Privacy Policy

We collect information necessary to operate the App and improve your experience: • Account Information: Name, email, username, date of birth, country, profile picture, bio, skill level, and other profile details you provide during registration. Passwords are stored only as salted, one-way hashes — we never store, view, or process your plaintext password. • Sign-In Identifiers (third-party): If you sign in using Apple, Google, or another supported third-party identity provider, we receive a unique identifier from that provider plus the email address and display name you authorize the provider to share. We do not receive your password from the provider. • Age Verification: We collect your date of birth and country during registration to verify you meet the minimum age requirement for your jurisdiction (see Section 9 for country-specific ages). Users who do not meet the minimum age for their country are not permitted to use Froz. • Precise Location Data: With your permission, we collect precise GPS location data (coordinates, altitude, speed, heading) to enable ski tracking and crew features. Location tracking only occurs when you explicitly enable it. If you grant background location permission for crew features, we may collect your location while the app is in the background. You can disable location tracking at any time in your device settings. Precise geolocation is treated as sensitive personal information under California's CPRA; see Section 8. • Inferred / Estimated Location Data: When the GPS signal becomes weak, intermittent, or unavailable (for example, in tunnels, dense tree cover, between lifts, or in chairlift gondolas), Froz uses a proprietary on-device sensor-fusion engine (combining the last known GPS fix, accelerometer, gyroscope, magnetometer, barometer, and motion classification) to estimate your position, speed, and altitude until GPS is reacquired. These inferred values are derived data — not direct observations — and are treated as personal data of the same sensitivity as precise location. Inferred location is generated locally on your device and is subject to the same on/off control and storage rules as precise location data. Inferred values may be inaccurate or stale; Froz does NOT warrant their accuracy and is NOT liable for decisions made in reliance on them. • Microphone & Audio Data: With your permission, we access your device microphone to record voice memos for messaging. Voice memo audio files are uploaded to our servers and stored with your messages. You can revoke microphone access at any time in your device settings. • Activity Data: Resorts visited, check-ins, ski/snowboard tracks, meetups attended or organized, crew memberships, follow/follower relationships, rankings, leaderboard participation, resort ratings/reviews you submit, live condition reports, Mountain DNA tag contributions, resort comments, social-feed posts and reactions, and event interactions (RSVPs, watches). Public visibility: Froz does not currently provide private-account, friends-only, blocking, or per-feature privacy controls. By using the App, you understand and agree that your username, profile picture, bio, activity statistics, leaderboard placements, resort lists ("Shredded," "On The Radar," favorites), check-ins, social-feed posts, ratings, reviews, Mountain DNA tags, comments, follow/follower relationships, crews you join publicly, and meetups you RSVP or organize are visible to other users of the App by default and are discoverable through in-app search. If you do not want particular activity to be visible to other users, do not perform that activity. Froz may introduce privacy controls in the future at its sole discretion, but is not obligated to do so within any timeframe, or at all. • User Content: Photos, voice memos, comments, direct messages, group/crew/meetup chat messages, posts, profile pictures, and other content you choose to upload, share, or transmit through the App. • Device Information: Device type, operating system, app version, language and locale, time zone, and unique device identifiers used for analytics, crash reporting, and abuse prevention (not advertising). • Usage Information: How you interact with the App, including features used, session duration, action sequences, app performance data, network conditions, and error/crash reports. • Push Notification Tokens: If you enable notifications, we collect device tokens (APNs on iOS, FCM on Android) to send you updates about meetups, messages, and app activity. • Content Moderation Data: When you upload profile photos, we process them through automated content moderation to detect prohibited content. We track failed upload attempts and moderation outcomes to prevent abuse. • Account Metadata: We automatically record the date you joined Froz (member since date) and maintain account status records for moderation purposes (e.g., active, suspended, banned). What we do NOT collect: We do not collect payment-card data, government-issued identifiers, financial-account information, biometric identifiers, race or ethnicity, religious beliefs, sexual orientation, or health/medical information. Note: Precise GPS location is the only category of "sensitive personal information" (as defined under California's CPRA) that we collect, and only with your explicit permission. We do not use precise geolocation for any purpose other than the ski tracking, crew, and meetup features you opt into. You may at any time limit our use of precise geolocation by disabling location permissions in your device settings — see Section 8 for details. Legal Basis for Processing (GDPR Art. 13(1)(c)): • Account info (name, email, DOB) — Contract performance (account creation & management) • GPS location (ski tracking) — Explicit consent (record ski runs & stats) • Inferred/estimated location (sensor-fusion fallback when GPS is unavailable) — Explicit consent (same consent grant as ski tracking; cannot be enabled independently) • GPS location (crew streaming) — Explicit consent (share position with crew) • Background location — Explicit consent (crew position while app closed) • Voice memos — Consent (microphone permission grant) • Profile photos — Contract performance + legitimate interests (display & content moderation for safety) • Device info & usage data — Legitimate interests (analytics & app improvement) • Push notification tokens — Consent • DOB & country — Legal obligation (COPPA, GDPR Art. 8 age verification) • Content moderation logs — Legitimate interests (platform safety & abuse prevention)

