Privacy Statement

1. DEFINITIONS

1.1. App – Purple Cow mobile application(s) operated by the Company under the pcow.io domain and/or official app distribution channels.

1.2. Platform – collectively, the Website, App, dashboards, publishing portals, creator portal, business dashboard, APIs, and administrative panels operated by the Company.

1.3. Brand – a legal entity that creates an account on the Platform.

1.4. Brand Representative – a natural person authorized to act on behalf of a Brand on the Platform.

1.5. Creator (Content Creator) – an individual who creates an account on the Platform to apply to campaigns and/or deliver content.

1.6. Publishing Partner – a media outlet, publisher, channel owner, or publishing entity that receives publishing requests through the Platform and delivers publishing outputs.

1.7. Distribution Partner – an entity that manages or controls multiple Publishing Partners and receives publishing requests on behalf of such partners.

1.8. Client – any Creator, Brand, Publishing Partner, Distribution Partner, or other user of the Platform.

1.9. Company – Lumos Tech – FZCO, legal entity code 39926, registered office address Dubai Silicon Oasis, DDP, Building A1, 39926 – 001, Dubai, United Arab Emirates.

1.10. Direct marketing – activities intended to promote the Company’s services by direct means (email, phone, SMS, messaging, or similar channels).

1.11. EEA – European Economic Area.

1.12. GDPR – Regulation (EU) 2016/679 (General Data Protection Regulation).

1.13. UAE PDPL – UAE Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data.

1.14. TDRA – Telecommunications and Digital Government Regulatory Authority (UAE).

1.15. Personal Data / Data – any information relating to an identified or identifiable natural person (“data subject”).

1.16. Terms & Conditions – the Company’s binding Terms & Conditions governing use of the Platform and services.

1.17. Website – the Company’s website at pcow.io and any subdomains or successor domains.

2. PURPOSE AND SCOPE OF THIS PRIVACY POLICY

This Privacy Policy explains how the Company collects, uses, stores, shares, and protects Personal Data when individuals: visit the Website; register, sign in, or use the Platform; use Video Mode or available publishing workflows; submit content, campaigns, publishing briefs, proofs, documents, or messages; make payments or receive payouts; contact the Company via Help Center or support channels; interact with Company social media accounts or marketing campaigns.

This Policy applies to all data subjects, including: (i) Creators; (ii) Brand Representatives; (iii) Publishing Partner/Distribution Partner representatives; (iv) Website visitors; (v) Social media visitors; (vi) Persons submitting inquiries/complaints; (vii) Supplier representatives; (viii) Potential clients.

The Platform is not intended for individuals under 18 years old. The Company does not knowingly process Personal Data of persons under 18. If such data is discovered, the Company will take reasonable steps to delete it or obtain appropriate consent in accordance with applicable law.

3. DATA CONTROLLER AND CONTACT DETAILS

Data Controller: Lumos Tech – FZCO (39926)

Address: Dubai Silicon Oasis, DDP, Building A1, 39926 – 001, Dubai, UAE

Telephone: +971-50-791-5299

Email: hello@pcow.io

Hosting / Infrastructure: The Company uses third-party hosting and infrastructure providers (including Amazon Web Services) for secure storage and processing. As of this date, the Company may store data in EEA regions (e.g., Frankfurt) and may migrate part or all hosting to AWS Saudi Arabia or other GCC-based data centres to meet data residency needs, while maintaining safeguards under GDPR and UAE PDPL.

4. PERSONAL DATA WE PROCESS (BY DATA SUBJECT CATEGORY)

4.1. CREATORS (CONTENT CREATORS)

A) Account and identity data: Name, surname, gender, country, date of birth (age); email address, phone number; username (internal), profile photo, password (hashed); social sign-in identifiers (Google/Apple/Facebook).

B) Portfolio and eligibility data: Portfolio videos and media uploads; featured video upload for review/eligibility; equipment details (if collected); category/level data (UGC/Nano Influencer; Pro vs non-Pro; level 1–10).

C) Campaign and performance data: Campaign applications, acceptances, deadlines; draft uploads, watermark states, approvals, rejection reasons; edit requests and responses; delivery timestamps; ratings and reviews; disputes and resolution outcomes; product delivery data.

D) Fund Purchase flow data: Funded amounts, proof-of-purchase uploads, review status; wallet crediting events; service fee deductions.

E) Communication data: Messages sent/received, timestamps, attachments; flagging/moderation records.

F) Wallet, payouts, and compliance data: Wallet balance and transaction history; payout method identifiers (PayPal, bank transfer); payment processor references; tax data (if required).

Data Sources: Provided directly by the Creator; generated from platform usage; received from social sign-in providers.

4.2. BRAND REPRESENTATIVES (BUSINESS USERS)

Name, role/title, company represented; business contact details; business profile data; campaign and publishing request creation details; billing and payment references; support tickets; audit logs.

Important: The Company does not store full payment card details. Card payments are processed by payment processors (e.g., Stripe), and the Company stores only limited references needed for accounting, reconciliation, and support.

