 year and 1 month
Description: Registers a unique ID that is used to generate statistical data on how the visitor uses the Website.

Name: _ga_#
Type: Analytics
Expiry: 1 year and 1 month
Description: Used by the Google Analytics service to collect data on the number of a user’s visits to the Website, as well as the dates of the first and most recent visit.

This list represents the current overview of the Cookies we use. The precise wording and the list of all Cookies is also available directly in the Cookies banner on our Website. Pixcham reserves the right to update this list in the event of the addition or change of Cookies and will inform You of changes through an updated version of this Privacy Policy.

Protection of children’s privacy

Pixcham deeply values the protection of the privacy of children and minors. In accordance with Article 8 GDPR and Section 15 of the Act, the minimum age for creating an account in the Pixcham Application is 16 years. Persons under the age of 16 are not permitted to create an account or use the Services.

Age verification at registration

At registration, the Pixcham Application verifies Your age through a two-stage mechanism:

Primary confirmation — before opening the registration form, the User must expressly state whether they are more or less than 18 years old;

Secondary verification — if the User states that they are under 18 years old, entering a date of birth is required before completing registration. If the entered age does not reach 16 years, registration is automatically rejected.

Pixcham warns that providing false information about age is a breach of the Terms of Use of the Application, may lead to the loss of entitlement to a Prize in a Challenge and to the immediate cancellation of the account.

Restrictions for Users aged 16 – 17 years

Users aged 16 to 17 years may use the Pixcham Application; however, their legal capacity within the meaning of Section 9 of the Civil Code is limited. Participation of a User aged 16 to 17 years in any Challenge is therefore always conditional upon the prior verified consent of a parent or legal guardian pursuant to Clauses 2.3, 2.3.1 and 4.8 of the Terms, granted and managed through the Parental Control feature. The Challenge Organiser may set a stricter age limit for a particular Challenge (for example 18+); it may not set a lower limit.

The age restriction for a particular Challengeis set out in the Challenge detailin the Pixcham Application and in the Official Rules of the Challenge.

Tax regime of winnings

Monetary and non-monetary Prizes are subject to taxation within the meaning of Act No. 595/2003 Coll. on income tax. Winnings with a value of up to EUR 350 are exempt from tax. Winnings exceeding EUR 350 are subject to tax at the rate of 19% on the part exceeding EUR 350. In the case of monetary Prizes provided by the Company, the Company ensures the withholding and remittance of tax as the taxpayer pursuant to Act No. 595/2003 Coll.; details are governed by Clause 12.3 of the Terms. In the case of non-monetary Prizes from third-party Organisers, the Winner is obliged to declare the value of the Prize in their tax return. Details are set out in the Terms of Use of the Pixcham Application.

Parental control and request for removal

If you suspect that a minor under the age of 16 has, despite the age check, created an account in the Pixcham Application, you may inform us of this by e-mail at dpo@pixcham.com. After verifying the age, we will take steps without undue delay (no later than within 30 days) to remove such a person’s personal data from our servers and we will cancel their account. We proceed in the same way if we ourselves become aware that a person under the age of 16 has registered in the Application.

Legal basis

The legal basis for age verification is Article 6(1)(c) GDPR (compliance with a legal obligation — in particular Article 8 GDPR and Section 15 of Act No. 18/2018 Coll.) and Article 6(1)(f) GDPR (legitimate interest of Pixcham in the protection of minors).

Your Rights

As a data subject, you have the following rights in relation to Your personal data under the GDPR and the Act:

You may exercise these rights at any time in accordance with the instructions set out below or by sending a request to dpo@pixcham.com.

Exercise of rights

You may exercise Your rights at any time by sending a request to our Data Protection Officer (DPO) at dpo@pixcham.com. You may also send the request to the secondary contact legal@pixcham.com. Pixcham will respond to Your request within one month of its receipt within the meaning of Article 12(3) GDPR. In the case of a complex or repeated request, Pixcham may extend this period by a further two months, while informing You of this together with the reasons. The exercise of Your rights is free of charge, with the exception of manifestly unfounded or excessive requests, for which Pixcham may charge a reasonable fee or refuse the request (Article 12(5) GDPR). When assessing a request, we may ask for the provision of additional information to verify Your identity within the meaning of Article 12(6) GDPR.

Withdrawal of consent

If the processing of Your personal data is based on Your consent, you have the right to withdraw that consent at any time by sending an e-mail to dpo@pixcham.com. The withdrawal of consent does not affect the lawfulness of the processing of data based on consent before its withdrawal (Article 7(3) GDPR).

List of Your rights

Right of access to your data (Article 15 GDPR) -

• Right to rectification (Article 16 GDPR) - you have the right to have any inaccurate or incomplete personal data that we hold about you rectified without undue delay;
• Right to erasure — the „right to be forgotten“ (Article 17 GDPR) you have the right to request that Pixcham erase Your personal data without undue delay where one of the grounds set out in Article 17 GDPR is met (for example where the personal data is no longer necessary for the purposes for which it was collected, or where you have withdrawn consent);
• Right to restriction of processing (Article 18 GDPR) you have the right to request that Pixcham restrict the processing of Your personal data where you contest its accuracy, the processing is unlawful, Pixcham no longer needs the data but you need it for the establishment of legal claims, or you have objected to the processing;
• Right to data portability (Article 20 GDPR) — where we process Your personal data on the basis of Your consent or on the basis of the performance of a contract and the processing is carried out by automated means, you have the right to receive that data in a structured, commonly used and machine-readable format and the right to transmit it to another controller, where technically feasible;
• Right to object (Article 21 GDPR) — you have the right to object at any time to the processing of Your personal data that is based on our legitimate interest (Article 6(1)(f) GDPR), including profiling based on that ground; if you object to processing for direct marketing purposes, we will no longer process Your personal data for that purpose;
• Right not to be subject to automated individual decision-making, including profiling (Article 22 GDPR) — you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning You or similarly significantly affects You. The Pixcham Application does not, as a standard, carry out such decision-making;

Legal basis

In each case where we process your data, we do so lawfully in accordance with one of the legal bases laid down in the GDPR.

The legal bases on which we rely are as follows:

• Contractual necessity. This relates to information that we process in order to provide you with a service that you have requested - and which we have agreed to provide -, i.e. to provide and improve the Services, provide customer support, provide special features in the Application,
• Legitimate interests. This includes information that we process for purposes that can reasonably be expected in connection with your use of the Services, in order to pursue our legitimate interests with the aim of ensuring you the best possible experience when using the Application and/or the Services, ensuring the security of your information and providing you with certain features of the Application free of charge or at a low cost. We pay particular attention to your data protection rights, taking care to ensure that your data protection rights are not overridden by our legitimate interests. When processing data for the purposes of analysis, fraud monitoring and prevention, push notifications, cross-promotion and contextual advertising, we rely on our legitimate interests. Pixcham also relies on legitimate interests in the case of judicial or extrajudicial disputes or in proceedings with public authorities in which it establishes or defends its legal claims, or when sending marketing communications to its existing or former Users with the aim of offering Users relevant and interesting information. On the basis of legitimate interest, Pixcham also processes the personal data of contact persons or other persons authorised to act for or on behalf of Challenge Organisers, as well as when verifying the identity of Winners.
• Consent. If we ask you for consent to use your data for a specific purpose, we will state this clearly at the moment of data collection and will also clarify for you how you can withdraw your consent.
• Legal obligation. This applies to information that we process to fulfil a legal obligation, for example to keep records for tax purposes, when handling requests to exercise the rights of data subjects, when keeping records of personal data breaches or when handling complaints.

