TOFFEE PAY PRIVACY POLICY

Last Updated: November 21, 2025

PURPOSE OF THIS POLICY

Toffee Pay (“Toffee Pay,” “we,” “our,” or “us”) is operated by different legal entities depending on your location:

  • EU/EEA Users: Galactica Games Limited is the data controller for personal data processed in connection with your use of the Services within the European Union.
  • UK Users: Galactica Games UK Ltd. is the data controller for personal data processed in connection with your use of the Services within the United Kingdom.
  • United States and Rest of World Users: Galactica Games Inc. (USA) is the data controller for personal data processed outside the EU/UK.

This Privacy Policy explains how each entity collects, uses, and safeguards your personal information in accordance with applicable laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and relevant U.S. state privacy laws.

LAWFUL BASES FOR PROCESSING (EU & UK GDPR)

Where the EU GDPR or UK GDPR applies, we process personal data on the following lawful bases:

  • Contract Performance (Art. 6(1)(b)) – To process orders, fulfill purchases, provide customer support, authenticate users, and deliver our Services.

  • Legal Obligations (Art. 6(1)(c)) – To comply with tax, accounting, anti-fraud, and anti-money laundering (AML/KYC) requirements.

  • Legitimate Interests (Art. 6(1)(f)) – To protect the security of our Services, detect and prevent fraud, conduct internal analytics, improve user experience, and ensure service reliability.

  • Consent (Art. 6(1)(a)) – For direct marketing, non-essential cookies, optional analytics, and any processing not strictly necessary for the performance of our Services.

INFORMATION WE COLLECT

Toffee Pay collects, processes, and uses personal information to provide the following services:

  • To fulfil contracts of sale to consumers who purchase products from our in-game commerce platform where Toffee Pay is deemed to be Seller/Merchant of Record.

  • To perform direct marketing to those consumers who have explicitly given their consent to such activity. Consent to receive marketing will be obtained through active opt-in from the consumer, their consent will be recorded, and consumers will have the ability to withdraw their consent easily and at any time.

  • For identity verification, fraud prevention, and compliance with anti-money laundering regulations.

Types of Personal Information

We collect the following types of personal information:

  • Contact Information: Name, email address, shipping address

  • Game Play Statistics: In-game achievements, levels completed, quests accomplished

  • Payment Information: Payment tokens and limited payment information. Note that full payment card details are processed and stored by our third-party payment gateway partners, not by Toffee Pay

  • Device Information: IP address, device type, operating system, browser type

  • Usage Data: How you interact with our Services, including browsing patterns and purchase history

Sources of Information

We collect personal information from the following sources:

  • Information you provide directly (account creation, purchases, customer support)
  • Automated collection through our Services (device data and basic usage analytics generated by your device or browser)
  • Third parties (payment processors, game developers, fraud prevention services)
  • Public sources (for fraud prevention and compliance verification)

Sensitive Personal Information

In certain circumstances, we may collect:

  • Financial information necessary for payment processing
  • Precise geolocation data (if location services enabled)
  • Biometric identifiers (if used for fraud prevention)

DATA PROTECTION PRINCIPLES

Toffee Pay shall perform our data protection responsibilities in accordance with the following principles:

  1. Lawfulness, fairness, and transparency: We shall obtain and process personal data lawfully, fairly, and in a transparent manner.

  2. Purpose limitation: We shall collect personal data for specific, explicit, and legitimate purposes, and not process it in a manner incompatible with those purposes.

  3. Data minimization: We shall only collect personal data that is adequate, relevant, and limited to what is necessary.

  4. Accuracy: We will ensure high levels of data accuracy, completeness, and keep data up-to-date, with a process to rectify inaccuracies when notified.

  5. Storage limitation: We will retain your personal data only for as long as necessary for the purposes for which it was collected, or until you request its deletion, subject to legal retention requirements.

  6. Integrity and confidentiality: We implement appropriate technical and organizational security measures to protect against unauthorized or unlawful processing and against accidental loss, destruction, or damage of personal data.

DISCLOSURE TO THIRD PARTIES

We may share your personal information with the following third parties:

  • Game Developers: We may share anonymized user data with game developers to improve the gaming experience and analyze offer effectiveness.

  • Brand Partners: We may share anonymized user data with fashion brands and other retail partners who provide products through our platform.

  • Service Providers: Payment processors, shipping companies, and customer service providers necessary to fulfil your orders and provide our services.

  • Legal Authorities: When required by law, court order, or governmental regulation.

  • Corporate Transactions: In connection with a corporate transaction, such as a merger, acquisition, or sale of assets.

We will not sell your personal information to third parties for their own marketing purposes without your explicit consent.

INTERNATIONAL USERS (EU AND UK DISCLOSURES)

If you are located in the European Economic Area (EEA) or the United Kingdom (UK), Toffee Pay acts as a data controller for the personal data described in this Privacy Policy.

Where we use third-party service providers, those providers act as data processors on our behalf and are bound by contractual terms consistent with Article 28 GDPR and the UK GDPR.

COOKIES AND TRACKING TECHNOLOGIES

Toffee Pay does not use cookies or similar tracking technologies on our Services.
We do not set analytics cookies, marketing cookies, or browser-based tracking tools of any kind.

