1. Data collection by the Company through the Services

The personal data about you or the Users (hereinafter the "Data") that can be collected by us through the use of the Services are as follows:

Browsing. We do not collect any personal data if you are merely browsing the Platform, except as indicated in our Cookie Policy.

Account Data

• Registration.
  On registering for TimeOutIQ Services, we will collect the following personal data: first name, last name, email address and mobile telephone. This data is obligatory and if they are not provided, an account cannot be created.


• Payments.
  Our payment provider (Stripe) collects certain payment data which is processed according to their terms and privacy policy which is provided to you during the payment process. See https://stripe.com/en-ca/privacy. We may contract further payment gateways, and their conditions will be provided to you during the payment process.


• Web-forms.
  If you submit any web form to us (Contacts, comments), we collect the data indicated in the forms indicated in and submitted through these forms by you, including name and email address. Required data in order to send the web form is indicated. This data is used for processing your request and contacting you for further communication.


• Information about your computer.
  Due to the communications standards on the internet, when you visit our Platform we automatically receive the URL of the site from which you came and the site to which you are going when you leave the site. We also receive the internet protocol (“IP”) address of your computer and the type of web browser you are using. We use this information to analyse overall trends and to help improve the service. This information is not shared with third parties without your permission.

Your User Data. On your behalf, as a principal function of the service, we collect and process some basic personal data relating to your children/Users (as defined in the Terms) in accordance with the provisions set out in section 3 below.

Collection methods

We use different methods to collect Account Data from and about you including through:

Direct interactions. You may give us your personal data by registering or contacting us. This includes personal data you provide when you create an account on our website, subscribe to our service or publications, request marketing to be sent to you, or give us feedback.

Automated technologies or interactions.As you interact with our app, we may automatically collect Technical Data about your devices.

Minors. We do not let minors subscribe to the TimeOutIQ Service.

2. Use of Account Data collected by the Company

Please note that this Section does NOT relate to the processing of User Data, which is regulated by Section 3 below and Appendix 1 hereto.

General. We are responsible for processing your Account Data, which is solely used for the development of our contract and communications with you and for the provision and management of your TimeOutIQ Account and our Services provided to you (as described in the Terms). It is also used to measure and improve the services and functionality and to provide customer service, send email notifications and (unless no longer in the distribution list) newsletters, or communications, in general, about the Services, products and novelties, and product offers or promotions offered by Us. We will use the Account Data in order for these purposes and to comply with the Terms, applicable law, and other legal notices. Registered users are also sent notification emails about activities of the Service.

Service optimization. We may process such information on an aggregated non-identifiable basis for establishing user general attributes and profiles and share such anonymous information with third party service providers to help improve or promote our service. We also use your data in a non-identifying and aggregated manner (i.e. dissociated data) to better design our web site, software and services.

Disclosure. We treat your Account Data with strict confidentiality in accordance with applicable law. However, we shall disclose any information about you or your use of our Services (i) in compliance with a legal obligation, (ii) in order to correctly deliver our Services or perform other obligations in accordance to the applicable regulations and rules set forth in the Terms, (iii) in the event of a sale of change of control of the Company for the purpose of appropriate due diligence; or (iv) to service providers providing us a service in relation to the data. We require all third parties to respect the security of your Account Data and to treat it in accordance with the law. We do not allow our third-party service providers to use your Account Data data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Lawful Bases. Below are the lawful bases that we rely on to process your Account Data:

• Performance of Contract: processing your data is necessary for the performance of our contract with you, or to take steps at your request before entering into such a contract.


• Legitimate Interest: we have a legitimate interest to process your Account data for our business, in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us at info@TimeOutIQ.com.


• Comply with a legal or regulatory obligation: we may process your personal data where it is necessary for compliance with a legal or regulatory obligation that we are subject to.

