1. FOREWORD

1.1: This policy refers to the data processing that will be carried out on the website www.roarcosmetics.com and the App called ROAR ID.

1.2: IMPORTANT: In fact, the Owner has decided to use a single privacy policy for the two environments (web and App) that together make up the Service because they are connected, because the data collected by the two environments flows into a single database, because the two environments are two data collection and service delivery points that are part of one overall project.

1.3: This notice will attempt to explain who and how processes the data of the data subject (also referred to as the User), what his/her data are, and what his/her rights are and how he/she can exercise them. For particular clarifications, where the User does not understand or does not consider what is included in the policy sufficient, please write to the following address: legal@roarcosmetics.com

2. SOME IMPORTANT NOTIONS ABOUT PERSONAL DATA

What is meant by personal data? Personal data is any information that relates to an identifiable natural person. An email address is personal data. The text of a message, if it reveals information about a person, is personal data. A nickname is personal data, but a shopping list is also personal data also because it reveals, or could reveal, the tastes of the Customer, etc. The physical characteristics indicated by the User (in the Beauty Passport for example) and also the variation of them are certainly personal data, as are the feebabacks on products that express not only the liking by the Customer, but also its adherence to the Customer's style. So finally, the time of consumption of a product is also personal data.

What does it mean to process data? The legal definition of processing includes any operation or set of operations concerning the collection, recording, organization, storage, consultation, processing, modification, selection, extraction, comparison, use, interconnection, blocking, communication, dissemination, erasure and destruction of data. So basically everything that can be done with user data is processing. Already then collecting or reading data for example, that is, consulting them, is processing.

3. WHO PROCESSES THE DATA

Data controller:

ROAR Europe Limited - C102775

The Victoria Centre, Unit 2

Lower Ground Floor, Valletta Road

Mosta MST 9012

Malta

Mail: eu@roarcosmetics.com

Then, with regard to any ancillary functions, Roar Europe may make use of authorized internal data processors (also called data processors) or external entities mostly as data controllers, as autonomous data controllers or joint data controllers, as the case may be.

3/a. TO WHOM THE DATA ARE COMMUNICATED
(or WHO IS ALLOWED ACCESS TO THEM).

The data are disclosed to individuals within the Owner (the employees) who cooperate in the executive and administrative management of the service.

They may be further disclosed in fulfillment of disclosure requirements in the event of a request from a public authority (e.g., request from the court, tax assessments, assessments on record keeping, etc.).

In addition, the data are disclosed:

• To the newsletter service provider;
• To the hosting/cloud service;
• to third-party operators of cookies installed through the site (see the relevant policy);
• to social networks in case of installation of widgets or "like/share etc." function inserted in the website;
• to payment service providers (in this case the data is not communicated, but the user is conveyed directly to payment processing platforms, which is the responsibility of the third-party services);
• to couriers for delivery or pickup of goods;
• Provider of marketing automation applications;

It is important to know that Roar Europe can only manage and dominate data stored and processed within its own system: data transferred or disclosed to third parties will, in the manner and to the extent, be independently processed by the third parties to whom it is disclosed according to their own privacy policies. In any case, where Roar Europe ceases to process a user's personal data, it will also give notice of the cessation to the parties to whom such data has been disclosed, but cannot guarantee the cessation of processing by them.

4. WHERE THEY TRY.

Roar Europe processes Users' personal data at its headquarters and in cloud located in EU area.

5. WHAT DATA IS PROCESSED

Based on the significant quality of the data, one can identify:

