Privacy Policy

PRIVACY POLICY

Welcome to Twinnin’s Privacy Policy (Policy).

We respect your privacy and are committed to protecting your personal data, including biometric data. This Policy will inform you as to how we look after your personal data when you visit and use our Platform (defined below) and tell you about your privacy rights and how the law protects you. References to “we”, “us”, or “our” in this Policy mean AI KAT LTD (Company Number 15040031), trading as Twinnin. Any other capitalised terms that are not defined herein are defined in our Terms of Use.

We ask that you read this Policy carefully.

This Policy is divided into the following sections:

Who we are, purpose of this privacy policy, and our processing role
Contact details:
Our collection and use of your personal data
How we use your personal data and our lawful basis
Transfers of your personal data out of the UK and EEA
Marketing
Your rights
Keeping your personal data secure
How to complain
Changes to this Policy

Who we are, purpose of this Policy and our processing role:

AI KAT LTD operates Twinnin, a digital twin licensing and likeness protection platform comprising a website and mobile application (hereafter, the Platform) where talent can create AI-generated digital twins from photographs and optional voice recordings, which can then be licensed to brands, production companies, advertising agencies and other commercial users (Buyers) for use in advertising, marketing, and other commercial projects. For more information see: About us

As such, we collect and use the personal data of two (2) categories of data subjects (Data Subjects):

Visitors to our Platform and those who enquire about the digital twin services offline; and
Users with accounts on the Platform being both Talent (individuals creating and licensing their digital twins, including Minors whose parent or legal guardian manages their account) and Buyers (brands, agencies, and production companies licensing digital twins.

We collect, use and are responsible for certain personal data about Data Subjects. When we do so we are regulated under the UK GDPR (consisting of the UK Data Protection Act 2018, as amended and updated in light of the UK’s departure from the European Union) and the EU GDPR (the General Data Protection Regulation (EU) 2016/79, as amended from time to time), as applicable based on your location in the United Kingdom or the European Union and we are responsible as ‘controller’ of that personal data for the purposes of those laws.

Throughout the Platform, we may link to other websites owned and operated by trusted third parties (including AI model providers, payment processors, blockchain provenance providers, and KYC verification services) to make additional products and services available to you. These other third party websites may also gather information about Data Subjects in accordance with their own separate privacy policies. For privacy information relating to these other third party websites, please consult their privacy policies as appropriate. We maintain data processing agreements with all third-party processors who handle your personal data on our behalf, which include appropriate technical and organisational security measures and contractual commitments to process data only in accordance with our instructions and applicable data protection laws.

Contact details:

If you have any questions about this Policy or our privacy or tracking practices, please contact us using the following details:

Full Name of Legal Entity: AI KAT LTD

Contact:www.twinnin.ai

Postal Address: First Floor Office, 3 Hornton Place, W8 4LZ, London, United Kingdom

You have the right to make a complaint at any time to your local supervisory authority. If you are based in the United Kingdom, then this will be the Information Commissioner’s Office (the ICO), who is the UK regulator for data protection issues. For more information, please visitwww.ico.org.uk.

If you are based in the European Union, please consult the following website to find out the details of your local supervisory authority,https://edpb.europa.eu/about-edpb/board/members_en.

We would, however, appreciate the chance to respond to your query and deal with your concerns before you approach a supervisory authority.

Our collection and use of Data Subjects’ personal data:

We collect personal data about Data Subjects when they access our Platform or make enquiries about our services offline, including when you create an account with us, contact us, send us feedback, post material to our Platform, when Talent submit Source Materials (photographs, voice recordings, video footage) for digital twin creation, when Buyers license digital twins, and when payments are processed through the Platform.

We collect this personal data from Data Subjects either directly, such as when you create an account with us, contact us, or license digital twins via our Platform, or indirectly, such as your browsing activity while on our website (see our Cookie Policy for more information on automatic collection).

The personal data we collect about Data Subjects depends on the particular activities carried out through our Platform.

