Lazy Surfers Co., Ltd. and its affiliates (“we”, “our”, “us”, “the Company”) is committed to protecting the privacy and security of the information we collect and being transparent about the ways in which we collect and process your information. This statement (the “Privacy Policy”) sets forth our policies and practices for handling the information we collect from or about you. It applies to the Marina Protocol app and online services that we operate and that link to this Privacy Policy, such as the Marina Protocol, the blockchain services and online communities (collectively, the “Services”).

It is important that you read this Privacy Policy, together with any other notices we may provide on specific occasions when we are collecting or processing your personal data, so that you are aware of how and why we are using such personal data and what your rights are under the relevant data protection laws.

COLLECTION OF PERSONAL DATA

In this notice, “personal data” means any information about an identified or identifiable individual. We process the following categories of personal data from you when you use our Services:

• Contact information, such as your email address.

• Registration information such as authentication token issued by the third party platform through which you log-in to sign up to Marina Protocol app (Google, Apple) and access the Services through their respective mobile app, as well as your Marina Protocol Nickname, Wallet address, encrypted wallet key, and technical information (e.g. browser type, OS, device type, IP address).

• Information for handling user inquiries and complaints, such as email address or nickname and information related to user issues.

We receive the above categories of information from you when you directly provide it to us, or from other sources, including from users of our Services and third-party services and organizations. (e.g. Google, Apple). Please see Appendix II for more information on personal data collected from third parties. Without this information, we are not able to provide you with all the requested services, and any differences in services are related to your information.

We do not collect any sensitive information (i.e. data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometrics data, data concerning health or data concerning a natural person's sex life or sexual orientation) or any data relating to criminal conviction and offences from you.

USE OF PERSONAL DATA

We will use your personal data for the following purposes:

• To provide you with the Services. We may use your information to open and maintain user accounts, facilitate the functionality of our Services, customize the Services, and to provide forum and community features;

• To improve the quality of our Services. We may use your information to maintain, improve, and administer our Services, including by troubleshooting, data analytics, and testing;

• To keep our Services and users safe. This includes to detect users illegally using our programs; and to otherwise prevent and respond to fraud, abuse, security risks, and technical issues.

• To send you electronic correspondence. We may send you emails or otherwise communicate with you in order to manage inquiries and requests from you or otherwise to communicate about your use of the Services.

• To comply with applicable laws and regulations. This includes using your information to ensure compliance with legal obligations (such as record keeping obligations), solve disputes, enforce our contractual agreements, and to establish, exercise or defend legal claims.

We will use your personal data on the following legal bases as described in Appendix I:

1. To perform a contract we have entered into with you;

2. To comply with a legal obligation; or

3. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

We may also use your personal data on the following less common legal bases:

1. To protect your interests (or someone else’s interests).

2. Where your consent is given; or

3. Where it is required to defend or pursue legal claims.

AUTOMATED DECISION-MAKING AND PROFILING

We do not engage in profiling or other automated decision making in the course of our relationship with you.

DISCLOSURE OF PERSONAL DATA

We may share your personal data with third parties in the following contexts:

• Disclosure to our service providers and external controllers:We may use third-party vendors and service providers (or “data processors”) to process your personal information for the purposes outlined above. Our data processors operate only in accordance with our instructions, in line with this policy, and are subject to appropriate confidentiality and security obligations.

• Disclosure to external controllers:We may share your information with external controllers to process your personal information for the purposes outlined above. Please see Appendix III for more information on personal data provided to external controllers.

• Disclosure pursuant to business transfers:We may share your information in connection with a substantial corporate transaction, such as the sale of a website, a merger, consolidation, asset sale, initial public offering, or in the unlikely event of bankruptcy.

• Disclosure for legal purposes:We may also transfer your personal data to law enforcement agencies, governmental authorities, legal counsel and external consultants in compliance with applicable data protection laws. The legal basis for such processing is compliance with a legal obligation to which we are subject to or our legitimate interests, such as the exercise or defense of legal claims.

• Disclosure with your consent:Lastly, we may also share information about you to third parties when you have consented to it.

Our services allow you to upload and share messages and other content with others. If you choose to engage in public activities on the Services, you should be aware that any information you share there can be read, collected or used by other users of these areas. You should always exercise discretion and use caution when disclosing information while participating in these areas. We are not responsible for the information you choose to submit in these public areas.