• Contact information: email and phone;
• Identifying Information: first name, last name, date of birth, address, social security number, ID number;
• Picture: the photo that the User, if he/she wants, can upload to the profile.
• ID data: nickname;
• Content data: the content of the communication sent by the User through the appropriate form.
• Navigational: data related to navigation may be collected and assume importance, including data related to pages visited, time the user stays on the page, selection of products then not purchased, reading product info, watching videos, etc. These are all data that assume importance in both understanding the actual performance of the online service in terms of user experience and the actual desirability of individual products.
• Of purchase: indicate individual purchases, so product, cost, date, etc.
• Site usage data (for marketing automation);- "Aesthetic" data i.e. data expressing physical characteristics of the User, such as for example eye color, hair, the style of the same, etc. Aesthetic data as a whole feed the Beauty Passport.- Preference data: it is the information related to the inclusion of products in the favorites or whislist by the User (pre-purchase) or even in the cart;- Like or approval: it is the manifestation (with appropriate function) of appreciation of the product (also post-purchase);- Feedback: it is the expression (also motivated) of the opinion (negative or positive) about a specific product purchased on the Shop. The type of data depends on what is written by the User.- Profiling data: it is the data that, based on the processing of other data (such as aesthetic data, purchase and historical purchase and consumption data, feedback, preference data, etc.) place the User in categories (Clusters) and presume the User's liking of certain products. The profiling data are in continuous variation expecting that they continuously relocate, as the data that are used change (or in the case of adding some: for example, the actual purchase of a proposed product is a reinforcement that confirms or not the profiling and goes to modify it) or the parameters of the algorithm, the User in the Cluster considered most appropriate. Profiling data is then the output and consists of the User's inclusion in a Cluster and the list of Products matched to it. Profiling data are data obtained by the Owner by precisely processing the data conferred by the User or collected in the User's experience of using the Service.- Statistical data: this is data that indicates user trends. Statistical data are made and obtained by the Owner through analysis of the other categories of data, and express generalized outputs that cannot be traced back to the individual User.- NFC activation data: by means of a special function, matching a chip inside the package (NFC) to the App informs the Owner of the actual activation of the product. The Holder is sent an alphanumeric string that identifies the individual piece purchased, and only indirectly (with match with the purchase data of that product) the User. The activation data fixes the date of presumed start of use of the product;- Purchase and consumption history and profiling history: this is the sequence of purchases (type of product, consistency with the list of proposed products, etc.), consumption (how many products, how many of a given type, timing of purchase, NFC activation, purchase of new similar or different product) and profiling (also the sequence of individual profiling can express over time useful information to better calibrate, through new profiling precisely, the offer and clustering).

6. FOR WHAT PURPOSES THEY ARE PROCESSED, AND INDICATION OF THE LEGAL BASIS AND RETENTION PERIOD.

Roar Europe processes user data for the following purposes:

1. Response to requests sent by the user (information, exercise of rights, etc.): consists of the response to contacts made by the customer/user (via email or other form of contact).
   Legal basis: performance of the service requested by the user in the communication (such as the exercise of a right);
   Duration: ten years (obligation to retain business correspondence).
   Data processed: contact, identification and other depending on the content of the request (for example, the information contained in the text of the request may refer to persons, and as such are personal data).
   Obligatory natureof provision: the provision of data is necessary in order to be able to process the request made by the User.
   Collection environment and output: Website, App.
2. Social Sharing: The Service hosts features (widgets, buttons or similar) that allow the user to quickly share the web page or other event or link to Roar Europe's social page. It is the user's option to share such events or link to the Page, but just sharing (or - if the user is subscribed to social - just browsing) involves the transmission of data to social, and in particular browsing and subscribing to Roar Europe, as well as in some cases the device and IP address from which the subscription or sharing is made. This data is then managed by the social according to its own data protection logics and policies.
   Data processed: event (including browsing) shared, social account, IP or device of connection with which the social subscription or sharing is made,
   Legal basis: execution of the sharing performance and legitimate interest of the Owner in the promotion of the social page and the dissemination of the event possibly shared and - indirectly - the consequent promotion of its service. The legitimate interest is deemed to prevail over the interests and rights of the users for the following reasons:
   - The event is shared with positive and conscious action by the user;
   - The event is shared on social platforms of which the user is already a subscriber;
   - The user has the right to delete when he/she wants the post shared on the social (according to the settings of most of these platforms);
   Duration: instantaneous as far as Roar Europe is concerned. The duration of the processing carried out by the social depends on the relevant policies regarding the processing of personal data.Obligation to provide: the provision of data is not necessary and sharing occurs only at the User's initiative.
   Collection and output environment: Website.
3. Sending newsletters for Roar Europe's own and/or third party's informational or marketing purposes: The user's email address is used to send periodic emails with operational, promotional content (both from Roar Europe and from partner or third party companies: in any case, marketing content from third party companies will also be conveyed via emails sent by Roar Europe).
   Data used: contact, possibly personal preference or qualities where the emails are intended for a selected audience (by this is meant the case where the content of the email changes according to the categories of recipients, e.g. based on age).
   Legal basis: A) consent expressed during the sign-up phase or by entering the email address in the space provided.
   ATTENTION: consent can always be revoked by activating the appropriate function (usually at the bottom of the email received, such as Unsubscribe, Unsubscribe me or similar) or by writing to the owner. Since the revocation of consent, the data (email) will no longer be used to send communications, but will be retained in order to be able to give proof of the manifestation of consent and subsequent revocation.
   B) Legitimate interest of the Holder (cd. Soft spam) only for Users who have purchased goods or services on the Online Shop by providing their email address for this purpose and only for the promotion of goods or services similar to the one purchased and only of the Holder (emails that also contain announcements promoting goods, services or events of companies other than that of the Holder are therefore excluded from this legal basis and require consent).
   Duration: until unsubscribing from the newsletter service using the appropriate functionality (except when indiated in the previous paragraph).
   Frequency: no more than one email per day.
   Obligatory natureof provision: provision of data is not mandatory and is subject to consent.
   Collection environment: Website and App.
4. User's account activation and management.
   Legal basis: execution of User's account activation and management request (contract execution);
   Data processed: Contact data, Identifiers, of ID nickname, content, browsing, purchase, site usage or APp, "aesthetic", preference, Likes or approval, Feedback, profiling, statistical, NFC activation, purchase and consumption history and profiling history.
   Duration: until account deletion, subject to retention for the time of three months after account deletion in order to allow reactivation without loss of data where requested by the user (as well as - in the possible case of commission of crimes - to allow the exercise of the lawsuit). Data related to the business transaction and - after pseudonymization - other data for statistical purposes (see below) are further stored.
   Mandatory: not giving data prevents account activation. However, not all data are necessary for account activation. Where data are required this is apparent either from specific indications (with asterisks calling out the field as mandatory) or from operational blocks in the service (which does not allow proceeding in such a case if the mandatory data is not entered).
   Collection environment: website and App both allow access to the same account.
5. Distance Selling of Products (see Distance Selling Conditions): The site allows you to purchase goods at a distance. Data are processed by Roar Europe to finalize the sale of the Goods at a distance (thus process the request, payment, shipping, after-sales service);
   Legal basis: execution of contract;
   Data processed: identification (first name, last name, and date of birth, address), contact (email and phone), purchase history, complaints. Billing data if invoice required. Other data derived from the purchase experience are used for Profiling and Statistical purposes (see below).
   Duration: ten years from the conclusion of the purchase (unless longer account duration);
   Mandatory toprovide: not providing data does not allow the purchase of goods;
   Collection environment: website.
   Notes: data are collected through the Online Shop on the website, but flow together with data collected in the App into the dataset used for Profiling, Product Council, statistics.
6. Execution remote sale for non registered User: the site allows the remote sale of the Goods also for non registered users by redirecting on the payment provider (pay pal, stripe etc). In this case will still be processed the data necessary to receive the order, payment, ship the Goods, manage the after sale.
   Legal basis: execution of contract.
   Data processed: first name, last name, address, telephone, payment.
   Duration: ten years from the conclusion of the purchase;
   Obligation toprovide: not providing the data does not allow the purchase of the Goods;
   Collection environment: website.
   Notes: the data are collected through the Online Shop on the website, but they flow together with those collected in the App into the dataset used for Profiling, for the Product Council, for statistics.
7. Publication of feedback: comments and feedback may be published on the site by embedding reviews published by users on the google page or on services such as Trust Pilot or similar by Roar Europe.
   Data processed: name, nickname appearing in the review, content of the evaluation, image when possible;
   Legal basis: legitimate interest of the Owner in the publication of customer evaluations with a view to brand promotion.
   The legitimate interest must be deemed to prevail for the following reasons:
   - it was the user who published the comment, linking it to the Owner's page;
   - the user can also expect the comment to be published on the Owner's website;
   - it was the User who decided whether and what to write in the comment;
   - the User can always request the removal of the comment from Google or the third-party service on which it was published (e.g. Trust pilot etc.);
   Duration: as long as the comment remains on the third party platform (Goolge, TrutPilot etc; the User is encouraged to read the relevant privacy policy);
8. Member Database Creation: Roar Europe creates a database of Users. This database is used both as a backup register and as a database for performing statistical processing and Profiling activities (see below).
   Legal basis: legitimate interest of the owner in the preservation and effective processing of (deemed overriding over contrary interests as this is data already in the possession, albeit in no particular order, of the Owner);
   Duration: until request for deletion (see clause regarding exercise of rights) by sending email to the owner;Data processed:
   Data processed: Contact data, Identification, ID nickname, content, browsing, purchase, site or App usage, "aesthetic", preference, Likes or approval, Feedback, profiling, statistical, NFC activation, purchase and consumption history and profiling history.
   Mandatory: the provision of data in the DB is not mandatory. The user can object to it.
   Collection environment: website, App.
9. NFC activation and keeping record of activations and consumption: some products contain an NFC that, when paired with the App, identifies the initial activation deadline by sending the individual product's alphanumeric code to the Holder.