If you create an account on the Platform as Talent or as a Buyer, we collect the following personal data:

your name, address and contact details such as email address and telephone number;
in respect of Talent, biometric data including photographs of your face and body, voice recordings, and video footage (Source Materials) used to create your AI-generated Digital Twin;
transaction data such as details of Subscription Fees paid by Talent and Licence Fees paid by Buyers, processed via our payment provider Stripe;
details of any feedback you give us by phone, email, post or via social media;
information about the Digital Twin licences granted, Usage Terms selected by Talent, pricing tiers, licence durations, and any restrictions or permissions you have specified;
your account details, such as username, login details;
Data Subjects’ IP address, login data, browser type and version, operating system and platform, and device data; and
usage data on how Data Subjects use our Platform, and services.

If Data Subjects merely visit the Platform to browse Talent profiles or learn about our services, but do not create an account or license any digital twins, we only collect the following personal data:

IP address, login data, browser type and version, operating system and platform, and device data;
usage data on how you use our Platform, and services; and
preferences in receiving marketing from us.

We use this personal data to:

create and manage your account with us;
verify your identity;
create AI-generated Digital Twins from your Source Materials and facilitate the licensing of Digital Twins from Talent to Buyers;
facilitate licensing transactions and process payments between Talent and Buyers;
customise our Platform and its content to your particular preferences, including recommending suitable Talent profiles to Buyers and suitable licensing opportunities to Talent;
notify you of any changes to our Platform, Terms of Use, or to our services that may affect you; and
improve our Platform Services, including the quality and accuracy of Digital Twin generation;

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from Data Subjects’ personal data but is not considered personal data in law as this data will not directly or indirectly reveal the identity of Data Subjects. For example, we may aggregate Data Subjects’ usage data to calculate the percentage of users accessing a specific Platform feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify Data Subjects, we treat the combined data as personal data which will be used in accordance with this Policy.

Enhanced protections for Minors' personal data

Minors constitute a subset of our Talent users. Where we process personal data relating to Minors (individuals under 18), we apply enhanced protections in accordance with Article 8 of the UK GDPR and the Children's Code (Age Appropriate Design Code).

Parental Consent: A Minor's biometric data will only be processed where we have obtained explicit, informed consent from a parent or legal guardian who holds parental responsibility. The parent/guardian must complete KYC verification to prove their identity and relationship to the Minor.

No Public Display Without Consent: A Minor's Digital Twin will not be publicly displayed on the Platform without separate, express written consent from the parent or legal guardian. Parents/guardians can choose to create a Digital Twin for protection purposes only (using our IP provenance technology) without making it available for licensing.

Restricted Licensing: Even where a Minor's Digital Twin is made available for licensing, we apply additional content restrictions and Usage Term limitations to ensure that the Minor's likeness is not used in any manner that could be harmful, exploitative, or inappropriate. Prohibited uses for Minors include, without limitation: alcohol, gambling, adult content, political campaigns, and any content that could bring the Minor into disrepute.

Right to Object at 18: When a Minor reaches 18 years of age, we will notify them (if we have their direct contact information) of their right to object to continued processing of their biometric data, to modify their Usage Terms, or to request erasure of their Digital Twin and Source Materials.

Enhanced Security: Minors' biometric data is subject to enhanced technical and organisational security measures, including additional encryption, access controls, and audit logging.

Parents and legal guardians retain full control over the Minor's account, including the ability to modify Usage Terms, suspend licensing, or request deletion at any time.

How we use Data Subjects’ personal data and our lawful basis for processing your personal data

We will only use Data Subjects’ personal data when the law allows us to. Most commonly, we will use Data Subjects’ personal data in the following circumstances:

If you are a Talent user or Buyer who has purchased services from us, we will process your personal data in order to perform the contract we are about to enter into or have entered into with you;
Where it is necessary for our legitimate interests and your interests and fundamental rights do not override those interests; or
Where we need to comply with a legal obligation.

When we process Data Subjects’ personal data, we are required to have a lawful basis for doing so. There are various different lawful bases on which we may rely, depending on what personal data we process and why.

Please see the below for more information on the lawful basis that we may rely on:

consent: where Data Subjects, or in the case of Minors, where the parent or legal guardian has given us clear consent for us to process personal data for a specific purpose.
contract: where our use of Data Subjects’ personal data is necessary for a contract we have with that Data Subject, or because the Data Subject has asked us to take specific steps before entering into a contract.
legal obligation: where our use of a Data Subject’s personal data is necessary for us to comply with the law (not including contractual obligations).
legitimate interests: where our use of a Data Subject’s personal data is necessary for our legitimate interests or the legitimate interests of a third party (unless there is a good reason to protect a Data Subject’s personal data which overrides our legitimate interests).