4.3. PUBLISHING AND DISTRIBUTION PARTNER REPRESENTATIVES

Identity and contact details; company represented, role; owned channels/outlets; packages, pricing, deliverables, lead times; publishing request assignments, fulfillment steps, proof of publication uploads; payout method identifiers; dispute and ticket history; audit logs.

4.4–4.8. OTHER DATA SUBJECTS

Website Visitors: IP address, device identifiers, browser type, OS; page visits, session data, referral source; cookie identifiers.

Social Media Visitors: Public profile info; interactions with Company content; messages and attachments.

Support / Inquiries: Name, contact details; ticket content and attachments; resolution actions.

Suppliers / Contract Parties: Representative identity and contact details; communications and contract documentation.

Potential Clients: Publicly available business contact data; pre-sales communications.

5. THE WEBSITE VISITOR (COOKIE POLICY)

5.1 Cookies

Cookies are small files stored on your device that help the Website function properly, improve user experience, measure performance, and (where enabled) support advertising and marketing. The Website may use first-party cookies (set by the Company) and third-party cookies (set by service providers such as analytics, authentication, payments, support tools, and marketing platforms).

5.2 Mandatory (technical) cookies

These cookies are necessary for the Website to function, including security, authentication, load balancing, fraud prevention, and payment functionality.

Cookie Provider Purpose Validity

HSID Google / Google Analytics Protects users from false logins, ensures user authenticity. 2 years

SIDCC Google / Google Analytics Ensures user authenticity. 3 months

SID Google / Google Analytics Ensures user authenticity. 2 years

_gid Google / Google Analytics Stores a unique value after each page visit. 1 day

__cfduid Google / Google Analytics Designed to speed up page loading. 3090 days

DSID Google / Google Analytics Stores an encrypted unique identifier. Session

intercom-session-pu1mxg2b Intercom Designed to ensure the operation of the Intercom tool. 1 hour

_hjid HotJar Set when a user visits a page, a random number identifying the user is stored. 365 days

_hjAbsoluteSessionInProgress HotJar Designed to provide HotJar features. Session

auth0 Auth0 Stores user login information. 3 days

did_compat Auth0 Stores information about the user’s last login activity. 1 year

did Auth0 Stores information about the user’s last login activity. 1 year

auth0_compat Auth0 Stores user login information. 3 days

OptanonAlertBoxClosed Auth0 Stores the date the information message was closed. 1 year

OptanonConsent Auth0 Stores information about consent to the information notification. 1 year

ga_Rollup Auth0 Stores information related to the Auth0 plugin submission. 2 years

__stripe_mid Stripe Stores a unique value associated with the user to ensure Stripe functions. 1 year

__stripe_orig_props Stripe Stores Stripe plugin settings. 1 year

__stripe_sid Stripe Stores a unique value associated with the user to ensure Stripe functions. 1 year

Scfc Stripe Stores information to ensure the operation of the Stripe plugin. 1 year

5.3 Analytical cookies

Analytical cookies help measure usage and improve the Website and Platform performance.

Cookie Provider Purpose Validity

SAPISID Google / Google Analytics Assists in gathering information about videos uploaded to YouTube. Permanent

SSID Google / Google Analytics Helps gather information about using YouTube and Google Maps. Permanent

_ga Google / Google Analytics Designed to uniquely identify different users. 2 years

gtm_id Intercom Links the user to the internal Intercom Google Analytics. 2 years

_ga Intercom Links the user to the internal Intercom Google Analytics. 2 years

ajs_user_id Hotjar Used by usage analysts online. 365 days

_ga Hotjar Sets Google Analytics, used to differentiate users. 2 years

ajs_group_id Hotjar Used to group visits from different users. 365 days

ajs_anonymous_id Hotjar Randomly generated for anonymous users. 365 days

5.4 Functional cookies

Functional cookies enable enhanced functionality and personalization (e.g., remembering consent settings).

Cookie Provider Purpose Validity

CONSENT Google / Google Analytics Stores user settings for personalized ads. Permanent

5.5 Commercial (marketing) cookies

Commercial cookies support advertising and remarketing activities (where enabled and consented).

Cookie Provider Purpose Validity

__Secure-3PAPISID Google / Google Analytics Creates a user interest profile to display ads. 2 years

__Secure-3PSID Google / Google Analytics Creates a user profile to display ads. 2 years

NID Google / Google Analytics Holds user settings based on recent searches. 6 months

APISID Google / Google Analytics Personalize Google Analytics ads. 2 years

__Secure-3PSIDCC Google / Google Analytics Assists in gathering information related to ad serving. 2 years

ANID Google / Google Analytics Collects info about recently displayed ads based on searches. Permanent

1P_JAR Google / Google Analytics Helps show personalized ads on Google sites. 1 week

IDE Google / Google Analytics Designed to make Google DoubleClick work. Session

_fbp Facebook Designed to provide Facebook advertising services. Session

5.6 Purposes and legal basis for cookies

Mandatory (technical) cookies: legitimate interest (Website functionality, security) – GDPR Art. 6(1)(f).

