ANDREW GOLF PRIVACY POLICY

Last Revised on December 1, 2025

This Privacy Policy for Lothian Road WRX, Inc. (“Company”, “we”, “us” “our”) describes how we collect, use and disclose information about users of the Company’s website (www.andrew.golf), the Andrew Golf app (“App”), services, tools and features (collectively, the “Services”).  For the purposes of this Privacy Policy, “you” and “your” means you as the user of the Services.  

Please read this Privacy Policy carefully.  By using, accessing, or downloading any of the Services, you agree to the collection, use, and disclosure of your information as described in this Privacy Policy.  If you do not agree to this Privacy Policy, you may not use, access, or download any of the Services.

Our Services use precise geolocation data to verify your eligibility for contests and to enable core App functionality. When you complete identity verification, the App may access your camera to capture images of your face and government-issued identification, which are processed securely by our third-party verification provider, Veriff OÜ, solely for age and identity verification, fraud prevention, and regulatory compliance. We do not store or retain facial images, biometric identifiers, or biometric templates, and we do not use biometric data for advertising, analytics, or AI model training. We also do not sell or “share” personal data for cross-context behavioral advertising.

1. UPDATING THIS PRIVACY POLICY

We may modify this Privacy Policy from time to time in which case we will update the “Last Revised” date at the top of this Privacy Policy. If we make material changes to the way in which we use information we collect, we will use reasonable efforts to notify you (such as by emailing you at the last email address you provided us, by posting notice of such changes on the Services, or by other means consistent with applicable law) and will take additional steps as required by applicable law.  If you do not agree to any updates to this Privacy Policy you may not access or continue to use the Services.

2. COMPANY’S COLLECTION AND USE OF INFORMATION

When you access or use the Services, we may collect certain categories of information about you from a variety of sources.

Some features of the Services may require you to directly enter certain information about yourself. You may elect not to provide this information, but doing so may prevent you from using or accessing these features. Information that you directly submit through our Services may include:

1. Account and Registration. Users may access our App only if they register an Account with us. The personal information we collect as part of the Account creation process includes your first and last name, email, username, password, information to confirm you are old enough to use the Services and use the App, payment information for any in-app purchases or storage of funds in your Andrew Wallet (for example, your name and email associated with your payment account). We may also ask you or allow you to submit certain optional information, which may include your updated usernames, preferences, and other profile information.

2. Prizes and Payments. We collect information to process prize winnings, administer payments, comply with the law (including requiring W9 tax forms when necessary), and maintain records of prices, which may include your email, full name, mailing address, Social Security or Taxpayer ID number, and other information necessary to complete a 1099-MISC tax reporting form, and other relevant tax documentation.

We do not store full credit card numbers or payment-card security codes; these are processed exclusively by our PCI-compliant payment processors.

3. ID Verification and Biometric Information. To comply with age-verification, identity-verification, fraud-prevention, and regulatory requirements, we partner with Veriff OÜ (“Veriff”) to perform identity checks. As part of this process, Veriff may capture images of your face and government-issued identification document in order to compare them and confirm your identity (“Biometric Information”).

1. No Retention by the Company. We do not store, retain, or process facial images, biometric identifiers, or biometric templates. All face data is transmitted directly and securely to Veriff for the sole purpose of identity verification.

2. Purpose of Processing. Face data is processed exclusively to:

• Verify your identity and age;
• Prevent fraud and ensure the integrity of contests;
• Comply with applicable legal, tax, and gaming-compliance requirements; and
• Assist in preventing duplicate, fraudulent, or prohibited accounts.

3. Retention Period for Face Data. Because we do not store facial data, the Company does not retain any face data. Veriff may retain biometric information only for the period necessary to complete the verification process and meet its legal, regulatory, and anti-fraud obligations. According to Veriff’s published policies, retention periods vary by jurisdiction but are not indefinite and are limited to what is required for fraud prevention, audit obligations, and compliance with applicable laws.

4. Sharing of Face Data. We share face data only with Veriff, and only for the verification process. We do not sell or otherwise disclose biometric information to advertisers, analytics services, or other third parties.

5. Third-Party Storage and Practices (Veriff). Veriff may store facial images and biometric identifiers only as required for its verification, fraud-prevention, regulatory-compliance, and audit obligations. Veriff’s current privacy practices—including storage duration, legal basis, retention limits, and security measures—are described at:

• https://www.veriff.com/privacy-notice
• https://www.veriff.com/fraud/learn/how-veriff-keeps-your-data-safe

We encourage you to review Veriff’s privacy notice for full details regarding how they store, secure, and ultimately delete biometric information after the expiration of their retention obligations.

