Privacy Policy

Last updated: November 2, 2025

Scope
This policy explains how BRIDGE (“we,” “our,” “us”) collects, uses, discloses, and protects personal information across our websites, mixed-reality packaging experiences (e.g., QR/NFC/app triggers), and related services. It applies to visitors, customers, business contacts, and end users who interact with our experiences.

Compliance framework
We design this policy to align with the EU/UK GDPR, the California CCPA as amended by the CPRA, COPPA for children’s data, comparable U.S. state privacy laws (including Colorado, Connecticut, Utah, Virginia, Oregon, Texas, Montana, Delaware, Iowa, New Jersey, and others as applicable), and Québec’s Law 25. Alation+5EUR-Lex+5oag.ca.gov+5

Personal information we collect
• Identifiers and contact data: name, email, phone, postal address, device identifiers.
• Commercial and usage data: pages viewed, features used, scan events, product interactions, referral source, timestamps, in-experience events and rewards activity.
• Technical data: IP address, user agent, OS, app version, network information, SDK diagnostics, cookie or similar IDs.
• Geolocation: approximate location from IP or device settings where enabled.
• User-generated content: feedback, support messages, media voluntarily submitted.
• Professional data: employer, job title, business contact details for B2B outreach.
• Sensitive data: collected only if you choose to provide it and only where necessary (e.g., accessibility preferences). We do not collect precise geolocation, biometric templates, or government IDs unless explicitly requested for a specific, disclosed purpose.

Sources
• Directly from you (forms, accounts, emails, support).
• Automatically from your browser/app or device when you interact with our sites or mixed-reality experiences.
• From customers and partners who deploy our experiences on their packaging and share interaction data under contract.
• From service providers and publicly available sources for fraud prevention, security, and business contact enrichment.

Purposes of use
• Provide, operate, personalize, and secure our sites, apps, and mixed-reality experiences.
• Record scans and triggers, render interactive content, award badges/rewards, and save progress.
• Measure performance and analytics; improve features, UX, and reliability.
• Customer service, training, and incident response.
• Marketing with your choices respected (including opt-out/consent where required).
• Debugging, auditing, and compliance with law and our agreements.
• Protect against fraud, abuse, and security threats.

Legal bases (EEA/UK)
• Contract necessity (to deliver requested services or features).
• Legitimate interests (e.g., security, analytics, product improvement) balanced against your rights.
• Consent where required (e.g., certain cookies, marketing, geolocation).
• Legal obligations.

Our MR technology and SDKs
When you scan a BRIDGE-enabled QR/NFC tag or visual marker, the experience may log a non-human-readable token for the trigger, approximate location/time, device/application metadata, and the in-experience events needed to render content, validate rewards, or resume later. We minimize data stored on-device, cache content for performance, and rotate identifiers where feasible. If a brand embeds third-party SDKs or pixels in its experience, those parties may collect data under their own policies; we contractually require appropriate safeguards and provide configuration options to disable non-essential tracking.

Cookies and similar technologies
We use cookies, local storage, pixels, and mobile IDs for core functionality, session management, analytics, and—where permitted—marketing. You can manage preferences through our cookie banner where available and via browser/mobile settings. Where supported, we honor Global Privacy Control (GPC) signals as an opt-out of “sale”/“sharing” for cross-context behavioral advertising.

Advertising and analytics
We may use first-party analytics and privacy-centric measurement. If we engage in cross-context behavioral advertising, you may opt out as described below. We do not knowingly “sell” personal information as commonly understood; where a jurisdiction defines targeted advertising or analytics as a “sale” or “share,” we treat it accordingly and provide opt-out mechanisms.

AI/ML use
We may use aggregated or de-identified interaction data to improve detection, recommendations, and reliability. We do not use your personal information to train generalized generative AI models without a separate, clear disclosure and a lawful basis (e.g., consent or opt-in).