We use your information to: • Operate and improve the App. • Enable ski/snowboard tracking when you activate this feature. • Calculate and display resort rankings and leaderboards. • Display your activity and statistics. • Send push notifications about meetups, messages, and relevant activity (if enabled). • Personalize your experience and show relevant content based on your country/region. • Analyze app usage to improve features and performance. • Provide customer support. • Maintain app security and prevent abuse. • Verify user age eligibility. We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

We use third-party services to operate the App: • Firebase (Google): Authentication (Firebase Auth), database storage (Firestore), file storage (Cloud Storage for Firebase), crash reporting (Crashlytics), performance monitoring (Performance Monitoring), product analytics (Firebase Analytics / Google Analytics for Firebase), and push-notification delivery (Firebase Cloud Messaging). • Apple Sign In with Apple / Google Sign-In: If you choose to register or sign in using your Apple ID or Google account, the respective provider receives the request and returns the identifiers needed for authentication. We do not receive your password. • Google Cloud Vision API: We use Google Cloud Vision's SafeSearch feature to automatically screen user-uploaded profile photos for prohibited content. Images are sent to Google's servers for analysis at the time of upload. Google processes this data according to their Cloud Data Processing terms. • Open-Meteo API: We use Open-Meteo to obtain weather forecast data, which we process using our own algorithms to generate Snow Quality Index (SQI) scores, weather summaries, and recommendations. Open-Meteo provides raw weather data only; we do not transmit your personal information to Open-Meteo. All SQI calculations and generated content are created by Froz. • MapTiler: We use MapTiler to provide map tiles and terrain data for resort maps. When you view maps in the App, MapTiler receives tile requests which may indicate the geographic area you are viewing. MapTiler processes this data according to their privacy policy. • Apple Push Notification service (APNs) and Firebase Cloud Messaging (FCM): Used to deliver push notifications to your device. Apple and Google receive device tokens necessary to deliver the push payload. • Expo (Expo Application Services): App build, over-the-air update delivery, and push-token issuance. Expo's servers may receive device identifiers and update-channel metadata. • Apple App Store / Google Play Store: When you download the App, the respective platform handles distribution and may collect telemetry under its own privacy policy. We may share data in these cases: • With the service providers listed above who help us run the App. • For legal compliance if required by law or to respond to valid legal requests. • To protect the rights, safety, or property of Froz, our users, or the public. • With your consent if you explicitly agree to share information. • In the event of a corporate transaction (such as a merger, acquisition, sale of assets, financing, or bankruptcy), your information may be transferred to the successor or acquirer, subject to the protections of this Privacy Policy or a successor policy that materially preserves your rights. Internal Access by Froz Personnel: • Froz operates a role-based access-control system. Only authorized Froz personnel ("Operators") have administrative access to the production database and to user accounts, and only to the extent necessary to perform their role. • Today, the Operator role is held by Froz's founder and is used to maintain the resort dataset, publish curated event listings, review and process partner applications, respond to user-support and account-deletion requests, investigate abuse, content-moderation, or security incidents, and run other business operations of Froz Technologies LLC. • What the Operator API can access: The Operator role is enforced at the API layer through role-based access controls. Operators acting through Froz's application API do NOT have any endpoint that reads the contents of private direct messages, crew chats, meetup chats, or voice-memo audio. Operator API access is limited to administrative functions such as: maintaining the resort dataset; publishing curated event listings; reviewing and processing partner applications; reviewing user-submitted Problem Reports (Settings → Report a Problem) and content reports; investigating ranking-manipulation signals and other abuse signals that do not require message content; suspending or terminating accounts; responding to user-support and account-deletion requests; and other business operations of Froz Technologies LLC. • Direct database access (Infrastructure Administrator): Separately from the Operator role, Froz's underlying production database (Google Cloud Firestore) and storage (Google Cloud Storage) are administered by an Infrastructure Administrator — currently Froz's founder, acting on behalf of Froz Technologies LLC as the root account holder of Froz's Google Cloud Platform project. The Infrastructure Administrator has the inherent technical ability, by virtue of being the platform's root operator, to read the contents of stored data — including direct messages, crew and meetup chat messages, voice-memo audio files, and other private user content — directly through the Google Cloud console or administrative tooling. This access is exercised only when necessary and proportionate