Effective Date: 5 November 2025

Important notice. This Privacy Policy explains how personal data is collected and used in connection with the Duelvex service. It is drafted to provide the transparency information required by applicable European data protection law and should be read together with the Terms and Conditions and Cookie Policy made available through the Service.

1. General scope, status of this policy, and controller information

This Privacy Policy sets out the basis on which Itemsism OÜ (the “Company”, “we”, “us”, or “our”), a company incorporated under the laws of the Republic of Estonia under registration number 17363244 and having its registered office at Harju maakond, Tallinn, Lasnamäe linnaosa, Tuulemäe tn 5, 11411, Estonia, collects, records, organizes, stores, uses, discloses, secures, transfers, retains, and otherwise processes personal data in connection with Duelvex and any associated websites, digital interfaces, games, exercises, platform features, communications, support channels, and related content made available through or in connection with https://duelvex.r-one.dev/ (collectively, the “Service”).

For the purposes of Regulation (EU) 2016/679 (the General Data Protection Regulation, or “GDPR”), and any national legislation supplementing or implementing it, the Company acts as the data controller in relation to personal data processed through the Service, except where this Policy expressly states that a third party acts as an independent controller. The Company is responsible for determining the purposes and means of the relevant processing operations and for ensuring that such processing is carried out in accordance with applicable law.

This Policy applies to personal data relating to: (i) visitors who browse or otherwise access the Service; (ii) registered users and account holders; (iii) individuals who communicate with the Company; (iv) individuals whose data is processed in the course of payments, support, fraud prevention, security review, compliance, or dispute handling; and (v) any other person whose personal data is processed as part of the operation, administration, or protection of the Service.

This Policy should be read together with the Company’s Terms and Conditions, Cookie Policy, and any additional notices, statements, permissions, disclosures, or just-in-time privacy explanations made available through the Service. Where a particular processing activity requires consent under applicable law, such consent will be requested separately and may be withdrawn by the data subject at any time, without affecting the lawfulness of processing carried out before the withdrawal.

By accessing or using the Service, a user acknowledges that they have had the opportunity to read and understand this Policy. That acknowledgment does not replace any separate consent that may be required by law for specific processing activities, such as the use of non-essential cookies or direct electronic marketing where consent is mandatory.

2. Categories of personal data that may be collected and processed

The categories of personal data processed by the Company depend on how the Service is used, the features accessed, the communications exchanged, and the legal or operational context in which the processing occurs. The Company seeks to limit its processing to data that is relevant and reasonably necessary for legitimate operational, contractual, compliance, and security purposes.

2.1 Identification and account data

The Company may process identification and account-related information such as a full name, display name, username, user identifier, email address, account credentials or authentication-related information, country or region, date of registration, age confirmation, and any other information reasonably necessary to create, administer, verify, secure, or recover an account, determine eligibility to use certain functionality, or establish a record of user status within the Service.

2.2 Profile, settings, and preference data

The Company may process information relating to user preferences and profile configuration, including language preferences, interface selections, saved settings, communication choices, user-selected options, gameplay preferences, and any other information required to personalize or remember the user experience across sessions or devices, where such personalization is supported by the Service and permitted by applicable law.

2.3 Service usage, activity, and gameplay data

The Service may generate or record information concerning how a user interacts with its games, exercises, tools, and features. This may include progress history, activity records, completion data, results, scores, performance indicators, engagement patterns, time spent using particular features, frequency of access, dates and times of sessions, and the general way in which the Service is navigated or used. This type of information is relevant for service delivery, feature continuity, security review, troubleshooting, analytics, and product improvement.

2.4 Technical, device, and log data

The Company may process technical information such as Internet Protocol (IP) address, browser type and version, operating system, device type, device identifiers, application version, approximate location derived from IP address, referring URLs, language settings, crash data, diagnostics, event logs, system responses, and related technical metadata. Such information is commonly generated automatically when a device connects to the Service and may be used for service security, optimization, fraud prevention, analytics, and operational administration.

2.5 Communications and support data

Where a person contacts the Company, responds to a survey, submits feedback, opens a support ticket, makes a complaint, participates in correspondence, or otherwise communicates with the Company, the Company may process the contents of the communication and related metadata, including names, contact information, issue descriptions, attachments, and the history of communications necessary to handle the matter appropriately and maintain a record of support and dispute handling activity.

2.6 Transaction and payment-related data

Where the Service includes paid features, subscriptions, upgrades, in-service purchases, refunds, or other financial interactions, the Company may process transaction identifiers, payment status data, invoice or billing references, subscription status, refund history, chargeback records, and other administrative information required to confirm, reconcile, support, or defend transactions. Where payment card details are processed directly by independent third-party payment service providers, the Company does not ordinarily store full payment card numbers or security codes.