   Data processed: account, product type, activation data, product expiration, purchase and consumption history.
   Legal basis: legitimate interest of the Owner in the sale of a high-quality product since activation, which is assumed to coincide with the initial use of the product, allows effective monitoring and control of product expiration, as well as rendering as output information on actual consumption (in terms of the start and duration of actual product consumption). This legitimate interest is considered to prevail over the contrary interests of the Users since
   - activation is not mandatory, but left to the will of the Customer (although, where he wants to "read" the supply chain information contained in the NFC he will still have to match it);
   - the data collected is a data of limited importance for the interested party since it only indicates the initial presumed use of a good that the same has already purchased and is therefore matched to the same Customer.
   Duration: the single activation is collected and matched to the Customer and processed for consumption monitoring until the permanence of his account (the consumption history in fact can be used for both Profiling and Statistics).
   Mandatory: activation is not mandatory. Not activating NFC implies only the failure of the Holder to monitor the event and the inability to monitor the expiration of the product.
   Environment: the data is collected by matching the product with the App. It is then matched to the account and feeds the consumption history.
10. Expiration monitoring: In case of NFC activation and in any case usually based on the time of purchase, the Service performs an expiration monitoring of the product alerting the Customer when the good is expiring.
    Data processed: account, type of product, activation or purchase data, product expiration, purchase history and consumption.
    Legal basis: legitimate interest of the Owner in the sale of a high quality product as the monitoring allows to render a better service to customers. This legitimate interest is considered to prevail over the contrary interests of the Users as the data collected is a data of limited importance to the data subject since it only indicates the date of cessation of use of a good that the same person has already purchased and is therefore already matched to the same Customer anyway.
    Duration: monitoring is output of the consumption history. It does not imply collection of a new data but only output.
    Mandatory: as indicated for the activation of NFC it is not mandatory. Expiration monitoring instead inferred from the non-activated product is data provided by the Holder.
    Environment: the data is processed by the Database communue to App and Site and rendered to the Customer in his/her Account.
11. Aggregate statistics: the service processes statistics using data collected from the data subject and data collected by the system. For example, statistics are processed that match the actual purchase of goods, or even monitoring of them, age, characteristics (all or some) of the User, purchase and consumption history, etc. The statistics rendered refer to categories of users or characteristics of goods and cannot be traced back to the individual User.
    Data processed: Contact data, Identifiers, of ID nickname, content, browsing, purchase, site usage or APp, "aesthetic", preference, Likes or approval, Feedback, profiling, statistical, NFC activation, purchase and consumption history and profiling history.
    Legal basis: legitimate interest of the owner in the analysis of the market, customer and user categories, online service performance and desirability of products. This legitimate interest is deemed to prevail over the interests of users because:
    - statistics does not make outputs traceable to the individual user, but only to categories of users and goods;
    - statistics are processed after pseudonymization of the data and in a manner that makes it difficult to re-identify the data subject.
    Duration: the data subject's data, after precisely pseudonymization, are used for statistical processing indefinitely;
    Mandatory: the processing of the data for this purpose is not mandatory. The Customer/User has the right to object by writing to the owner.Environment: data are collected both through App and Website. Processing is then done in the backend by the owner on its own systems.
    NOTE: Statistical processing is the sole right of the owner. Any form of datamining by third parties is prohibited.
12. Single site usage analysis: Roar Europe uses programs to monitor individual user use of the site (browsing, access, purchases, etc.).
    Legal basis: legitimate interest of the Vendor in optimizing site usability, sales, and customization of offers.
    Data processed: identification, account, service use, contact, browsing.
    Duration: until account deletion.
13. Beauty Passport: the service allows the creation, for itself or for third parties, of the so-called Beauty Passport. This is a list of Beauty Data provided by the User and which constitutes the profile then also used for profiling and statistics. Based on the Beauty Passport (and other data) individual Products or Video Tutorials are then recommended to the Customer.
    Data processed: Contact data, Identification, of ID nickname, "aesthetic", preference, Likes or approval, profiling, statistical.
    Legal basis: performance of the requested service. In fact, the Beauty passport is realized and activated only at the User's initiative.
    Duration: the Beauty Passport remains as long as the account remains active. Changes in individual entries of the beauty data are also recorded. However, the User is allowed to delete the Beauty Passport.
    Mandatory: the Beauty Passport is not mandatory. It is also not mandatory to enter all the entries of the beauty data that make it up.
    Environment: the beauty data are collected both through the site and through the App. A single Beauty Passport is then generated.
14. Wishlist: the service allows the User the selection of products for inclusion in the wishlist (or Whislist or favorite products).
    Data processed: account, preference.
    Legal basis: performance of the requested service. The wishlist is activated only at the User's initiative.
    Duration: until permanence of products in the wishlist. The expressed preference data are also used for statistics and profiling.
    Mandatory: the wishlist is not mandatory. It is the User's free will to include products in the wishlist.
    Environment: website.
15. Product Recommendation or Video Tutorial: based on Profiling, the Service recommends purchasing products or watching video tutorials.
    Data processed: Contact data, site usage or APp, "aesthetic", preference, Likes or approval, profiling, statistical, purchase and consumption history and profiling history.
    Legal basis: performance of the requested advice service. In fact, the advice is requested by the User Customer only through activation of the Beauty Passport function.In any case, there is the legitimate interest of the Owner in the suggestion of suitable and suitable products to the customer in order to render a complete and better service. The legitimate interest is considered to prevail because:- the advice is a data not necessarily attributable to the user but a hypothesis formulated by the Owner about recommended products;- the advice is an output, not a data of the Customer;- the data expressing the advice is in any case a data of little relevance in itself considered, since it is added to information already provided to the customer about his general interest towards the cosmetics sector.
    Duration: the data is rendered and stored until modified (the history is also stored).Obligatoryity: the advice is not mandatory. Even if it is activated by default, it will be the Client's option to object with a request sent to the Owner.
    Environment: web and app.
    Note. It is then acquired, in order to assess the actual correctness of the advice, the data related to the actual purchase of the good or the actual viewing of the recommended tutorial. Such reinforcement (and confirmation) data may also feed into the datasets used for statistics or profiling.
16. Profiling: the service uses the User's data to place the User within categories (clusters) of users/customers and consequently identify the User's likely liking of certain products (which could be the subject of advice). Profiling acts by comparing the User's data with the tags that mark the products: the more data that are matched to the tags, the greater the degree of likelihood that the individual product will be liked by the customer. At a later stage, machine learning algorithms will also be used that will use not only Aesthetic data, but also other data such as purchase and consumption history, likes, etc.
    Data processed: Contact data, Identifiers, of ID nickname, content, browsing, purchase, site usage or APp, "aesthetic", preference, Likes or approval, Feedback, profiling, statistical, NFC activation, purchase and consumption history and profiling history.
    Legal basis: express consent of the data subject.
    Duration: until consent is revoked.
    Mandatory: profiling processing is not mandatory, but is activated only with the consent of the User Customer.
    Environment: data are collected both on the website and in the App. Profiling is then processed by the Service, which is then returned both in App (mainly to recommend videos and tutorials) and on the Website (to recommend Products).

