1. Personal Data We Collect

We collect different categories of personal data depending on how you interact with the
Services. “Personal data” means any information relating to an identified or identifiable
natural person.

Categories of personal data

Identifiers

• Name (if provided)

• Username or display name

• Email address (if provided)

• IP address

• Account identifiers

Account and usage information

• Account preferences and settings

• Game or application usage history

• Interaction data within the Services (such as in-app actions and progression signals)

Voice and audio data (optional features)

• If you choose to enable voice features, audio input may be processed to support real-time communication or speech-to-text functionality

• Voice data is processed only for the relevant feature and is not used for biometric identification

Communications and user-generated content

• Content you create or share within the Services

• Messages or information you submit through chats, feedback forms, or support requests

Technical and device information

• Device type

• Operating system

• Log files

• Crash reports and diagnostic data

We may also process aggregated or anonymized information that does not identify you. This
information is not considered personal data under GDPR.

2. Children and Age Restrictions

Fronterra is designed for young learners, and we take additional measures to protect children’s
privacy.

The Services may be subject to age restrictions in certain jurisdictions. In accordance with
GDPR and Maltese law, where processing is based on consent and the user is under the age of 13,
consent must be provided or authorized by a parent or legal guardian.

Privacy-protective defaults

We aim to apply privacy-protective settings by default for younger users. Certain features may
be limited based on age and applicable law.

No targeted advertising to children

We do not use personal data of users under the age of 13 for targeted advertising.

Parents and guardians are encouraged to supervise children’s use of the Services and to contact
us if they have questions or wish to exercise rights on a child’s behalf.

We do not knowingly collect personal data from children below the applicable age threshold
without appropriate authorization.

3. Sources of Personal Data

We collect personal data from the following sources:

Directly from you

• When you create an account

• When you use features of the Services

• When you communicate with us

• When you voluntarily provide information through forms, surveys, or support requests

Automatically through use of the Services

• Technical data collected through cookies or similar technologies (where applicable)

• Usage and interaction data

From third parties

• Platform providers (such as app stores or device platforms)

• Cloud hosting and infrastructure providers such as AWS and Google Firebase as Data Processors

• Payment providers (if purchases are enabled)

• Analytics service providers

We process personal data received from third parties in accordance with this Privacy Policy.

4. Cookies and Similar Technologies

We use cookies and similar technologies, where applicable, to operate and improve the Services.

Cookies are small data files placed on your device that help us understand how users interact
with the Services and improve functionality.

Types of cookies we use

• Essential cookies required for operation

• Analytics cookies to understand usage patterns

Some cookies are provided by third-party analytics providers, which may process personal data
in accordance with their own privacy policies.

You can manage cookie preferences through your browser settings. Disabling certain cookies may
affect the functionality of the Services.

5. Purposes and Legal Bases for Processing

We process personal data only where permitted by law and for the following purposes:

Provision of the Services

• To create and manage user accounts

• To enable gameplay, learning experiences, and interactive features

Service improvement and analytics

• To understand usage patterns

• To improve performance, design, and educational effectiveness

Speech-to-text and voice features

• To support optional voice-based interactions when enabled by the user

Educational support and feedback

• To provide learning feedback and interactive educational experiences

• AI-assisted tools may be used to support these functions in an assistive manner, without determining final academic outcomes

Marketing and promotional purposes

• To promote our Services, features, events, and updates

• To communicate marketing or promotional messages to users where permitted by law

• To measure, analyze, and improve the effectiveness of our marketing activities

Communications and support

• To respond to inquiries

• To provide customer support

• To send service-related messages about the Services

Legal and safety purposes

• To comply with legal obligations

• To protect users, the Company, and others

• To enforce our terms and policies

Lawful bases under GDPR

Depending on the context, processing is based on:

• Performance of a contract

• User consent, where required

• Legitimate interests that are not overridden by user rights

• Compliance with legal obligations

6. Use of Artificial Intelligence and Automated Processing

The Company uses limited artificial intelligence and automated processing tools to support
certain features of the Services.

These include:

• Speech-to-text functionality, where enabled by the user

• Analytics and personalization to improve user experience

• AI-assisted educational feedback

• Conversational interactions with in-app virtual characters that generate responses based on user input

These systems are designed to assist users and do not produce legal or similarly significant
effects on users. AI systems are not used to determine final grades, formal evaluations, or
outcomes for learners.

The Company does not engage in automated decision-making within the meaning of Article 22 GDPR.

AI-assisted chat and user inputs

When using AI-assisted chat features or conversational interactions within the Services, users
should avoid sharing personal data, sensitive information, or any information they do not wish
to be processed by automated systems. User inputs provided to AI-assisted features may be
processed to generate responses and to deliver the requested functionality. Such inputs may be
transmitted to third-party AI service providers acting as data processors, as described above.

AI training

We do not use user content to train general-purpose AI models unless we clearly inform users
and, where required, obtain consent.

