Introduction:

This Privacy Policy explains how GrtWines, operated by GrtWine Digital Solutions Pte Ltd, ., a company incorporated under the laws of Singapore with its registered address at 10 Anson Road, #23-05, International Plaza, Singapore, its affiliates and subsidiaries (collectively, “Company”, “we”, “us” or “our”) has the highest regard for the privacy and personal data of each user (hereinafter referred to as “user”, “you” or “your”), collects, uses, and shares information about you when you use the GrtWines Platform (“Platform), our website at www.grtwines.com and our related websites, as well as users of applications or any other software, tools, features or functionalities in connection with our services thereon (collectively “Service”). By using the Service, you agree to the collection, use, and sharing of your information in accordance with this Privacy Policy.

We are aware that the success of our Service depends on the trust that you have in the way we handle your personal data. By entrusting us with your information, we would like to assure you of our commitment to keep such information private.

We have taken considerable steps to protect the confidentiality, security and integrity of the information shared with us. We encourage you to review the following information carefully before using the Service. By using the Service, you are deemed to have read, understood and accepted our practices governing the collection, use and disclosure of your personal data in this Privacy Policy.

We are not responsible for the privacy practices of any third-party websites that may be linked to the Service. It is your responsibility to check this webpage periodically to see if any terms have been changed or modified. Your continued use of the Service constitutes your acceptance of any updates to this Privacy Policy.

This Privacy Policy is drafted in accordance with the Personal Data Protection Act 2012 (“PDPA”) under Singapore law and is intended for use in Singapore and, where applicable, other countries or regions which provide the same level of protection for personal data that is comparable to the standards of the PDPA.

The PDPA recognizes the rights of individuals to protect their personal data (including rights of access and correction) and the requirement for organisations to collect, use or disclose personal data for legitimate and reasonable purposes. Accordingly, this Privacy Policy outlines the personal data that we collect, how it may be used, how it is stored and retained, whom it may be transmitted to as well as our and your responsibilities in relation to such uses and disclosures. We recommend that you read this Privacy Policy and our Terms and Conditions carefully before disclosing any personal data to us or using the Service.

Please refer to the Terms and Conditions accessible at: https://www.grtwines.com/terms-conditions (“Terms“) when reading this Privacy Policy. Unless otherwise defined in this Privacy Policy, capitalised terms used herein shall have their meanings ascribed to them under each of the Terms and Conditions specific to each of the Service.

Application:

This Privacy Policy applies to users when browsing, visiting, accessing and/or using the Service.

This Privacy Policy sets out our commitments and explains the rights that you have with respect to your personal data. If you do not agree to the terms of this Privacy Policy, please do not use the Service or any part thereof.

You shall not be permitted to use the Service where you do not confirm your acceptance of this Privacy Policy.

Grounds for data collection::

By browsing, visiting, accessing and/or using the Service and/or when you provide personal data to us, you consent to the collection, storage, use, disclosure and other uses and processing of your personal data by us in accordance with this Privacy Policy, and such consent shall remain effective unless you otherwise notify us in writing of the withdrawal of your consent and the reason thereto. You shall not use our Service if you do not consent to this Privacy Policy, and you shall immediately cease using our Service if you withdraw your consent for us to process your personal data.“Personal data” and other terms defined under the PDPA where used in this Privacy Policy shall have the same meaning defined under the PDPA.

Processing of your personal data is necessary for the performance of our contractual obligations towards you under the Terms, permitting access to the Service, to protect our legitimate interests, and to ensure compliance with legal and financial regulatory obligations. Failure to provide the relevant data to us or the limitation placed on us in the processing of your personal data may affect our ability to allow your access to the Service and/or your ability to enjoy the full benefits of the Service.