Some technical information (such as IP address, device type, operating system, and basic usage data) may be collected automatically by your device or browser as part of normal internet communication, but we do not store or access information on your device for tracking or identification purposes.

If this ever changes, we will update this Privacy Policy and provide notice where required by applicable law.

DATA RETENTION

We retain personal data only for as long as necessary for the purposes described in this Privacy Policy or as required by law:

  • Transaction and Order Data: 7 years (tax, accounting, and regulatory requirements).
  • Account Information: Retained until you request deletion.
  • Marketing Preferences: Retained until you withdraw your consent.
  • Fraud Prevention and Security Logs: Up to 5 years, depending on risk.
  • Customer Support Communications: 3 years after our last interaction.

If we anonymize personal data, we may retain it indefinitely. Anonymized data is not considered personal data under applicable law and may be retained or used indefinitely.

DATA SECURITY

We have implemented appropriate technical and organizational security measures designed to protect your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure.

Toffee Pay uses Google Cloud Platform (GCP) for all of its infrastructure with appropriate redundancies and data protection measures. Our use of GCP's enterprise-grade security features includes encryption of data at rest and in transit, network security controls, and regular security assessments. We also implement additional security measures, including access controls, monitoring, and security testing.

However, please note that no method of transmission over the Internet or electronic storage is 100% secure, and we cannot guarantee absolute security.

DATA BREACHES

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, where feasible. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify you without undue delay.

YOUR PRIVACY RIGHTS

Depending on your location, you may have the following rights regarding your personal information:

  • Right to access: You can request information about the personal data we hold about you and how it is being processed.

  • Right to rectification: You can request correction of inaccurate or incomplete personal data.

  • Right to erasure: In certain circumstances, you can request deletion of your personal data.

  • Right to restrict processing: You can request restriction of processing of your personal data in certain situations.

  • Right to data portability: You can request a copy of your personal data in a structured, commonly used, and machine-readable format.

  • Right to object: You can object to the processing of your personal data in certain circumstances.

  • Right to withdraw consent: Where our processing is based on your consent, you can withdraw that consent at any time.

To exercise these rights, please contact us at support@toffeepay.com.

AUTOMATED DECISION-MAKING AND PROFILING

We use automated tools to support:

  • Fraud detection and prevention
  • AML checks
  • Security monitoring

These processes may evaluate device information, transaction patterns, and risk indicators.
Where legally required, you have the right to:

  • request human review,
  • express your point of view,
  • contest the automated decision.

We do not engage in automated decision-making that produces legal or similarly significant effects without human oversight.

CHILDREN'S PRIVACY

Our Services are not intended for users under the age of 13 without parental/guardian consent. Users between 13 and 18 years may use our Services with parental or guardian consent, as required by applicable law. We do not knowingly collect personal information from children under 13 without appropriate parental consent. If you believe we have collected personal information from a child under 13 without proper consent, please contact us at support@toffeepay.com.

INTERNATIONAL DATA TRANSFERS

For EU/EEA users, your personal data is controlled by Galactica Games Limited, and for UK users by Galactica Games UK Ltd. These entities may transfer personal data to Galactica Games Inc. (USA) or to other service providers located outside the EU/UK.

When personal data is transferred outside the EU or UK, we rely on:

  • EU Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Addendum (UK Addendum)
  • Supplementary technical and organisational measures, where necessary

These safeguards ensure that your personal data receives a level of protection equivalent to that required by the EU GDPR and UK GDPR.

CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. Any changes to this Privacy Policy will be posted on this page with an updated "Last Updated" date. We encourage you to review this Privacy Policy periodically for any changes.

DATA CONTROLLERS

Depending on where you use our Services, the relevant data controller is:

European Union / EEA:
Galactica Games Limited
Greyfriars, Waterford City, Waterford.
Email: support@toffeepay.com

United Kingdom:
Galactica Games UK Ltd.
128 City Road, London
Email: support@toffeepay.com

United States & Rest of World:
Galactica Games Inc.
447 Broadway, Fl 2 #1817, New York, NY 10013
Email: support@toffeepay.com

You may contact the appropriate entity for any privacy-related inquiries or to exercise your rights.

DATA PROTECTION OFFICER (DPO)

We have assessed our obligations under the EU GDPR and UK GDPR and determined that Toffee Pay is not required to appoint a Data Protection Officer.

ADDITIONAL RIGHTS FOR U.S. RESIDENTS (CCPA/CPRA & OTHER STATE LAWS)

Residents of California, Colorado, Connecticut, Utah, and Virginia may have additional rights, including:

  • Right to know the categories of personal information collected
  • Right to access specific pieces of personal information
  • Right to request correction or deletion
  • Right to opt out of the sale or sharing of personal information
  • Right to limit the use of sensitive personal information
  • Right to non-discrimination

To exercise these rights, please contact us at support@toffeepay.com.

CONTACT US

If you have any questions about this Privacy Policy or our privacy practices, please contact us at:

Email: support@toffeepay.com
Website: https://toffeepay.com

Galactica Games dba Toffee Pay

© Galactica Games Inc dba Toffee Pay

