PRIVACY POLICY AND DATA PROTECTION NOTICE

Effective Date: February 28th 2026

Governing Entity: Wuddabooth Photobooth

---

ARTICLE I — PREAMBLE AND SCOPE OF APPLICATION

Wuddabooth Photobooth (hereinafter referred to as the "Company," "Controller," "we," "our," or "us") hereby establishes this Privacy Policy and Data Protection Notice (hereinafter "Policy") to govern the collection, processing, storage, disclosure, and destruction of personally identifiable information and associated data in connection with the Company's provision of photo booth services, digital media services, and all ancillary commercial activities conducted through its website and physical operations.

This Policy constitutes a legally binding statement of the Company's data governance practices and obligations owed to its clients, event guests, and website visitors (collectively, "Data Subjects"). By engaging the Company's services or accessing its digital platforms, Data Subjects acknowledge and accept the terms set forth herein.

---

ARTICLE II — CATEGORIES OF DATA COLLECTED

Section 2.1 — Personally Identifiable Information (PII)

The Company may lawfully collect and process the following categories of personal data from Data Subjects:

(a) Identifying and contact particulars, including but not limited to full legal name, electronic mail address, telephone number, and postal mailing address;

(b) Event-specific information, including the date, venue location, and nature of the contracted event;

(c) Financial and transactional data, including payment instrument details, processed exclusively through compliant third-party payment processors pursuant to applicable financial data security standards (PCI-DSS); and

(d) Communication and marketing preference designations as expressed by the Data Subject.

Section 2.2 — Digital Media and Photographic Content

The Company further collects and processes the following categories of media data:

(a) Photographic images, video recordings, animated image files (GIFs), boomerang sequences, and other digital media formats captured through the Company's equipment during contracted events;

(b) Digital reproductions transmitted to Data Subjects or third parties via electronic mail, Short Message Service (SMS), or third-party social media platforms at the Data Subject's direction.

---

ARTICLE III — LAWFUL BASIS AND PURPOSES OF PROCESSING

Section 3.1 — Authorized Purposes

The Company processes personal data solely on lawful grounds and exclusively for the following enumerated purposes:

(a) Performance of contractual obligations — to provide, coordinate, and deliver the photo booth services contracted by the Data Subject;

(b) Transaction administration — to process financial consideration, issue payment confirmations, and maintain transactional records;

(c) Service communications — to transmit booking confirmations, scheduling notices, and event-related correspondence;

(d) Direct marketing communications — where the Data Subject has provided express, informed, and freely given consent to receive such communications;

(e) Service improvement and product development — to analyze operational performance and enhance service offerings; and

(f) Legal compliance — to fulfill any obligations imposed upon the Company by applicable statute, regulation, court order, or governmental directive.

---

ARTICLE IV — PHOTOGRAPHIC RIGHTS, USAGE, AND CONSENT

Section 4.1 — Delivery of Media to Data Subjects

All photographs and digital media captured during a contracted event shall be made available to the contracting party and their event guests through the Company's designated digital distribution channels.

Section 4.2 — Company's Limited Marketing License

Subject to prior written consent obtained from the contracting party, the Company reserves a non-exclusive, royalty-free, limited license to reproduce, display, and publish photographic content in the Company's portfolio, promotional materials, and official social media platforms for marketing purposes only. Under no circumstances shall the Company sell, transfer, assign, or otherwise commercially exploit photographic content to unaffiliated third parties.

Section 4.3 — Right to Withdraw Consent and Opt-Out

A Data Subject may revoke consent to the Company's marketing use of photographic content by submitting written notice to the Company prior to the contracted event or within thirty (30) calendar days following the event date. Upon receipt of such notice, the Company shall cease and refrain from any further marketing use of the applicable photographic content.

---

ARTICLE V — DISCLOSURE TO THIRD PARTIES

Section 5.1 — Authorized Third-Party Disclosures

The Company does not sell, rent, or otherwise transfer personal data to third parties for commercial consideration. The Company may, however, disclose personal data to the following categories of authorized recipients:

(a) Data Processors and Service Vendors: Third-party entities engaged by the Company to perform functions essential to service delivery, including but not limited to payment processing, cloud-based data storage, and digital communications infrastructure, subject to data processing agreements ensuring equivalent data protection standards;

(b) Event Coordinators and Venue Operators: To the extent reasonably necessary for the logistical coordination and execution of contracted event services; and

(c) Governmental and Regulatory Authorities: Where disclosure is mandated by applicable law, judicial order, subpoena, regulatory directive, or where disclosure is necessary to assert, defend, or enforce the Company's legal rights and interests.