Further information—the personal data we collect, when and how we use it, and our lawful bases for processing biometric data

For further details on when we collect personal data, the type of data we collect as well as the lawful basis we rely on, please read the following table:

Purpose for processing your personal data	Type of data	Lawful basis for processing including basis of legitimate interest
To create an AI-generated Digital Twin from Source Materials provided by Talent	(a) Identity (b) Contact (c) Biometric data (photographs, voice recordings, video footage) - Special Category Data under Article 9 (d) AI model outputs and generated Digital Twin assets	Explicit consent under Article 9(2)(a) UK GDPR for processing of biometric data; and (b) Performance of a contract with you
To conduct KYC verification and age verification for Talent (or parent/legal guardian in the case of Minors)	(a) Identity (b) Contact (c) Identity verification documents and proof of parental responsibility (for guardians of Minors)	(a) Performance of a contract with you (b) Necessary for our legitimate interests
To facilitate licensing of Digital Twins from Talent to Buyers including: Displaying Talent profiles to Buyers; Communicating Usage Terms and licensing restrictions; Processing Subscription Fees and Licence Fee payments; and Maintaining audit trails and compliance records to establish, exercise or defend legal claims relating to licensing	(a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and Communications	(a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts due to us)
To manage our relationship with Data Subjects which will include: (a) Notifying you about changes to our Terms of Use or Privacy or Cookie Policy (b) Asking Data Subjects to leave a review or take a survey	(a) Identity (b) Contact (c) Profile (d) Marketing and Communications	(a) Performance of a contract with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)
To administer and protect our business and the Platform (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)	(a) Identity (b) Contact (c) Technical	(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) (b) Necessary to comply with a legal obligation
To deliver relevant Platform content and advertisements to Data Subjects and measure or understand the effectiveness of the advertising we serve to Data Subjects	(a) Identity (b) Contact (c) Profile (d) Usage (e) Marketing and Communications (f) Technical	Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy
To use data analytics to improve our Platform, products/services, marketing, customer relationships and experiences	(a) Technical (b) Usage	Necessary for our legitimate interests (to define types of customers for our products and services, to keep our Platform updated and relevant, to develop our business and to inform our marketing strategy)
To make suggestions and recommendations to Data Subjects about goods or services that may be of interest	(a) Identity (b) Contact (c) Technical (d) Usage (e) Profile (f) Marketing and Communications	Necessary for our legitimate interests (to develop our products/services and grow our business)

Purpose for processing your personal data

Type of data

Lawful basis for processing including basis of legitimate interest

To create an AI-generated Digital Twin from Source Materials provided by Talent

(a) Identity

(b) Contact

(d) AI model outputs and generated Digital Twin assets

Explicit consent under Article 9(2)(a) UK GDPR for processing of biometric data; and (b) Performance of a contract with you

To conduct KYC verification and age verification for Talent (or parent/legal guardian in the case of Minors)

(a) Identity

(b) Contact

(a) Performance of a contract with you

(b) Necessary for our legitimate interests

To facilitate licensing of Digital Twins from Talent to Buyers including:

Displaying Talent profiles to Buyers;

Communicating Usage Terms and licensing restrictions;

Processing Subscription Fees and Licence Fee payments; and

Maintaining audit trails and compliance records to establish, exercise or defend legal claims relating to licensing

(a) Identity

(b) Contact

(d) Transaction

(e) Marketing and Communications

(a) Performance of a contract with you

(b) Necessary for our legitimate interests (to recover debts due to us)

To manage our relationship with Data Subjects which will include:

(a) Notifying you about changes to our Terms of Use or Privacy or Cookie Policy

(b) Asking Data Subjects to leave a review or take a survey

(a) Identity

(b) Contact

(d) Marketing and Communications

(a) Performance of a contract with you

(b) Necessary to comply with a legal obligation

(c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)

To administer and protect our business and the Platform (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)

(a) Identity

(b) Contact

(a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)

(b) Necessary to comply with a legal obligation

To deliver relevant Platform content and advertisements to Data Subjects and measure or understand the effectiveness of the advertising we serve to Data Subjects

