Privacy Policy

Version 1.0 | Effective May 18, 2026

How Myner AG collects, uses, shares, and sells your personal information

Myner AG  •  Gartenstrasse 6, 6300 Zug, Switzerland  •  CHE-202.314.864

1. About This Policy

This Privacy Policy explains how Myner AG collects, uses, shares, and sells your personal information when you use the Myner Service.

Myner is a data intelligence company. We collect behavioral, purchase, and transactional data from enrolled Members and deliver structured consumer and market intelligence to commercial clients including brands, retailers, private equity and investment firms, market research organizations, and data analytics companies. Selling intelligence derived from your data is the core of our business and how we fund the rewards you receive from us.

This Privacy Policy applies to Members located in the United States. Where the law of your state imposes stricter requirements or grants you additional rights, those state-specific rules apply to you. We identify additional documents and state-specific rules in Section 9.

NOTICE: We may sell your sensitive personal data.

Required notice under Texas Business & Commerce Code §541.102(c) for Texas residents. Sale of sensitive personal data is subject to your separate explicit opt-in as described in Section 6.1 and to the state-specific restrictions in Section 9.4.

2. Who We Are

Myner AG (referred to in this Policy as “Myner,” “we,” “us,” or “our”) is a Swiss data intelligence company incorporated under the laws of Switzerland. We collect behavioral, purchase, and transactional data from Members and sell structured consumer and market intelligence to commercial clients. We are the data controller responsible for your personal information.

3. Information We Collect

3.1  Information You Provide Directly

Some information is required to create and maintain a Myner account. Other information is optional and you may choose whether to provide it.

Required at registration: your username, email address, date of birth, country and state of residence, and password. We cannot create an account without this information.

Optional, provided as you use the Service: profile and demographic data (household size, education, employment, income, interests, purchasing and consumption habits) collected through profile surveys; survey responses to research activities; communications you send to our support team; and reward and payment information (such as bank-payment details, gift card delivery details, or wallet addresses) provided when you redeem rewards. You can choose which optional data to provide and how much to participate.

3.2  Precise Geolocation Data

Continuous access to your device’s precise location is integral to every Data Activity. Location data is used to verify receipt authenticity, prevent fraud, and ensure data quality across the panel. Location data includes GPS coordinates, timestamps, and movement patterns collected while the app is in use or running in the background.

Account access without location services. You can create and maintain a Myner account without enabling continuous location services. However, because location verification is integral to every Data Activity, you cannot participate in any Data Activity, and cannot earn Myner Gold, without continuous location services enabled. An account that does not participate in any Data Activity is an Inactive Account; the operational effects of inactivity are described in Terms and Conditions §7.

Aggregated and derived location data (such as merchant visit patterns) may be sold to clients as described in Section 6.1. Precise GPS-level coordinates are sold only with your separate opt-in. State-specific restrictions on the sale and sharing of location data are described in Section 9.4.

3.3  Receipt Scan Data

Receipt scanning is a core part of the Myner Service. When you enroll, you consent to submitting photographs or digital images of purchase receipts. We extract and retain the following structured data from each receipt:

• Transaction details: merchant name and address, transaction date and time, individual line items (product name, quantity, unit price), subtotal, tax, tip, total amount, payment method type (cash, card, or digital, not card numbers), loyalty program identifiers, transaction numbers, location data, and promotion or coupon details.
• Merchant classification: merchant category code, retail sector, and geographic location derived from the merchant address.
• Inferred purchase attributes: product category, brand affinity signals, price sensitivity, and lifestyle inferences derivable from line-item content.

We retain receipt data and original receipt images as described in Section 8.

3.4  Bank and Financial Account Data

Where offered, financial transaction history can be connected for data-collection purposes in two ways. Both are optional, restricted to Members aged 18 and over, and require separate explicit consent provided at the time of connection. You can disconnect at any time. If a connection method is not available to you, the related processing described in this Section does not occur. The 18+ restriction in this Section applies to inbound transaction-data collection only; outbound bank-transfer payouts for reward redemption are a separate feature governed by the Terms and Conditions and are available to all eligible Members regardless of age.

