BUFF PRIVACY POLICY ("PRIVACY POLICY")

IMPORTANT: BY USING BUFF TECHNOLOGIES’ (“COMPANY” OR “WE”) PROPRIETARY SOFTWARE SOLUTION (“SERVICES”) YOU (“YOU”) ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTAND THE TERMS AND CONDITIONS OF THIS PRIVACY POLICY AND AGREE THAT ALL PERSONAL DATA (DEFINED BELOW) THAT YOU SUBMIT OR THAT IS PROCESSED OR COLLECTED THROUGH OR IN CONNECTION WITH YOUR USE OF THE SERVICES WILL BE PROCESSED BY THE COMPANY AND ITS AFFILIATES IN THE MANNER AND FOR THE PURPOSES DESCRIBED IN THE FOLLOWING PRIVACY POLICY.

BUFF PRIVACY POLICY (“PRIVACY POLICY”)

YOU ARE NOT LEGALLY REQUIRED TO PROVIDE US WITH PERSONAL DATA, HOWEVER, USE OF THE SERVICES REQUIRES THAT YOU PROVIDE PERSONAL DATA. IF YOU CHOOSE TO WITHHOLD ANY PERSONAL DATA REQUIRED IN RESPECT THEREOF, IT WILL NOT BE POSSIBLE FOR YOU TO USE THE SERVICES. IF YOU DO NOT AGREE TO THE TERMS AND CONDITIONS SET FORTH HEREIN PLEASE DO NOT USE THE SERVICES. Children under the age of 16, may not access or use the Services unless they have obtained their parents’ or legal guardians’ consent, in accordance with the Buff Terms of Use located at Terms of Use. Without relieving you of your responsibility to comply with the Buff Terms of Use and the terms hereof we reserve the right (without obligation) to request additional documents so that we can verify that compliance in such respect. “Personal Data” means any information relating to an identified or identifiable natural person. We recognize that privacy is important. This Privacy Policy applies to all of the services, information, tools, features and functionality available on the Services offered by the Company or its subsidiaries or affiliated companies and covers how Personal Data that the Company collects and receives, including in respect of any use of the Services, is treated. If you have any questions about this Privacy Policy, please feel free to contact us at: [email protected].

For the purposes of the EU’s General Data Protection Regulations (GDPR), the UK General Data Protection Regulation (UK GDPR), Israel’s Protection of Privacy Law, California Consumer Privacy Act, as amended (the CCPA) and other US State privacy laws, and any other applicable data protection and privacy law (“Data Protection Law”), Buff is a data controller (or a ‘business’) of the data it processes in relation to its customers (i.e. users of the Services), vendors, service providers or partners.

1. Information We Collect and How We Use It.

Summary: We collect personal data about the users of the Services. We also collect personal data included in publicly available sources. We use Personal Data to provide and improve our Services, and to meet our contractual, ethical and legal obligations.

In order to provide and operate our Services and provide services in connection therewith, we collect and process Personal Data, including the following types of information, divided here based on the applicable lawful basis for the processing:

Processing which is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract (GDPR Article 6(1)(b)) OR Processing which is necessary for compliance with a legal obligation to which Company is subject (GDPR Article 6(1)(c)):

Your Information. When you register to use the Services or create an account we ask you to provide Personal Data, including email address, login details and certain additional information when you subscribe to our Services or become an affiliate. We use this information to administer the Services, carry out our obligations, verify and carry out financial transactions, contact you for technical and administrative needs related to the Services, reply to queries and troubleshooting, detect and prevent fraud, compliance and audit purposes, identity theft and more.

1(b) Processing which is necessary for the purposes of the legitimate interests pursued by Company or by a third party (GDPR Article 6(1)(f)) of providing efficient and effective Services to our customers, or displaying ads, including:

Usage Information. When you use the Services, we automatically receive and record information from your browser, including without limitation information and statistics about your online/offline status, your IP address, geolocation data (including country and city), browser identifiers, internet service provider, type of browser, your regional and language settings and software and hardware attributes. Our systems automatically record and store technical information regarding the method and nature of your use of the Services. An IP address is a numeric code that identifies your browser on a network, or in this case, the Internet. Your IP address is also used to gather broad demographic information. The Company uses all of the Personal Data identified in this Section in order to understand the usage trends and preferences of our users, including recent visits to our Services and how you move around different sections of our Services for analytics purposes and in order to make our Services more intuitive.
User Communications. When you send emails or other communications to the Company, we retain those communications in order to process your inquiries, respond to your requests and improve our Services. We will send you newsletters and promotional communications, you may opt-out of the list at any time by submitting a request at the following link.
Physical Prizes. When you take part in our community challenges you may be required to provide us with a valid shipping address to receive physical prizes.
Aggregate and Analytical Data. In an ongoing effort to better understand and serve the customers of the Services, we may conduct research on its customer demographics, interests and behavior based on the Personal Data and other information provided to us. This research may be compiled and analyzed on an aggregate basis, and we may share this aggregate data with our affiliates, agents, suppliers and business partners. This aggregate information does not identify you personally. We may also disclose aggregated user statistics in order to describe our services to current and prospective business partners, and to other third parties for other lawful purposes. We also use aggregate data for monetization.