(a) Identity

(b) Contact

(d) Usage

(e) Marketing and Communications

(f) Technical

Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy

To use data analytics to improve our Platform, products/services, marketing, customer relationships and experiences

(a) Technical

(b) Usage

Necessary for our legitimate interests (to define types of customers for our products and services, to keep our Platform updated and relevant, to develop our business and to inform our marketing strategy)

To make suggestions and recommendations to Data Subjects about goods or services that may be of interest

(a) Identity

(b) Contact

(d) Usage

(e) Profile

(f) Marketing and Communications

Necessary for our legitimate interests (to develop our products/services and grow our business)

Who we share your personal data with

If you are a Talent or Buyer on the Platform, we share your personal data such as identity, contact and transactional data with our payment services provider Stripe. Talent must create a Stripe Connected Account to receive Licence Fee payouts. For more information about how Stripe processes your personal data please visit:https://stripe.com/gb/privacy-center/legal.

We use Google Cloud Platform Services and for secure cloud storage of Source Materials, Digital Twin assets, and platform data. All biometric data is encrypted in transit. For more information about how Google Cloud Processes your personal data please visit:https://cloud.google.com/privacy.

We use third-party AI model providers to generate Digital Twins from Source Materials. Your biometric data (photographs and voice recordings) may be processed by these providers solely for the purpose of creating your Digital Twin and not for training or fine-tuning AI models. We maintain processor agreements with all AI vendors that include strict data security, confidentiality, and purpose limitation provisions. For a list of current AI model providers, please contact us using the details at the beginning of this Policy.

For Minors, we implement additional restrictions on third-party processing of biometric data, including contractual prohibitions on retention beyond the period necessary for Digital Twin creation, enhanced encryption requirements, restrictions on cross-border transfers, immediate deletion of working files upon project completion, and prohibition on any secondary use.

Likeness protection and provenance tracking is powered by Fribbler IP, which timestamps and encrypts Talent Source Materials on the Polygon blockchain to provide proof of ownership and enable detection of unauthorised use. Blockchain records are immutable by design; while we can delete Source Materials from our active systems, cryptographic hashes and timestamps recorded on the blockchain cannot be erased. These blockchain records contain no directly identifying biometric data-only cryptographic proofs of content authenticity. For more information about how Fribbler IP processes your personal data please visit:https://fribbler-ip.com/privacy.

This data sharing enables us to: (a) create AI-generated Digital Twins from your Source Materials; (b) facilitate licensing transactions between Talent and Buyers; (c) process payments and payouts; (d) verify identity and age; and (e) protect Talent likeness through blockchain provenance technology.

We share Digital Twin assets, Talent identity information, and Usage Terms with Buyers who have obtained a valid licence in order to facilitate the licensed use of the Digital Twin in advertising, marketing, and other commercial projects. This sharing is conducted with the explicit consent of the Talent (or their parent/legal guardian in the case of Minors) and in accordance with the Talent's selected Usage Terms and licensing restrictions.

Talent consent is obtained separately and granularly for: (a) initial scanning and biometric data collection; (b) Digital Twin creation; and (c) specific licensed uses, including defined markets, channels, duration, and scope. This granular consent structure ensures Talent maintain control over how their digital replica is used and enables compliance with both GDPR requirements and industry best practices for digital replica permissions. For adult Talent (aged 18 or over), once a valid licence has been granted to a Buyer and the Buyer is using the Digital Twin in accordance with the agreed Usage Terms, the Talent cannot withdraw their consent for that specific licensed use during the licence term. This limitation on withdrawal is necessary to protect the legitimate interests of Buyers who have entered into binding commercial arrangements in reliance on the licence grant, and is justified under Article 6(1)(f) UK GDPR and EU GDPR as necessary for the performance of the contract between the Talent and the Buyer, and to enable the Platform to function as a viable commercial marketplace. Withdrawal of consent would render the contractual licence unenforceable and cause disproportionate harm to Buyers who have invested resources in creating content using the licensed Digital Twin. This limitation applies only to the specific licensed use covered by the existing licence agreement; Talent retain full control over granting or refusing consent for any new or different uses not covered by existing licences. For Minors (individuals under 18 years of age in the UK), parental or legal guardian consent is required in accordance with Article 8 UK GDPR and EU GDPR, with additional safeguards including enhanced verification of parental authority, age-appropriate privacy notices, and heightened protections against unauthorised use of Minor Digital Twins.