Manual upload. You upload bank or credit card statements as PDFs or images. We extract transaction date, merchant name, transaction amount and currency, transaction type, running balance, and account-identifier metadata sufficient to distinguish accounts. We retain extracted transaction data and original uploaded documents on the criteria described in Section 8.

Open banking connection. Where you authorize a regulated third-party financial data intermediary to share your transaction data with us, we receive through that connection transaction history (merchant name, amount, date, merchant category code), account type, and available balance. We engage such an intermediary only where this method is offered; the intermediary's identity is disclosed on our sub-processor page at the time it is engaged.

Data minimization for sensitive credentials. We do not store your bank account number, routing number, or any payment credentials in Myner systems. Where ACH processing is used for a payout method, a payment processor holds tokenized credentials for that processing on our behalf; we do not store those credentials in Myner systems. For data cleanroom matching purposes, we receive only one-way salted hashes from the financial data intermediary; raw account numbers are never stored in Myner systems and are never disclosed to research clients. We do not collect bank or credit card numbers, PINs, passwords, or login credentials.

Purpose and consent. The bank connection is offered as part of our rewards-for-data-monetization service. Your consent at connection expressly authorizes us to (1) receive your transaction data, (2) extract and use it to generate behavioral profiles, and (3) sell those profiles as described in Section 6.1, in exchange for the rewards you earn.

Annual reauthorization and revocation. Authorization is renewed annually, consistent with the annual reauthorization cadence applied by regulated financial data intermediaries under applicable open banking frameworks. You may revoke authorization at any time through your Myner account settings or directly through the intermediary’s dashboard. Revocation immediately stops further data flow from your bank and stops further sale of newly-derived profiles. We cannot recall data already incorporated into research deliverables.

Use restrictions. We do not sell, and we do not authorize clients to use, bank-derived data as a primary input in any decision regulated under the Fair Credit Reporting Act, the Equal Credit Opportunity Act, the Fair Housing Act, or in individual insurance underwriting.

3.5  Information Collected Automatically

When you use the Service, we automatically collect:

• Device data: IP address, device type and identifiers (including the advertising identifier on iOS and Android), operating system, app version, and language settings.
• Usage data: screens viewed, features used, time spent, taps and clicks, and survey completion patterns.
• Session data: session duration, screen views, button taps, and in-app navigation.
• Analytics signals: app usage, feature engagement, crash reports, and user flows, collected via third-party software development kits identified at mynerapp.com/subprocessors.

The Myner mobile app does not use cookies. We use mobile-specific tracking technologies described in this Section. You can manage device-level tracking, advertising identifiers, and notifications through your iOS or Android device privacy settings; disabling these settings does not affect our location collection (see Section 3.2).

3.6  Identity Verification and Fraud Detection

When you register, automated systems verify your identity and assess account authenticity. Depending on the verification methods in operation at the time of your registration, these systems may use one or more of the following techniques: checking whether your email address or phone number is associated with accounts on major digital platforms (by analyzing response-time patterns only, without accessing those accounts); cross-referencing your email against known data breach databases; and analyzing behavioral signals during registration (typing patterns, navigation, device characteristics) to detect bots or coordinated fraud. We use only the techniques necessary for fraud prevention at the time, and not all techniques are necessarily in use at any given time.

The outputs of these systems may affect your ability to register or participate. Where an automated decision significantly affects you, you may request human review under Section 9.1.

3.7  Sensitive Personal Information

Under the California Consumer Privacy Act, certain categories of personal information are designated as “sensitive personal information” (SPI). The principal category we collect is precise geolocation, as described in Section 3.2. Continuous location collection is integral to participation in Data Activities and to the verification, fraud-prevention, and panel-data-quality measures that protect the integrity of the Service.

We may also collect SPI when you voluntarily provide it through optional profile fields or research questionnaires (for example, demographic characteristics such as racial or ethnic origin, religious beliefs, or sexual orientation; health-related responses; or financial information). We collect such information only when you voluntarily provide it for a specific purpose disclosed at the time of collection, and we use, retain, and disclose it in accordance with the consent you give and applicable law.