to: (i) comply with valid legal process or government requests; (ii) investigate severe abuse, harassment, threats to safety, or illegal activity; (iii) investigate platform-security incidents; (iv) respond to a user's own data-subject access, correction, or deletion request submitted under Section 8; (v) perform necessary database maintenance, migrations, or data-integrity repairs; or (vi) defend Froz against actual or threatened legal claims. Direct database access by the Infrastructure Administrator is the only path by which any Froz personnel can read the contents of private messages or voice memos, and it is restricted to the minimum content reasonably necessary for the listed purposes. • No end-to-end encryption: Froz does NOT currently offer end-to-end encrypted messaging or voice memos. Message contents and voice-memo audio are stored in a form that the Infrastructure Administrator can technically read under the narrow circumstances described above. You should not rely on direct messages, crew chats, meetup chats, or voice memos to transmit content (including secrets, credentials, confidential business information, or unlawful material) that you would not want a Froz Infrastructure Administrator to be able to read in the course of a legitimate investigation, legal process, or maintenance event. • As the business grows, additional Operators may be added (e.g., employees, contractors). All Operators are bound by confidentiality obligations and must comply with this Privacy Policy and applicable law. Access is restricted to what is necessary for each Operator's function. • Partners (event organizers and other third parties using the partner dashboard) have access only to their own tenant — their own events, listings, payments, and analytics. Partners do NOT have access to other users' personal data and do NOT have administrative access to the platform. • Operator access to personal data is logged and reviewed for abuse-prevention purposes. Sponsored content may appear in the App, but sponsors do not have access to your personal data unless you explicitly interact with their content. Resort Information: • Froz displays informational metadata about ski and snowboard resorts (the "Resort Information"), including resort name, location, elevation, trails, lifts, skiable acres, amenities, pass affiliations (e.g., Ikon, Epic, Mountain Collective, Indy), websites, and similar fields. Resort Information is compiled by Froz from public sources and third-party databases. It is NOT personal information about you and is NOT covered by your data-subject rights under this Policy. • Resort Information may be inaccurate, incomplete, or out of date. Froz makes no warranty about its accuracy or currency. Decisions you make in reliance on Resort Information (including travel planning and pass purchases) are at your own risk and are governed by Section 15 of our Terms of Service. • Pass-program names (Ikon Pass®, Epic Pass®, Mountain Collective®, Indy Pass®) and resort names, logos, and trade dress are trademarks of their respective owners. Their inclusion in the App is for descriptive and identification purposes only and does not imply endorsement, sponsorship, partnership, or any commercial relationship with Froz unless expressly stated. Featured Lists, Curated Listings & Event Listings: • Froz publishes informational listings for resorts, gear, après spots, events, and other skiing/snowboarding-related content. Some listings are curated editorially by Froz; others are submitted by third-party partners (event organizers, brands, retailers, ticket vendors, businesses) and labeled "Sponsored," "Partner," or similar. The terms governing these listings — including that Froz is not the seller, organizer, or operator of any listed event — are described in our Terms of Service. • Curated listings are compiled from public sources (organizer websites, news, public calendars). They do not require Froz to collect any personal data from you to display. • Partner-submitted listings may include the partner's public business contact information (organizer name, business address, website URL, ticket-purchase URL, contact email, social handles). This information is provided by the partner and displayed in the App. • If you tap a "ticket link," "purchase link," organizer website, contact email, or other third-party link in a listing, you leave the App and interact directly with the third party. That third party's privacy practices govern any data you share with them — Froz does not control, receive, or have access to that interaction or any data they collect from you. Froz is not responsible for the privacy practices, data security, or content of any third-party site or service. • Partners do NOT receive your personal data from Froz simply because their listing is displayed to you. Froz does not transmit your identity, account information, or behavior data to partners as a result of you viewing a listing in the App. • If we provide aggregated, anonymized analytics to a partner about a listing's performance (for example, the total number of impressions or click-throughs), the data will not identify you individually. • With your permission, we may use your location to show locally-relevant listings. Your precise location is not transmitted to the partner. • Featured brands, businesses, ticket vendors, and event organizers do not receive your personal data unless you choose to interact with them outside the App (for example, by purchasing a ticket on their site or emailing them).