We do not use biometric information to train internal or external AI or machine-learning models.

4. Feedback. We collect and maintain records of customer service and other communications with users including survey responses, questions or comments sent to us (including the nature of the request, name and contact information), resumes provided, or other similar activities. This information may be used to enhance the Services or the App, to market to you or others, and to allow us to make appropriate hiring decisions if submitted for that purpose.

5. Usage Data. We automatically collect information about your use of our Services and the App through cookies, local storage, analytics tools and other technologies, (“Tracking Technologies”) such as your device ID, location information, device name and model, operating system type, name and version, the length of time that you are using our Services and your activities within our Services (“Usage Data”). We may combine Usage Data with other information that we have collected about you. Please see the section “Analytics and Tracking” below for more information.

6. Geolocation Information. We collect and use precise geolocation data to provide and improve our Services. By using the App, you expressly consent to our collection and use of your precise location data. This information is crucial for features such as locating nearby golf courses, tracking your position during gameplay, and ensuring compliance with local regulations.

How we use location data:

• To enable core app functionality;
• To verify your eligibility for certain Contests;
• To comply with legal and regulatory requirements; and
• To prevent fraud and ensure fair play.

You can control location tracking through your device settings. However, disabling location services may limit your ability to use certain features of the App. You may withdraw your consent at any time by disabling location services for the App in your device settings or by contacting us at support@andrew.golf.

We may use the information we collect automatically to tailor features and content to you, to market to you, to provide you with offers or promotions, to run analytics and better understand user interaction with the Services.

We may obtain information about you from outside sources. Such information may include:

• Information from third parties that you choose to share with us, for example:

• When you choose to link any social media platforms to your account, such as Facebook or Twitter/X. This information is used to maintain your account and login information.

Any information we receive from outside sources will be treated in accordance with this Privacy Policy. We are not responsible or liable for the accuracy of the information provided to us by third parties and are not responsible for any third party’s policies or practices.

In addition to the foregoing, we may use any of the above information to comply with any applicable legal obligations, improve and develop the Services and our product offerings, including as we describe in our Terms of Service, to enforce any applicable terms of service, to protect or defend the Services, our rights, and the rights of our users or others, and for the purpose of combatting fraud, or to otherwise operate our business. This Privacy Policy is integrated into and is expressly a part of the Terms of Service, to be interpreted in conjunction with such Terms. Any capitalized term not defined herein, shall have the meaning ascribed to it in the Terms of Service.

3. SPORTS BETTING AND GAMING REGULATIONS

Our Services involve sports-related contests and may be subject to specific betting and gaming regulations. We are committed to compliance with all applicable laws and regulations in this area.

Regulatory Compliance:

• We adhere to all relevant state and federal laws governing sports betting and gaming activities.

• Our practices comply with regulations set by state, federal, and local authorities.

User Verification:

• We are required to verify the identity and age of our users to ensure compliance with legal gambling age restrictions.

• Additional verification may be required for certain transactions or prize claims.

Responsible Gaming:

• We promote responsible gaming practices and provide resources for users who may need assistance.

• Users have the option to set personal limits on their betting activities.

Geolocation:

• We use geolocation technology to ensure users are physically located in jurisdictions where our services are legal.

• Users must allow location services for the App to participate in certain activities.

Financial Transactions:

• All financial transactions related to betting or gaming are processed in compliance with applicable financial regulations.

• We maintain records of transactions as required by law.

Data Sharing:

• We may be required to share certain user data with regulatory bodies to comply with reporting requirements.

By using our Services, you acknowledge and consent to these practices. For more information on our compliance with sports betting and gaming regulations, please contact us at support@andrew.golf.

4. DATA RETENTION

We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements, to establish or defend legal claims, or for fraud prevention purposes. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Specific Retention Periods:

• Account information: Retained for the duration of your active account and for a period of 5 years after account closure.

• Competition and entry fee data: Kept for 5 years to comply with gaming regulations and tax requirements.

• Payment information: Stored for 7 years after the last transaction for financial auditing purposes.

• Usage data and analytics: Retained in an anonymized form for 3 years for service improvement and trend analysis.

You may request deletion of your personal data at any time. We will comply with such requests unless we have legitimate grounds to retain the data, such as for legal compliance or fraud prevention.