Asymmetric treatment. You may decline to provide voluntary SPI, request its deletion, or limit our use of it under Section 9.3. The right-to-limit applies to all categories of SPI other than precise geolocation. Precise geolocation cannot be limited while you participate in Data Activities, because continuous collection is integral to the Service. If you wish to limit our use of your location, you may stop participating in Data Activities at any time without penalty; your account remains active and your existing Vested Balance is unaffected. State-specific restrictions on sensitive personal information are described in Section 9.4. In some states, voluntary sensitive PI is collected only where strictly necessary to provide a requested service, and is not sold regardless of any opt-in.

4. How We Use Your Information

4.1  Purposes

We use your personal information for the purposes listed below. We also build demographic and behavioral profiles from your data to match you with research opportunities and to create the data products described in Section 6. You opt in to profiling when you join the Service.

4.2  Digital Twin Participation

Digital twins are synthetic AI models trained on your behavioral data. We train a digital twin for each enrolled Member and use it to deliver aggregate consumer intelligence to clients. The digital twin trains on your purchase history, transaction patterns, survey responses, and demographic profile.

Client query results derived from digital twins are delivered only in aggregate form from groups of Members matching specific criteria (for example, suburban parents earning $80,000 to $120,000). Clients do not receive individual digital twin outputs in any form that can be tied back to you, and cannot identify or contact you on the basis of any digital twin query result.

You may opt out of digital twin training and use at any time through the in-app privacy center or by emailing privacy@mynerapp.com. Opting out stops further training, deletes your individual digital twin, and has no effect on your account, rewards, or participation in any other Data Activity. Pooled or aggregated models continue indefinitely as they no longer contain your personal data. If you delete your account, your individual digital twin is deleted in accordance with applicable law, on the timing described in Section 8.

5. Automated Technologies and AI

The following automated systems operate within the Service. Where an automated decision significantly affects you, you may request human review under Section 9.1.

5.1  Survey Matching

An algorithm matches you with survey invitations based on your demographic profile, participation history, and research client requirements. Human research team members set eligibility criteria; the algorithm applies them automatically. You can update your profile at any time to affect your matching.

5.2  Fraud Detection and Identity Verification

Our fraud detection system evaluates registrations and ongoing participation using one or more of the following signal types, depending on which are in operation at the time:

• Digital identity verification: checks whether your email or phone number is associated with established accounts on major platforms by analyzing response-time patterns. Does not access or log in to those accounts.
• Data breach cross-reference: checks your email against known breach databases.
• Behavioral analysis: evaluates registration and participation behavior (typing speed, navigation patterns, form completion) for signals consistent with bots or automated activity.
• Device fingerprinting: analyzes device and browser characteristics to detect duplicate or coordinated account creation.

Where signals are ambiguous, flagged accounts are reviewed by our Trust and Safety team before final action is taken.

5.3  Receipt Processing and Data Extraction

Submitted receipt images are processed using optical character recognition (OCR) and AI and machine learning models to extract and classify the structured data fields listed in Section 3.3. Original images are retained on the schedule set out in Section 8 to support re-extraction and dispute resolution. OCR is not infallible; you can flag extraction errors through the app and we will correct them.

5.4  Transaction Categorization and Behavioral Profiling

We apply AI and machine learning models to transaction records from receipts and bank connections to: classify each transaction by merchant category and retail or industry sector; build spend pattern summaries (frequency, basket size, category mix); score brand affinities and retailer loyalty; assign lifestyle and consumer segment classifications; and infer demographic and psychographic attributes consistent with observed purchase behavior.

The resulting behavioral profile, linked to a pseudonymous panel identifier (not your name or contact details), may be sold to research clients as described in Section 6.1. You can request a summary of your profile at any time through account settings.

5.5  Response Quality Scoring

Survey responses are evaluated for quality using signals such as consistency, accuracy, completion time, and answer patterns. Low scores may result in responses being excluded from research deliverables (you may still earn rewards for completing the survey). Accounts flagged for repeated low-quality responses are reviewed by a human before any action is taken.

5.6  AI-Assisted Research Tools

We may use AI language models and machine learning tools to assist with research design, data derivation and analysis, and platform improvement. Where these tools process personal data they do so under data processing agreements limiting their use to our specified purposes. We do not use generative AI to make individual decisions about you. Third-party AI sub-processors are listed at mynerapp.com/subprocessors.