If a recipient of your personal data is located outside of the EU and the European Economic Area (“EEA”) in a country that is not recognized by the European Commission as ensuring an adequate level of data protection, we will implement appropriate measures to ensure that your personal data remains protected and secure when it is transferred outside of your home country, in accordance with applicable data protection and privacy laws. These safeguards include data transfer agreements implementing European Commission's Standard Contractual Clauses (a form of data transfer agreement pre-approved by the European Commission as providing adequate safeguards for personal data). You may ask for a copy of such appropriate measures by contacting the company published in the policy.

CHILDREN

Services are not intended for anyone under age of 19. We do not knowingly collect or sell any information from children, as defined by applicable law, without parental consent or as otherwise permitted by applicable law.

DATA SECURITY

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In addition, we limit access to your personal data to only those employees, agents, contractors and other third parties who have a business need for such access. We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.

DATA RETENTION

We will only retain your personal data for as long as necessary to fulfill the purposes set out above, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Broadly, most of your data will be deleted immediately upon termination of our relationship with you. But in the following circumstances, your personal data will be retained for different set periods:

(i) Information of users with activity history and/or transaction history and/or remaining $SURF, $BAY and other assets in the Marina Protocol app - 5 years (ii) Information related to inquiries submitted to customer support - 3 years (iii) Information of users with incomplete Marina Protocol account creation - up to 60 days

Notwithstanding the above, we may keep your personal data as long as required to comply with legal or regulatory obligations to which we are subject.

YOUR DUTY AND RIGHTS IN RELATION TO YOUR PERSONAL DATA

Your duty to inform us of changes

It is important that the personal data we hold about you is accurate and current. If you become aware of changes or inaccuracies in your information, you should inform us of such changes so that the information may be updated or corrected.

Your rights in connection with personal data

You may be entitled, in accordance with applicable law, to the following rights to:

• Request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it;

• Request correction and/or deletion of your personal data;

• Request the restriction of the processing of your personal data;

• Request receipt or transmission to another organization, in a machine-readable form, of the personal data that you have provided to us;

• Object, at any time, to the processing of your personal data by us; or

• Withdraw your consent.

To exercise any of your rights, please contact us by using the contact details at the end of this policy. We may need to request specific personal data from you to help us verify your identity and confirm your right to access the personal data (or to exercise any of your other rights). This is another appropriate security measure to ensure, for example, that personal data is not disclosed to any person who has no right to receive it.In the event that you wish to make a complaint about how we process your personal data, please contact us and we will endeavor to handle your request as soon as possible. You may lodge a complaint with a supervisory authority if you believe our processing of your information is unlawful. If you are in the EU, you can find the supervisory authority for your country and how to contact them in https://edpb.europa.eu/about-edpb/board/members_en. If you are in the UK, the supervisory authority is the Information Commissioner’s Office, who you can contact in https://ico.org.uk/make-a-complaint/your-personal-information-concerns

DATA CONTROLLER AND CONTACT DETAILS

The Company is the data controller for the purposes of the EU GDPR, the UK GDPR and other applicable data protection laws. If you have any questions about this notice or wish to contact the Company regarding your personal data or concerns you have about this notice.

[Contact Information]

• contact@marina-protocol.com

[DPO contact information]

• VeraSafe

• Anastasia Pavlou (Privacy Counsel)

• 100 M Street S.E., Suite 600

• Washington, D.C. 20003 USA

• +1 (617) 398-7067

• experts@verasafe.com

[EU Representative contact information]

• VeraSafe Netherlands BV

• Keizersgracht 391 A

• 1016 EJ Amsterdam

• The Netherlands

• contact form: https://www.verasafe.com/privacy-services/contact-article-27-representative/

• +420 228 881 031.

[UK Representative contact information]

• VeraSafe United Kingdom Ltd.

• 37 Albert Embankment

• London SE1 7TL

• United Kingdom

• contact form: https://verasafe.com/public-resources/contact-data-protection-representative

• +44 (20) 45322003

CHANGES TO THIS POLICY

We will update this policy to reflect changes in our practices and services, and take appropriate measures to notify you of any significant changes in accordance with applicable data protection laws. When we post changes to this policy, we will revise the "Last Updated" date at the top of this policy.