This Privacy Policy explains how KILOCALORII SRL ("we," "us," "our," or "the Company"), a Romanian limited liability company with registered office at Strada Sf. Andrei 16, Iași, 700028, Romania (Trade Registry J22/2529/2016, VAT ID RO36795846), collects, uses, shares, and protects your personal data when you visit our websites or purchase our digital product The Food Monetizer Toolkit ("the Product").

This Policy applies to: • thefoodmonetizer.com (sales and marketing site) • toolkit.thefoodmonetizer.com (checkout and product delivery via Circle.so) • s2s.thefoodmonetizer.com (server-side analytics subdomain operated via Datahash)

We comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA / CPRA), the UK GDPR, and applicable Romanian data protection law.

For the purposes of GDPR, the data controller is:

KILOCALORII SRL Strada Sf. Andrei 16, Iași, 700028, Romania Email: contact@thefoodmonetizer.com Trade Registry: J22/2529/2016 VAT ID: RO36795846

If you have any questions about this Policy or wish to exercise your privacy rights, contact us at the email address above.

We collect personal data in the following categories:

3.1 Data you provide directly • At checkout: name, email address, billing address, country, postal code • Payment information (card number, expiry, CVC) — processed directly by Stripe; we do not store full card details • Communications: any messages, support requests, or feedback you send us • Marketing preferences (e.g., newsletter sign-up)

3.2 Data collected automatically

When you visit our websites, we and our third-party service providers automatically collect: • Device and browser data: IP address, user agent, operating system, browser type, screen resolution, language preference • Usage data: pages viewed, time on page, click events, scroll depth, referring URL • Device identifiers: cookies, pixel identifiers, advertising identifiers • Approximate location (derived from IP address) • Marketing attribution data: UTM parameters, click IDs, referrer information

3.3 Data from third parties

• Payment confirmation data from Stripe (transaction status, last four digits of card, country) • Marketing performance data from Meta, TikTok, Google, and other ad platforms (aggregated; no individual user identification beyond what we initiated)

We do not knowingly collect data from children under 16 (or under 13 where applicable). If we learn that we have collected data from a minor, we will delete it.

We use cookies, pixels, and similar technologies for analytics, marketing, and conversion tracking.

4.1 Tracking technologies in use

Meta Pixel & Conversions API Conversion tracking, ad measurement, audience building Type: Marketing https://www.facebook.com/privacy/policy

TikTok Pixel TikTok PixelConversion tracking, ad measurement Type: Marketing https://www.tiktok.com/legal/privacy-policy

Google Analytics 4 Website usage analytics Type: Analytics https://policies.google.com/privacy

Stripe Payment processing, fraud prevention Type: Essential https://stripe.com/privacy

Circle.so Course delivery platform Type: Essential https://circle.so/privacy

Datahash CAPI Gateway Server-side conversion event delivery Type: Marketing https://datahash.com/privacy-policy

Onepage.io Website hosting Type: Essential https://onepage.io/privacy 4.2 Cookie categories

• Strictly necessary cookies: required for the website and checkout to function (cannot be opted out of) • Analytics cookies: help us understand site usage (Google Analytics 4) • Marketing cookies: used for advertising and conversion tracking (Meta, TikTok)

4.3 Cookie consent

If you are visiting from the European Union, the United Kingdom, or another jurisdiction requiring prior consent for non-essential cookies, you will be presented with a cookie consent banner on first visit. You may accept all, reject non-essential, or customize your preferences. You can change your preferences at any time by clicking "Cookie Settings" in the website footer.

We use your data for the following purposes: Purpose: Processing your order and providing access to the Product Legal basis (GDPR): Contract (Art. 6(1)(b) GDPR)

Purpose: Processing payments via Stripe Legal basis (GDPR): Contract (Art. 6(1)(b) GDPR)

Purpose: Sending order confirmations and access information Legal basis (GDPR): Contract (Art. 6(1)(b) GDPR)

Purpose: Customer support and dispute resolution Legal basis (GDPR): Contract; legitimate interest (Art. 6(1)(f))

Purpose: Compliance with tax, accounting, and legal obligations Legal basis (GDPR): Legal obligation (Art. 6(1)(c))

Purpose: Sending marketing emails (only with consent) Legal basis (GDPR): Consent (Art. 6(1)(a))

Purpose: Website analytics to improve our services Legal basis (GDPR): Legitimate interest (Art. 6(1)(f)) or consent where required

Purpose: Advertising and conversion tracking via Meta, TikTok, Google Legal basis (GDPR): Consent (Art. 6(1)(a))

Purpose: Fraud prevention and security Legal basis (GDPR): Legitimate interest (Art. 6(1)(f)) We do not sell your personal data to third parties.