2.7 Marketing, consent, and compliance records

The Company may maintain records of consents, withdrawals of consent, cookie preference choices, subscription status, suppression lists, legitimate interest assessments where relevant, user objections, and records necessary to demonstrate compliance with legal obligations under data protection law. This may include records showing when a person opted in or out of particular communications or data processing arrangements.

2.8 Security, anti-abuse, and regulatory data

The Company may process fraud indicators, suspicious activity flags, abuse reports, network and information security logs, records of suspected misuse, authentication anomalies, access restrictions, investigative notes, evidence preservation records, and other data required to protect the Company’s systems, users, assets, legal rights, and regulatory position. Where appropriate, this may include records required for legal compliance, dispute handling, claim management, or enforcement of contractual rights.

3. Sources from which personal data may be obtained

Personal data may be collected directly from the relevant individual, for example when a user registers, configures an account, uses a game or feature, purchases a subscription, contacts support, completes a form, or otherwise submits information through the Service. Personal data may also be collected automatically through technical interaction with the Service, including through logs, cookies, and similar technologies, subject to the Company’s Cookie Policy and applicable consent requirements.

In addition, the Company may receive limited data from service providers and other third parties, including payment service providers, hosting and infrastructure vendors, analytics providers, fraud prevention tools, customer support platforms, identity or security verification services, legal advisers, regulators, or public authorities, where such receipt is necessary for payment confirmation, service administration, lawful compliance, dispute handling, platform security, or another legitimate purpose identified in this Policy.

4. Purposes for which personal data is processed

The Company processes personal data only for identified purposes that are compatible with the operation of the Service and the requirements of applicable law. Depending on the circumstances, these purposes may include providing, operating, maintaining, and improving the Service; creating and managing user accounts; authenticating users and maintaining account security; delivering games, exercises, progress continuity, and related functionality; remembering preferences and user choices; administering purchases, subscriptions, renewals, refunds, and related account activity; communicating with users regarding updates, confirmations, support, security alerts, or operational notices; monitoring and analyzing the performance, reliability, usability, and effectiveness of the Service; detecting, preventing, investigating, and addressing fraud, abuse, unauthorized access, harmful conduct, technical faults, and security incidents; enforcing the Terms and Conditions and other policies; complying with legal, regulatory, tax, accounting, audit, reporting, and evidence-preservation obligations; establishing, exercising, or defending legal claims; maintaining records of privacy choices and compliance activity; and protecting the rights, systems, property, business, and legitimate interests of the Company, its users, and third parties.

Where permitted by law, the Company may also use certain personal data to send marketing or promotional communications, to measure the effectiveness of communications or campaigns, or to develop and improve products and service design. Where consent is legally required for such activity, the Company will request it separately before processing takes place.

5. Lawful bases relied upon for processing

The Company processes personal data only where a lawful basis exists under the GDPR and any other applicable legal framework. In many cases, more than one lawful basis may apply depending on the nature of the processing and the relationship between the Company and the relevant individual.

5.1 Performance of a contract or steps prior to entering into a contract

Processing may be necessary in order to create and administer user accounts, provide access to the Service and its functionality, deliver paid or unpaid features, manage subscriptions or renewals, process user requests, facilitate customer support, and enforce or administer the contractual relationship between the Company and the user.

5.2 Compliance with legal obligations

Processing may be required in order to comply with applicable law, including obligations relating to accounting, taxation, consumer protection, complaint handling, responses to lawful requests from competent authorities, network and information security, evidence retention, fraud prevention, or legal recordkeeping. Where such obligations require disclosure, restriction, preservation, or review of personal data, the Company may process the data to the extent required or permitted by law.

5.3 Legitimate interests

Processing may be necessary for the legitimate interests pursued by the Company or a third party, provided that those interests are not overridden by the rights and freedoms of the individual. Such legitimate interests may include operating and improving the Service; ensuring network, platform, and information security; preventing fraud and misuse; preserving evidence; defending legal claims; maintaining internal administration and business continuity; measuring and improving service performance; and understanding how the Service is used so that it may be made more reliable, secure, and user-friendly.

5.4 Consent

Where required by law, the Company will rely on consent, including for the use of non-essential cookies and similar technologies, certain analytics activities, and direct marketing communications where consent is mandatory. Where processing is based on consent, consent may be withdrawn at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal was received or recorded.