How do we receive information about you?:

• Registration: The Service requires registration and provision of your information, including personal data;

• Upon creating a profile or registering with us: Where you create an account with us (by providing a valid email address and connect a third party blockchain wallet to the Platform), you will be asked to provide personal data which will form part of your unique digital identity on the Service;

• For compliance with our Anti-Money Laundering / Counter Financing of Terrorism (“AML/CFT”) measures: The Company complies with its AML/CFT Policy released and updated by the Company on the Service from time to time (“AML/CFT”). In accordance with our AML/CFT policy, we may request for your personal data, including information such as identification documents and pictures;

• Whenever you submit information via the Service: You may, in the course of interactions with other users on the Service accessible via the Platform, disclose your personal data; and

• If, upon the introduction of the feature, you choose to sign up via your social media accounts or other authentication providers: when you sign-up to the Service via your social media accounts or other authentication providers (such as Google account or Facebook account), we will have access to basic information made publicly from such account, such as your full name, home address, email address, birthdate, profile picture, friends list, personal description, as well as any other information you made publicly available on such account, or agreed to share with us.

It is your voluntary decision whether to provide us with any personal data, however if you do not provide the information we require or requested, you may not be able to create a profile or or use the Service. Your use of Service may be severely limited.

To enable us to provide the Service to you effectively, the information you provide to us shall be accurate, complete, not misleading and without material omission, and that such information is kept up to date. If you discover that the information is inaccurate, incomplete, misleading, contains material omission or is outdated, please update us with the true, accurate, complete and updated information.

If you provide us personal data about another person, you confirm that such other person has appointed you to act for him/her, to consent to the processing of his/her personal data by us in accordance with this Privacy Policy and to receive on his/her behalf any data protection notices.

Information We Collect::

We collect the following types of information (“Information”):

• Personal Information: When you create an account or use our Service, we may collect personal information, such as your name, email address, gender, birth date, zip code, country of residency, home address, shipping address and phone number;

• Blockchain Data: we may collect and analyse public blockchain data such as transaction ID, transaction amounts, wallet address for the transfer or storage of tokens, timestamps, events or data transactions between parties, smart contracts, AI services, social graph services and data storage, as well as user interactions between users and the Service. For the avoidance of doubt, the blockchain is a decentralised ledger and where your data is stored on the blockchain, the data is accessible by the Company, but not controlled by the Company;

• Voluntary information: when you communicate with us (for example when you send us an email or use a “contact us” form) we collect the personal data you provided us with;

• Transaction Information: When you trade wine-backed and wine-inspired NFTs or redeem wine bottles, we may collect information about the transaction, including the NFTs involved and the transaction date between you and the producers or negociants (collectively, “Producers”);

• Usage Information: We collect information about your usage of the Service, including the pages you visit, the content you view, and the actions you take while using the Service;

• Technical Information: We collect technical information about your device and internet connection, such as your IP address, browser type, and operating system; and

• Service usage data: We collect information about your use of the Service. This includes but is not limited to the type of computing or mobile device you use, language of your operating system, the Internet browser you are using, geo-location and use of the Service.

Tracking Technologies – Cookies::

A cookie is a small piece of text that is sent to the Platform or your browser when you access the Platform. The Platform provides this piece of text to your device when you return. We use cookies to help personalise your experience with the Platform.

A “persistent” cookie may be used to help save your settings and customizations. Also, if you log in to the Platform, such a cookie will be used to recognize you as a valid user so you will not need to log in each time you use the Platform.

The Platform automatically accepts cookies however you may modify security settings so you can approve or reject cookies on a case-by-case basis or reject all cookies.

Also, you are free to delete any existing cookies at any time. If you delete or disable cookies from the Platform, some parts or functions of the Platform may not work properly for you.

We also use “Google Analytics” to collect information about the use of the Service. Google Analytics collects information such as how often users visit the Service, what pages they visit, when they do so, and what other sites they used prior to coming to the Service. Google Analytics collects only the IP address assigned to you on the date you use the Service, as well as information regarding your operating system, language and information regarding your use of the Service, rather than your name or other identifying information. We do not combine the information collected through the use of Google Analytics with personal data. We use the information we get from Google Analytics only to improve the Service. Google’s ability to use and share information collected by Google Analytics about your use of the Service is restricted by the Google Analytics Terms of Use and the Google Privacy Policy.

How We Use Your Information:

We use your information for various purposes, including to:

• Provide and improve the Service: we will use your information for the provision and improvement of our Service to you, and for the processing of your requests and queries. For example, data collected automatically on the Service may be used to help diagnose problems with our servers, to make our Service more useful, to customise it and personalise its content for you;

• Personalise your experience on the Service;

• Process transactions and send you transaction confirmations;

• General communication: We also use your personal data to send you texts, emails or other communications regarding updates, promotions, and customer service inquiries;

• Protect the security and integrity of the Service;

• Enforce our Terms and comply with legal requirements: we may use your personal data for the purpose of enforcing our rights under the Terms or to defend ourselves, including assessing the personal data posted to determine whether content containing such personal data should be deleted.