Please note:

• A) In cases where the Legal Basis is consent, it can always be revoked. Withdrawal of consent results in the cessation, as of that time, of the processing of data for the purpose for which consent was given. In some cases, however, the data may be retained to provide evidence of consent and subsequent revocation of consent (which in the case of total deletion would not be possible).
• B) In cases where the legal basis is Legitimate Interest the User, if provided for in the individual item, will have the right to object to such processing by writing to the owner.

7. HOW THE DATA ARE CONFERRED

Data are conferred directly by the User by filling in the appropriate forms, flagging entries (for example, for aesthetic data), writing comments, etc. Some data are collected from the use of the Service. Finally, other data, such as profiling and statistical data, are obtained by the Data Controller by processing other data conferred by the User or detected during his/her browsing experience or use of the Service.

8. HOW THE SERVICE WILL COMMUNICATE WITH THE USER.

Roar Europe will communicate with You in the following ways:

• It may send emails, make phone calls, send messages or other communications (including push notifications): these will be operational communications for the execution of the service or otherwise in response to the communication sent by the User. These communications are essential for the regular management of the relationship with the User.

• May send Newsletters (or push notifications): frequency: daily; content: operational, promotional related to products or services of Roar Europe or third-party companies.

9. WHAT ARE THE RIGHTS OF USERS

Users are beneficiaries of a number of rights.