Froz offers optional GPS-based features that use your device's location. Ski/Snowboard Tracking: • Location tracking is OFF by default and only activates when you explicitly enable it. • When enabled, we collect precise location data (coordinates, altitude, speed) to record your ski runs and generate statistics. • You can disable location tracking at any time through the App or your device settings. Background Location & Crew Position Streaming: • If you join a crew and enable background location, Froz may collect your location while the app is closed or not in use. • Background location requires a separate permission grant ("Always Allow" on iOS, "Allow all the time" on Android). • When crew position streaming is active, your real-time location, speed, and heading are shared with members of your crew so they can see you on the map. • Your username and profile picture are displayed alongside your location to crew members. • Crew position streaming only operates within ski resort areas. • Crew positions may be delayed, stale, or unavailable due to connectivity, GPS signal, terrain, or device factors. Displayed positions may not reflect a crew member's current location. • You can stop sharing your position or disable background location at any time. • Location data is stored securely and associated with your account. • We do not share your precise location with users outside your crew without your consent. • We do not sell location data to third parties.

With your express permission, we send push notifications and electronic messages for: • Meetup invitations and updates • New messages from other users • Activity on your posts or profile • App updates and announcements You can disable notifications at any time: • Through your device settings • Within the App notification preferences • By contacting support@froz-app.com Canadian users: In accordance with Canada's Anti-Spam Legislation (CASL), we obtain your express consent before sending commercial electronic messages. You may withdraw consent at any time.

We implement technical and organizational measures designed to protect personal data against unauthorized access, accidental loss, alteration, or disclosure, taking into account the nature of the data, the risks of processing, and the state of the art (consistent with GDPR Art. 32): • Encryption in transit using TLS 1.2 or higher for all client-server communication. • Encryption at rest of personal data stored on Google Cloud Platform (Firestore, Cloud Storage), provided by the underlying GCP infrastructure. • Authentication via Firebase Auth with industry-standard token-based session management; passwords stored only as salted, one-way hashes. • Role-based access controls and the principle of least privilege for personnel with administrative access to production systems. • Audit logging of access to production data stores. • Network isolation, firewalling, and Cloud Run service segregation provided by GCP. • Automated content-moderation tooling to reduce abuse vectors. • Periodic dependency and security review of the application and its third-party libraries. No system is 100% secure, and we cannot guarantee absolute protection. You are responsible for maintaining the security of your account credentials, keeping your device software up to date, and notifying us promptly at support@froz-app.com if you suspect unauthorized access to your account.

We retain your data for specific periods based on category and purpose: • Account & profile data — Retained while your account is active; deleted upon account deletion. • GPS tracking sessions — Retained while your account is active so you can review historical activity and statistics. You can delete individual sessions at any time. Deleted upon account deletion. • Crew position data (live streaming) — Not stored; distributed in real-time only and discarded when streaming stops. • Chat and meetup/crew messages — Retained while your account is active. On account deletion, your authored messages are anonymized in shared conversations (your name is replaced with "[Deleted User]") to preserve conversation context for other participants, and any direct-message threads tied solely to you are deleted. • Voice memos — Retained while your account is active; deleted upon account deletion. • Photos and other uploaded content — Retained while your account is active; deleted upon account deletion. • Analytics & usage data — Aggregated and de-identified. May be retained indefinitely in a form that does not identify you. • Content moderation logs — Retained for up to 90 days after the moderation event for abuse-prevention and dispute-resolution purposes. • Tax, accounting, legal-hold, or compliance records — Retained for the period required by applicable law (typically up to 7 years), notwithstanding account deletion. Account deletion: When you delete your account, your personal data is deleted or de-identified without unreasonable delay, except for (i) anonymized aggregate data, (ii) anonymized chat content as described above, and (iii) records we are required by law to retain. Account deletion cannot be undone.