Security

In accordance with Article 32 GDPR and Section 39 of the Act, Pixcham has implemented appropriate technical and organisational measures to protect the confidentiality, integrity, availability and resilience of personal data processing systems. These measures include in particular:

• Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256);
• Role-based access control (RBAC) and the principle of least privilege;
• Two-factor authentication (2FA) for all employees and processors with access to personal data;
• Regular security audits, penetration tests and system updates;
• Segregation of production, testing and development environments;
• Backup procedures and a disaster recovery plan;
• An obligation of confidentiality for all persons with access to personal data;
• Training of employees in the area of personal data protection and cybersecurity.

Despite these measures, Pixcham cannot guarantee the absolute security of transmitted and stored data, because no technical measure guarantees 100% protection in the event of unauthorised access.

Notification of personal data breaches

If a personal data breach occurs that results in a high risk to the rights and freedoms of natural persons, Pixcham, in accordance with Articles 33 and 34 GDPR:

• will notify the breach to the Office for Personal Data Protection of the Slovak Republic without undue delay, but no later than within 72 hours of becoming aware of the breach;
• will, without undue delay, inform the data subjects whose personal data was affected by the breach, where the breach presents a high risk to their rights and freedoms;
• will document all personal data breaches, including the facts relating to the breach, its consequences and the remedial measures taken.

International Transfer of Personal Data

Your personal data is processed primarily within the European Economic Area (EEA). In some cases, however, Pixcham uses service providers established in third countries outside the EEA (in particular in the United States of America). In such cases, Pixcham ensures appropriate safeguards for the protection of personal data within the meaning of Articles 44 to 49 GDPR, in particular:

• A European Commission adequacy decision (Article 45 GDPR);
• Standard contractual clauses approved by the European Commission (Article 46(2)(c) GDPR);
• Certification of the provider under the EU-US framework for the protection of personal data (the EU-US Data Privacy Framework (DPF));
• Data Processing Agreements.

For the purposes of transparency, we set out below a list of our sub-processors who may have access to Your personal data. For each sub-processor we state its purpose, the category of data transferred and the transfer mechanism. Where we carry out advertising analytics or attribution through third-party software, such a provider is always set out in this list and at https://www.pixcham.com/subprocessors. For transfers of data of Users from the United Kingdom, we apply the UK GDPR and we have concluded a UK Addendum to the standard contractual clauses (or an IDTA) with the sub-processors.

Service provider:
Stripe Payments Europe Limited (registered office: Dublin, Ireland)
Purpose:
Processing of payments for the Challenge Organiser’s Licence Fee (License Fee). Stripe serves exclusively as a payment gateway for processing the payments of Challenge Organisers. Tax documents (invoices) for the Licence Fee are issued and recorded by Pixcham in its own system; Stripe does not issue invoices on behalf of Pixcham.
Categories of personal data:
Identification data of the Challenge Organiser (business name, Company ID (IČO), Tax ID (DIČ), VAT ID (IČ DPH)); Billing data (registered office address, contact details, e-mail for invoice delivery); Transaction data (amount, date, payment description); The Organiser’s bank details and payment card data (encrypted and processed directly by Stripe); Historical records of the Organiser’s payments and invoices.
Provider’s privacy policy: https://stripe.com/en-sk/privacy
Transfer mechanism:
Processing primarily in the EEA (Stripe Payments Europe Limited, Ireland); for any transfers outside the EEA, standard contractual clauses pursuant to Article 46(2)(c) GDPR and DPF certification pursuant to Article 45 GDPR.

Service provider:
Wise Europe SA (registered office: Brussels, Belgium; licensed payment institution in the EEA)
Purpose:
Processing and payout of monetary Prizes (Cash Prizes) to Winners.
Categories of personal data:
The Winner’s name and surname, address, bank account number (IBAN), e-mail, transaction data, the value of the Prize paid out.
Provider’s privacy policy:
https://wise.com/gb/legal/global-privacy-policy-en
Transfer mechanism:
A European Commission adequacy decision (Article 45 GDPR) — processing within the EEA. Standard contractual clauses for any transfer outside the EEA (Article 46 GDPR).

Service provider:
Veriff OÜ (registered office: Tallinn, Estonia)
Purpose:
Verification of the Winner’s identity (KYC process) before the payout of a monetary Prize exceeding EUR 350.
Categories of personal data:
Name and surname, date of birth, photograph of an identity document (identity card or passport), selfie photograph for comparison with the document, IP address. The biometric comparison of the selfie with the document is carried out on the basis of explicit consent (Article 9(2)(a) GDPR); biometric templates are destroyed without undue delay after verification, and the verification session is retained by Veriff for a period of 2 years (the „Extended data retention“ add-on). In its own database, Pixcham retains only the session identifier, the date and the result of the verification — without copies of documents and photographs.
Provider’s privacy policy: https://www.veriff.com/privacy-notice
Transfer mechanism:
Processing within the EEA on the basis of a European Commission adequacy decision (Article 45 GDPR).

Service provider:
Sinch Email AB (registered office: Stockholm, Sweden)
Purpose:
Sending transactional and informational e-mails to Users (registration confirmation, win notification, notifications regarding Challenges).
Categories of personal data:
E-mail address, User’s name, message content.
Provider’s privacy policy: https://sinch.com/privacy-policy
Transfer mechanism:
Processing within the EEA on the basis of a European Commission adequacy decision (Article 45 GDPR), standard contractual clauses and a Data Processing Agreement (DPA). The Mailjet service is part of the Sinch group.

Service provider:
Amazon Web Services EMEA SARL (registered office: Luxembourg; data centres in the EEA)
Purpose:
Cloud infrastructure — hosting of the Pixcham Application, data storage, content delivery network (CDN) for static files including the data.pixcham.com subdomain (images, video trailers).
Categories of personal data:
All personal data processed within the Application (stored in the cloud infrastructure), static media files.
Provider’s privacy policy: https://aws.amazon.com/privacy
Transfer mechanism:
Standard contractual clauses within the meaning of Article 46(2)(c) GDPR and a Data Processing Addendum (AWS Data Processing Addendum). Pixcham’s data is processed primarily in the EEA regions of AWS.

Service provider:
Hetzner Online GmbH (registered office: Gunzenhausen, Germany; data centres in Germany and Finland)
Purpose:
Cloud infrastructure — supplementary server services and hosting.
Categories of personal data:
All personal data processed within the Application (stored in the cloud infrastructure).
Provider’s privacy policy:
https://www.hetzner.com/legal/privacy-policy
Transfer mechanism:
Processing within the EEA on the basis of a European Commission adequacy decision (Article 45 GDPR).

