Data Processing Addendum

Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the meaning assigned to it under this clause or elsewhere in this DPA. Capitalized terms used but not defined in this DPA can be found in our Terms of Service and/or other Platform Terms. When we refer to any such term in this DPA, we will try and specify where in the Policy and/or other Platform Terms you can find the meaning/definition.

• “Authorized User(s) Data” shall have the meaning assigned to it under the Privacy Policy i.e., it shall mean and include any Personal Data (as defined below) that a Creator collects from their Authorized User(s) through the Creator’s Page (as defined in the Terms of Service including without limitation i) Authorized Users’ account information, such as name and email address; and (iii) any messages or communications between the Creator and their Authorized Users.
• “Content on Creator’s Page” shall have the meaning assigned to it under the Terms of Service and includes any information, materials, media, applications, data, services, subject-matter, including Personal Data, or solutions created and/or uploaded by a Creator on the Platform.
• “Controller” shall mean the Person, who alone or jointly with others, determines the purpose and means of Processing of Personal Data and shall include the meaning assigned to the term in the applicable Data Protection Laws.
• “Creator Data” shall have the meaning assigned to it under the Privacy Policy i.e., Content on Creator’s Page (as defined in the Terms of Service), and the Page User(s) Data (as defined below). Creator Data specifically excludes User Data (defined below).
• “Data Protection Laws” shall have the meaning assigned to it under the Privacy Policy i.e., it shall mean and include the Digital Personal Data Protection Act, 2023 (India), Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (India), the EU and UK Data Protection Laws (defined below) and / or the California Consumer Privacy Act (CCPA) or other equivalent / similar legislations, as may be amended, superseded,or replaced from time to time, and as applicable in the context of this DPA and other Platform Terms.
• “Data Subject Request” shall mean an actual or purported request, notice, or complaint from, or on behalf of, a Data Subject under Data Protection Laws, including, but not limited to,requests under Articles 16, 17 , or 18 of the GDPR, requests for data portability, objections to Processing, or requests not to be subject to automated decision-making.
• “Effective Date” means the date on which the Creator accepts the Terms of Service as stated therein.
• “Member(s) Data” (formerly End-User(s) Data) shall have the meaning assigned to it under the Privacy Policy i.e., it shall mean and include any Personal Data (as defined below) that a Creator collects from their Member(s) through the Creator’s Page (as defined in the Terms of Service), including without limitation (i) Members’ account information, such as name and email address; (ii) information about a Members’ purchases and other activities on the Creator’s Page, including course or session completion status, quiz results (if any) and certificates (if any and applicable); and (iii) any messages or communications between the Creator and their Members.
• “EU and UK Data Protection Laws” shall mean and include all data protection laws and regulations applicable to the EU, EEA, Switzerland, and the UK, including without limitation (i) GDPR; (ii) Privacy and Electronic Communications Directive 2002 (“e-Privacy Directive”); (iii) applicable national legislation implementing the GDPR and e-Privacy Directive; and (iv) with respect to the UK, UK General Data Protection Regulation (UKGDPR), tailored by the Data Protection Act 2018, as amended from time to time.
• “Page User(s) Data” shall mean and include Authorized Users Data and Member(s) Data.
• “Personal Data” shall have the meaning assigned to it under the Privacy Policy i.e., shall mean and include any information which identifies a user of the Platform, including first and last name, identification number, email address, age, gender, location, photograph and/or phone number, and any other information categorized as ‘personal data’ under the Data Protection Laws. For Creators, this also includes bank account details, tax information, and government-issued ID for KYC as collected by Playto.
• “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
• “Processor” shall mean the Person who processes Personal Data on behalf of the Controller.
• “Standard Contractual Clauses”/(“SCCs”) shall mean the Standard Contractual Clauses adopted by the European Commission Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as may be amended, supplemented or replaced from time to time. (Playto Note: This definition has been updated. The Exhibit MUST reflect these new SCCs).
• “Sensitive Personal Data” shall have the meaning assigned to it under the Privacy Policy i.e.,it shall mean and include (i) passwords and financial data (except the truncated last four digits of credit/debit card for platform payments, or full bank details collected for Creator payouts), (ii) health data, (iii) official identifier (such as biometric data, Aadhar number specifics beyond verification for KYC if applicable, social security number, driver’s licence, passport, etc., unless explicitly required for KYC and payout processes and handled with appropriate security), (iv) information about sexual life, sexual identifier, race, ethnicity, political or religious belief or affiliation (unless voluntarily provided in a public profile), (v) account details and passwords, or (vi) other data/information categorized as ‘sensitive personal data’ or ‘special categories of data’ under the applicable Data Protection Laws and in context of this DPA and other Platform Terms.
• “Sub-Processor” means any person appointed by Playto to process data in furtherance of Playto’s Processing of Creator Data and User Data.
• “User Data” shall have the meaning assigned to it under the Privacy Policy i.e., it shall mean and include any information, including Personal Data, that Playto directly collects from the Creator and processes in connection with the use of the Platform and the provision of the Services on the Platform. User Data specifically excludes Creator Data.

The terms, "Commission", "Data Subject", "Member State", "Processing" and "Supervisory Authority" shall have the same meaning as in the applicable Data Protection Laws, whether such terms are capitalized therein or not.