Some of these third party recipients may be based outside the United Kingdom and European Economic Area — for further information including on how we safeguard your personal data when this occurs, see ‘Transfer of your information out of the UK and EEA’ below.

We will share personal data with law enforcement or other authorities if required by applicable law.

Where we do share your data with third parties, we will always ensure that such third parties are bound by a contract setting out how they are authorised to process data on our behalf and which contains provisions regarding data security, confidentiality, purpose limitation, prohibition on model training using Talent data, data deletion capability, retention schedules, clear procedures for responding to data deletion requests, and geographic processing transparency, as required by applicable privacy laws.

Transfer of your personal data out of the UK and EEA

We may transfer your personal data to the following which are located outside the United Kingdom (UK) and European Economic Area (EEA):

United States of America (for processing and cloud infrastructure);

Where we transfer your personal data (including biometric data) outside of the UK and the EEA to AI model providers, cloud infrastructure providers, or other service providers, we will only do so for the purposes mentioned in this Policy and our Terms of Use, and subject to appropriate safeguards.

Countries outside of the UK and the EEA do not always have the same data protection laws as the UK and EEA. Therefore, when making such a transfer of data (particularly special category biometric data), we will always rely on a safeguard mechanism under the UK GDPR and/or the EU GDPR. We will only transfer your personal data to a country which the European Commission or the UK authorities have given a formal adequacy decision/regulation that confirms this third-country provides an adequate level of data protection similar to those which apply in the UK and EEA. If the third-country does not have an adequacy decision awarded to it, any transfer of your personal information will be subject to the European Commission’s Standard Contractual Clauses (the SCCs) which are designed to help safeguard your privacy rights and give you remedies in the unlikely event of a misuse of your personal data. For transfers of biometric data, we conduct Transfer Impact Assessments to ensure that the protections afforded by SCCs are effective in practice.

For transfers of Minor biometric data, we conduct enhanced Transfer Impact Assessments that specifically evaluate the adequacy of protections for children's data in the destination country, including assessment of local laws regarding children's privacy, data retention practices, and enforcement mechanisms. We apply additional contractual restrictions on international transfers of Minor data, including requirements for enhanced encryption, limited retention periods, prohibition on onward transfers without our prior written consent, and technical measures to enable data deletion upon request. Where possible, we minimise international transfers of Minor biometric data and prioritise processing within the UK and EEA.

Our processor agreements with international vendors include specific provisions requiring them to maintain clear records of where your data is processed and prohibit use of your biometric data for purposes beyond the specific project scope for which it was collected.

Transfers of personal data from the EEA to the UK shall be done on the basis of an adequacy decision awarded by the European Commission to the UK in June 2021.

If you would like further information about the specific countries to which your data is transferred, the safeguards in place, or copies of the Standard Contractual Clauses we have entered into with our processors, please contact us using the details provided at the start of this Policy. We will not otherwise transfer your personal data outside of the UK and the EEA or to any organisation (or subordinate bodies) governed by public international law or which is set up under any agreement between two or more countries.

Marketing

We would like to send you information about the Platform, new features, licensing opportunities for Talent, new Talent profiles for Buyers, and any special offers, which may be of interest to you. Where we have your consent or it is in our legitimate interests to do so, we may do this by post, email, telephone, text message (SMS) or automated call.

We will ask whether you would like us to send you marketing messages when you provide consent to such marketing, or where you have purchased products from us.

If you have previously agreed to being contacted in this way, you can unsubscribe at any time by:

—contacting us using the detail provided at the beginning of this Policy;

—using the ‘unsubscribe’ link in emails; or

—updating your marketing preferences on our Platform within your account.