Disclosures to others
• Service providers and processors under contract (hosting, analytics, support, communications, payment, security).
• Business customers who deploy BRIDGE experiences, for their own lawful purposes, when they are independent controllers.
• Professional advisors, auditors, and insurers.
• Authorities where required by law or to protect rights and safety.
• Corporate transactions (merger, acquisition, financing, or sale) subject to appropriate safeguards.

Retention
We retain personal information only as long as necessary for the purposes above, to comply with legal obligations, resolve disputes, and enforce agreements. De-identification or deletion occurs when information is no longer needed.

Security
We implement technical and organizational measures to protect personal information, including access controls, encryption in transit and at rest (where appropriate), logging, separation of environments, secure development practices, and vendor due diligence. No system is perfectly secure; we maintain incident response procedures and will notify you and regulators as required by law in the event of a qualifying breach.

Your privacy rights
Depending on your location, you may have the right to:
• Access, correct, or delete personal information.
• Obtain a portable copy of certain information.
• Opt out of targeted advertising, the “sale” or “sharing” of personal information, profiling in furtherance of decisions that produce legal or similarly significant effects, and certain automated decision-making.
• Restrict or object to processing and withdraw consent where processing is based on consent.
• Appeal a rights request decision (where required).
• Lodge a complaint with a supervisory authority or attorney general.

How to exercise your rights
Submit a request through our privacy request form or email the address below. We will verify your request using commercially reasonable methods (which may include confirming control of your email/account or requesting limited additional information). Authorized agents may submit requests in some jurisdictions with proof of authority and subject to additional verification.

California disclosures
California residents have rights under the CCPA/CPRA, including to know, delete, correct, and opt out of “sale”/“sharing” and to limit the use/disclosure of sensitive personal information. We honor GPC signals as a request to opt out of “sale”/“sharing.” We do not use or disclose sensitive personal information for purposes that would require a “Limit Use” link unless we provide that link. We provide a “Do Not Sell or Share My Personal Information” mechanism where applicable. oag.ca.gov

Children’s privacy
Our services are not directed to children under 13, and we do not knowingly collect personal information from children under 13 without verifiable parental consent. If we learn we have collected such information without consent, we will delete it. Operators that intentionally offer child-directed experiences must comply with COPPA; we support consent flows and data minimization for those deployments. Federal Trade Commission+1

De-identified and aggregated data
We may create and use de-identified or aggregated data. We commit to maintain de-identification and not re-identify such data except as permitted by law to test effectiveness of safeguards.

Do Not Track and GPC
Browsers may offer Do Not Track; there is no common interpretation. We instead honor legally recognized signals such as Global Privacy Control where required.

Automated decision-making
We do not conduct automated decision-making that produces legal or similarly significant effects without appropriate disclosures, a lawful basis, and meaningful information about the logic involved.

Third-party links and properties
Our websites and experiences may link to third-party sites, content, SDKs, or services. Their privacy practices are governed by their own policies.

Controller/processor roles
For our own websites, apps, and direct services, BRIDGE is typically an independent controller. For certain customer-deployed experiences, BRIDGE may act as a processor/service provider under a data processing agreement; in those cases we process personal information only on documented instructions and subject to contractual restrictions.

Regional information
• EEA/UK: You may contact our representative or Data Protection Officer (if appointed) at the address below. You may lodge a complaint with your local supervisory authority. EUR-Lex
• Canada/Québec: For activities subject to Law 25, you may contact our person in charge of personal information (“Privacy Officer”). Certain rights, including data portability and transparency about cross-border transfers, apply. Alation
• United States: State laws provide additional rights described above; we will not discriminate against you for exercising a privacy right. IAPP+1

Changes to this policy
We may update this policy to reflect changes in laws, technology, or our practices. We will post the updated version with a new “Last updated” date and, where required, provide additional notice.

Contact
To ask questions or exercise rights, contact:
info@digitalbridgex.com
BRIDGE, Attn: Privacy
[Postal address]

Data processing addendums and vendor disclosures
Where required, we offer a data processing addendum and list of sub-processors. Contact us to request copies.

Notice for accessibility
On request, we will provide this policy in an accessible format or alternative language where required by law.