Retention of Biometric Information

We do not retain facial images or biometric identifiers collected during the identity-verification process. All such information is processed directly by Veriff for authentication and anti-fraud purposes and is not stored by the Company. Veriff maintains face data only for the limited time necessary to complete identity verification, satisfy fraud-prevention and regulatory obligations, and comply with applicable law. We do not control Veriff’s retention periods; however, Veriff does not store biometric information indefinitely and deletes it according to its internal retention policy and legal requirements.

5. HOW THE COMPANY SHARES YOUR INFORMATION

In certain circumstances, the Company may share your information with third parties for legitimate purposes subject to this Privacy Policy. Such circumstances may include:

• With vendors or other service providers, such as cloud storage providers, security vendors,
• With Veriff for identity verification – we share facial images and identity-verification data only with Veriff to confirm your identity, prevent fraud, and comply with legal requirements. We do not share biometric information with any other third parties.

• With our affiliates or otherwise within our corporate group;
• When you request that we share certain information with third parties, such as through your use of social media widgets, login integrations, or interactions with other users on the Platform;
• To comply with applicable law or any obligations thereunder, including cooperation with law enforcement, judicial orders, and regulatory inquiries;
• In connection with an asset sale, merger, bankruptcy, or other business transaction;
• To enforce our Terms of Service;
• To ensure the safety and security of the Company and/or its users;
• When you request us to share certain information with third parties, such as through your use of social media widgets or login integrations; or
•  With professional advisors, such as auditors, law firms, or accounting firms.

6. COOKIES AND OTHER TRACKING TECHNOLOGIES

Do Not Track Signals

Your browser settings may allow you to transmit a “Do Not Track” signal when you visit various websites. Like many websites, the Website is not designed to respond to “Do Not Track” signals received from browsers. To learn more about “Do Not Track” signals, you can visit http://www.allaboutdnt.com/.

Cookies and Other Tracking Technologies

Most browsers accept cookies automatically, but you may be able to control the way in which your devices permit the use of Tracking Technologies. If you so choose, you may block or delete our cookies from your browser; however, blocking or deleting cookies may cause some of the Services to work incorrectly or not function at all.

We use cookies and similar tracking technologies to collect information about your use of our Services. These technologies help us analyze usage patterns, personalize your experience, and improve our Services.

Types of Cookies:

• Essential Cookies: Necessary for website functionality
• Analytics Cookies: Help us understand user interaction
• Functional Cookies: Enable enhanced personalization
• Advertising Cookies: Deliver relevant advertisements

How We Use Cookies:

• Authenticate users and prevent fraud
• Remember preferences and settings
• Analyze Service performance and user interaction
• Serve personalized content and advertisements

Third-Party Cookies:
Some cookies may be placed by third parties. We do not control these third parties or their use of cookies.

Your Choices:
You can usually set your browser to remove or reject cookies. Note that this may affect the availability and functionality of our Services.

Other Tracking Technologies:
We may also use web beacons and similar technologies to collect information about your interactions with our emails and mobile applications.

7. THIRD PARTY WEBSITES AND LINKS

We may provide links to third-party websites or other online platforms operated by third parties. If you follow links to sites or interact with features (e.g., applications offered by third parties or social media widgets) not affiliated or controlled by us, you should review their privacy and security policies and other terms and conditions. We may provide links to websites or other online platforms operated by third parties. If you follow links to sites not affiliated or controlled by us, you should review their privacy and security policies and other terms and conditions.  We do not guarantee and are not responsible for the privacy or security of these sites, including the accuracy, completeness, or reliability of information found on these sites. Information you provide on public or semi-public venues, including information you share on third-party social networking platforms (such as Facebook or Twitter/X) may also be viewable by other users of the Services and/or users of those third-party online platforms without limitation as to its use by us or by a third party. Our inclusion of such links does not, by itself, imply any endorsement of the content on such platforms or of their owners or operators, except as disclosed on the Services. 

8. CHILDREN’S PRIVACY

Children under the age of 13 are not permitted to use the Services, and we do not seek or knowingly collect any personal information about children under 13 years of age. If we become aware that we have unknowingly collected information about a child under 13 years of age, we will make commercially reasonable efforts to delete such information from our database.

If you are the parent or guardian of a child under 13 years of age who has provided us with their personal information, you may contact us using the information below to request that it be deleted.