Service provider:
Google LLC (registered office: Mountain View, California, USA; EU representative: Google Ireland Limited)
Purpose:
Firebase Crashlytics — collection and analysis of the Application’s crash reports for the purposes of technical stability and bug fixing. Firebase Cloud Messaging — delivery of push notifications to Users. The Pixcham Application does not use Google Analytics or Firebase Analytics.
Categories of personal data:
Crashlytics: device identifier, device model, operating system, anonymised IP address, data on the course of the Application’s crash (stack trace). Cloud Messaging: device push token, notification content.
Provider’s privacy policy:
https://policies.google.com/privacy?hl=en
Transfer mechanism:
Standard contractual clauses within the meaning of Article 46(2)(c) GDPR, certification under the EU-US framework for the protection of personal data (the EU-US Data Privacy Framework (DPF)).

Service provider:
Apple Distribution International Limited (registered office: Hollyhill Industrial Estate, Cork, Ireland)
Purpose:
Distribution of the Application through the Apple App Store and authentication of Users through the Sign in with Apple service, including the Hide My Email feature (anonymised e-mail address in the @privaterelay.appleid.com domain).
Categories of personal data:
The User’s Apple ID, e-mail address (or, where applicable, an anonymised address in the @privaterelay.appleid.com domain), the User’s name, a unique identifier (sub claim).
Provider’s privacy policy:
https://www.apple.com/legal/privacy/en-ww
Transfer mechanism:
Processing within the EEA on the basis of a European Commission adequacy decision (Article 45 GDPR). Apple Distribution International Limited is an Irish entity subject to regulation by the Irish Data Protection Commission (DPC).

Service provider:
Temporal Technologies Inc. (registered office: Seattle, Washington, USA)
Purpose:
Workflow orchestration — ensuring the reliability and automation of the Application’s internal processes.
Categories of personal data:
Technical metadata about tasks and workflows; Temporal does not process Users’ personal data in content form.
Provider’s privacy policy:
https://temporal.io/global-privacy-policy
Transfer mechanism:
Standard contractual clauses within the meaning of Article 46(2)(c) GDPR.

Service provider: MongoDB, Inc.
Purpose:
Database service (MongoDB Atlas) — storage and management of the Application’s data.
Categories of personal data:
All personal data processed within the Application (stored in the database).
Provider’s privacy policy:
https://www.mongodb.com/legal/privacy/privacy-policy
Transfer mechanism:
Standard contractual clauses within the meaning of Article 46(2)(c) GDPR, certification under the EU-US framework for the protection of personal data (the EU-US Data Privacy Framework (DPF)). Pixcham’s data is processed primarily in the EEA regions of MongoDB Atlas (Frankfurt / Ireland).

Service provider: Anthropic PBC
Purpose:
Artificial intelligence for generating the textual elements within the Pixcham Moments feature — captions, descriptions, fun statistics and narratives from the User’s competition rounds.
Categories of personal data:
Username, statistics of participation in Challenges, the name of the Challenge, metadata from selfie photographs. Exclusively for generating the personalised Pixcham Moments content for the given User.
Provider’s privacy policy: https://www.anthropic.com/legal/privacy
Transfer mechanism:
Standard contractual clauses within the meaning of Article 46(2)(c) GDPR, a data processing agreement (DPA) with Anthropic PBC. Anthropic is certified under the EU-US framework for the protection of personal data (the EU-US Data Privacy Framework (DPF)) where applicable.

Service provider: Google LLC (Gemini / Nano Banana)
Purpose:
Artificial intelligence for generating and editing the visual elements within the Pixcham Moments feature — collages, videos, graphics and animations from the User’s competition rounds.
Categories of personal data:
Username, profile picture, selfie photographs from the competition rounds, statistics of participation in Challenges. Exclusively for generating the personalised visual Pixcham Moments content for the given User.
Provider’s privacy policy: https://policies.google.com/privacy
Transfer mechanism:
Standard contractual clauses within the meaning of Article 46(2)(c) GDPR, certification under the EU-US framework for the protection of personal data (the EU-US Data Privacy Framework (DPF)), a data processing agreement (DPA) with Google LLC.

Retention of personal data

We retain your data for as long as is necessary to provide the Services. If you request the cancellation of the Account, Your personal data will no longer be available in the Application. However, we will retain the data for a period of 30 days from the date of cancellation of the Account, after which it will be permanently deleted, unless its retention is required by legislation. In the event that the Challenge Organisercancels its business account in the Application, Your personal data related to its Challenges will be retained until the cancellation of its business account. In the case of identity verification, we retain the provided data for a period of 2 years from the date of verification of Your identity. Data relating to advertising analytics is retained for a maximum of 7 days from the end of the Challenge. We will delete the information as soon as we no longer need it for the purposes described in this Privacy Policy. After being deleted from production systems, data may remain in secure backups for a maximum of 90 days; backups are not restored to production systems except in the case of disaster recovery.

Where required by law, we will retain your data for as long as the law requires of us. If you ask us to erase your data, we will erase your data as described above in the „Your rights“ section of this Privacy Policy.

In accordance with the storage limitation principle pursuant to Article 5(1)(e) GDPR, Pixcham retains Your personal data only for as long as is necessary to fulfil the purposes for which it was collected, or to comply with legal obligations. After the expiry of the established retention period, we will permanently delete or anonymise the personal data in such a way that the identity of the data subject cannot be restored

Specific retention periods

Below we set out the specific retention periods for the individual categories of personal data:

a) User Profile (name, e-mail, date of birth, country) — for the entire duration of the Account, subsequently 30 days from the cancellation of the Account, after which the data is permanently deleted.

b) User Content (selfie photographs, entries in Challenges) — for the entire duration of the User Account and the existence of the relevant Challenge; after the cancellation of the Account, the photographs are removed within 30 days, with the exception of content that forms part of the archived Challenge infographics pursuant to the Terms of Use of the Application.

c) Winning selfies and usernames of Winners on social networks (Facebook, Instagram, X, LinkedIn, TikTok) — on the basis of Your consent, 3 years from the end of the Challenge or until consent is withdrawn, whichever occurs first. After this period expires, the content is automatically removed from all social channels.

d) Usernames and winning selfies of Winners on the official Challenge page (e.g. https://sk.pixcham.com/challenge/nazov_challenge) — as part of the Challenge results; at the Winner’s request we will anonymise the data.

e) Challenge Organiser data (business profile) — for the entire duration of the business account and in accordance with the Terms of Use of the Application (sections 10.8.18 and 10.8.19), whereby after the cancellation of the business account Pixcham is entitled to retain basic information about the Challenges carried out for archival and presentation purposes. Documents submitted by the Challenge Organiser upon registration of the business account in order to verify its existence and trustworthiness (in particular an extract from the commercial register, a VAT registration certificate, proof of registered office, confirmation of a bank account) are retained for the duration of the business account for the purposes of verifying the Organiser and preventing fraud (Article 6(1)(b) and (f) GDPR); after the cancellation of the business account we will delete them, with the exception of data whose retention is required by tax and accounting regulations.

f) Record-keeping data on the Challenges carried out (Challenge ID, the Organiser’s Company ID (IČO), date, number of participants, list of Winners, value of prizes, Licence Fee payments received from the Organiser via Stripe) — 10 years for reasons of accounting and tax record-keeping. This data is retained in an internal archive and is not shared publicly.

g) Winner verification data held by the provider Veriff (copy of the identity document, selfie, name, date of birth) — 2 years from verification (Extended data retention); biometric templates are destroyed without undue delay after the completion of the verification.

h) Winner verification photograph (a separate photograph taken upon handover of the Prize) — 2 years from the date of handover of the Prize.