2. Cookies.

Summary: We use cookies, pixels and similar technologies on our Services. You can disable cookies but then your online experience on our Services may be limited.

In order to collect the data described herein we use temporary cookies that remain on your browser for a limited period of time. We also use persistent cookies that remain on your browser/device until the Company’s Services are removed, in order to manage and maintain the Services and record your use of the Services. Cookies by themselves cannot be used to discover the identity of the user. A cookie is a small piece of information which is sent to and stored on your browser. Cookies do not damage your browser/device. Most browsers/devices allow you to block cookies but you may not be able to use some features on the Services if you block them. You may set most browsers/devices to notify you if you receive a cookie (this enables you to decide if you want to accept it or not). We also use web beacons via the Services to collect information. Web beacons or “gifs”, are electronic images that are used in our Services or in our emails. We use Web beacons to deliver cookies, count visits and to tell if an email has been opened and acted upon.

Personalized and Interest Based Ads. Our Services may in the future include interest based ads, which means advertisements we believe that may be valuable to you, based on the Personal Data provided to us. Such ads may be placed by us or our third party affiliates and service providers.

Links. Links to other services, sites and applications are provided by the Company as a convenience to our users. The Company is not responsible for the privacy practices or the content of other sites and applications and you visit them at your own risk. This Privacy Policy applies solely to Personal Data collected by us.

No Unauthorized Minor Data. If you have reason to believe that a child under the age of 16 has provided us with their Personal Data without their parents or legal guardians’ consent, please contact us at the address given above and we will endeavor to delete that Personal Data from our databases.

3. Information Sharing.

Summary: We transfer your Personal Data to third parties who assist us in providing the Services. We have a contract with those third parties to govern their processing on our behalf. We may also transfer Personal Data to comply with any obligations by which we are bound or to an investor or in connection with a merger or acquisition or similar transaction.

As part of providing the Services our affiliates, agents, representatives and service providers will have access to your Personal Data. We require these parties to process such information in compliance with this Privacy Policy and subject to security and other appropriate confidentiality safeguards. The Company will also share Personal Data in the following circumstances: (a) as required for providing the Services; (b) for maintenance and improvement of the Services; (c) if we become involved in a reorganization, merger, consolidation, acquisition, or any form of sale of some or all of our assets, with any type of entity, whether public, private, foreign or local; and/or (d) to satisfy applicable law or prevention of fraud or harm or to enforce applicable agreements and/or their terms, including investigation of potential violations thereof. We periodically add and remove third party providers. At present our third-party providers to whom we may transfer Personal Data include also the following:

Cloud computing providers, such as AWS;
Business partners. such as Overwolf, and advertisers;
Data security, data backup, and data access control systems;
Our lawyers, accountants, and other standard business software and partners.

4. Data Security.

We follow generally accepted industry standards to protect against unauthorized access to or unauthorized alteration, disclosure or destruction of Personal Data. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.

5. Data Retention.

Summary: We retain Personal Data only for as long as necessary to meet our contractual, legal and ethical obligations, which for different types of Personal Data will be different periods.

Company will retain Personal Data in accordance with its record retention policy. Personal Data associated with the users of the Services will be retained only for as long as required for the Services, or until requested to be deleted. Company performs periodic reviews of our databases, and have established specific time limits for data retention, based on the criticality of the Personal Data and the purposes of the data processing. We will also retain Personal Data to meet any audit, compliance and business best-practices.

Personal Data that is no longer retained will be anonymized or deleted. Non-personal, non-identifiable, metadata and statistical information concerning the use of our Services are retained by Company indefinitely. Some Personal Data may also be retained on our third-party service providers’ servers until deleted in accordance with their privacy policy and their retention policy.

6. Rights of Data Subjects (EEA, UK, IL, United States).

Summary: depending on the law that applies to your Personal Data, you may have various data subject rights, such as rights to access, erase, and correct Personal Data, and information rights. We will respect any lawful request to exercise those rights.