Depending on your location, you may have the following rights regarding your personal data: General Rights: • Access: Request a copy of the data we hold about you. • Correction: Request correction of inaccurate data. • Deletion: Request deletion of your data. • Portability: Request a copy of your data in a portable format. • Opt-out: Disable location tracking, notifications, or analytics. • Withdraw Consent: Withdraw consent for data processing at any time. EU/EEA Residents (GDPR): In addition to the rights above, you have the right to: • Restriction of Processing (Art. 18): Request that we restrict processing of your data in defined circumstances (e.g., while the accuracy of the data is being verified). • Object to Processing (Art. 21): Object, on grounds relating to your particular situation, to processing based on our legitimate interests (Art. 6(1)(f)). The legitimate interests we rely on are described in Section 14 — primarily app analytics and improvement, content moderation for platform safety, and fraud/abuse prevention. To exercise this right, email support@froz-app.com describing the processing you object to and your situation; we will cease the relevant processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or the processing is required for the establishment, exercise, or defense of legal claims. • Automated Decision-Making (Art. 22): Not be subject to a decision based solely on automated processing that produces legal effects or similarly significant effects on you. Section 15 describes the limited automated processing we perform; none of it produces such effects, but you may request human review of any decision you believe significantly affects you. • Lodge a Complaint: File a complaint with your local supervisory authority. You may also seek judicial remedies. • Response Timeline: We will respond to data-subject requests within 30 days of receipt. For complex requests, this may be extended by up to two further months with notice to you. California Residents (CCPA/CPRA): Categories of personal information collected in the last 12 months (Cal. Civ. Code § 1798.140): • Identifiers (name, email, username, account ID, third-party-provider identifiers if you sign in with Apple/Google, date of birth) • Customer records (profile picture, bio, skill level, country) • Internet or other electronic network activity (interactions with the App, app performance, error/crash data, usage patterns, device identifiers) • Geolocation data (precise GPS — sensitive personal information under CPRA, collected only with your permission) • Audio (voice memos you record) • Visual (profile photos and other photos you upload) • Inferences drawn from the above (activity stats, leaderboard rankings, ranked-mountain inferences) Categories of sources from which the information is collected: • Directly from you (registration, profile, content you submit, permissions you grant) • Automatically from your device when you use the App (device info, performance data, push tokens) • From third-party identity providers (Apple, Google) if you choose third-party sign-in • From other users (e.g., when another user invites you to a meetup or crew, or mentions your username) Business or commercial purposes for which we collect and use the information: • Providing and operating the App and its features • Authenticating you and securing your account • Personalizing your experience and surfacing relevant content (resorts, events, crews) within your country/region • Calculating activity statistics, leaderboard rankings, and other in-app metrics • Sending you push notifications you have opted into • Detecting, preventing, and responding to fraud, abuse, harassment, content-policy violations, and security incidents • Complying with legal obligations (age verification, lawful requests) • Auditing and improving App performance, reliability, and quality Categories of personal information disclosed to service providers for business purposes: • Firebase (Google) — identifiers, device info, crash and performance data, push tokens, app activity (Firebase Analytics) • Google Cloud Vision — profile photos at upload time, for content-moderation purposes only • MapTiler — approximate geographic area viewed via map tile requests • Apple / Google identity providers — minimal sign-in identifiers if you choose third-party sign-in • Apple Push Notification service / Firebase Cloud Messaging — push tokens and notification payloads We do NOT sell personal information for monetary consideration, and we do NOT share personal information for cross-context behavioral advertising. We have not done so in the prior 12 months and have no plans to do so. Sensitive Personal Information: We collect one category of "sensitive personal information" as defined under CPRA — precise geolocation (GPS) — and only with your explicit permission. We use it solely to provide the ski-tracking, crew, and meetup features you opt into. We do not use or disclose sensitive personal information for any purpose other than those that are necessary to provide the features you request, are reasonably expected by an average consumer who requests such features, or are otherwise permitted under Cal. Civ. Code § 1798.121(a). We do not infer characteristics about you from sensitive personal information for any purpose. You may at any time limit our use of sensitive personal information by disabling location permissions in your device settings; doing so will disable the features that depend on location. Your California rights: right to know what personal information is collected, used, shared, or sold; right to correct inaccurate personal information; right to delete personal information; right to opt out of the sale or sharing of personal information; right to limit the use and disclosure of sensitive personal information; right to non-discrimination for exercising any of the above rights. How to exercise your California rights: Email support@froz-app.com with the request type and your account email. We will verify your identity (typically by confirming control of the account email) and respond within 45 days. We may extend this period by an additional 45 days where reasonably necessary, with notice to you. Authorized agents may submit requests on your behalf with written permission. Canadian Residents (PIPEDA): You have rights under the Personal Information Protection and Electronic Documents Act, including the right to access your personal information, request corrections, and withdraw consent. You may file a complaint with the Office of the Privacy Commissioner of Canada. Quebec Residents: Under Quebec's Law 25, you have additional rights including privacy by default and the right to data portability. To exercise any of these rights, contact us at support@froz-app.com.