Generally we do not rely on consent as a legal basis for processing your Account Data other than in relation to sending own marketing communications to you via email or text message. However, for transparency and clarity, we ask you to provide this consent, which is given by you on registering your account. You have the right to withdraw consent at any time by contacting us at info@TimeOutIQ.com. This will not affect the processing of your Account Data for service provision until you cancel your account.

Data retention.We will only retain your Account Data for as long as necessary to fulfil the purposes we collected it for, including (a) the performance of the contract with registered users and (b) for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Generally speaking, we will retain your Account Data for the period of your subscription (active) and up to 5 years thereafter (blocked), for legal and administrative purposes.

Statistical use.We may anonymize your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use and retain this information indefinitely without further notice to you.

3. Processing of User Data on your behalf: the Company as data processor

User Data.In registering for a TimeOutIQ Account, the Services start collecting data from the Devices associated to the Account, which may include personal data relating to you, to the Users of the Devices or to third parties (“User Data”, including information about your Devices, websites and apps that your Users use, contacts, connections, payments, messages and other communications, posted and received content, etc.). In accordance with applicable privacy law, to the extent that it applies to the Services, you are the Data Controller of this User Data and you appoint us as a Data Processor of such data for the purpose of providing the TimeOutIQ Services.

Service optimization. We may process such information on an aggregated non-identifiable basis for establishing user general attributes and profiles and share such anonymous information with third party service providers to help improve or promote our service. We also use your data in a non-identifying and aggregated manner (i.e. dissociated data) to better design our web site, software and services.

The provisions of Appendix 1 of this Policy apply to the processing of User Data.

Warranties. You, as the person responsible for User Data that we process on your behalf as Data Processor for the provision of the Services, represent and warrant to us that:

a) You comply with all applicable legislation with respect to the monitoring and control of equipment and devices used by Users within your organisation.

b) You are not in any situation described in the section on “Prohibitions” in the Terms (see clause 1.3 of the Terms)

c) You have all the appropriate informed consents from each and every data subjects whose personal data are submitted to us in the course of the provision of the Services or collected and transmitted to us by the TimeOutIQ Software.

Indemnity. You agree to indemnify and keep us harmless from all claims, damages and losses we may suffer relating to or arising out of the processing of User Data and other third party personal data submitted to our systems during the course of use and provision of the Services.

4. International transfers of data

We use third party technological services for the provision of Services, whose providers may process Account Data and User Data collected in the course of providing us their services indicated below, as sub-processors. These entities may be in jurisdictions that generally don’t provide adequate safeguards in relation to the processing of personal data. However, we have entered into contracts with such entities that do include such safeguards, including the EC model clauses. For more information, please contact info@TimeOutIQ.com. In addition, our providers which are in the USA are companies within the EU-US Privacy Shield.

5. Data Security

We have adopted technical and organizational measures to preserve and protect your personal information from unauthorized use or access and from being altered, lost or misused, taking into account the technological state of art, the features of the information stored and the risks to which information is exposed. However, due to the nature of the information and related technology, we cannot ensure or guarantee the security of your personal information and expressly disclaims any such obligation. If we learn of a security breach, then we will attempt to notify you electronically so that you can take appropriate steps.

6. Analytics and other anonymous data use

For the purpose of improving our services and providing sector/segment reports, we anonymise your Account Data and certain generic User Data and store and process this data on an anonymous basis, even after your Account has been closed. The principal purpose is to analyze on an aggregated non-identifiable basis how our Services are used, measuring their effectiveness, and providing general customer service. We may also provide this data (or parts of it) on a fully anonymous aggregate basis to third party business partners, including for conducting academic research and surveys or commercial analytics, and to publish periodic sector or segmented information and reports about behaviour patterns and tendencies.

7. User Rights

Account Data: You have rights under data protection laws in relation to your personal Account Data. You have the right to:

• Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
• Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights.
• Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the data's accuracy; (b) where our use of the data is unlawful but you do not want us to erase it; (c) where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
• Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
• Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

To exercise your rights, please contact us at info@TimeOutIQ.com.