6. Health, cognitive, and other potentially sensitive information

The Service may include games, exercises, or features relating to cognitive performance, mental stimulation, learning, or progress tracking. Such functionality is intended for educational, lifestyle, engagement, or entertainment purposes unless the Company clearly states otherwise. The Service is not presented as a medical, psychiatric, therapeutic, or diagnostic service, and the Company does not intentionally seek to collect or process special categories of personal data, such as health data, unless a specific feature, notice, or request explicitly states otherwise and an appropriate legal basis exists under applicable law.

Users should not submit medical records, clinical information, diagnostic notes, or other special category data to the Service unless the Company expressly asks for such information and provides an additional legal notice explaining why that processing is necessary. Where a user nevertheless voluntarily discloses potentially sensitive information in support communications or elsewhere, the Company may process that information only to the extent reasonably necessary to respond to the communication, comply with legal obligations, protect legal rights, or as otherwise permitted by law.

Any scores, progress indicators, or performance metrics generated through the Service are informational in nature and do not constitute medical advice, clinical findings, or professional evaluation. The Company does not warrant that gameplay results, cognitive scores, or performance metrics reflect actual health, medical condition, intelligence, memory, diagnosis, or therapeutic outcome.

7. Cookies and similar technologies

The Company uses cookies and similar technologies across the Service for authentication, security, fraud prevention, functionality, preference management, analytics, and, where permitted, marketing. Strictly necessary cookies may be used without consent where they are required for the operation, reliability, or security of the Service. Non-essential cookies, including analytics and marketing cookies, will be used only in accordance with applicable law and the individual’s choices made through the cookie consent mechanism. Additional information is available in the Company’s Cookie Policy, which forms part of the wider privacy framework applicable to the Service.

8. Disclosure and sharing of personal data

The Company may disclose personal data to third parties where such disclosure is reasonably necessary for the purposes described in this Policy. Recipients may include hosting providers, cloud and technical infrastructure providers, payment service providers, billing and subscription processors, fraud screening tools, analytics and diagnostics providers, customer support platforms, communication tools, security vendors, legal, tax, audit, and professional advisers, insurers, financial institutions, courts, regulators, supervisory authorities, public authorities, and law enforcement agencies where required or permitted by law.

Personal data may also be disclosed to prospective or actual purchasers, investors, financing counterparties, affiliates, successors, or transaction advisers in connection with a merger, acquisition, restructuring, financing, investment, transfer of assets, or similar corporate event, subject to appropriate confidentiality safeguards. The Company does not sell personal data to data brokers or permit unrelated third parties to use personal data for their own independent commercial exploitation unrelated to the Service.

9. International transfers of personal data

Personal data processed by or on behalf of the Company may be transferred to and processed in countries within and outside the European Economic Area where service providers, infrastructure partners, or advisers are located. Where personal data is transferred to a country that is not the subject of an adequacy decision by the European Commission, the Company will seek to ensure that appropriate safeguards are implemented in accordance with applicable law. Such safeguards may include Standard Contractual Clauses approved by the European Commission, transfers to recipients subject to an adequacy decision, or another lawful transfer mechanism recognized under data protection law.

A person may contact the Company for further information regarding the transfer safeguards used in the relevant processing context, subject to legal, confidentiality, and security limitations. The Company will provide additional information where appropriate and reasonably practicable.

10. Data retention and retention-ready governance

The Company retains personal data only for as long as it is necessary for the purposes for which it was collected, including to satisfy legal, regulatory, tax, accounting, audit, security, evidence-preservation, and dispute-resolution requirements. Retention periods are determined by reference to the nature of the data, the purpose of the processing, the sensitivity of the information, the frequency and context of interaction with the individual, the legal basis for processing, and any statutory or operational obligations that require continued retention.

As a matter of general retention practice, account and profile data may be retained for as long as the relevant account remains active and for a reasonable period thereafter to allow for account recovery, audit, complaint handling, fraud prevention, and enforcement of rights. Transaction and billing records may be retained for the period required by applicable financial, tax, accounting, and anti-fraud obligations. Support communications may be retained for as long as reasonably necessary to address the request, improve support quality, resolve disputes, and preserve evidence of service interactions. Technical logs, security records, access records, and anti-abuse data may be retained for as long as reasonably necessary to preserve service integrity, investigate incidents, satisfy legal requirements, and defend legal claims. Records of consent and privacy requests may be retained as necessary to demonstrate compliance with applicable data protection law.

When personal data is no longer required for an active purpose and no longer needs to be preserved under an applicable obligation or legitimate necessity, the Company may delete it, anonymize it, or securely archive it in a restricted form. The Company may also retain limited data where continued retention is necessary for suppression purposes, legal hold obligations, preservation of evidence, or the protection of legal rights.