i) Data on monetary Prizes paid out exceeding EUR 350 (name, address, IBAN, value, tax withheld, confirmation of the result of the Veriff verification — session ID, date and result, without copies of documents — and the Wise confirmation) — 10 years from the end of the calendar year in which the Prize was paid out (Section 35 of Act No. 431/2002 Coll. on accounting, Section 76 of Act No. 563/2009 Coll. on the administration of taxes).

j) Invoices for the Licence Fee and related tax documents (issued in Pixcham’s own invoicing system; the payment data is processed by Stripe as the payment gateway) — 10 years from the end of the calendar year in which the invoice was issued (Act No. 431/2002 Coll. on accounting).

k) E-mail communications (Sinch) — 2 years from the sending of the communication, unless a longer retention period follows from law or from the need to establish legal claims.

l) Firebase Crashlytics crash reports — 90 days from being recorded.

m) Firebase Cloud Messaging push tokens — for the entire duration of the active User Account; upon cancellation of the Account they are removed.

n) Analytics data on advertising campaigns — a maximum of 7 days from the end of the Challenge.

o) Cookies — the retention periods of the individual cookies are set out in the „Cookies“ section of this Privacy Policy.

p) Data retained for the establishment of legal claims (disputes, complaints) — 3 years from the end of the dispute or complaint, or in accordance with the limitation periods laid down by law.

q) Backup copies of data — a maximum of 90 days from their deletion from the production systems (Clause 7.5 of the Terms).

r) Pseudonymised records of breaches of the Community Guidelines, fraud and misuse of the Application — a maximum of 5 years (Clause 7.5 of the Terms), for the purposes of preventing repeated breaches.

s) User Content in the archive of completed Challenges (infographics and records of results) — a maximum of 10 years from the end of the Challenge for accounting, tax and archival purposes (Clause 7.5 of the Terms and Section 35 of Act No. 431/2002 Coll.).

Legal obligations

In the event that a specific law imposes on us a longer retention period (in particular in the area of taxes and accounting — Act No. 595/2003 Coll. on income tax, Act No. 431/2002 Coll. on accounting, Act No. 563/2009 Coll. on the administration of taxes), we will retain Your personal data for such a statutory period, even after the cancellation of Your Account.

Anonymisation of data

In some cases, instead of being permanently deleted, personal data may be anonymised in such a way that it can no longer be attributed to a specific person. Pixcham may use data anonymised in this way for statistical and analytical purposes without any time limit, since it is no longer personal data within the meaning of the GDPR.

Right to erasure

If you wish to request the erasure of Your personal data, you may do so in accordance with the procedure set out in the „Your Rights“ section of this Privacy Policy. Pixcham will erase Your personal data without undue delay, with the exception of cases where its further retention is necessary to fulfil a legal obligation, to establish legal claims or for other reasons set out in Article 17(3) GDPR.

Changes to our Privacy Policy

Changes to this Privacy Policy

This Privacy Policy may be updated from time to time in order to:

• respond to changes in personal data protection legislation;
• introduce new features or services in the Pixcham Application;
• reflect changes in the manner of processing personal data or in the list of sub-processors;
• correct identified inaccuracies or improve the clarity of the text.

The current wording of the Privacy Policy is always available at https://www.pixcham.com/privacy, including an indication of the date of the last update.

In the case of significant changes that materially affect the manner of processing Your personal data, Pixcham informs Users:

• by e-mail to the address stated in the User Account at least 30 days before the change takes effect;
• by notification directly in the Application upon the first login after the update;
• by publishing the updated wording on the Pixcham website.

This Privacy Policy is an informational document — the processing of Your personal data relies on the legal bases set out in this Privacy Policy, not on its „acceptance“. If you do not agree with the manner of processing, you may exercise your rights under the „Your Rights“ section (including objection and the withdrawal of consents) or cancel Your Account at any time in accordance with the Terms.

You may request previous versions of the Privacy Policy by sending an e-mail to dpo@pixcham.com or legal@pixcham.com.

Jurisdiction-specific features

Depending on the country in which you registered or use the Pixcham Application, additional rights and obligations under local laws may apply to you. This section describes these specific features.

Country: Slovak Republic (SK)
Supervisory authority and contact:
Office for Personal Data Protection of the Slovak Republic
Hraničná 12, 820 07 Bratislava
statny.dozor@pdp.gov.sk
www.dataprotection.gov.sk
Applicable legislation:
• Act No. 18/2018 Coll. on the Protection of Personal Data
• GDPR (EU 2016/679)
Specific features:
• Protection of the personal data of deceased persons (Section 11 of the Act)
• Age of consent for processing: 16 years
• Journalistic exemption for media processing

Country: Czech Republic (CZ)
Supervisory authority and contact:
Úřad pro ochranu osobních údajů (ÚOOÚ)
Pplk. Sochora 27, 170 00 Praha 7
posta@uoou.cz
www.uoou.cz
Applicable legislation:
• Act No. 110/2019 Coll. on the processing of personal data
• GDPR (EU 2016/679)
Specific features:
• Age of consent for processing: 16 years
• Notification obligation for transfers outside the EU

Country: Federal Republic of Germany (DE)
Supervisory authority and contact:
Die Bundesbeauftragte für den Datenschutz und die Informationsfreiheit (BfDI)
+ 16 Landesbeauftragte (for each federal state)
Graurheindorfer Str. 153, 53117 Bonn
poststelle@bfdi.bund.de
www.bfdi.bund.de
Applicable legislation:
• Bundesdatenschutzgesetz (BDSG)
• GDPR (EU 2016/679)
• Telekommunikation-Telemedien-Datenschutzgesetz (TTDSG) — for cookies
Specific features:
• Obligation to have an Impressum (applies to pixcham.com from DE/AT)
• TTDSG rules for cookies (strict)
• Works councils (Betriebsrat) may require consultations

Country: Republic of Austria (AT)
Supervisory authority and contact:
Österreichische Datenschutzbehörde (DSB)
Barichgasse 40-42, 1030 Wien
dsb@dsb.gv.at
www.dsb.gv.at
Applicable legislation:
• Datenschutzgesetz (DSG)
• GDPR (EU 2016/679)
Specific features:
• Alternative arbitration (Verbraucher-Schlichtung)
• Special rules for health data
• Impressum-Pflicht (same as DE)

Country: French Republic (FR)
Supervisory authority and contact:
Commission nationale de l'informatique et des libertés (CNIL)
3 Place de Fontenoy, 75007 Paris
www.cnil.fr
Applicable legislation:
• Loi Informatique et Libertés
• GDPR (EU 2016/679)
• Code de la consommation
Specific features:
• Strict rules for cookies (CNIL Guidelines 2020)
• Age of consent for processing: 16 years
• Loi Toubon (French language for commercial documents)
• Post-mortem data directives (Loi pour une République numérique)

Country: Italian Republic (IT)
Supervisory authority and contact:
Garante per la protezione dei dati personali
Piazza Venezia 11, 00187 Roma
garante@gpdp.it
www.garanteprivacy.it
Applicable legislation:
• Codice in materia di protezione dei dati personali
• GDPR (EU 2016/679)
Specific features:
• Enhanced rights for children
• Stricter retention for telecommunications
• Workplace monitoring restrictions (Art. 4 dello Statuto dei Lavoratori)