6. How We Share and Sell Your Information

We sell personal information of Members enrolled in our Data Activities. Your enrollment consent covers the sale of standard behavioral data described in this Section. Sale of sensitive personal information categories — including precise geolocation and sensitive PI inferences — requires a separate explicit opt-in described below. You can opt out of any of these at any time.

6.1  Data Products: What We Sell and to Whom

We sell personal information. We sell the personal information of Members enrolled in our receipt or bank data programs in the form of structured behavioral profiles to research clients. This is a sale under the California Consumer Privacy Act. You have the right to opt out at any time. See Section 9.

What we sell. Structured behavioral intelligence derived from your transaction and purchase records, including:

• Purchase category profiles (product types, frequency, price points).
• Brand and retailer affinity scores.
• Spend pattern summaries and basket analysis.
• Consumer segment and lifestyle classifications.
• Location visit patterns derived from merchant transaction geocoding (aggregate-level; precise location only with separate consent).
• Survey responses.

Form of sale. We sell behavioral intelligence in two forms. Aggregated and anonymized: statistical summaries in which no individual can be identified, which are not personal data. Individual-level behavioral profiles: linked to a pseudonymous panel identifier, not your name or contact details.

Who buys it. Brands, retailers, investment firms (for market and competitive diligence), data analytics companies, and commercial research clients. We do not sell, and we do not authorize clients to use, our data products as a primary input in any decision regulated under the Fair Credit Reporting Act, the Equal Credit Opportunity Act, the Fair Housing Act, or in individual insurance underwriting.

What we never sell. We never sell:

• Your name, email, phone number, or any direct contact information.
• Account numbers, card numbers, routing numbers, and credentials are tokenized at our payment processor; raw values are not stored in Myner systems.
• Raw bank statements or original receipt images.
• Government-issued ID numbers.

What we sell only with your separate, explicit opt-in. We sell the following only when you have given separate, explicit consent:

• Precise geolocation, subject to the state-specific restrictions in Section 9.4.
• Voluntarily provided sensitive personal information from surveys or optional profile fields, including responses revealing racial or ethnic origin, religious beliefs, political affiliation, sexual orientation, or health. Sale of this category requires your separate explicit opt-in, as required by the California Consumer Privacy Act §1798.121 and equivalent provisions in other state laws. The opt-in is presented either at the point of collection (where a specific survey or profile field discloses the sale purpose) or as a standalone opt-in in the privacy center. Where a specific survey discloses a narrower purpose at the point of collection, that narrower purpose controls for those responses. State-specific restrictions in Section 9.4 may further limit or prohibit sale of this data regardless of any opt-in you give.
• Sensitive personal information inferences. Behavioral inferences about your racial or ethnic origin, religious beliefs, political affiliation, sexual orientation, or health drawn from your transaction, purchase, survey, or profile data — for example, a wellness lifestyle classification or a religious-product affinity segment. These inferences are sold only with your separate explicit opt-in, subject to the state-specific restrictions in Section 9.4 that prohibit their sale regardless of any opt-in you have given.

6.2  Data Cleanrooms and Hashed Identifiers

To enable data cleanroom matching, we use one-way cryptographic hashes of your email address and phone number. For bank-connected Members, salted hashes of bank account and routing numbers are generated by our regulated financial data intermediary and provided to us already hashed; raw account numbers are never stored in Myner systems. These hashed values allow clients to match your behavioral data with their own customer records without exposing your actual contact information or account numbers to either party. Matching occurs in a secure environment operated by an independent third-party cleanroom provider. Cleanroom matching does not transfer your direct contact data to clients.

6.3  Survey and Research Activities

In addition to behavioral and transactional data programs, we conduct surveys, questionnaires, and other structured research activities. Outputs are delivered to clients as aggregated or anonymized datasets, or, where you have enrolled in our individual-level data programs, as pseudonymous behavioral profiles under the consent you gave at enrollment.

6.4  Service Providers

We share data with companies that help us operate the Service. They may only process your data on our instructions and may not use it for their own purposes. Categories include cloud hosting and infrastructure; AI and large language model services for receipt data extraction and analysis; survey platform technology; identity verification and fraud detection; receipt processing and OCR; financial data intermediary for open banking connections; payment processing and tokenized credential storage for reward redemptions; email and communications delivery; customer support and in-app chat; custodial cryptocurrency wallet services for reward redemptions; bot and abuse detection; crash and performance monitoring; and platform analytics. Analytics and monitoring providers do not receive your name or email address; they receive an internal account identifier and technical and usage data.