Froz enforces country-specific minimum age requirements to comply with local privacy laws. We collect your date of birth and country during registration and block account creation for users who do not meet the minimum age for their country. Minimum Age by Country: • 16 years old: Germany, Netherlands, Luxembourg, Ireland • 15 years old: France, Czech Republic, Greece, Slovenia • 14 years old: Brazil, South Korea, Italy, Spain, Austria, Bulgaria, Lithuania • 13 years old: United States, Canada, United Kingdom, and all other countries We do not knowingly collect personal information from users below the minimum age for their jurisdiction. Users below the minimum age for their country are blocked from creating accounts. If you believe a user below the applicable minimum age has created an account, please contact us at support@froz-app.com and we will promptly delete the account and associated data.

Froz Technologies LLC is established in the United States. Your information is primarily stored and processed in the United States on Google Cloud Platform infrastructure. Transfer mechanisms (EU/EEA): Where personal data is transferred from the EU/EEA to the United States, we rely on the following lawful transfer mechanisms, as applicable: • The EU-U.S. Data Privacy Framework (DPF), under which Google LLC is certified to receive personal data from the EU; and/or • The European Commission's Standard Contractual Clauses (SCCs), as incorporated into our service providers' standard data-processing terms (for example, Google Cloud Platform's standard Data Processing Addendum incorporates the EU SCCs by reference). Transfer mechanisms (UK): For transfers from the United Kingdom, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs as incorporated into our service providers' standard terms. Other jurisdictions: For transfers from other jurisdictions with cross-border transfer requirements, we rely on the contractual safeguards in our service providers' standard data-processing terms together with technical measures including encryption in transit (TLS 1.2 or higher) and encryption at rest. You may request a copy of the relevant transfer mechanism documentation by contacting support@froz-app.com.

We use analytics and performance tools to understand how users interact with the App and to detect and fix problems: • Firebase Analytics (Google Analytics for Firebase) — collects in-app event data, screen views, session duration, and similar product-analytics metrics. • Firebase Crashlytics — collects crash reports and stack traces to help us diagnose and fix bugs. • Firebase Performance Monitoring — collects app performance metrics (e.g., startup time, network request latency) to help us improve app responsiveness. • Device identifiers (such as the iOS IDFV / Android Advertising ID) may be used by these analytics SDKs solely for analytics, abuse prevention, and product improvement — not for cross-app behavioral advertising. We do not use traditional web cookies in the mobile App, but mobile SDKs may store local data on your device for functionality and analytics purposes. The Froz marketing website (froz-app.com) likewise does not currently load third-party advertising cookies; if this changes, we will update this Privacy Policy and where required obtain your consent through a cookie banner. How to limit analytics collection: • iOS 14.5 and later: Settings > Privacy & Security > Tracking — disable "Allow Apps to Request to Track" (App Tracking Transparency). • Android: Settings > Privacy > Ads — choose "Delete advertising ID" or "Opt out of Ads Personalization." • Within the App, you can also disable optional features (location, push notifications, voice memos) that contribute to data collection.