Data subjects, have rights under GDPR, Israeli law and other Data Protection Laws, including, in different circumstances, rights to: access data, rectify data, object to processing, and erase data. It is clarified for the removal of doubt, that data subject rights cannot be exercised in a manner inconsistent with the rights of Company’s employees, with our proprietary rights, and third party rights. As such, job references, reviews, internal notes and assessments, documents and notes including proprietary information or forms of intellectual property, cannot be accessed or erased or rectified. In addition, these rights may not be exercisable where they relate to data that is not in a structured form, for example emails, or where other exemptions apply. If processing occurs based on consent, data subjects have a right to withdraw their consent.

If, for any reason, a data subject wishes to exercise these rights and modify, delete or retrieve their Personal Data, they may be able to do so by contacting Company at [email protected].

Right to Lodge Complaint. Data subjects also have the right to lodge a complaint with a data protection supervisory authority regarding the processing of their Personal Data.

Note that we may have to undertake a process to identify a Data Subject exercising their rights, and we will keep details of such rights exercised for our compliance and audit requirements. Personal Data may be either deleted or retained in an aggregated manner without being linked to any identifiers or Personal Data, depending on technical commercial capability. Such information may continue to be used by Company.

Categories of Personal Information Shared for Cross-Context Behavioral Advertising: The Personal Data that we’ve shared with our advertising partners for cross-context behavioral advertising in the past 12 months fall into the following categories under the CCPA: Identifiers such as name, unique personal identifier, online identifier, IP address, and email address, internet or other electronic network activity information, such information regarding your interaction with the Services, geolocation data, and inferences drawn on the information above, such as aggregated metrics.

Do Not Track Notices. You are also advised that Company does not respond to “Do Not Track” signals.

7. International transfer of personal data.

The server on which the Services are hosted and/or through which the Services are processed may be outside the country from which you access the Services and may be outside your country of residence. Some of the uses and disclosures mentioned in this Privacy Policy involve the transfer of your Personal Data to various countries around the world that may have different levels of privacy protection than your country and will be transferred outside of the European Economic Area. If there is a transfer of your Personal Data outside the EEA we will rely on appropriate safeguards such as entering into appropriate approved standard contractual clauses. By submitting your Personal Data through the Services, you acknowledge, and agree that we will collect, use, transfer, and disclose your Personal Data as described in this Privacy Policy.

8. Enforcement.

The Company regularly reviews its compliance with this Privacy Policy. Please feel free to direct any questions or concerns regarding this Privacy Policy or our treatment of Personal Data by contacting us as provided above. When we receive formal written complaints, it is the Company’s policy to contact the complaining user regarding his or her concerns. We will cooperate with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of Personal Data that cannot be resolved between the Company and an individual.

9. Changes to This Privacy Policy.

The Company may update this Privacy Policy from time to time. The most current version of this Privacy Policy will be available at: https://buff.game/buff-privacy-policy. Changes to this Privacy Policy are effective as of the stated “Last Date Updated” date and your continued use of our services will constitute your active acceptance of the changes to and terms of the Privacy Policy.

10. Contact Us.

If you have any questions about this Privacy Policy or concerns about the way we process your Personal Data, please contact us at [email protected]. We have appointed a Data Protection Officer, available at [email protected]. Our EU representative under Article 27 of the GDPR is MyEDPO Ltd.

Last Date Updated: September 14, 2025.

Cookie	Duration	Description
AWSALBCORS	7 days	This cookie is managed by Amazon Web Services and is used for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
elementor	never	This cookie is used by the website's WordPress theme. It allows the website owner to implement or change the website's content in real-time.
trustedsite_visit	1 day	This cookie is set by the provider McAfee for website security. This cookie is used for storing the number of visits.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_gat_UA-114852827-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_uetsid	1 day	This cookies are used to collect analytical information about how visitors use the website. This information is used to compile report and improve site.
CONSENT	16 years 3 months 17 days 13 hours	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
anj	3 months	No description available.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
MUID	1 year 24 days	Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
uuid2	3 months	The uuid2 cookie is set by AppNexus and records information that helps in differentiating between devices and browsers. This information is used to pick out ads delivered by the platform and assess the ad performance and its attribute payment.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	These cookies are set via embedded youtube-videos.
yt.innertube::requests	never	These cookies are set via embedded youtube-videos.

Cookie	Duration	Description
_rdt_uuid	3 months	No description available.
_uetvid	1 year 24 days	No description available.
AWSALB	7 days	AWSALB is a cookie generated by the Application load balancer in the Amazon Web Services. It works slightly different from AWSELB.
buff-908	10 years	No description
outbrain_cid_fetch	5 minutes	No description available.
trustedsite_tm_float_seen	5 minutes	No description available.

BUFF PRIVACY POLICY ("PRIVACY POLICY")