Our bot detection provider, Cloudflare, Inc., is a dual-role case. Cloudflare processes technical request signals (IP address, TLS fingerprint, User-Agent string, and sitekey) on our instructions to detect and block bot traffic on our web surfaces. Cloudflare also uses the same signals as an independent controller to improve its bot-detection product across its customer base. That independent-controller use is governed by Cloudflare's Turnstile Privacy Addendum on Cloudflare's website and is not directed by us. Cloudflare is located in the United States; the transfer is protected as identified for Cloudflare on the sub-processor page below.

Our current sub-processor list is published at mynerapp.com/subprocessors and is updated as providers change.

6.5  Other Disclosures

We may disclose your personal information outside the categories above only where strictly necessary, including: to comply with a valid legal obligation, court order, subpoena, or regulatory request; to protect the rights, safety, or property of Myner, our Members, or the public; in connection with a merger, acquisition, financing, reorganization, or sale of assets, where the recipient agrees to honor this Policy; and with your separate consent.

7. International Data Transfers

Myner AG is incorporated in Switzerland. When you use the Service, your personal information is transferred outside the United States and is processed and stored in Switzerland and the European Economic Area (EEA). Although you are a US resident, your personal information is handled primarily in Switzerland and the EEA, not in the United States.

This does not reduce your rights. The privacy law of your state of residence continues to apply to your personal information regardless of where it is processed, and the rights and restrictions described in Section 9 apply in full. While your personal information is held on our infrastructure in Switzerland and the EEA, it is also protected under Swiss and EEA data protection law. Switzerland and the EEA recognize each other's data protection regimes as adequate, so no additional transfer mechanism applies to the storage of your data on our EEA-hosted infrastructure.

Some of our sub-processors are located in the United States or in other countries. Where personal information is transferred to a sub-processor outside Switzerland and the EEA, we put in place an appropriate transfer safeguard before that transfer begins, either the sub-processor's certification under the Swiss-US Data Privacy Framework or Swiss-amended Standard Contractual Clauses. The specific safeguard relied on for each sub-processor is identified on our sub-processor page at mynerapp.com/subprocessors.

You can request information about the safeguards in place for any specific transfer by contacting us at privacy@mynerapp.com.

8. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this Policy and to comply with our legal obligations, resolve disputes, and enforce our agreements. We do not disclose specific retention periods because they vary by category, by Member, and over time, and the criteria-based approach better reflects how the data is actually used. The criteria we apply when determining retention are:

• The nature, sensitivity, and source of the data, and the purposes for which we process it.
• Applicable legal record-keeping requirements, including Swiss commercial record-keeping under Article 958f of the Swiss Code of Obligations and US federal and state tax record-keeping requirements.
• The existence of any pending or anticipated legal claims, regulatory proceedings, or fraud investigations.
• Your account status (active, closed, deleted) and whether you have submitted a deletion request.
• Operational considerations including data quality (such as the ability to re-extract receipt or transaction data when our extraction systems improve), dispute resolution, and audit trail.

When we no longer need your personal information, we delete it or render it anonymous so that it can no longer be associated with you. Deidentified, aggregated, or anonymous data may be retained indefinitely for analytics, model training, and product development, as it is no longer personal information. Where you opt out of an optional feature or close your account, we delete the relevant personal information in accordance with applicable law.

9. Your Privacy Rights

9.1 Privacy Rights Framework

The rights and protections in this Section apply to you based on your state of residence and the privacy law applicable to you. Section 9.2 lists state-specific documents that may apply to you in addition to this Policy. Section 9.3 sets out rights for California residents. Section 9.4 sets out state-specific data restrictions that apply in Maryland, Nevada, Connecticut, New York, and other states. Section 9.5 sets out the channels through which you may exercise any of these rights.

Where the law of your state imposes stricter requirements or grants you additional rights than those described in this Policy, those state-specific rules apply to you and prevail over this Policy to the extent of any conflict.