• Marketing purposes: We will use your personal data (such as your email address or phone number) to communicate with you. We may also send you promotional material concerning our Service, including but not limited to, by building an automated profile based on your personal data, for marketing purposes. If you do not want us to use or share your personal data for marketing purposes, you may request us to cease processing your personal data for marketing purposes using the information below under “How to Contact Us”. Please note that even if you opt-out, we may still use and share your personal data with third parties for non-marketing purposes (for example to fulfil your requests, communicate with you and respond to your inquiries, etc.). In such cases, the organisation with whom we share your personal data are authorised to use your personal data only as necessary to provide these non-marketing services;

• Analytics, surveys and research: We are always trying to improve our services and think of new and exciting features for our users. From time to time, we may conduct surveys or test features, and analyse the information we have to develop, evaluate and improve these features;

• Anonymised data: We may analyse and evaluate your personal data in connection with the Service, anonymise and aggregate our analysis and evaluation, and commercialise such anonymised and aggregated analysis and evaluation in any manner as we think fit;

• Protecting our interests: We may use your personal data when we believe it is necessary in order to take precautions against liabilities, investigate and defend ourselves against any third-party claims or allegations, investigate and protect ourselves from fraud, protect the security or integrity of the Service and protect the rights and property of the Company, its users and/or partners;

• Enforcing of policies: We may use your personal data in order to enforce our policies, including the Terms;

• Compliance with legal and regulatory requirements: We may also use your personal data as required by or for the purpose of compliance with law, regulation or other governmental authority, or to comply with a subpoena or similar legal process;

• Record-keeping: we will collect and retain your personal data in the ordinary course of our business and for so long as necessary for the fulfilment of the purposes set out in this Privacy Policy or as is required by any legal, regulatory and/or accounting requirements; and

• Ancillary purposes: We may use your personal data for any purposes in connection with, relating or ancillary to any of the above, provided that they are necessary for the delivery of the Service.

How We Share Your Information:

We may share your information with the following persons:

• With service providers, as is reasonably necessary, with our contractors or consultants, including vendors and suppliers that provide us with development services, technology, services, or content for the operation, development and maintenance of the Service or data and analysis on the use of the Service. We shall impose on such service providers obligations of confidentiality and only share personal data to the extent necessary;

• With the Producers;

• With other users of the Service, when you engage in transactions or publicly post content;

• With content providers, in order to provide you with personalised third-party content or links to third party sites that might interest you. We provide this third-party content and/or links to third party sites for information purposes only and are not liable for such content or sites. For more information see the “Links to other Websites or Apps” section below;

• With law enforcement authorities, courts and tribunals, including with legal advisors and consultants, in case we need to respond to law enforcement requests or other legal requests or pursuant to a requirement imposed by law, order, judgement or decree, or courts in order to protect and defend our rights and property or those of Service users;

• With other organisations, in the event of a merger, acquisition or sale of all or a portion of our assets;

• With our auditor if requested for the purpose of an audit on our business. We may also share your personal data with our legal and other professional advisors for the purpose of enforcing our rights or defending any claims against us, or for any other purpose in connection with the Service;

• With group companies, for internal reporting purposes.

• In connection with a merger, acquisition, or sale of company assets;

• With your consent or at your direction.

Use of aggregated data::

We make every effort to ensure that aggregated data does not include any personally identifiable information. The AI technologies powering the Platform and/or enabling the delivery of the Service may analyse and/or combine all information we receive (as set out under this Privacy Policy), with information from other users to create aggregated data that may be disclosed to and utilised by us, our affiliates and by third parties without restriction, on commercial terms that we can determine in our sole discretion, for purposes such as: content marketing, research purposes, in order to understand behaviour patterns, marketing strategies and for entering into commercial contracts in order to provide our users with the Service as well as to periodically enhance the Platform and/or the Service.