User Data: You are Data Controller of your User Data, and you can access, delete, restrict, correct and request a copy of your data at any time. We will assist you in accordance with the functionalities of the Platform and the term of this agreement to attend any end-user request with regard to the processing of their personal data, as provided in Appendix 1 hereto.

8. Commercial Communications.

An integral part of our service involves informing you of new options, configurations and service offerings. On registration or contacting us, you expressly consent to receive electronic commercial communications regarding the subject matter of the Services in accordance with applicable law, including alerts, notices, newsletters, offers and promotions. Once opted in, if afterwards you do not wish to receive information from this Platform you can expressly opt out by sending a notification to info@TimeOutIQ.com.

9. Consent

Although we have a legal basis other than consent for the processing of the data set out in this form (other than marketing communications), we also would like to ensure that we additionally have your express consent.

By registering for a TimeOutIQ Account, you declare to have read and accepted the terms of this Policy. Without prejudice to the generality of the foregoing, you expressly and unequivocally consent to:

• The collection and processing of your personal data by us in accordance with the indicated purposes and this Policy;
• The collection and processing of User Data on your behalf, as indicated herein; and
• The processing of all personal data stated in this Privacy Policy outside the European Economic Area (particularly in the United States of America) by the subcontractors indicated above.

Your consent to personal data collection and processing may be revoked, without retroactive effects, in accordance with the General Data Protection Regulation. This will not prevent processing of your Account Data for providing you the service, unless you also cancel your account with us.

Appendix 1 – Processing of User Data

We process User Data under instruction from you (the client) as “Data Controller”. This means that you can control which child/User to monitor and the education level for that child/User. Without prejudice to the issue that such data is in most cases processed within a domestic context, we are providing a commercial service to you and therefore our processing of the data on your behalf is governed by the terms of this Appendix, in addition to the provision of the above terms of our Privacy Policy.

This Addendum sets out the obligations of the parties in relation to the processing of the User Data by TimeOutIQ on behalf and following the instructions of the client as Data Controller

Details of Processing

Your use of User Data. As Data Controller, you warrant that you have the appropriate authority to collect and process the Child/User Data and you agree to (i) process and use the User Data in accordance with this Privacy Policy, the Terms and applicable law, and only for the explicit purposes of the Services. You will not submit to the Services any personal data relating to any individual over 14 that has not authorized such processing. Through the Services, you may also access a copy of the User Data collected by us on your behalf. You will protect the confidentiality of any accessible User Data and prevent access by or disclosure to any unauthorized third person. You will inform us within 24 hours about any problem arising in relation with management of your TimeOutIQ Account and/or User Data. You and your Users will be responsible for any illegal use of other person’s data (personal or not) through the Services, including any use contrary to applicable data protection laws and/or in violation this Privacy Policy.

Service Configuration. The Services and TimeOutIQ Platform and Device Software (as defined in the Terms) provide device monitoring and controlling services, as described in the Terms. As part of the same, significant amounts of User Data may be collected and transmitted by the TimeOutIQ Device Software to the TimeOutIQ Platform, including data relating to Users and use of the Devices, URLs that are visited and communications sent by the Users. Client is responsible for setting the parent control panel configurations on the TimeOutIQ Platform that (i) controls Screen time management, monitoring of activities and (ii) determines the educational level to be set for the Child/User. The installation of the TimeOutIQ Device Software and your configuration of the control panel constitute instructions for us to process User Data on your behalf, to provide you the Services. The level and degree of such surveillance and monitoring is entirely under your control and we will not be liable for any such configuration and control carried out by you. All such User Data will be under your responsibility, with the Company as data processor in accordance with this Privacy Policy.

Location Data. Location Data is an optional feature. TimeoutIQ collects location data to enable the parent, to know where their child is. Location data is only captured when screen monitoring is activated. Location data is not collected in the background but as a visible foreground service. The child's location is only visible to the parent and is not shared with third parties or for advertising.