9.2 State-Specific Documents

Some states require us to publish additional documents or apply rules that go beyond this Privacy Policy. The table below identifies them. Each document or section governs in its specific scope; where a state-specific document or section applies, it controls over the general provisions of this Privacy Policy to the extent of any conflict.

9.3 California Residents: Rights Under State Privacy Laws

California residents have rights under the California Consumer Privacy Act and California Privacy Rights Act (together, the CCPA). Residents of Colorado, Connecticut, Texas, Virginia, and other states with comprehensive privacy laws have substantially equivalent rights and may exercise them through the same channels. In the event of any conflict with the rights set out elsewhere in this Section 9, this Section 9.3 prevails for California residents.

Categories of Personal Information We Collect

We collect the following categories of personal information: identifiers; personal information under Cal. Civ. Code Section 1798.80(e); commercial information including purchase records and transaction data from receipt scans and bank connections; internet and electronic network activity; geolocation data, including precise geolocation, which is sensitive personal information under the CCPA; financial data (transaction amounts, merchant names, category codes); and inferences drawn from the above.

How We Sell and Disclose Personal Information

We sell personal information as described in Section 6.1. The following table discloses what we sell, consistent with CCPA Section 1798.115.

Note on "Yes, with consent" entries above: "Yes, with consent" means the category is sold under your enrollment-stage consent to participate in Data Activities. Data is provided to clients identified only by a pseudonymous panel identifier; we do not provide your name, email, phone, or other direct contact information. Where a client participates in cleanroom matching as described in Section 6.2, the client may use one-way hashed identifiers to match the data we provide with customer records the client already maintains about you (for example, retailer loyalty data).

Right to Opt Out of Sale, Sharing, and Targeted Advertising

You have the right to opt out of the sale and sharing of your personal information, and of the use of your personal information for targeted advertising, at any time. The same mechanism — the Do Not Sell or Share My Personal Information link at mynerapp.com/do-not-sell or in the app footer — satisfies these rights under the California Consumer Privacy Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Texas Data Privacy and Security Act, the Virginia Consumer Data Protection Act, and equivalent laws in other states. We honor the Global Privacy Control (GPC) signal as an opt-out of sale, sharing, and targeted advertising.

Because every Myner Data Activity involves the collection and sale of personal information for which we pay rewards, opting out ends your participation in Data Activities and your ability to earn further rewards. Your existing Vested Balance is unaffected and may be redeemed under Terms and Conditions §7. You may keep your account open or close it at any time without penalty. The Financial Incentive Notice below explains the rationale for this structure under California Civil Code §1798.125.

Right to Limit Sensitive Personal Information

You may exercise the right to limit our use of any sensitive personal information you have voluntarily provided — including health, demographic, religious, sexual orientation, or other sensitive responses — to the purposes permitted under the CPRA. Use the Limit Sensitive PI link at mynerapp.com/limit-sensitive-pi or contact us under Section 9.5.

The right to limit does not apply to precise geolocation, because continuous location collection is integral to participation in Data Activities and to the verification and fraud-prevention measures that protect the integrity of the Service. If you wish to limit our use of your location, you may stop participating in Data Activities at any time without penalty; your account remains active and your existing Vested Balance is unaffected.

Right to Correct

You have the right to request correction of inaccurate personal information we maintain about you.

Right to Non-Discrimination

Exercising your privacy rights will not result in lower-quality service. Reward earnings depend on Data Activity participation, and Data Activity participation requires the data collection and sale described in this Policy. Members who opt out keep their existing Vested Balance, can redeem under Terms and Conditions §7, and may keep their account open without further activity or close it at any time without penalty.

Right to Appeal

If we deny your request, you may appeal to our privacy team at privacy@mynerapp.com and thereafter to the California Privacy Protection Agency at cppa.ca.gov.

Financial Incentive Notice (CCPA Section 1798.125)

The Myner Gold rewards program is a financial incentive in exchange for your personal information. By enrolling you consent to this arrangement.

Good-faith value of your data to Myner. We estimate the good-faith value to Myner of an active Member's annual data contribution at between US$50 and US$150. We calculate this estimate by dividing total data-product revenue attributable to Member contributions by the active panel size in the relevant period; individual contributions vary based on Data Activity participation, demographic profile, and Client demand. This is a good-faith estimate of panel-average value to Myner, not a guarantee of individual earnings or of the rewards you will receive.