11. Security of personal data

The Company implements and maintains appropriate technical and organizational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, unauthorized access, and other unlawful or inappropriate forms of processing. Depending on the circumstances, these measures may include encryption in transit, access controls, authentication safeguards, role-based restrictions, logging and monitoring, environment segregation, regular testing and review of security controls, vulnerability management, backup and recovery procedures, and internal policies governing confidentiality, access, and security handling.

Although the Company takes reasonable steps to protect personal data, no internet-based transmission or electronic storage system can be guaranteed to be completely secure. Accordingly, while the Company aims to apply appropriate safeguards proportionate to the risks involved, absolute security cannot be promised or guaranteed.

12. Automated tools, profiling, and decision support

The Company may use automated tools to support fraud detection, abuse prevention, account security, content or infrastructure moderation, analytics, performance monitoring, and service optimization. These tools may assist human review by identifying anomalies, suspicious activity, or usage patterns requiring investigation or technical response.

The Company does not ordinarily engage in decision-making based solely on automated processing that produces legal effects or similarly significant effects in relation to an individual, unless such processing is authorized by law, necessary for a contract, or based on explicit consent and subject to the safeguards required by applicable law. Where significant automated processing is introduced in the future, the Company will update this Policy and provide any additional disclosures required by law.

13. Marketing communications and service messaging

The Company may send service-related messages where such communications are necessary for the administration, security, continuity, or contractual operation of the Service, including messages concerning account status, password resets, confirmations, technical notices, incident alerts, subscription changes, or support responses. Where required by law, marketing communications will be sent only where the individual has provided consent or where another valid legal basis is available. Any person receiving marketing communications from the Company may opt out at any time by using the unsubscribe functionality provided in the communication or by contacting the Company directly.

14. Children, minors, and eligibility controls

The Service is not intended for individuals who do not meet the minimum age required under applicable law to use the Service or provide valid consent where consent is relied upon. The Company does not knowingly collect or process personal data from children in violation of applicable legal requirements. If the Company becomes aware that personal data has been collected from a child contrary to those requirements, the Company may delete the data, suspend or close the relevant account, and take any other reasonable compliance measures considered necessary in the circumstances. A parent or guardian who believes that a child has provided personal data unlawfully may contact the Company using the details set out below.

15. Rights of data subjects

Subject to applicable law, an individual may have the right to be informed, the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to object to processing, the right to data portability, the right to withdraw consent where processing is based on consent, and rights relating to automated decision-making where applicable. These rights are not absolute and may be subject to statutory conditions, exceptions, verification requirements, or limitations. In order to exercise a privacy right, an individual may contact the Company using the contact information below. The Company may request information reasonably necessary to verify identity before responding. The Company will respond to valid requests in accordance with the timescales and requirements set out in applicable law.

16. Complaints and supervisory authority contact

A person who believes that the processing of their personal data infringes applicable law has the right to lodge a complaint with a competent supervisory authority. For matters falling under Estonian supervision, the competent authority is the Data Protection Inspectorate. Individuals may also contact the authority in the Member State of their habitual residence, place of work, or place of the alleged infringement, where applicable under the GDPR.

17. Third-party websites, tools, and services

The Service may contain links to or integrations with third-party websites, applications, tools, plug-ins, payment providers, or content providers. The Company is not responsible for the privacy practices, security standards, content, or policies of third-party services that are not controlled by the Company. Individuals should review the privacy notices of such third-party services before providing personal data to them or using features that are operated by those providers.

18. Changes to this Privacy Policy

The Company reserves the right to amend, revise, supplement, or replace this Policy from time to time in order to reflect changes in law, regulatory expectations, technology, security standards, operational practices, or the Service itself. Updated versions will be published through the Service together with the revised effective date. Where required by law, the Company will provide additional notice or seek renewed consent in relation to material changes affecting the way personal data is processed.

19. Contact details

Questions about this Privacy Policy, requests to exercise privacy rights, and communications regarding data protection matters may be directed to the Company at: Itemsism OÜ, Harju maakond, Tallinn, Lasnamäe linnaosa, Tuulemäe tn 5, 11411, Estonia; website: https://duelvex.com/; email: info@duelvex.com; registration number: 17363244.

Document integrity note. This Privacy Policy is intended to operate coherently with the Duelvex Terms and Conditions and Cookie Policy. Where operational practices, consent flows, payment arrangements, or support procedures are updated, those documents should be reviewed together to ensure continued consistency across the Service.