Data removal. During your subscription, we generally retain your User Data on a partially identifiable basis for 12 month periods, for providing our annual behaviour report. It is then deleted or diassociated for our analytical purposes. In addition, through the Platform control panel, you may delete all historical data saved at any time. This data will no longer be accessible and will be fully removed from our systems on the next back-up, except as indicated below. If you wish to remove all the User Data in your TimeOutIQ Account, please, uninstall TimeOutIQ of your devices, and send an email (as set out below), with a digital copy of your ID or other identification document to prove your identity. Once your identity confirmed, we will immediately remove all Data from our active systems and back-ups within fifteen (15) days from confirmation of identity (except as indicated in section 10 below).

1. Definitions

For the purpose of this Addendum, the following terms shall take the meaning set out herein:

• Personal Data: all information about an identified or identifiable individual; An identifiable natural person shall mean any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more identity elements Physical, physiological, genetic, psychological, economic, cultural or social.
• Data Processor: the natural or legal person, public authority or other organisation processing personal data on behalf of the Data Controller.
• Data Subject: is the individual that is identified or identifiable. Data Controller: the natural or legal person, public authority, or other organisation that, alone or jointly with others, defines the purposes and means of the processing.
• Processing: Any operation or set of operations carried out on personal data or personal data sets, whether by automated processes or not, such as collection, registration, organization, structuring, preservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of access, collation or interconnection, limitation, suppression or destruction.
• Security breach of the personal data: any breach of security that results in the destruction, loss or accidental or unlawful alteration of personal data transmitted, preserved or otherwise processed, or unauthorized communication or access to such data.
• User Data: as set out in the Privacy Policy: Data collected from Devices as indicated in the table above.

2. Object and Term

The purpose of this addendum is to regulate the processing of the User Data indicated above. The term of validity of this Addendum is established by virtue of the client subscription with TimeOutIQ.

3. Data Protection Laws Compliance

Each Party shall comply with all applicable laws relating to privacy and data protection, including (without limitation) the Canadian Personal Information Protection and Electronic Documents Act (PIPEDA) and the EU General Data Protection Regulation (GDPR) (2016/679) on and from 25 May 2018, and any amending or replacement legislation from time to time (collectively and individually, “Data Protection Laws”).

4. Rights and responsibilities of the Client as Data Controller, Service Configuration

As established in the applicable law, Client shall:

a) Inform and obtain all such necessary consent from the Device users for the processing of their personal data.

b) Implement appropriate technical and organizational measures to ensure and be able to demonstrate that the processing is carried out in accordance with applicable legislation.

c) Respond to the legal rights of Device Users established by applicable law on the protection of personal data and comply with the stipulations indicated in clause 6 even if these were originally addressed to the TimeOutIQ.

5. Rights and responsibilities of TimeOutIQ as Data Processor

As established in the applicable laws and regulations, the TimeOutIQ shall:

a) Process User Data only on the basis of documented instructions from the Client, including transfers of User Data to a third country or international organization, unless otherwise required to do so under Union law or applicable Member State law; In such case, TimeOutIQ will inform the Client of that legal requirement prior to the processing, unless otherwise prohibited by such law or in the public interest.

b) Ensure that the persons authorised to process User Data have undertaken to respect confidentiality or are subject to an obligation of confidentiality of a statutory nature.

c) Take all appropriate technical and organisational measures to ensure a level of safety appropriate to the risk of processing.

d) Respect the conditions for having recourse to another Data Processor, as established in the current legislation on protection of personal data.

e) Assist the Client, taking into account the nature of the processing, through appropriate technical and organisational measures, whenever possible, so that it can comply with its obligation to respond to requests for the exercise of the rights of the data subjects, here the Device users.

f) Assist the Client in ensuring that Client complies with its obligations, taking into account the nature of the processing and the information that is available to TimeOutIQ.