Method of valuation. Reward rates per activity reflect data value, client demand, and activity complexity, and are set independently of the value disclosure above. Current per-activity reward rates are displayed in the app and may change as market conditions change. We update this estimate on any material change to our pricing methodology.

Right to withdraw. You may withdraw from any Data Activity at any time without penalty to your base account access. Because every Data Activity involves data collection and sale, withdrawing from Data Activities ends further data collection and further reward earning, but your existing Vested Balance and account access remain unaffected.

Shine the Light

California residents may request information about Myner's disclosures of personal information to third parties for those third parties' direct marketing purposes by contacting privacy@mynerapp.com. We will respond within 30 days as required by California Civil Code §1798.83.

California residents may designate an authorized agent to submit access, correction, or deletion requests on their behalf. Authorized agents must submit the request via privacy@mynerapp.com with a signed letter from the Member confirming permission. We may request additional information to verify identity and authority.

9.4 State-Specific Data Restrictions

The following state-specific rules apply in addition to the general practices described in this Policy. Where these rules conflict with anything else in this Policy, these rules control for residents of the relevant state.

Washington. If you reside in Washington, our collection, use, sharing, and sale of your consumer health data is governed by our separate Washington Consumer Health Data Privacy Policy, published at mynerapp.com/wa-chd-privacy and as required by the Washington My Health My Data Act. That policy describes the categories of consumer health data we collect, our purposes, our sharing practices, and your rights under the Act. We do not share your precise location data with external parties under any circumstances; we use it internally for receipt validation and fraud prevention only.

Maryland. If you reside in Maryland, the following applies in addition to the rights described in Section 9.3:

• We do not sell precise geolocation, consumer health data, or any sensitive personal data as defined under the Maryland Online Data Privacy Act, including data revealing racial or ethnic origin, religious beliefs, sex life, sexual orientation, status as transgender or nonbinary, national origin, citizenship or immigration status, or genetic or biometric data. These sale prohibitions apply regardless of any consent or opt-in you may have given.
• We do not sell or share, in identifiable form, any personal data of Maryland residents under the age of 18. Aggregate inclusion of Members aged 16 or 17 is permitted only with appropriate de-identification.
• We collect voluntarily provided sensitive personal data from you only where strictly necessary to provide a product or service you have requested.

Nevada. If you reside in Nevada, we do not share your precise geolocation with external parties and we do not include any behavioral segments coded to health conditions, diagnoses, or health service usage in data products sold or shared externally.

Connecticut. If you reside in Connecticut, we obtain your separate affirmative opt-in before collecting your sensitive personal data, including precise geolocation, racial or ethnic origin, religious beliefs, sexual orientation, citizenship or immigration status, or health-related data. Location data collected within 1,750 feet of any mental health, reproductive health, or sexual health facility is used internally only for receipt validation and fraud prevention; it is never used to build behavioral profiles and is never shared externally or monetized in any form.

New York. If you reside in New York, we do not use location data collected within 1,850 feet of any healthcare facility to build behavioral profiles or for external sharing.

Texas residents. NOTICE: We may sell your sensitive personal data. We sell sensitive personal data of Texas residents, as defined under the Texas Data Privacy and Security Act, only with your separate explicit opt-in as described in Section 6.1. You may withdraw your opt-in at any time through the Do Not Sell or Share My Personal Information link at mynerapp.com/do-not-sell, the in-app privacy center, or by contacting privacy@mynerapp.com.

Other states with applicable privacy laws. Residents of states with comprehensive privacy laws, including Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia, have rights to access, correct, delete, and obtain a portable copy of their personal data, and to opt out of the sale or processing of their data for targeted advertising or for profiling that produces legal or similarly significant effects. To exercise these rights, contact us through the channels in Section 9.5. We respond within the timeline required by the applicable state law. The Do Not Sell or Share My Personal Information link at mynerapp.com/do-not-sell or in the app footer satisfies the opt-out rights described above for all states whose laws recognize that mechanism.