We share data only with the following categories of recipients, and only as necessary:

6.1 Service providers (data processors acting on our behalf)

• Stripe, Inc. — payment processing • Circle.so — course platform and checkout hosting • Onepage.io — main website hosting • Datahash — server-side analytics infrastructure • Meta Platforms, Inc. — advertising platform (data sent via Pixel and Conversions API) • TikTok Pte. Ltd. — advertising platform (data sent via TikTok Pixel) • Google LLC — analytics platform (Google Analytics 4) • Email service provider (name to be added when finalized) — transactional and marketing emails

6.2 Legal compliance

We may disclose data when required by law, including: • Responding to valid legal requests from competent authorities (Romanian or EU authorities, courts) • Protecting our legal rights, property, or safety • Investigating fraud, security incidents, or violations of our Terms

6.3 Business transfers

If we sell or transfer the Company or its assets, your data may be transferred as part of that transaction. We will provide notice of any such transfer.

6.4 International transfers

Some of our service providers (Stripe, Meta, TikTok, Google, Circle, Datahash) are based outside the European Economic Area (primarily in the United States). When we transfer data internationally, we rely on legal mechanisms recognized under GDPR:

• Standard Contractual Clauses (SCCs) approved by the European Commission • Adequacy decisions where applicable (e.g., EU-US Data Privacy Framework for certified providers) • Your explicit consent in specific cases

You can request copies of the relevant transfer mechanisms by emailing contact@thefoodmonetizer.com.

We retain personal data only for as long as necessary for the purposes described in this Policy:

Data type: Customer account and Product access data Retention period: For as long as your account is active, plus up to 2 years after closure

Data type: Payment and transaction records Retention period: 10 years (Romanian tax and accounting law)

Data type: Marketing email subscriber data Retention period: Until you unsubscribe, plus a brief suppression period

Data type: Website analytics data Retention period: Up to 14 months (Google Analytics 4 default)

Data type: Marketing pixel data Retention period: Per the retention policies of Meta, TikTok, Google (typically 24 months)

Data type: Customer support communications Retention period: Up to 3 years after resolution After the applicable retention period, data is deleted or anonymized.

8.1 Rights under GDPR (EU/EEA, UK)

You have the right to:

• Access — request a copy of the personal data we hold about you • Rectification — correct inaccurate or incomplete data • Erasure ("right to be forgotten") — request deletion of your data, subject to legal retention obligations • Restriction of processing — request that we limit how we use your data • Data portability — receive your data in a structured, machine-readable format • Object to processing — object to processing based on legitimate interests, including direct marketing • Withdraw consent — at any time, where processing is based on consent • Lodge a complaint — with the Romanian data protection authority (ANSPDCP, https://www.dataprotection.ro) or the supervisory authority in your country of residence

8.2 Rights under CCPA/CPRA (California residents)

If you are a California resident, you have the right to:

• Know what personal information we collect, use, and share • Delete personal information we have collected (subject to exceptions) • Correct inaccurate personal information • Opt-out of the "sale" or "sharing" of personal information for cross-context behavioral advertising • Limit the use of sensitive personal information • Non-discrimination — we will not discriminate against you for exercising your rights

We do not sell personal information for monetary compensation. However, the use of marketing pixels (Meta, TikTok) may constitute "sharing" under CPRA. To opt out, click "Do Not Sell or Share My Personal Information" in the website footer or email contact@thefoodmonetizer.com.

8.3 How to exercise your rights

To exercise any rights described above, email contact@thefoodmonetizer.com with: • Your full name • The email address used for purchase (if applicable) • A clear description of the right you are exercising • Verification of your identity (we may request additional information)

We will respond within 30 days (or 45 days for complex requests, with notification of the extension).

There is no fee for exercising your rights, except in cases of manifestly unfounded or excessive requests.

We implement reasonable technical and organizational measures to protect personal data, including:

• HTTPS encryption on all pages • Secure payment processing via Stripe (PCI-DSS compliant) • Access controls and authentication for administrative systems • Regular software updates and security patches • Limited access to personal data on a need-to-know basis

However, no system is completely secure. We cannot guarantee the absolute security of data transmitted over the internet. In the event of a personal data breach affecting your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and you directly where required by law.

Our services are not directed to children under 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected data from a minor, contact us at contact@thefoodmonetizer.com and we will promptly delete it.

We do not engage in fully automated decision-making that produces legal effects concerning you or significantly affects you. Marketing personalization (e.g., showing you ads based on your behavior) does not fall within this definition under GDPR.

We may update this Policy from time to time to reflect changes in our practices, services, or legal obligations. Material changes will be communicated via email to active customers and posted on this page with an updated "Last updated" date.

We encourage you to review this Policy periodically.

For any privacy-related questions, requests, or concerns:

KILOCALORII SRL, Strada Sf. Andrei 16 Iași, 700028, Romania

Email: contact@thefoodmonetizer.com

You may also contact the Romanian data protection authority:

Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) B-dul G-ral. Gheorghe Magheru 28-30, Sector 1, 010336, București, Romania Website:

https://www.dataprotection.ro