Analytical cookies: consent – GDPR Art. 6(1)(a).

Functional cookies: consent – GDPR Art. 6(1)(a).

Commercial cookies: consent – GDPR Art. 6(1)(a).

5.7 Cookie management

Most browsers accept cookies by default. Visitors can block/delete cookies via browser settings and can update cookie preferences through the Website’s cookie consent tool. Blocking cookies may impact Website functionality.

Third-party cookie resources:

Google Analytics: https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage

Google cookies: https://policies.google.com/technologies/types

Auth0: https://auth0.com/privacy/

Stripe: https://stripe.com/cookies-policy/legal

Intercom: https://www.intercom.com/legal/privacy ; https://www.intercom.com/legal/cookie-policy

Hotjar: https://www.hotjar.com/legal/policies/privacy/

Facebook cookies: https://www.facebook.com/policies/cookies/

6. PURPOSES AND LEGAL BASES FOR PROCESSING

6.1 Account creation and Platform access – Legal basis: contract performance (GDPR Art. 6(1)(b)).

6.2 Service delivery (Video Mode and publishing workflows)– Legal basis: contract performance and legitimate interest.

6.3 Payments, wallets, deductions, and payouts – Legal basis: contract performance, legal obligation, legitimate interest.

6.4 Customer support and ticketing – Legal basis: legitimate interest and contract performance.

6.5 Security, fraud prevention, and platform integrity – Legal basis: legitimate interest.

6.6 Analytics and product improvement – Legal basis: legitimate interest and/or consent.

6.7 Direct marketing – Legal basis: consent where required and/or legitimate interest with opt-out.

6.8 Legal compliance and enforcement – Legal basis: legal obligation and legitimate interest.

7. PLATFORM INTEGRITY, MODERATION, AND AUTOMATED PROCESSING

The Platform may use automated or semi-automated tools to: detect prohibited content (e.g., sending phone number/email/social profiles in messages); flag suspicious activity and enforce Terms & Conditions; generate audit logs for admin review and dispute resolution; prevent fraud and abuse of wallets, referrals, or payments.

Where automated tools trigger restrictions, the Company may apply human review, especially for disputes or appeals.

8. PAYMENTS, WALLETS, PAYOUTS, AND FINANCIAL DATA HANDLING

8.1 Card payments may be processed via payment processors such as Stripe. The Company does not store full card details.

8.2 Wallet balances are maintained for Brands (spend), Creators, and eligible publishing partners (earn). Wallet transactions may include: deposits, deductions, refunds, payouts; funding amounts for “Fund Purchase”; service fee deductions; transaction references and reconciliation logs.

8.3 Payout methods may include PayPal or Bank Transfer. The Company stores payout identifiers necessary to send payouts.

8.4 Invoices, receipts, and accounting records may be retained as required by law.

9. SHARING OF PERSONAL DATA (RECIPIENTS)

Personal Data may be shared with: hosting/cloud providers (e.g., AWS); analytics tools (Google Analytics, Hotjar); authentication providers (Auth0); support tools (Intercom); payment processors (Stripe); email providers (e.g., SendGrid); social sign-in providers (Google, Apple, Facebook); Brands and Creators involved in a transaction; publishing partners involved in a publishing request; courier/shipping providers; professional advisors (legal/accounting); authorities where legally required; courts/law enforcement; successors in business transfer scenarios; other parties with your consent.

All processors operate under contractual safeguards and confidentiality obligations.

10. INTERNATIONAL DATA TRANSFERS

Where data is transferred outside the EEA or UAE, the Company uses safeguards such as: Standard Contractual Clauses; Adequacy decisions; Other lawful mechanisms under GDPR and UAE PDPL.

11. DATA RETENTION

Unless law requires otherwise:

Account and transactional records: 10 years after account termination;

Support tickets: 3 years after resolution;

Fraud/security logs: retained as needed for security and enforcement;

Tax records: as required by law;

Publicly published content: retained as required for contractual/legal purposes.

12. DATA SUBJECT RIGHTS

You may have rights under GDPR and applicable law: access, rectification, erasure, restriction, objection, portability, withdrawal of consent. Requests may be sent to hello@pcow.io.

13. SECURITY MEASURES

The Company applies appropriate technical and organizational measures including encryption, access controls, logging, monitoring, secure authentication, and incident response plans. No system can be guaranteed 100% secure.

14. CHILDREN’S PRIVACY

The Platform is not intended for individuals under 18. If the Company becomes aware of such data, it will take steps to delete it or comply with applicable law.

15. QUESTIONS, COMPLAINTS, AND DISPUTES

Contact: hello@pcow.io / +971-50-791-5299.

16. CHANGES TO THIS PRIVACY POLICY

This policy may be updated and will be published on the Website with an updated date.