9.5 How to Exercise Your Rights

You can exercise any of the rights described in this Section 9 through any of the following channels:

• The in-app privacy center
• Email to privacy@mynerapp.com
• Post to Myner AG, Gartenstrasse 6, 6300 Zug, Switzerland

We respond to verifiable requests within 45 calendar days of receiving a complete request. We may extend response time by up to 45 additional days for complex requests, and will notify you within the initial period if we do. Requests are free of charge. We will verify your identity before processing. Where applicable state law specifies a different response timeline, we comply with the applicable law.

Rights Available to All Members

In addition to the state-specific rights described above, you have the rights set out below to the extent provided under the privacy law applicable to you:

Appeal of Denied Requests

If we deny your request, you may appeal by replying to our response within 45 days. We will respond to the appeal within a reasonable time and will explain our reasoning. If we deny the appeal, you may complain to your applicable state Attorney General or, for California residents, to the California Privacy Protection Agency at cppa.ca.gov.

10. Mobile App Tracking

The Myner mobile app does not use cookies. The categories of device data, analytics signals, session data, and location data we collect through the app are described in Sections 3.2 and 3.5. Our current sub-processor list, including third-party SDKs integrated into the Myner mobile app and the categories of data each receives, is published at mynerapp.com/subprocessors and is updated as providers change. Each sub-processor operates under a data processing agreement requiring it to handle your data in accordance with this Policy.

Mobile privacy controls. You can manage device-level tracking through your iOS or Android privacy settings. On iOS: Settings > Privacy and Security > Tracking to disable ad tracking; Settings > Notifications > Myner to manage push notifications. On Android: Settings > Google > Ads to opt out of Ads Personalization; Settings > Apps > Myner > Notifications to manage push notifications. As described in Section 3.2, location services cannot be disabled if you wish to participate in any Data Activity.

11. Members Aged 16 to 17

The Service is open to persons aged 16 and over. This Section sets out provisions that apply to Members aged 16 or 17 (“Minor Members”). Minor Members have all the rights described in Section 9. For Maryland Members aged 16 or 17, we do not sell or share personal information in identifiable form regardless of any opt-in, as required by the Maryland Online Data Privacy Act. Aggregate inclusion is permitted only with appropriate de-identification.

11.1  Age Verification

We do not knowingly accept registrations from persons under 16. At registration we collect your date of birth to verify eligibility, and we reject applications that indicate an age under 16. If we later learn we have collected personal information from a person under 16, we will delete it and close the account.

11.2  Compliance with Minor Privacy Laws

Where required by applicable law, we obtain opt-in consent before selling or sharing a Minor Member’s personal information, before using it for targeted advertising, or before using it for profiling that produces legal or similarly significant effects. We comply with applicable laws governing the processing of minors’ personal information.

11.3  Age-Restricted Features

The bank data connection feature described in Section 3.4 and cryptocurrency redemption are available only to Members aged 18 and over. Cash, gift card, and physical gold redemption options are available to Minor Members.

11.4  California Minors: SB 568 Removal Right

California Minor Members may request removal of content they have posted to the Service, even where the account remains active. Submit removal requests under Section 9.5. We will honor verified requests within the timeframe required by applicable law.

12. Security

We implement technical measures including encryption in transit and at rest, multi-factor authentication, role-based access controls, and regular penetration testing, alongside organizational measures including staff training, background verification for personnel with data access, and incident response procedures. No security system is impenetrable. If a breach affects your personal information, we will notify you and the relevant authorities as required by law.

13. Changes to This Policy

We may modify this Privacy Policy from time to time. When we do, we will publish the updated version, set a new effective date in the document footer, and notify you by email or in-app notification. The notification will identify the change and the effective date. Your continued use of the Service after the effective date constitutes acceptance of the modified Policy. If you do not accept a modification, you may close your account before the effective date.

14. Contact Us

For privacy inquiries, including any of the rights described in Section 9, contact our privacy team at privacy@mynerapp.com, by post at Myner AG, Gartenstrasse 6, 6300 Zug, Switzerland, or through the privacy center accessible from your account settings.

You also have the right to lodge a complaint with the relevant regulatory authority. California residents may complain to the California Privacy Protection Agency at cppa.ca.gov. Residents of other US states may contact their state Attorney General. Where Swiss law applies, you may complain to the Swiss Federal Data Protection and Information Commissioner at fdpic.ch.