This privacy notice (the “Notice”) applies to the processing of personal data (hereinafter, “Personal Data”) of the users (hereinafter, the “User/s” or the “Data Subject/s”) carried out by next AI Ltd., Company number 12727655, with Registered office address at 11 Leadenhall Street, London, United Kingdom, EC3V 1LP, hereinafter, the “Data Controller” or the “Company”) through the application called “VPN + TOR Browser Private Web” (hereinafter, the “App”) in accordance with Regulation (EU) 2016/679 - General Data Protection Regulation or the “GDPR” and other applicable local laws, as amended or replaced (jointly, the “Applicable Privacy Laws”).

I. Data Controller’s contact details

The Data Controller is next AI Ltd., Company number 12727655, with Registered office address at 11 Leadenhall Street, London, United Kingdom, EC3V 1LP.

Email: info@nextAI.co.uk

II. Categories of the processed Personal Data, purposes and legal basis for the processing

The Company’s apps and services are not for children under the age of 16. The Company does not knowingly collect personal data from children. If you believe we have received personal data from children under the age of 16, please email us at info@nextAI.co.uk.

If the Data Subject is under the age of 16, the consent must be given by a parent or other holder of parental responsibility (the Data Controller shall make every reasonable effort to verify that consent is given or authorized by the holder of parental responsibility).

Should the Data Controller realize that some Users are aged below 16 and consents have not been given by parents (or holders of parental responsibility), it shall immediately delete the processed data and close the related account forthwith.

III. Data retention of User’s Personal Data

Personal Data may processed by both paper and electronic means.

The Data Controller adopts all technical and organizational measures for preventing the loss, improper use and alteration of Data Subjects’ Personal Data, and, in some cases, may adopt data encryption measures, too. Your Personal Data shall be stored at the Data Controller’s and at its IT services providers’ premises

User’s Personal Data processed will be kept for no more than two years from the termination of the agreement (i.e., after the cancellation of the App’s account) except for any legal obligation that sets a longer data retention period. At the end of this period, the processed data will be deleted or anonymized.

IV. Recipients of Personal Data

Personal Data may be disclosed to the following categories of recipients:

1. public, judicial or police authorities, within the limits established by applicable laws and regulations;

2. third parties carrying out activities that are related or instrumental to the Data Controller’s activities, as outsourced data processors duly appointed in writing by the Company in accordance to the Applicable Privacy Laws or acting as autonomous data controllers (such as, by way of example only, suppliers providing IT maintenance and development services, IT or filing services providers, suppliers of mobile marketing services, in case this Notice refers that marketing activities are performed).

The complete and updated list of such entities is available for consultation upon request at the Company’s headquarters or by sending an email to privacy@bendingspoons.com.

Users’ data will not be disclosed for any reason other than those stated above nor disseminated, unless such disclosure is deemed necessary for the fulfillment of legal obligations and/or regulations.

V. Transfer of Personal Data outside EEA

The Company may also transfer Personal Data of the Data Subjects to countries located outside the European Economic Area (EEA). In such cases, the Company will make sure that such transfer is based on appropriate safeguards listed in the GDPR, including (a) the standard contractual clauses developed by the European Commission; (b) the decisions of adequacy of the European Commission concerning the States in which the addressees are based; (c) binding corporate rules adopted by the Company and approved by the competent authorities or that are parties of agreements with the Company in this regard.

Copies of appropriate warranties are available for consultation upon request at the Company’s headquarters or by sending an email to info@nextAI.co.uk..

VI. Rights of the Data Subjects

The Users, at any time and free of charge, can have and/or exercise the following rights, as specified in the GDPR:

1. the right to be informed on the purposes and methods of the processing;

2. the right of access;

3. the right to obtain a copy of the data held overseas and obtain information concerning the place in which such data are kept;

4. the right to ask for updating, rectification or integration of the data;

5. the right to request the cancellation, anonymization or blocking of the data;

6. the right to restrict the processing;

7. the right to object to the processing, wholly or partly, also where it is carried out through automated individual decision-making, including profiling;

8. the right to withdraw the consent to the processing of the data freely and at any time – in such a case, the processing carried out before withdrawal of consent shall remain valid;

9. the right to data portability (i.e. to receive an electronic copy of User’s personal data, if the User would like to port his/her personal data to himself or a different provider);

10. the right to limitation of the processing.