Information rights about:

• Categories of data are processed (see point #2 and #5);
• Data origin, i.e., knowing where the service got its data from (see item #7);
• Purposes of data processing, i.e., for what purposes the data are processed (see item #6);
• Contact details of the data controller and any data processors (see item no. 3);
• Subjects to whom data are disclosed (see item no. 3/a);
• Storage time and data processing (see item #6);
• Right to file a complaint before the Data Protection Authority;
• Existence or non-existence of profiling process;
• Legal basis for processing (see point #6);

Then there are rights that are not merely informational but operational. They are of various kinds. In summary:

• The data subject has the right to have a copy of the data he or she has provided. If the data have been processed by automated methods and on the basis of your consent or a contract, you may request - if technically possible - that the data be transmitted to the same data subject or even to a possible new data controller (portability), provided that this operation does not harm the rights (and data) of other persons. Therefore, this right in the present case cannot be exercised in relation to communications that contain data of third parties, trade secrets or otherwise protected content. In such a case, he can also request the deletion of the data (unless the law requires the Holder to retain it, as in the case of commercial communications).
• If the personal data are inaccurate or incomplete, the data subject may ask for them to be corrected or completed by providing indications to that effect. If the Data Controller needs to verify the accuracy of the data contested by the data subject, the data subject may in the meantime obtain the limitation of the contested data (limitation means that the data is only stored and no other processing is done with it except with the specific consent of the data subject or if it is needed to exercise or defend a right in court).
• If the personal data are no longer necessary for the purposes for which they were collected or otherwise processed, the data subject may request their deletion.
  If, however, the data are needed by the data subject to exercise a right of his or her own in a court of law, he or she may request their limitation (i.e., retention only).
• If the processing is unlawful because the data is processed in the absence of consent, legitimate interest on the part of the Data Controller, contract for the performance of which the processing itself is necessary, legal obligation to process by the Data Controller, the data subject may request deletion or restriction.
• In the case of profiling, the User has the right, by notice to be sent to the Controller by email, to request a review of the output by a person.

10. HOW HE CAN EXERCISE THEM

Procedure for exercising rights: User rights can be exercised by sending an email to legal@roarcosmetics.com

The Controller must respond within thirty days (which may be extended by another two months, but the Controller in this case must give reasoned notice of the delay to the user). The Holder may refuse, if it has reason, to act on the user's request (refusal to be communicated to the user within one month) only in the case of manifestly unfounded or repetitive requests. It must give a reasoned response in that case. In any case, the user may appeal to the Data Protection Authority or the Judge.

The Owner must respond using the same channel (email, telephone, etc.) used by the user for the request, unless the user himself requests a response by a different route. In the case of a request coming from an email address other than the one indicated in the account, the requester must prove that he/she is the interested party.

The Controller, where it has doubts about the identity of the person making the request or exercising any of the rights that are listed below, may request additional information to confirm the identity of the requester. In the case of a request coming from an email address other than the one indicated in the account, the requester will have to prove that he/she is the data subject.

Requests and responses are free of charge unless they are repetitive. In the latter case, the Holder may charge for the out-of-pocket costs it incurs in responding (so personnel costs, material costs, etc.).

In any case, the person concerned may contact the Data Protection Authority or the competent Jurisdictional Authority to exercise his or her rights.

11. WHAT ARE THE DUTIES AND BURDENS OF USERS

The User is obliged to report truthful data.

It is the User's responsibility to notify the Controller of any changes that have occurred to the personal data previously disclosed. Finally, it is the User's responsibility, where functionality permits, not to enter excessive data. For example, if the form requires you to enter non-mandatory data (usually marked with an asterisk), it is recommended that you enter it only if you deem it necessary. Similarly, if you write a message through the service, it is recommended that you avoid explicit references to identifiable persons unless necessary.

12. DATA BREACH SCENARIOS

In the event that one or more of the following events should occur with respect to Users' data: unauthorized access, misappropriation, loss, destruction, disclosure, modification (so-called Data breach) Roar Europe, without prejudice to the urgent technical measures to be put in place to block (as far as possible) the event and to reduce its damaging effects, undertakes to:

- restore the service efficiently as soon as possible by recovering the available data from the last useful backup made;

- to inform Users, either directly if circumstances permit or generically (by means of a notice on the home page of the website or by means of a communication sent to all Users, including those for whom there may have been no data events) of the type of event, the time in which it occurred, the measures taken (without going into detail in order not to facilitate any new attacks) to reduce the damage and to avoid new similar events, as well as the measures and expedients that the User should - on his part - put in place to reduce the likelihood of new events and limit the consequences of those that have already occurred.