Country: Kingdom of Spain (ES)
Supervisory authority and contact:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6, 28001 Madrid
www.aepd.es
Applicable legislation:
• LOPD-GDD (Ley Orgánica 3/2018)
• GDPR (EU 2016/679)
Specific features:
• Digital rights (new rights under LOPD-GDD)
• Right to digital disconnection for workers
• Special protection for accounts of deceased persons

Country: Kingdom of the Netherlands (NL)
Supervisory authority and contact:
Autoriteit Persoonsgegevens (AP)
Bezuidenhoutseweg 30, 2594 AV Den Haag
www.autoriteitpersoonsgegevens.nl
Applicable legislation:
• Uitvoeringswet Algemene verordening gegevensbescherming (UAVG)
• GDPR (EU 2016/679)
Specific features:
• Age of consent: 16 years
• Active enforcement by AP (the second most active DPA in the EU)

Country: Kingdom of Belgium (BE)
Supervisory authority and contact:
Autorité de protection des données (APD)
Rue de la Presse 35, 1000 Bruxelles
contact@apd-gba.be
www.autoriteprotectiondonnees.be
Applicable legislation:
• Loi du 30 juillet 2018 relative à la protection des personnes physiques
• GDPR (EU 2016/679)
Specific features:
• Mandatory DPO for the public sector (not relevant for Pixcham)
• Age of consent: 16 years

Country: Republic of Poland (PL)
Supervisory authority and contact:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa
kancelaria@uodo.gov.pl
www.uodo.gov.pl
Applicable legislation:
• Ustawa o ochronie danych osobowych
• GDPR (EU 2016/679)
Specific features:
• Age of consent: 16 years
• Strict rules for marketing via e-mail

Country: Denmark (DK)
Supervisory authority and contact:
Datatilsynet
Borgergade 28, 5., 1300 København K
dt@datatilsynet.dk
www.datatilsynet.dk
Applicable legislation:
• Databeskyttelsesloven
• GDPR (EU 2016/679)
Specific features: —

Country: Kingdom of Sweden (SE)
Supervisory authority and contact:
Integritetsskyddsmyndigheten (IMY)
Box 8114, 104 20 Stockholm
imy@imy.se
www.imy.se
Applicable legislation: —
Specific features: —

Country: Republic of Finland (FI)
Supervisory authority and contact:
Tietosuojavaltuutetun toimisto
PL 800, 00521 Helsinki
tietosuoja@om.fi
tietosuoja.fi
Applicable legislation: —
Specific features: —

Country: Norway (NO — EEA)
Supervisory authority and contact:
Datatilsynet
P.O. Box 458 Sentrum, 0105 Oslo
postkasse@datatilsynet.no
www.datatilsynet.no
Applicable legislation: —
Specific features: —

Country: Republic of Ireland (IE)
Supervisory authority and contact:
Data Protection Commission (DPC)
21 Fitzwilliam Square South, Dublin 2
info@dataprotection.ie
www.dataprotection.ie
Applicable legislation: —
Specific features:
Note: If you have a Pixcham account via Meta Login or Google Login, your GDPR complaint against these providers falls under the DPC Dublin (not the ÚOOÚ SR).

Country: Switzerland (CH)
Supervisory authority and contact:
Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragter (EDÖB)
Feldeggweg 1, 3003 Bern
www.edoeb.admin.ch
Applicable legislation:
• Bundesgesetz über den Datenschutz (DSG, nDSG from 1.9.2023)
• Swiss-US Data Privacy Framework
Specific features: —

Country: United Kingdom (UK)
Supervisory authority and contact:
Information Commissioner's Office (ICO)
Wycliffe House, Wilmslow, Cheshire, SK9 5AF
ico.org.uk
Applicable legislation:
• UK GDPR
• Data Protection Act 2018
• UK-US Data Bridge
• Representative in the United Kingdom (Article 27 UK GDPR): The Company is registered with the ICO and pays the data protection fee.
Specific features: —

Other EU/EEA countries

Country: Bulgaria
Supervisory authority:
Комисия за защита на личните данни (KZLD)
Web: kzld.bg

Country: Estonia
Supervisory authority: Andmekaitse Inspektsioon (AKI)
Web: www.aki.ee

Country: Greece
Supervisory authority: Hellenic DPA
Web: www.dpa.gr

Country: Croatia
Supervisory authority: AZOP
Web: azop.hr

Country: Cyprus
Supervisory authority:
Commissioner for Personal Data Protection
Web: dataprotection.gov.cy

Country: Latvia
Supervisory authority: Data State Inspectorate
Web: www.dvi.gov.lv

Country: Lithuania
Supervisory authority: State DP Inspectorate
Web: www.ada.lt

Country: Luxembourg
Supervisory authority: CNPD
Web: www.cnpd.lu

Country: Hungary
Supervisory authority: NAIH
Web: naih.hu

Country: Malta
Supervisory authority: IDPC
Web: idpc.org.mt

Country: Portugal
Supervisory authority: CNPD
Web: www.cnpd.pt

Country: Romania
Supervisory authority: ANSPDCP
Web: dataprotection.ro

Country: Slovenia
Supervisory authority: IP
Web: www.ip-rs.si

Country: Iceland (EEA)
Supervisory authority: Persónuvernd
Web: www.personuvernd.is

Country: Liechtenstein (EEA)
Supervisory authority: Datenschutzstelle
Web: www.dss.llv.li

Updating of jurisdictions

Pixcham continuously monitors legislative developments in the individual countries. In the event of a change to the relevant laws or regulators, we will update this section and notify Users through the Application or by e-mail.

Contacting the local regulator

If you wish to lodge a complaint or carry out any other interaction with your local supervisory authority, you may do so directly. In the event of any uncertainty, contact our Data Protection Officer (DPO): dpo@pixcham.com.

Cookies and ePrivacy — rules in individual countries

The rules for cookies and similar technologies follow the ePrivacy Directive (2002/58/EC, as amended by 2009/136/EC), which is transposed into national laws in the individual countries. Unlike the GDPR, ePrivacy does not have a „one-stop-shop“ mechanism, which means that each national regulator may directly investigate Pixcham for a breach of the cookie rules.

Slovak Republic (SK): Act No. 452/2021 Coll. on electronic communications (Section 109). Consent is not required for necessary cookies, but it is required for analytics and marketing cookies.

Czech Republic (CZ): Act No. 127/2005 Coll. on electronic communications (Section 89). An opt-in consent regime has been in force since January 2022 (previously an opt-out mechanism).

Federal Republic of Germany (DE): Telekommunikation-Telemedien-Datenschutzgesetz (TTDSG) of 1.12.2021. Strict rules — an explicit opt-in consent mechanism is required, with an equally visible „Reject all“ button as „Accept all“.

French Republic (FR): CNIL Cookie Guidelines 2020 (revised 2021). The strictest rules in the EU: a ban on pre-ticked boxes, a ban on cookie barriers („cookie walls“ – the inability to use the site without consent), an obligation for an equally visible „Refuser“ button.

Republic of Austria (AT): Telekommunikationsgesetz 2003 (Section 96(3)). Similarly strict to DE; the cookie banner must have equally visible opt-in/opt-out buttons.

Italian Republic (IT): Garante per la protezione dei dati personali, Cookie Guidelines of June 2021. Granular consent is required (separate cookie categories).