EU AI Act compliance and Annex III (Education)

The Company has assessed the use of AI within the Services against Annex III of the EU Artificial
Intelligence Act relating to education and vocational training systems. Fronterra does not
deploy high-risk AI systems as defined under Annex III, based on the current design and intended
use of the Services. In particular, the AI systems used within the Services are not
intended to be used for any of the following:

• Determining access to or admission into educational or vocational training institutions at any level

• Evaluating learning outcomes where such evaluation is used to make binding or determinative decisions about a learner’s educational progression or results

• Assessing or assigning the appropriate level of education that an individual will receive or be able to access within an educational or vocational training institution

• Monitoring or detecting prohibited behaviour of students during tests or formal assessments within educational or vocational training institutions

AI systems used in Fronterra are designed to support engagement, exploration, and learning
feedback in an assistive manner and do not replace human judgment, formal assessment, or
institutional decision-making.

Use of third-party AI service providers

To provide certain AI-assisted features, the Company may use third-party AI service providers
acting as data processors on our behalf. Where such services are used, limited categories of
personal data (such as text input, audio input for speech-to-text, or contextual interaction
data) may be transmitted to those providers solely for the purpose of delivering the relevant
functionality.

Some AI service providers may be located outside the European Union or European Economic Area,
including in the United States. Where this occurs, the Company ensures that appropriate
safeguards are in place in accordance with GDPR, including the use of European Commission
approved standard contractual clauses.

These providers are contractually restricted from using personal data for their own purposes,
including for training their models, unless otherwise explicitly disclosed and permitted by
law.

7. Disclosure of Personal Data

We may disclose personal data in the following circumstances:

• To service providers acting on our instructions (processors)

• To affiliated group companies acting as data processors

• To professional advisors under confidentiality obligations

• In connection with a corporate transaction such as a merger, acquisition, or sale of assets

• Where required by law or legal process

• To protect rights, safety, or property

• With your consent

We do not sell personal data.

You may request information about our current processors and service providers by contacting
privacy@axonpark.com.

8. Data Retention and Security

Retention

We retain personal data only for as long as necessary to fulfill the purposes described in this
Policy or to comply with legal obligations. Retention periods may vary depending on the type of
data and the context in which it was collected.

Security

We implement appropriate technical and organizational measures to protect personal data against
unauthorized access, loss, alteration, or misuse.

In the event of a personal data breach, we will notify the relevant supervisory authority and
affected users in accordance with applicable law.

9. International Data Transfers

The Company is established in Malta and primarily processes personal data within the European
Union.

Where personal data is transferred outside the EU or EEA, we implement appropriate safeguards,
including European Commission approved standard contractual clauses, in accordance with
applicable law.

10. Your Rights Under GDPR

Subject to applicable law, you have the right to:

• Access your personal data

• Correct inaccurate data

• Request deletion of your dataThe Right of Erasure

• Restrict processing

• Object to processing

• Withdraw consent at any time where processing is based on consent

• Receive a copy of certain personal data in a structured, commonly used, and machine-readable format (Right to Data Portability)

• You also have the right to lodge a complaint with a supervisory authority in the EU or EEA, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

Requests may be subject to identity verification and legal limitations.

To exercise your rights, please contact privacy@axonpark.com with the subject
line “Data Subject Rights”.

Data portability

Where applicable, users may request to receive personal data they have provided to us, or that
has been generated through their use of the Services, in a structured, commonly used, and
machine-readable format.

Such requests may be fulfilled by providing a downloadable file through the Services or by
responding via our Data Protection Officer or designated privacy contact, depending on
technical feasibility.

We will respond to data portability requests within one month of receipt, subject to identity
verification and applicable legal limitations. This period may be extended by up to two
additional months where necessary, in accordance with applicable law.

Data made available under this right generally covers information associated with the user
account during the period the account was active and does not include anonymized or aggregated
analytics data.

Data retention and deletion

We retain personal data only for as long as necessary to fulfill the purposes described in this
Privacy Policy, unless a longer retention period is required or permitted by law.

Account data
Personal data associated with a user account is deleted when the user deletes their account or
requests deletion, subject to legal or regulatory retention requirements.

Analytics and service improvement data
Usage and analytics data is retained in an aggregated, anonymized, or pseudonymized form. Once
personal identifiers are no longer required, data is anonymized and can no longer be used to
identify individual users.

Educational and learning interaction data
Learning interaction data is retained for as long as the account remains active and is deleted
or anonymized following account deletion, unless retention is required for legal, research, or
statistical purposes in an anonymized form.

Legal and compliance data
Certain data may be retained for longer periods where required to comply with legal
obligations, resolve disputes, or enforce our agreements.

Anonymized data is not considered personal data under applicable data protection laws and may
be retained for analytical and research purposes.

11. Data Protection Contact

The Company has appointed a data protection contact for matters relating to personal data.

Email: privacy@axonpark.com

12. Changes to This Policy

We may update this Privacy Policy from time to time. Changes will be reflected by updating the
date at the top of this Policy. Where required by law, we will provide additional notice and, if
applicable, seek consent.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, please contact:

Axon Park Malta Ltd

Email: support@axonpark.com

For privacy-specific questions or rights requests, please use:
privacy@axonpark.com