Data Subjects also have the right to lodge a complaint before the competent national data protection or judicial authority.

For the exercise of their rights, Users may contact the Data Controller, in writing by sending a letter with proof of receipt to the Company’s headquarters, or by sending an email to info@nextAI.co.uk..

If a Data Subject is under the age of 18 in California, in certain circumstances, he/she may request and obtain removal of Personal Data or content shared by him/her and posted on the App. To make any request pursuant to California privacy law, please send an email toinfo@nextAI.co.uk..

Please be aware that such a request does not ensure complete or comprehensive removal of the content or information posted on the App by the User and that there may be circumstances in which the law does not require or allow removal even if requested.

VII. Automated decision-making

No entirely automated decision-making is carried out within the processing of the Users’ Personal Data (there included profiling under Article 22(1) and 22(4) of GDPR).

VIII. Third party websites and apps

The App may include links to other websites or apps operated by third parties. The practices described in this Notice do not apply to data gathered through these third party websites and apps. The Company has no control over, and is not responsible for, the actions and privacy policies of third parties and other websites and apps.

IX. Changes and updates of this Notice

The Company may modify, integrate and/or update, in whole or in part, this Notice, also in view of future changes that may involve the Applicable Privacy Laws. It is understood that any modification, integration or update will be communicated to the Data Subjects promptly and on time via email or at the time of the start of the App. In this regard, it could be required to the User to read the new version of the Notice and to accept it before continuing to use the App.

Date of last amendment: October 20, 2020

he EU General Data Protection Regulation (GDPR) requires that data controllers provide certain information to people whose information (personal data) they hold and use. A privacy notice is one way of providing this information. This is sometimes referred to as a fair processing notice.

A Privacy Notice should identify who the data controller is, with contact details for its Data Protection Officer. It should also explain the purposes for which personal data are collected and used, how the data are used and disclosed, how long it is kept, and the controller’s legal basis for processing.

NHS England and NHS Improvement are cooperating to establish a joint enterprise. We may collect and use personal data for the functions that we exercise jointly. Our joint privacy notice explains how we do this.

As the two organisations still have distinctive statutory responsibilities and accountabilities, NHS England and NHS Improvement will continue to publish separate privacy notices explaining how we use personal data for our respective purposes.

This privacy notice (the “Notice”) applies to the processing of personal data (hereinafter, “Personal Data”) of the users (hereinafter, the “User/s” or the “Data Subject/s”) carried out by next AI Ltd., Company number 12727655, with Registered office address at 11 Leadenhall Street, London, United Kingdom, EC3V 1LP, hereinafter, the “Data Controller” or the “Company”) through the application called “VPN + TOR Browser Private Web” (hereinafter, the “App”) in accordance with Regulation (EU) 2016/679 - General Data Protection Regulation or the “GDPR” and other applicable local laws, as amended or replaced (jointly, the “Applicable Privacy Laws”).

I. Data Controller’s contact details

The Data Controller is next AI Ltd., Company number 12727655, with Registered office address at 11 Leadenhall Street, London, United Kingdom, EC3V 1LP.

Email: info@nextAI.co.uk

II. Categories of the processed Personal Data, purposes and legal basis for the processing

The Company’s apps and services are not for children under the age of 16. The Company does not knowingly collect personal data from children. If you believe we have received personal data from children under the age of 16, please email us at info@nextAI.co.uk.

If the Data Subject is under the age of 16, the consent must be given by a parent or other holder of parental responsibility (the Data Controller shall make every reasonable effort to verify that consent is given or authorized by the holder of parental responsibility).

Should the Data Controller realize that some Users are aged below 16 and consents have not been given by parents (or holders of parental responsibility), it shall immediately delete the processed data and close the related account forthwith.

III. Data retention of User’s Personal Data

Personal Data may processed by both paper and electronic means.