Age Verification and Parental Consent. Our Services are intended for users who are 18 years of age or older. We implement age verification measures during the account creation process to ensure compliance with this requirement. If you are between the ages of 13 and 17, you may only use our Services with the consent and supervision of a parent or legal guardian.

Age Verification Process:

• During registration, users must provide their date of birth;
• We use technical measures to verify the accuracy of the provided age; and
• Additional verification may be required for users near the age threshold.

Parental Consent for Minors:

• Users under 18 must provide verifiable parental consent before using our Services;
• Parents or guardians can provide consent by submitting a signed consent form or verifying via email; and
• We reserve the right to request additional proof of parental consent at any time

If we become aware that a user is under 13 or that a user between 13 and 17 is using our Services without parental consent, we will terminate the account and delete any associated personal information.

9. DATA SECURITY

Please be aware that, despite our reasonable efforts to protect your information, no security measures are perfect or impenetrable, and we cannot guarantee “perfect security.” Please further note that any information you send to us electronically, while using the Services or otherwise interacting with us, may not be secure while in transit. We recommend that you do not use unsecure channels to communicate sensitive or confidential information to us.

We implement reasonable and appropriate security measures to protect your personal information:

Technical Safeguards:

• Data encryption
• Firewalls and intrusion detection systems
• Regular security updates
• Multi-factor authentication

Organizational Safeguards:

• Employee training on data protection
• Access controls based on least privilege
• Regular security audits
• Incident response plans

Physical Safeguards:

• Secure data centers
• Surveillance systems
• Proper disposal of physical documents

While we strive to protect your information, no security measures are perfect. We cannot guarantee absolute security of data transmitted electronically.

Your Role:

• Use strong, unique passwords
• Don't share login credentials
• Be cautious on public devices
• Keep your devices updated

Breach Notification:
We will notify you and authorities of any data breaches as required by law. If you notice any suspicious activity, please contact us immediately at support@andrew.golf

10. Residents of Virginia, Colorado, Connecticut, and Utah may have additional rights regarding access, deletion, and restriction of personal data.

11. European and California Users.

1. If you are a citizen of the European Union (“EU”) or the state of California, you may have some or all of the following rights with respect to our processing of your personal data:

1. Updating Your Information. If you would like to update personal information that you have provided to us, you can do so by accessing your Account and editing your profile.

2. Marketing Communications. You can opt-out of receiving marketing communications from us by clicking “unsubscribe” in any marketing email communications we send you, or by sending an email to support@andrew.golf. If you opt out of receiving emails about recommendations or other information we think may interest you, we may still send you emails about any Services you have requested or received from us.

3. Additional Rights for the EEA and Certain Other Territories. If you reside in certain territories (such as the European Economic Area), you may have the right to exercise certain privacy rights available to you under applicable laws. We will process your request in accordance with the GDPR. We may need to retain certain information for record-keeping purposes, legal purposes, and/or to complete transactions that you began prior to requesting any deletion. You can contact our Data Privacy and Protection office by sending an email to support@andrew.golf.

4. Right Not to Provide Consent or to Withdraw Consent. We may seek to rely on your consent in order to process certain personal information and to render the Services. Where we do so, you have the right not to provide your consent or to withdraw your consent at any time. This does not affect any actions based on consent before its withdrawal.

5. Right of Access. You may have the right to access the personal information that we hold about you.

6. Right of Erasure. In certain circumstances, you may have the right to the erasure of personal information that we hold about you (for example if it is no longer necessary for the purposes for which it was originally collected).

7. Right to Object to Processing. You may have the right to request that we stop processing your personal information and/or to stop sending you marketing communications.

8. Right to Correct. You may have the right to require us to correct any inaccurate or incomplete personal information.

9. Right to Restrict Processing. You may have the right to request that we restrict processing of your personal information in certain circumstances (for example, where you believe that the personal information we hold about you is not accurate or lawfully held).

10. Exercise of Rights. If you would like to exercise any of the above rights, please contact support@andrerw.golf so that we may consider your request under applicable law. To protect your privacy and security, we may take steps to verify your identity before complying with the request. You also have the right to lodge a complaint to your local data protection authority at: https://edpb.europa.eu/about-edpb/board/members_en

12. YOUR CHOICES

We may send periodic informational emails to you. You may opt out of such communications by following the opt-out instructions contained in the email. If you opt out of receiving emails about recommendations or other information we think may interest you, we may still send you emails about any Services you have requested or received from us.