Kingdom of Spain (ES): Ley 34/2002 LSSI (Article 22(2)). The AEPD issues a Cookie Guide regularly; the current opt-in regime with an obligation for equally visible buttons.

Pixcham implements its cookie banner in accordance with the strictest rules (the CNIL/TTDSG standard) so that it is usable in all EU/EEA countries without modifications.

Consumer protection — Médiateur de la consommation (FR)

In accordance with the French Consumer Code (Code de la consommation, Article L611-1 et seq.), as a consumer resident in France you have the right to free out-of-court mediation of consumer disputes. This right applies exclusively where Pixcham acts towards You as a seller of services in a business-to-consumer (B2C) relationship.

Pixcham currently provides services primarily in a business-to-business (B2B) regime — the paying Challenge Organisers are businesses, not consumers. For the regime of free Users in a business-to-consumer (B2C) relationship in France, where there is no paid transaction between the User and Pixcham, the obligation of consumer mediation does not apply.

In the case of broader expansion into France and of business-to-consumer (B2C) paid services, Pixcham undertakes to register with an accredited Médiateur de la consommation (e.g. AME Conso, CMAP, CNMC) and to publish the contact in this Privacy Policy and in the Terms of Use.

EU AI Act — transparency of the use of artificial intelligence

Pixcham uses artificial intelligence (AI) systems within the Pixcham Moments feature, where it generates personalised visual and textual content on the basis of User data. In accordance with the EU Regulation on artificial intelligence (Regulation 2024/1689, the „EU AI Act“), effective from August 2025, we inform You of the following:

Risk classification: The Pixcham Moments feature is categorised as a „limited risk“ artificial intelligence system under Article 50 of the EU AI Act — transparency towards Users is required, but it is not subject to the strict obligations for high-risk systems.

AI providers: Pixcham uses AI models from the following providers: Anthropic PBC (Claude AI — textual content), Google LLC (Gemini, Nano Banana — visual content). Both are certified under the EU-US Data Privacy Framework (DPF) and have signed a Data Processing Agreement (DPA) with Pixcham within the meaning of Article 28 GDPR.

Explicit objection to AI training: Your data sent to the AI providers is not used to train their AI models. Pixcham ensures that Your data sent to the AI providers is not used to train their models — through the data processing agreement (DPA) and the activation of the „no-training“ setting at each provider before the launch of the Pixcham Moments feature.

Your rights: You have the right to (a) refuse the use of AI features in the settings of Your profile, (b) request the erasure of AI-generated content associated with Your account, (c) object to automated processing pursuant to Article 22 GDPR, (d) request an explanation of how the AI generates content about Your person.

Labelling of AI content: All content generated by AI is visibly labelled (e.g. with the label „Generated by AI“ or an icon) in accordance with Article 50 of the EU AI Act.

For more detailed information on data processing in the AI features, you may contact our DPO at dpo@pixcham.com.

Contact us

For questions concerning the protection of personal data, the exercise of Your rights or if you wish to contact the Data Protection Officer, write to us at the e-mail address: dpo@pixcham.com.

If you have questions, concerns or wish to exercise your rights in connection with the processing of Your personal data, you may contact:

The controller:

Pixcham International j. s. a. Námestie svätého Egídia 42/97, 058 01 Poprad, Slovak Republic, Company ID (IČO): 55 007 571 E-mail: legal@pixcham.com Telephone: +421 911 919 990

The Data Protection Officer:

Tomáš Korenko E-mail: dpo@pixcham.com

The Data Protection Officer (DPO) is Your primary contact for all questions concerning the protection of personal data, the exercise of Your rights under the GDPR and complaints regarding the processing of Your personal data.

Supervisory authority:

In the Slovak Republic, the supervisory authority is the Office for Personal Data Protection of the Slovak Republic:

Office for Personal Data Protection of the Slovak Republic, Hraničná 4826/12, 820 07 Bratislava 27 E-mail: statny.dozor@pdp.gov.sk Web: www.dataprotection.gov.sk

If you believe that the processing of Your personal data has breached the GDPR, you have the right to lodge a complaint directly with the supervisory authority.

General questions and support:

For general questions about the Pixcham Application, you may use our contact page: https://www.pixcham.com/contact.

Annex No. 1 – Data Processing Addendum (hereinafter referred to as the „Addendum“)

This annex governs exclusively the relationship between Pixcham and the Challenge Organiser in the case of specifically agreed processing on behalf of the Organiser; it does not establish any rights or obligations for Users who are not Challenge Organisers, and their legal position is governed by the Privacy Policy itself.

1. Subject matter of the Addendum and its basic conditions

• 1. The Challenge Organiserunder this Addendum entrusts Pixcham with the processing of personal data to the extent and under the conditions set out in this Addendum. Pixcham undertakes, on the basis of the Challenge Organiser’s mandateto process personal data in the manner, to the extent, for the period, for the purpose and in accordance with the further conditions set out below, in such a way that all activities in which Pixcham processes personal data on behalf of the Challenge Organiser, are carried out in accordance with the GDPR, the law of the European Union or other generally binding legal regulations of the Slovak Republic in the area of personal data protection (hereinafter referred to as the „Legal Regulations“).
  2. The purpose of the processing of personal data determined by the Challenge Organiseris the provision of services connected with the running of the Challenge in the Application.
  3. Pixcham is entitled to process personal data only on the basis of a documented instruction of the Challenge Organiser, unless point 1.4 of the Addendum provides otherwise. For the purposes of this Addendum, the very creation of the Challenge in the Application is considered to be a documented instruction of the Challenge Organiser is considered to be the very creation of the Challenge in the Application. This is without prejudice to the possibility for the Challenge Organiser to state additional conditions for the processing of personal data in its instruction.
  4. Pixcham is entitled to process personal data even without a documented instruction of the Challenge Organiser, where required by the Legal Regulations.
  5. Pixcham is entitled to process personal data under this Addendum only until the cancellation of the User’s account in the Application or until the cancellation of the Challenge Organiser’s account in the Application, unless the Legal Regulations require Pixcham to process this data for a longer period.
  6. On the basis of this Addendum, Pixcham will process on behalf of the Challenge Organiserin particular ordinary personal data (e.g. username, e-mail, selfie photographs) that the User provides when taking part in a Challenge. If the User wins a Prize, Pixcham may also process other personal data necessary for the delivery of the Prize; for example place of residence, telephone number or account number. Pixcham is also entitled, on behalf of the Challenge Organiser to share the winning selfies and usernames of Winners on the official social networks of Pixcham and the Organiser (Facebook, Instagram, X, LinkedIn, TikTok), as well as on the official Challenge page on the portal pixcham.com (in the form https://sk.pixcham.com/challenge/nazov_challenge), to the extent and under the conditions set out in the Pixcham Privacy Policy (the section „Sharing of Winners’ content for marketing purposes“).
  7. The data subjects whose personal data Pixcham will process under this Addendum are the Users.
  8. Pixcham is, on the instruction of the Challenge Organiserand in accordance with the Legal Regulations, entitled to in particular:

☒ collect,

☒ record,

☐ organise,

☐ structure,

☒ store,

☐ adapt or alter,

☐ retrieve,

☐ consult,

☒ use,

☒ disclose by transmission,

☐ align or combine,

☒ erase or destroy.