Access and correction::

You may request access to, and correction of, your personal data and limit the processing of your personal data or make any enquiries or complaints in respect of the processing of your personal data, by contacting us at the contact details set out in “Contact Us” section below. You are responsible for informing us when your personal data or preferences have changed and require updating. We shall, within a reasonable time frame, attend to your request for access to and correction of your personal data or updating of your preferences.

International transfers::

We store information and data on public and/or private cloud, where your data can be stored and/or backed up in any of the jurisdictions where the cloud service providers provide their cloud service (“Off Chain Storage”). You hereby consent that we may store your personal data on our cloud server, which may be located outside Singapore or the jurisdiction in which the Service was obtained or is used.

The Company utilises a network of storage and server resources that is designed to provide the required security and accessibility for the Service. The Company shall, in all engagements with data storage solution providers, use service providers who have evidenced the capability to manage the volumes, nature and technology necessary to store the data provided by users of the Service.

Your Choices and Rights:

You have the right to access, update, or delete your personal information at any time by logging into your account and managing your account settings. You may also contact us at support@grtwines.com to request access, updates, or deletion of your personal information.

Data Retention:

We retain your personal information for as long as necessary to fulfil the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our policies. Retention periods will be determined taking into account the type of information that is collected and the purpose for which it is collected, bearing in mind the requirements applicable to the situation and the need to destroy outdated, unused information at the earliest reasonable time.

Links to other websites or apps::

Our Services may link to or refer to websites or mobile device services that we do not control. Any personal data you provide on the linked pages is provided directly to this third party and is subject to this third party’s provider’s privacy policy. This Privacy Policy does not apply to such other websites or mobile device services, and we are not responsible for the privacy practices or content of any website or mobile device service not controlled by us. If you have any concerns, we urge you to review the terms of those other websites or mobile device services for more information about their applicable policies.

Security:

We take reasonable measures to protect your information from unauthorised access, use, or disclosure.

You need to help us prevent unauthorised access to your account by protecting your password appropriately and limiting access to your account (for example, by signing off after you have finished accessing your account). You will be solely responsible for keeping your password confidential and for all use of your password and your account, including any unauthorised use.

While we seek to protect your information to ensure that it is kept confidential, we cannot absolutely guarantee its security. You should be aware that there is always some risk involved in transmitting information over the internet. While we strive to protect your personal data, we cannot ensure or warrant the security and privacy of your personal data or other content you transmit using the Service, and you do so at your own risk.

You are further informed that On Chain Storage is utilised by the Company. Data stored on the relevant blockchain supporting the Platform and/or the Service does not belong to the Company and is situated on a decentralised ledger. On Chain Storage is used to store data that can be used to verify users’ identities and ensure data integrity.

Off Chain Storage is also utilised by the Company to store data you disclose to us. All the data stored in Off Chain Storage is encrypted at rest and in transit. The off-chain data will be stored in secure, scalable, and highly available cloud services which are directly integrated with the Service.

We shall, in the event of a compromise of personal data:

• Assess the extent to which personal data collected by us has been compromised and put in place appropriate measures to contain the breach of personal data and minimise any harm to you arising from the breach of personal data;

• Analyse and determine the cause of the data breach;

• Ascertain if the data breach are notifiable data breaches under any data protection and privacy laws applicable to the Company;

• Report the data breach to any relevant governmental data protection body or agency, including the Singapore Personal Data Protection Commission if the data breach is a notifiable data breach;

• Ascertain if you are required to be informed of the data breach having regard to relevant rules, regulations, advisories, orders wherever applicable, including but not limited to the Personal Data Protection (Notification of Data Breaches) Regulations 2021 and the Advisory Guidelines on Key Concepts in the PDPA;

• Inform you if you are required to be notified of the data breach; and

• Take continuing action to prevent further harm to you arising from the breach of personal data, including but not limited to reviewing measures taken to contain breaches of personal data and protect personal data.

We shall, in managing data breaches, have regard to the Guide on Managing and Notifying Data Breaches under the PDPA (“Guide”). Subject to our compliance with the Guide in the event of a breach of personal data, by continuing to use the Platform following such an event of breach, you confirm that you accept the adequacy of measures taken by us following an event of breach of personal data.