13. YOUR RIGHTS UNDER THE GDPR. In addition to the other disclosures in this Policy, we make the following express disclosures in accordance with the GDPR and hereby notify you of your rights:

For further information on each of those rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner's Office (ICO) on individual rights under the General Data Protection Regulation

14. TRANSFERRING PERSONAL INFORMATION OUT OF THE EEA. To deliver Services to you and to enable your participation in the Contests, it is sometimes necessary for us to share your personal information outside the European Economic Area (EEA), e.g.:

• With our offices outside the EEA;
• With your and our service providers located outside the EEA;
• If you are based outside the EEA; or
• Where the Contests and Services have an international or cross-border character.

These transfers are subject to special rules under European and UK data protection law.

In general, non-EEA countries may not have the same data protection laws as the United Kingdom and EEA. We will, however, ensure the transfer complies with data protection law and all personal information will be secure. Our standard practice is to use standard data protection contract clauses that have been approved by the European Commission. To obtain a copy of those clauses please contact us or our Data Protection Officer (see “How To Contact Us” below).

15. CALIFORNIA PRIVACY RIGHTS ADDENDUM

1. This CALIFORNIA PRIVACY NOTICE (“Notice”) supplements our Privacy Policy. We have adopted this Notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) but it applies to all of our users and players.

2. Information We Collect. We collect information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device (“personal information”). In particular, we collect:

3. We obtain the categories of personal information listed above from the following categories of sources:

1. Directly from our Users. For example, from when Users register for our services.

2. Directly and indirectly from activity on our websites and applications. This includes:

1. Usage and log information. For example, service-related, diagnostic and performance information. This includes information about your activity on our websites and applications, log files and reports.

2. Device and connection information. We collect device-specific information such as hardware model, operating system information, browser information, IP address, etc.

3. From third parties that interact with us in connection with the services we perform. We may work with third parties, for example, in order to understand, customize, support and market the services we provide and/or to comply with laws.

4. Use of Personal Information. We may use or disclose the personal information we collect for one or more of the following business purposes as disclosed in our Privacy Policy:

1. To provide and manage the services you request;

2. To improve customer service and our services;

3. To process payments;

4. To personalize user experience;

5. To contact you about our services;

6. To send important notices to you;

7. To comply with our legal and regulatory obligations; and/or

8. To offer alternative dispute resolution services .

5. We will not collect additional categories of personal information or use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

6. Sharing Personal Information. We may disclose your personal information to a third party for a business purpose. When we disclose personal information for a business purpose, we enter into a contract that describes the purpose and requires the recipient to both keep that personal information confidential and not use it for any purpose except for performing the contract. We disclose your personal information for a business purpose to the following categories of third parties:

1. Our affiliates;

2. Service providers; and/or

3. Third parties that interact with us in connection with the services we perform.

We do not sell your personal information, and never will.

7. Your Rights and Choices. The CCPA provides users who are California residents with specific rights regarding their personal information. You have the right to access the personal information we’ve collected about you during the past 12 months and information about our data practice. You also have the right to request that we delete the personal information we have collected from you.

8. Exercising Access and Deletion Rights. To exercise the access and deletion rights described above, please submit a verifiable consumer request to us by contacting us as set forth below. Only you or a person registered with the California Secretary of State that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. If you decide to use an authorized agent, please also include written permission that you have designated that agent to make this request, or proof of the agent’s power of attorney. We may follow up with you to verify your identity before processing your authorized agent’s request. You may also make a verifiable consumer request on behalf of your minor child. In order for your consumer request to be verifiable, you must provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative. You must provide: (1) full name, (2) date of birth, (3) address, (4) email address, (5) whether you are a California consumer pursuant to CCPA, (6) if you would like to know the specific pieces of personal information that we have collected about you, or to delete your personal information, (7) identification that clearly shows your name, date of birth and address (for example, passport or other photo identification), (8) describe your request with sufficient detail that allows us to properly understand, evaluate and respond to it.

9. We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you. Making a verifiable consumer request does not require you to create an account with us. We will only use personal information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.

10. Response Timing and Format. We endeavor to respond to a verifiable consumer request within 45 days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing. If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

11. We will not discriminate against you for exercising any of your CCPA rights.

12. This Notice may be updated from time to time to reflect changes in the way we work or the way our work is regulated. We will notify you of changes by posting changes here, or by other appropriate means.

16. HOW TO CONTACT US AND OUR DATA PROTECTION OFFICER

Should you have any questions about our privacy practices or this Privacy Policy, please email us at support@andrew.golf.