g) At the choice of the Client, either destroy or return all personal data once the processing services have been completed, and destroy any existing copies unless the retention of personal data is required under Union or applicable Member State law.

h) Make available to the Client all information necessary to demonstrate compliance with the obligations established in herein, as well as to allow and contribute to the performance of audits, including inspections, by the controller or other authorised auditors for the Client.

i) Process the User Data placed at the disposal of TimeOutIQ in a way that ensures that the personnel in charge follow the instructions of the Client.

j) Ensure that the appointed Data Protection Officer (if applicable) or, in his / her absence, the Privacy Officer is involved in an adequate and timely manner in all matters relating to the protection of User Data.

k) Adhere to a Code of Conduct that is approved by the Office of the Privacy Commissioner of Canada or other competent authority.

l) Keep a record of processing activities in the case of processing personal data that may pose a risk to the rights and freedoms of the data subject and / or in a non-occasional manner, or which involves the processing of special categories of data and / or data relating to convictions and infractions.

m) Respond to the legal rights established by applicable law and comply with the stipulations indicated in clause 6 even if these were originally addressed to the Client.

6. Data subjects’ exercise of their rights

If the Data Subjects (Device users) address a request or exercises any of the rights established in the General Data Protection Regulation, the Client and / or TimeOutIQ must provide the information requested and perform any required actions, without delay and, at the latest, within one month from receiving the request, which may be extended for a further two months if necessary, taking into account the complexity of the application and the number of applications.

Similarly, in the event that the Client and / or TimeOutIQ do/es not proceed with the request of the Device user, he/she shall inform the latter without delay, and no later than one month after receipt of the request, shall provide the Device user with the reasons why he/she/they has/ve not acted and inform the Device user of his/her right to file a complaint before a competent authority and to file a judicial appeal. The response to the Device user’s request shall be made in the same format as that used by the person concerned, unless he/she requests that it be done otherwise.

7. Subcontracting

TimeOutIQ may subcontract its obligations and/or reveal User Data to third party service providers without further authorization of the Client. For this purpose, the Client hereby expressly agrees to TimeOutIQ subcontracting the entities indicated in the Privacy Policy. TimeOutIQ will establish a list of subcontractors, and further or substitute sub-processors will be informed to Clients, who may request a list at any time to info@TimeOutIQ.com.

8. International transfer of data

International transfers of User Data may only be performed if the requirements of national or Community laws and regulations that regulate them, are met. If TimeOutIQ carries out an international transfer of data without the other party’s consent, the latter shall be exempted from any liability that may arise as a result of or in connection with such transfer. TimeOutIQ uses third party technological services for the provision of Services, whose providers may process User Data collected in the course of providing us their, as sub-processors. These entities may be in jurisdictions that generally don’t provide adequate safeguards in relation to the processing of personal data. However, we have entered into contracts with such entities that do include such safeguards. For more information, please contact info@TimeOutIQ.com.

9. Security breach of the personal data

Insofar as there exists an instruction from a competent supervisory authority, a development of a national legislation or a delegated act, in the event of a security breach of the personal data, the Client and/or TimeOutIQ shall notify the competent supervisory authority of such breach without undue delay, and if possible, no later than seventy-two (72) hours after it happened.

10. Termination, resolution and expiration

In the event of termination, resolution or expiration of the contractual relationship for the provision of services hereunder between the Client and TimeOutIQ, the latter shall not keep the User data unless otherwise legally required or advisable to do so. Otherwise, upon termination, resolution or expiration, or when no longer legally required to keep the data, TimeOutIQ shall destroy or return to the Client all personal data and any copies of it, as well as any support or other document containing any personal data. This is without prejudice to the right of TimeOutIQ to continue process User Data where such data is being processed by TimeOutIQ or for the defense of its legal interests.

11. Governing law

This Appendix shall be governed by and construed in accordance with the laws of Canada and shall be subject to the exclusive jurisdiction of the Courts of Ontario, Canada.