---

ARTICLE VI — DATA SECURITY MEASURES

The Company employs commercially reasonable technical, administrative, and physical safeguards designed to protect personal data against unauthorized access, acquisition, alteration, disclosure, or destruction. Notwithstanding the foregoing, the Company expressly acknowledges that no method of electronic transmission or digital storage constitutes an absolute guarantee of security, and the Company cannot warrant the inviolability of its information systems. The Company shall notify affected Data Subjects in accordance with applicable breach notification statutes in the event of a confirmed security incident.

---

ARTICLE VII — DATA RETENTION AND DISPOSAL

The Company shall retain personal data for the minimum period necessary to fulfill the purposes identified in this Policy and to satisfy applicable legal, regulatory, contractual, or audit retention obligations. Digital photographic and media files are subject to a standard retention period of ninety (90) calendar days following the date of the contracted event, after which such files shall be purged and rendered irretrievable from the Company's systems, unless an alternative retention arrangement has been expressly agreed upon in writing by both parties.

---

ARTICLE VIII — RIGHTS OF DATA SUBJECTS

Section 8.1 — General Rights

Subject to applicable legal limitations, Data Subjects retain the following substantive rights with respect to their personal data held by the Company:

(a) Right of Access — to obtain confirmation of and access to personal data being processed;

(b) Right to Rectification — to request correction of inaccurate, incomplete, or outdated personal data;

(c) Right to Erasure — to request deletion of personal data where continued retention is no longer legally justified;

(d) Right to Withdraw Consent — to revoke previously granted consent to marketing communications at any time, without prejudice to the lawfulness of prior processing;

(e) Right to Data Portability — to request a transferable copy of personal data in a commonly used, machine-readable format.

To exercise any of the foregoing rights, Data Subjects must submit a verifiable written request to the Company using the contact information specified in Article XII of this Policy.

---

ARTICLE IX — CALIFORNIA CONSUMER PRIVACY ACT (CCPA) COMPLIANCE

Section 9.1 — Rights of California Residents

California residents possess additional statutory rights under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA"), including without limitation:

(a) The right to know the categories and specific pieces of personal information collected, the sources of collection, the business purposes for which it is used, and the categories of third parties with whom it is shared;

(b) The right to request deletion of personal information subject to applicable statutory exemptions; and

(c) The right to opt out of the sale of personal information. The Company hereby represents and warrants that it does not engage in the sale of personal information as defined under the CCPA.

California residents wishing to exercise their CCPA rights may submit a verified consumer request to the Company via the contact information set forth in Article XII.

---

ARTICLE X — COOKIES AND AUTOMATED TRACKING TECHNOLOGIES

The Company's website may deploy cookies, web beacons, pixel tags, and analogous automated tracking technologies to optimize user experience and analyze website traffic. Data Subjects retain the ability to manage or disable cookie functionality through the settings of their respective web browsers; however, the Company advises that disabling such technologies may impair certain features or functionality of the Company's digital platforms.

---

ARTICLE XI — CHILDREN'S ONLINE PRIVACY PROTECTION

The Company's services are not directed to, marketed toward, or intended for individuals under the age of thirteen (13). The Company does not knowingly collect, solicit, or maintain personal information from minors under the age of thirteen (13). In the event the Company becomes aware that personal data has been collected from a minor under thirteen (13) without verifiable parental consent, the Company shall take prompt remedial action to delete such data. Parties with knowledge of such collection are directed to notify the Company immediately via the contact information provided in Article XII.

---

ARTICLE XII — AMENDMENTS AND POLICY REVISIONS

The Company expressly reserves the right to modify, amend, or restate this Policy at its sole discretion to reflect changes in applicable law, regulatory guidance, or business practices. Amendments shall become effective upon posting to the Company's website, as indicated by the revised "Effective Date." Data Subjects are encouraged to review this Policy periodically to remain informed of any modifications. Continued use of the Company's services following the posting of amendments shall constitute acknowledgment of the revised Policy.

---

ARTICLE XIII — CONTACT INFORMATION AND DATA CONTROLLER DETAILS

All inquiries, requests, complaints, or correspondence concerning this Policy or the Company's data protection practices shall be directed to:

Wuddabooth Photobooth

11202 Bentcreek Road

Moorpark, CA 93021

United States of America

Electronic Mail: hello@wuddabooth.com

Telephone: (805) 870-53044

---

This Policy is intended to satisfy applicable federal and California state privacy law requirements. Nothing contained herein shall be construed as a waiver of any legal right or as creating any contractual obligation beyond those expressly stated.