Your rights

Under the UK GDPR and the EU GDPR, you have a number of important rights free of charge. For Minors, parents and legal guardians may exercise these rights on behalf of the child, and we provide age-appropriate mechanisms for Minors to understand and exercise their own rights where appropriate. In summary, those include rights to:

fair processing of information and transparency over how we use your use personal data
access to your personal data and to certain other supplementary information that this Policy is already designed to address
require us to correct any mistakes in your personal data which we hold
require the erasure of personal data concerning you in certain situations, subject to our legal obligations to retain certain records for compliance, legal claims, and audit purposes as described in our data retention schedule. For Minors, we apply enhanced erasure rights, including proactive deletion of Minor biometric data upon reaching the age of majority (unless the individual provides fresh consent as an adult) and expedited response times for Minor erasure requests. Parents and legal guardians may exercise erasure rights on behalf of Minors at any time
receive the personal data concerning you which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to a third party in certain situations
object at any time to processing of personal data concerning you for direct marketing
object to decisions being taken by automated means which produce legal effects concerning you or similarly significantly affect you
object in certain other situations to our continued processing of your personal data
otherwise restrict our processing of your personal data in certain circumstances

For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation at www.ico.org.uk.

If you would like to exercise any of those rights, please email or write to us using the details provided at the beginning of this Policy.

We will require information from you to allow us to identify you. We will endeavour to respond to all requests within 30 days of receipt.

Keeping your personal data secure

We have appropriate security measures in place to prevent personal data from being accidentally lost, or used or accessed in an unauthorised way. We limit access to your personal data to those who have a genuine business need to know it. Those processing your personal data will do so only in an authorised manner and are subject to a duty of confidentiality.

For Minor data, we implement enhanced security measures including: (a) segregated storage systems with additional access controls; (b) enhanced encryption for Minor biometric data both at rest and in transit; (c) mandatory training for all personnel with access to Minor data on child protection and GDPR Article 8 requirements; (d) heightened monitoring and audit procedures for Minor data access; and (e) immediate breach notification protocols for any suspected unauthorised access to Minor data. We maintain separate security documentation and incident response procedures specifically for Minor data subjects.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

We maintain a comprehensive data retention schedule that distinguishes between: (i) working files and temporary processing data (including extra takes, unused scan variants, and vendor caches) which are deleted according to defined timelines after project completion; and (ii) a Minimum Compliance Pack which is retained for legal and contractual purposes as described below. The Minimum Compliance Pack consists of: (a) signed consent documentation (including explicit consent for biometric data processing and any parental/guardian consents for Minors); (b) proof of licensing scope and term (including the specific Usage Terms agreed, licence duration, territories, and any restrictions); (c) payment records (invoices, transaction confirmations, and payout records necessary for tax and financial compliance); and (d) reference copies of delivered content (final versions of Digital Twin assets provided to Buyers under valid licences, retained solely for dispute resolution and verification purposes). The Minimum Compliance Pack is retained for the period necessary to comply with legal obligations (including tax, financial reporting, and contractual record-keeping requirements) and to establish, exercise, or defend legal claims (typically 6-7 years from the end of the relevant licence term, or longer where required by applicable limitation periods). Upon expiry of licensed usage terms, Talent may request deletion of their Source Materials and Digital Twin assets, subject to our retention of the Minimum Compliance Pack described above. For Talent who were minors at the time of data collection, we proactively notify them (or their parent/guardian if still under 18) within 30 days of licence expiry or upon reaching age of majority (whichever is later) to inform them of their right to request deletion and provide a simplified mechanism for exercising this right. Where Talent is a minor (under 18 years of age at the time of data collection), we apply enhanced data protection measures including: (a) shorter retention periods for working files unless extended retention is specifically justified and documented; (b) priority processing of erasure requests; (c) proactive review of retention necessity and notification upon the individual reaching age of majority; and (d) additional safeguards in our erasure runbook to ensure that data relating to minors is not retained longer than strictly necessary. We document all data retention and deletion decisions in accordance with Article 17(3) of the GDPR and maintain an erasure runbook that specifies what data is deleted, what is retained under legal exceptions, and the justification for such retention, with specific protocols for processing data of minors.

Changes to this Policy

This Policy was last updated on 21.03.2026.

We may change this Policy from time to time, when we do, we will update this Policy on the Platform and notify affected data subjects of material changes (with enhanced notification procedures for individuals who were minors at the time of original data collection, ensuring they or their parent/guardian if still under 18 receive direct notice of any changes affecting their rights or our processing of their data). It is your responsibility to ensure you are always up to date of the latest policy in force.