The Data Controller adopts all technical and organizational measures for preventing the loss, improper use and alteration of Data Subjects’ Personal Data, and, in some cases, may adopt data encryption measures, too. Your Personal Data shall be stored at the Data Controller’s and at its IT services providers’ premises

User’s Personal Data processed will be kept for no more than two years from the termination of the agreement (i.e., after the cancellation of the App’s account) except for any legal obligation that sets a longer data retention period. At the end of this period, the processed data will be deleted or anonymized.

IV. Recipients of Personal Data

Personal Data may be disclosed to the following categories of recipients:

1. public, judicial or police authorities, within the limits established by applicable laws and regulations;

2. third parties carrying out activities that are related or instrumental to the Data Controller’s activities, as outsourced data processors duly appointed in writing by the Company in accordance to the Applicable Privacy Laws or acting as autonomous data controllers (such as, by way of example only, suppliers providing IT maintenance and development services, IT or filing services providers, suppliers of mobile marketing services, in case this Notice refers that marketing activities are performed).

The complete and updated list of such entities is available for consultation upon request at the Company’s headquarters or by sending an email to privacy@bendingspoons.com.

Users’ data will not be disclosed for any reason other than those stated above nor disseminated, unless such disclosure is deemed necessary for the fulfillment of legal obligations and/or regulations.

V. Transfer of Personal Data outside EEA

The Company may also transfer Personal Data of the Data Subjects to countries located outside the European Economic Area (EEA). In such cases, the Company will make sure that such transfer is based on appropriate safeguards listed in the GDPR, including (a) the standard contractual clauses developed by the European Commission; (b) the decisions of adequacy of the European Commission concerning the States in which the addressees are based; (c) binding corporate rules adopted by the Company and approved by the competent authorities or that are parties of agreements with the Company in this regard.

Copies of appropriate warranties are available for consultation upon request at the Company’s headquarters or by sending an email to info@nextAI.co.uk..

VI. Rights of the Data Subjects

The Users, at any time and free of charge, can have and/or exercise the following rights, as specified in the GDPR:

1. the right to be informed on the purposes and methods of the processing;

2. the right of access;

3. the right to obtain a copy of the data held overseas and obtain information concerning the place in which such data are kept;

4. the right to ask for updating, rectification or integration of the data;

5. the right to request the cancellation, anonymization or blocking of the data;

6. the right to restrict the processing;

7. the right to object to the processing, wholly or partly, also where it is carried out through automated individual decision-making, including profiling;

8. the right to withdraw the consent to the processing of the data freely and at any time – in such a case, the processing carried out before withdrawal of consent shall remain valid;

9. the right to data portability (i.e. to receive an electronic copy of User’s personal data, if the User would like to port his/her personal data to himself or a different provider);

10. the right to limitation of the processing.

Data Subjects also have the right to lodge a complaint before the competent national data protection or judicial authority.

For the exercise of their rights, Users may contact the Data Controller, in writing by sending a letter with proof of receipt to the Company’s headquarters, or by sending an email to info@nextAI.co.uk..

If a Data Subject is under the age of 18 in California, in certain circumstances, he/she may request and obtain removal of Personal Data or content shared by him/her and posted on the App. To make any request pursuant to California privacy law, please send an email toinfo@nextAI.co.uk..

Please be aware that such a request does not ensure complete or comprehensive removal of the content or information posted on the App by the User and that there may be circumstances in which the law does not require or allow removal even if requested.

VII. Automated decision-making

No entirely automated decision-making is carried out within the processing of the Users’ Personal Data (there included profiling under Article 22(1) and 22(4) of GDPR).

VIII. Third party websites and apps

The App may include links to other websites or apps operated by third parties. The practices described in this Notice do not apply to data gathered through these third party websites and apps. The Company has no control over, and is not responsible for, the actions and privacy policies of third parties and other websites and apps.

IX. Changes and updates of this Notice

The Company may modify, integrate and/or update, in whole or in part, this Notice, also in view of future changes that may involve the Applicable Privacy Laws. It is understood that any modification, integration or update will be communicated to the Data Subjects promptly and on time via email or at the time of the start of the App. In this regard, it could be required to the User to read the new version of the Notice and to accept it before continuing to use the App.

Date of last amendment: October 20, 2020