2. Further conditions for the processing of personal data

2.1 Pixcham is entitled to process personal data to the extent and under the conditions laid down in this Addendum and in the Legal Regulations. Pixcham undertakes that, when processing the personal data of data subjects, it will proceed in such a way that the rights and legally protected interests of those persons are not endangered.

2.2 Pixcham is obliged to maintain confidentiality regarding the personal data.

2.3 Pixcham is obliged to ensure that its employees and any other persons designated by it who process the personal data of data subjects (hereinafter referred to as „Authorised Persons“) process this data only on the basis of, and in accordance with, the instructions of the Challenge Organiserand that they are bound to maintain confidentiality regarding it. Pixcham is obliged to ensure that this obligation of confidentiality continues even after the end of the processing of the data subjects’ personal data by the Authorised Persons.

2.4 Pixcham is obliged to instruct all Authorised Persons about the security measures adopted, about the rights and obligations laid down by the Legal Regulations and about liability for their breach. Pixcham is obliged to carry out this instruction before issuing the first instruction to an Authorised Person to carry out any processing operation with personal data. Each Authorised Person confirms the instruction by their signature.

2.5 Pixcham is obliged to keep a written record of the instruction throughout the duration of the employment or other relationship with the Authorised Person.

2.6 The obligation of confidentiality of Pixcham and the Authorised Persons pursuant to points 0 and 0 shall not apply in relation to the competent supervisory authority and in relation to the Challenge Organiser when checking the fulfilment of any obligation under this Addendum or the Legal Regulations.

2.7 Pixcham is obliged to ensure the secure processing of personal data, in particular to protect it against damage, theft, loss, unauthorised access, alteration or dissemination. To this end, Pixcham undertakes to adopt and regularly update appropriate technical, organisational and personnel measures determined with regard to the latest knowledge, the state of the art, the costs of implementing these measures, the nature, scope, context and purposes of the processing of personal data and the risks to the rights and freedoms of data subjects. To this end, Pixcham is obliged to ensure in particular that:

a) personal data is used, provided, made available or otherwise processed only in accordance with the purpose of its processing and is not otherwise processed without good reason;

b) the necessary operations with personal data within the purpose of the processing are carried out only by designated persons who are trained and authorised to process personal data;

c) it uses appropriate technical equipment and software in a manner that prevents unauthorised or accidental access to personal data;

d) personal data is accessible only to designated persons who are trained and authorised to process personal data;

e) personal data in electronic form is stored on secure servers or on secured information media, to which only Authorised Persons will have access;

f) personal data in electronic form is regularly backed up;

g) the remote transmission of personal data takes place only via a publicly inaccessible network or via secure transmission over public networks;

h) personal data on physical media or in paper form is stored in duly secured premises and rooms (that is, in a locked space); and

i) all Authorised Persons who come into contact with personal data maintain confidentiality regarding the personal data.

2.8 Pixcham is responsible for the security of the personal data it processes under this Addendum.

2.9 Pixcham undertakes to provide the Challenge Organiser with the necessary cooperation and assistance through appropriate technical and organisational measures in fulfilling the Challenge Organiser’s obligation to respond to requests to exercise the rights of data subjects laid down in Chapter III of the GDPR or in other Legal Regulations governing the rights of data subjects in relation to their personal data.

2.10 Pixcham undertakes to provide the Challenge Organiser cooperation and assistance in fulfilling the obligation to provide data subjects with the necessary information (Articles 13, 14 GDPR), to process personal data securely (Article 32 GDPR), the obligation to notify a personal data breach to the competent supervisory authority (the Office for Personal Data Protection of the Slovak Republic) (Article 33 GDPR), the obligation to communicate a personal data breach to the data subject (Article 34 GDPR), the obligation to carry out a data protection impact assessment of the planned processing operations (Article 35 GDPR) and, depending on the results of the impact assessment carried out, also the obligation to carry out consultations with the competent supervisory authority (the Office for Personal Data Protection of the Slovak Republic) prior to the commencement of the processing of personal data (Article 36 GDPR), all to the extent and taking into account the nature of the processing and the information available to Pixcham.

2.11 Pixcham undertakes to provide the Challenge Organiserat its request with all information and confirmations evidencing the fulfilment of the obligations laid down by this Agreement and the Legal Regulations, without undue delay from the receipt of the Challenge Organiser’s request.

2.12 Pixcham undertakes to enable the Challenge Organiserto carry out an inspection and audit of compliance with the obligations laid down by this Addendum and the Legal Regulations (hereinafter referred to as the „Audit“), whether by the Challenge Organiser in person or through a third party designated by it. The Audit will be carried out on a date agreed in advance between the Parties.

2.13 Pixcham undertakes, without undue delay, to demonstrably notify the Challenge Organiser of every case in which, in its opinion, an instruction given by the Challenge Organiser results in a breach of the Legal Regulations.

2.14 Pixcham undertakes, without undue delay, to demonstrably notify the Challenge Organiserof any breach of the protection of the processed personal data of data subjects of which it has become aware.

2.15 Pixcham fulfils all obligations arising from this Addendum and the Legal Regulations at its own cost, without any claim to reimbursement of these costs and without any claim to remuneration.

2.16 Pixcham is obliged, without undue delay after the end of the provision of the Services, to terminate the processing of personal data and to return any data, information, records and documents containing personal data to the Challenge Organiserand to destroy any copies of this personal data in its possession. If the Challenge Organiserinstructs Pixcham to carry out the destruction of the personal data directly, without the need to return it to the Challenge Organiser, Pixcham is obliged to do so, including before the end of the provision of the services. Pixcham is not obliged to destroy the personal data processed on behalf of the Challenge Organiseror copies thereof, where the Legal Regulations require its retention, of which Pixcham will demonstrably inform in advance.

3. Engagement of a further processor

3.1 The Challenge Organiser hereby authorises Pixcham to engage in the processing of the personal data of data subjects the processors set out at this link https://www.pixcham.com/subprocessors. In addition to these persons, Pixcham may also engage in the processing of personal data under this Addendum providers of IT services or providers of marketing services with which it cooperates in securing the operation of the Application.

3.2 Pixcham is obliged to demonstrably inform the Challenge Organiserin advance of the intended addition of a further processor or of the replacement of an existing processor with another processor.

4. Declaration of Pixcham

4.1 Pixcham declares that it meets the requirements of professional, technical, organisational and personnel competence and the ability to guarantee the security of the processed personal data of data subjects and to provide sufficient guarantees that the personal data of data subjects will be processed at all times in accordance with the Legal Regulations.

Annex No. 2 – Joint Controllership Arrangement for personal data pursuant to Article 26 of Regulation (EU) 2016/679 (GDPR) and Section 33 of Act No. 18/2018 Coll. (hereinafter referred to as the „Joint Controllership Arrangement“)

This annex governs exclusively the relationship between Pixcham and the Challenge Organiser in the case of the joint controllership of personal data; it does not establish any rights or obligations for Users who are not Challenge Organisers, and their legal position is governed by the Privacy Policy itself.