We may update this Privacy Policy from time to time. When we make material changes: • We will update the "Last Updated" date at the top of this policy. • For significant changes, we may notify you via the App or email. • Continued use of Froz after changes means you accept the updated policy. We encourage you to review this policy periodically.

In the event of a personal-data breach within the meaning of applicable law, we will: • Investigate the breach promptly upon discovery. • Notify affected users and any required regulatory authorities without undue delay and within the timeframes required by applicable law (for example, the 72-hour supervisory-authority notification requirement under GDPR Art. 33 where applicable). • Provide information about the nature of the breach, the categories of data affected, and the measures we have taken or propose to take to address it, to the extent then known and as required by applicable law. The exact timing, format, and recipients of any breach notification will depend on the nature of the incident, our investigation, applicable legal requirements, and any guidance from competent authorities or law enforcement.

Under the GDPR, we process your personal data based on the following legal bases: • Contract Performance (Art. 6(1)(b)): Processing necessary to provide the Froz service — account creation, profile management, core app functionality. • Consent (Art. 6(1)(a)): GPS location tracking, background location for crew features, voice memo recording, push notifications. You may withdraw consent at any time through your device settings or the App. • Legitimate Interests (Art. 6(1)(f)): Analytics and app improvement, content moderation for platform safety, fraud prevention. Our legitimate interests do not override your fundamental rights and freedoms. • Legal Obligation (Art. 6(1)(c)): Age verification to comply with COPPA, GDPR Article 8, and other applicable child protection laws.

Froz uses automated processing in the following ways: • Content Moderation: Every profile picture uploaded to the App is screened by Google Cloud Vision AI (SafeSearch) before it is stored or shown to any other user. Images flagged as containing adult, explicit, violent, racy, or otherwise prohibited content under Google's SafeSearch categories are automatically rejected. The rejection decision is made algorithmically; Froz does not commit to or guarantee human review. You may re-upload a different image. Repeated submissions of prohibited content may result in account restrictions (see Section 13 of our Terms of Service). • User-Activity Leaderboards: Activity rankings (resorts visited, runs tracked, vertical feet, distance, max speed, etc.) are calculated algorithmically from your activity data and are displayed publicly within the App together with your username and profile picture. Participation in leaderboards is a default-on consequence of using the App's tracking and activity features; Froz does not currently offer a leaderboard opt-out, a private-account mode, or per-statistic visibility controls. If you do not want a statistic to appear on a leaderboard, do not generate that statistic in the App. Froz may, at its sole discretion, exclude any session, run, ranked-list entry, speed record, or other result from any leaderboard at any time (see Section 12 of our Terms of Service for the integrity policy). No human review of individual rankings occurs. • Resort Ranked Lists ("Top Resorts" / "Featured Mountains"): Resort rankings displayed in the App are derived by aggregating your individual resort ratings and pairwise resort comparisons together with those submitted by other users, processed through Froz's proprietary ranking algorithm. The aggregate ranking is not a ranking of you — it is a ranking of resorts. Once your submission has been incorporated into an aggregate value, the aggregate may persist after you delete your submission or your account; however, individual identifying details of your submissions are not displayed publicly. • Snow Quality Index (SQI): Scores are generated by proprietary algorithms from weather data. No individual user data is used in SQI calculations. None of these automated processes produce legal effects or similarly significant effects on users. You have the right to request human review of any automated decision that significantly affects you.