We shall be entitled to all rights of indemnity against you as a user of the Service in the case where you posted content containing personal data and acted in breach of the Terms.

You acknowledge that notwithstanding the Company’s security measures, malicious actors, scripts, viruses, codes, software and other damaging factors including the evolution of hacking technologies, may result in the compromise of the personal data which you have provided to the Company.

To the fullest extent permitted, you waive any claim against the Company for any, loss, liability, damage and/or cost incurred (“Damage”), howsoever such Damages arise and whether such losses are direct or indirect losses, where such data breaches do not arise out of the negligence, fraud or wilful default of the Company.

Specific provisions related to the European Union General Data Protection Regulation::

We acknowledge that the GDPR will apply if we process or hold any personal data of individuals residing in the EU or if we offer goods or services to individuals in the EU (“EU Individuals”).

We understand that we may lawfully process personal data if consent is provided by the EU Individual for the processing for specific purposes, if it is necessary for the performance of a contract or if it is necessary for our compliance with a legal obligation.

We understand that personal data must be processed lawfully, fairly, and transparently, be collected and applied only for specified, explicit and legitimate purposes, must be limited to only what is required, must be accurate, not be kept in personally identifiable form for longer than is necessary and must be secured and protected pursuant to the GDPR.

Sensitive personal data, or special categories of personal data as defined under the GDPR, which includes data about an individual’s race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, health information as well as genetic and biometric data, are collected by us. The processing of such sensitive personal data is limited to the purposes and uses set out under this Privacy Policy.

We acknowledge and agree that the GDPR affords EU Individuals with rights such as:

• Right to access and obtain a copy of the EU Individuals’ personal data, including the purposes of processing and who the personal data has been disclosed to;

• Right to rectify inaccurate personal data concerning the EU Individual;

• Right to erasure of personal data concerning the EU Individual in certain circumstances;

• Right to restriction of processing of personal data in certain circumstances, such as where the accuracy of the personal data is contested, or the processing is unlawful;

• Right to data portability by receiving personal data concerning the EU Individual or data which has been provided to us, in a structured, commonly used and machine-readable format, and the right to transmit that data to another organisation;

• Right to object to the processing of personal data in certain circumstances, including for the purposes of direct marketing; and

• Right not to be subject to automated decision-making (including profiling) where this has a legal effect on the EU Individual or significantly affects him.

We agree that we will act on a request from an EU Individual without undue delay (within one month). We will maintain records of how we process personal data, acknowledge the need to conduct data protection impact assessments and the need to apply careful consideration in the adoption and engagement of our data processors.

Where you are an EU individual, we are required to:

• investigate any reported actual or suspected data security breach;

• where applicable, make the required report of a data breach to any relevant supervisory authority without undue delay and, where possible within 72 hours of becoming aware of it, if it is likely to result in a risk to the rights and freedoms of individuals; and

• notify the affected individuals if a data breach is likely to result in a high risk to their rights and freedoms and notification is required by law.

• By proceeding with or continuing with the use of the Service, you agree that this Privacy Policy provides sufficient protection to your personal data rights under the GDPR. You also agree that where we have acted on your request in accordance with the above clauses, the action by us is in all respects, compliant with the GDPR.

Changes to this Privacy Policy:

This Privacy Policy was last updated on [26/10/2023]. We may update and modify this Privacy Policy from time to time, at our absolute discretion and such modifications shall come into effect immediately. We will notify you of any changes by posting the updated Privacy Policy on our website. For these reasons, we encourage you to periodically review this Privacy Policy for the latest version. Your continued use of the Service after any update constitutes your acceptance of the updated Privacy Policy.

Children's Privacy:

Our Service is not intended for individuals under the age of 18, and we do not knowingly collect personal information from children under 18. If any person discovers that his/her child has been using the Service without his/her consent, or that someone has been using the Service for or on behalf of his/her child without his/her consent, please contact us using the information below under “How to Contact Us” and we will take reasonable steps to delete the child’s information from our active databases. We reserve the right to check our user base from time to time and remove users whom we have grounds to believe they are in fact minors, including without limitation, restricting those user accounts, or deleting them, as we may deem appropriate.

Contact Us:

If you have any questions or concerns about this Privacy Policy or our data practices, please contact us at support@grtwines.com .