1. Parties and scope

• 1. The parties to this Joint Controllership Arrangement are the company Pixcham International j. s. a., with its registered office at Námestie svätého Egídia 42/97, 058 01 Poprad, Company ID (IČO): 55 007 571 (hereinafter referred to as „Pixcham“), and the Challenge Organiser within the meaning of the Terms (hereinafter referred to as the „Organiser“; together hereinafter referred to as the „joint controllers“).
  2. This Joint Controllership Arrangement is concluded by acceptance of the Terms upon registration of the Organiser’s business account and applies to each Challenge organised by the Organiser through the Platform. If the parties conclude a separate written joint controllership arrangement or a separate data processing agreement, such a separate agreement takes precedence.
  3. Capitalised terms have the meaning given in the Terms.

2. Subject matter of the joint controllership

2.1 The joint controllers jointly determine the purposes and means of the processing of Users’ personal data in the organisation and running of the Challenge: the Organiser determines in particular the purpose of the Challenge (promotion of its brand, products or activities), the theme, the Tasks, the duration, the Prizes, the age restriction and other parameters of the Challenge; Pixcham determines the means of its running (the Application, the mechanics of the Challenge, scoring through Pixcham Judge, the display of results and operational support).

2.2 The joint controllership does not extend to: (a) the personal data of Winners that the Organiser obtains for the purpose of delivering the Prize — in respect of which the Organiser is a separate controller; (b) the processing connected with the operation of the Application and the management of User accounts — in respect of which Pixcham is a separate controller; (c) the lists of invited persons in private Challenges — in respect of which Pixcham is a processor under Article 6 of this Joint Controllership Arrangement.

3. Scope of data and legal bases

3.1 The subject matter of the joint controllership is the personal data of Users participating in the Challenge to the following extent: username, profile picture, selfie photographs created within the Challenge, Points achieved and ranking position; for Winners also the name, surname, e-mail address, address and telephone number.

3.2 The legal basis is Article 6(1)(b) GDPR (participation in the Challenge on the basis of acceptance of the Official Rules), Article 6(1)(f) GDPR (legitimate interest in evaluating the Challenge, preserving the integrity of the results and preventing fraud) and Article 6(1)(a) GDPR (explicit consent — exclusively for the marketing sharing of Winners’ content pursuant to Article 7).

4. Export of the Challenge content and its use by the Organiser

4.1 After the end of the Challenge, Pixcham will make available to the Organiser an export containing: (a) the selfie photographs of all Challenge participants without any assignment of usernames or other participant identifiers and (b) the identification data of Winners to the extent set out in point 3.1.

4.2 The Organiser is entitled to use the exported content exclusively to evidence the implementation and scope of the Challenge and for use in connection with the given Challenge within the meaning of Clauses 7.2 and 7.3 of the Terms. Any other use, in particular marketing in relation to third parties or the provision of the content to a third party, requires the explicit consent of the data subject.

4.3 The Organiser retains the exported content for the period necessary to evidence the implementation and scope of the Challenge for accounting and tax purposes, for a maximum of 10 years from the end of the calendar year in which the Challenge ended; during this period it will restrict access to the content to the necessary group of persons (point 5.4). After the expiry of the period, it will destroy or anonymise the content. It may retain aggregated data that does not allow the identification of persons without any time limit.

4.4 The Organiser must not artificially divide a Prize intended for one Winner into several separate performances with the aim of avoiding tax obligations or the verification of the Winner’s identity.

5. Allocation of obligations pursuant to Article 26(1) GDPR

5.1 The information obligation under Articles 13 and 14 GDPR is fulfilled by the joint controllers jointly, through this Privacy Policy and the identification of the Organiser in the Challenge detail and in the Official Rules of the Challenge.

5.2 Requests by data subjects to exercise their rights under Articles 15 to 22 GDPR are received and handled by Pixcham as the point of contact at the addressdpo@pixcham.com. The Organiser will forward to Pixcham every request delivered directly to it without undue delay, no later than within 5 working days, and will provide the necessary cooperation.

5.3 The notification of a personal data breach to the supervisory authority (Article 33 GDPR) and to data subjects (Article 34 GDPR) is ensured by Pixcham. The Organiser will notify Pixcham of every personal data breach on its side without delay after becoming aware of it.

5.4 Each of the joint controllers adopts appropriate technical and organisational measures pursuant to Article 32 GDPR in its systems; the Organiser in particular will restrict access to the exported content to persons who need it for the purposes under point 4.2.

5.5 In accordance with Article 26(3) GDPR, a data subject may exercise their rights with any of the joint controllers, irrespective of the allocation of obligations under this Joint Controllership Arrangement.

5.6 The essential parts of this Joint Controllership Arrangement are made available to data subjects in this Privacy Policy (the section „Pixcham as a joint controller“).

5.7 The joint controllers will provide one another with the cooperation necessary to demonstrate compliance with the GDPR, in particular in an inspection or other proceedings of the supervisory authority and in handling requests by data subjects; they will provide the requested materials and information without undue delay, no later than within 5 working days of the request, and in urgent cases (in particular in the case of a personal data breach) without delay.

5.8 The Organiser maintains in its business account up-to-date contact details of the person responsible for personal data protection matters on its side; the point of contact for Pixcham is dpo@pixcham.com.

6. Private Challenges — lists of invited persons

6.1 In the case of a private Challenge, the Organiser provides Pixcham with a list of the e-mail addresses of invited persons. The Organiser declares that it has a legal basis for the use of this data for the purpose of inviting to the Challenge and that the invited persons have been informed of the use of their data.

6.2 Pixcham processes the list of invited persons as a processor of the Organiser in accordance with Annex No. 1 to this Privacy Policy, exclusively for the purposes of managing access to the Challenge and sending invitations on behalf of the Organiser. Pixcham retains the list for the purposes of the Organiser’s further Challenges and will delete it without undue delay at the Organiser’s request, no later than upon the cancellation of its business account.

7. Marketing sharing of Winners’ content

7.1 The sharing of the winning selfie and the username of the Winner on the social networks of Pixcham or the Organiser is carried out exclusively on the basis of the Winner’s explicit consent (Article 6(1)(a) GDPR and Section 12 of the Civil Code), for a maximum period of 3 years from the end of the Challenge.

7.2 The Organiser will remove content shared in this way from its channels no later than within 30 days of the withdrawal of the Winner’s consent and, in any event, no later than after the expiry of 3 years from the end of the Challenge. Pixcham fulfils the same obligation on its channels.

8. Liability

8.1 The liability of the joint controllers for damage caused by the processing is governed by Article 82 GDPR and Section 38 of Act No. 18/2018 Coll. A party that has compensated the damage in full has the right of recourse against the other party to the extent corresponding to its share of liability.

8.2 Each party is responsible for the fulfilment of the obligations allocated to it by this Joint Controllership Arrangement.

9. Duration and final provisions

9.1 This Joint Controllership Arrangement lasts for the duration of the Organiser’s business account and applies to all Challenges organised during its duration. The obligations under Articles 4, 6.2 and 7.2 continue even after its end until the expiry of the relevant periods.

9.2 Changes to this Joint Controllership Arrangement are governed by Clause 18.1 of the Terms; Pixcham will notify the Organiser of material changes in advance by e-mail or by notification in the business account. Acceptance of the Terms, including this annex, is recorded (identification of the Organiser, date and time, document version).

9.3 This Joint Controllership Arrangement is governed by the legal order of the Slovak Republic.

9.4 This Joint Controllership Arrangement may also be drawn up in English or another language; in the event of a conflict between the language versions, the Slovak version takes precedence.