Froz uses the following software development kits (SDKs) and technologies that may store data on your device: • Firebase SDK (Google): Authentication, crash reporting, performance monitoring, product analytics, and push-notification delivery (FCM). May store local identifiers and tokens on your device for functionality. • MapLibre / MapTiler: Map rendering. Cached map tiles may be stored locally for performance. • Device identifiers (IDFV on iOS, Android ID): Used for analytics, abuse prevention, and crash diagnostics only — not for cross-app behavioral advertising. Apple App Tracking Transparency (ATT): On iOS 14.5 and later, applications must request your permission before using the IDFA to track you across apps and websites for advertising. Froz does not use the IDFA for cross-app advertising and does not currently request ATT permission. If this changes, we will request your permission through Apple's standard ATT prompt. Froz does not use traditional web cookies in the mobile App. However, mobile SDKs may store local data on your device for functionality and analytics purposes. How to opt out / limit: • iOS: Settings > Privacy & Security > Tracking — disable "Allow Apps to Request to Track." • Android: Settings > Privacy > Ads — choose "Delete advertising ID" or "Opt out of Ads Personalization." • Disabling optional features in the App (location, push notifications, voice memos) reduces data collection associated with those features.

If you are located in Brazil, the Lei Geral de Proteção de Dados (LGPD) applies to our processing of your personal data. Legal Bases: We process your data based on consent, contract performance, and legitimate interests as described in Section 14. Data Protection Officer: Neeve Kadosh, support@froz-app.com Your Rights Under LGPD: Confirmation of data processing, access to your data, correction of incomplete or inaccurate data, anonymization/blocking/deletion of unnecessary data, data portability, information about third parties with whom data is shared, withdrawal of consent. Age Requirement: Users in Brazil must be at least 14 years old. Response Timeline: We will respond to data subject requests within 30 days. Complaints: You may petition the Autoridade Nacional de Proteção de Dados (ANPD) regarding data protection matters.

If you are located in South Korea, the Personal Information Protection Act (PIPA) applies. Consent: We obtain your consent for data collection during registration. Age Requirement: Users in South Korea must be at least 14 years old. Users under 14 are blocked from creating accounts. Location Information: In accordance with the Location Information Act, location data is collected only with your explicit consent and can be disabled at any time. Cross-Border Transfer: Your data is transferred to and processed in the United States for the purpose of providing the Froz service. Complaints: You may contact the Personal Information Protection Commission (PIPC) for data protection inquiries.

If you are located in the United Kingdom, the UK General Data Protection Regulation (UK GDPR) applies to our processing of your personal data. Your rights under the UK GDPR are equivalent to those described in the EU/EEA section of this policy, including access, rectification, erasure, restriction, portability, and the right to object. Complaints: You may file a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

If you are located in Japan, the Act on the Protection of Personal Information (APPI) applies. Third-Party Sharing: We disclose your data to the third-party service providers listed in Section 3 (Firebase, Google Cloud Vision, MapTiler) for the purposes described in this policy. Cross-Border Transfer: Your data is processed in the United States with contractual data protection safeguards in place. Complaints: You may contact the Japan Personal Information Protection Commission (PPC) for data protection inquiries.

If you are located in Australia, your data is handled in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988. Cross-Border Disclosure: Your data is transferred to and processed in the United States. We ensure our service providers maintain data protection standards through contractual obligations. Complaints: You may file a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.

Users in India must be at least 13 years old to use Froz. If you are located in India, our processing of your personal data is subject to India's Digital Personal Data Protection Act, 2023 (DPDP) and its implementing rules, as in force from time to time. You may have rights under the DPDP including the right to obtain confirmation and access, the right to correction and erasure, the right of grievance redressal, and the right to nominate. To exercise these rights or to raise a grievance, contact support@froz-app.com. We will respond within the timeframe required by the DPDP. The DPDP imposes additional restrictions on the processing of personal data of children (defined as individuals under 18 in India) and "persons with disabilities" who have a lawful guardian, including a requirement of verifiable consent of the parent or lawful guardian. Where these requirements apply, we comply or, where compliance is not feasible, decline to process such data.

If you have questions about this Privacy Policy or wish to exercise your data rights, contact us at: Froz Technologies LLC 37 Brook Road, New Providence, NJ 07974, United States Email: support@froz-app.com Data Protection Officer: Neeve Kadosh Email: support@froz-app.com Canadian Users: You may also file a complaint with the Office of the Privacy Commissioner of Canada at www.priv.gc.ca. Quebec Users: You may contact the Commission d'accès à l'information du Québec at www.cai.gouv.qc.ca. EU/EEA Users: You may lodge a complaint with your local supervisory authority. UK Users: You may file a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.