Privacy Policy.

01 Who we are and how to reach us

Data controller

weDISCOVR, Inc.
9 Annwood Lane, Cincinnati OH 45206, USA

Privacy contact

EU representative under Article 27 GDPR

Devonte Lemonte Roach
Legal resident, Berlin, Germany
Licensed to operate in entertainment and events in Germany

Data Protection Officer

To be appointed. Name and contact will be added upon appointment.

02 What this policy covers

This policy covers personal data we process across all weDISCOVR surfaces:

• The Explorer app (Drop claims, the Passport, weDI Concierge, the My Data panel)
• The B2B platform used by Curators, Spaces, Brands, and Cities
• The website at wediscovr.com and connected subdomains
• AR experiences at activations and partner venues
• The Terminal and any public wSI surface
• Third-party integrations built on top of weDISCOVR through the Powered by weDI partnership layer

If you interact with weDISCOVR through any of these, this policy applies to you.

03 The wEID promise

This is the most important sentence in this document.

The wEID is the only identifier ever shared with brand sponsors, venues, cities, or partners. Your name, email, phone, address, and any payment information are never disclosed to them.

The wEID is:

• Anonymous · generated when you first interact with weDISCOVR, not derived from your real identity
• Persistent · the same wEID stays with you across Drops, Events, and venues so you can build a Passport
• Cryptographically irreversible · a brand sponsor receiving your wEID cannot work backwards to your real identity, even with the wEID and the full data stream
• Yours · you can request the wEID record, delete it, or port it via the My Data panel

This is not a policy commitment that we can change later. It is an architectural commitment. The system is built so that PII and wEID are physically separated and never co-presented to brand-side surfaces.

04 What data we collect

We collect different categories of data depending on which user type you are. Below is the full inventory.

4.1 From Explorers (you, if you use the app)

Account data (name, email, password), Drop claim and redemption signals, optional consent signals (location, dwell time, purchase behavior), DISC token balance, in-app survey responses, and shipping address only when you opt into home delivery.

4.2 From Curators

Account data (name, email, business name), event listings, audience details you provide, Stripe Connect payout information, and Curator Performance Index (CPI) signals derived from your Drops.

4.3 From Spaces

Venue profile, capacity, operating hours, approval logs for Curator and Brand bookings, and aggregated foot-traffic data tied to wEIDs, never to individual Explorer identities.

4.4 From Brands

Company profile, billing information, AR Commerce Studio assets and creative uploads, Drop configuration and SKU data, brand-lift survey responses, and the wSI scores generated for each activation.

4.5 From Cities

City OS partnership agreements only. No individual-level data. We share aggregated, anonymized cultural-health metrics with city partners.

4.6 From everyone (technical)

IP address, device fingerprint, browser type, session timestamps, and cookies necessary to operate the service. See Section 11 for the full cookie inventory.

05 Why we collect this data, and the legal basis for each purpose

GDPR Article 6 requires us to name a legal basis for every processing purpose. We have six. Here is what each one covers.

5.1 Operating the app and delivering Drops · Article 6(1)(b), contract

We need your email to send your pickup code. We need your wEID to confirm at the booth that the Drop is yours. We need the behavioral signals (Drop claimed, redeemed, etc.) to operate the marketplace. Without this data, the service does not work.

5.2 Confirming activation to brand sponsors · Article 6(1)(f), legitimate interest

When you claim a Drop, we send the brand sponsor a confirmation that the sample was redeemed at the event. This contains the wEID and the activation signal, never your name, email, or any PII. The brand sponsor needs this to measure campaign performance and to fund the next activation.

We have weighed this against your interests and concluded it is necessary, minimal, and reasonable: brand sponsors cannot operate without proof of activation, and we use the strictest anonymization (wEID architecture) to protect you.

You have the right to object to this processing at any time. Email privacy@wediscovr.co or use the Object link on any consent surface. Upon objection, we stop sharing your activation signals with brand sponsors.

5.3 wSI scoring and indexing · Article 6(1)(f), legitimate interest

The weDISCOVR Signal Intelligence Index (wSI) is the patent-pending protocol that scores Drops, Curators, Spaces, Brands, Events, and Cities based on permissioned behavioral data. Your wEID's signals contribute to these scores. The scores are used to price activations, surface relevant Drops to you, and rank Curators and Spaces.

This is profiling under Article 22 GDPR. You have the right to:

• Request a human review of any wSI-driven decision that materially affects you
• Object to wSI-driven personalization (your experience defaults to non-personalized)
• See your contribution to the scores via the My Data panel

5.4 Photo and video for marketing · Article 6(1)(a), consent

If we want to use your image or video for marketing, promotional, or social media purposes, we need your active consent. This is asked for either in-app at the activation or on a signed release form. At physical activations, clearly posted signage notifies attendees that filming is taking place, satisfying the documentary coverage provisions of Kunsturhebergesetz §23. This signage is posted at all weDISCOVR activation points.

You can opt out of in-app consent at the activation. You can withdraw consent at any time by emailing privacy@wediscovr.co. Withdrawal does not affect the lawfulness of any use before withdrawal.

5.5 Future session and marketing communications · Article 6(1)(a), consent

We send emails about upcoming sessions, Drops, and weDISCOVR updates only if you have given consent. You can unsubscribe from any email in one click.

5.6 Fraud prevention and security · Article 6(1)(f), legitimate interest

We log IP addresses, device fingerprints, and login attempts to prevent account abuse, multi-claim fraud, and unauthorized access. This is balanced against your interest: we collect the minimum needed and keep it short.

06 Who we share your data with

We share data only with the parties below, only for the purposes named, and only in the forms specified.

6.1 Brand sponsors

What they receive: wEID, activation signal (claimed, redeemed, time-on-site), and aggregated demographic buckets (city, age range if you have provided it).

What they never receive: name, email, phone, address, exact location, payment info, or any other PII.

6.2 Curators

What they receive: wEID + session registration data + first name + email for Explorers who explicitly pre-register for their sessions.

Why: Curators need to communicate with confirmed attendees (changes, cancellations, content).

6.3 Spaces (venues)

What they receive: Aggregated foot-traffic data tied to wEIDs, never to your name.

6.4 Cities (City OS partners)

What they receive: Fully anonymized, aggregated cultural-health metrics. No wEID, no individual-level data.

6.5 Service providers (data processors)

We use vetted service providers for hosting, payments (Stripe), email delivery, fulfillment logistics, and customer support. Each is bound by a Data Processing Agreement under Article 28 GDPR. A current list of sub-processors is available on request from privacy@wediscovr.co.

6.6 Authorities and legal compliance

We disclose data when legally required (court order, valid government request) or to protect lives, prevent fraud, or defend our rights. We always seek to limit the scope of disclosure to what is strictly required.

6.7 What we never do

• We never sell your data.
• We never share PII with brand sponsors.
• We never use your data for advertising outside of weDISCOVR-permissioned surfaces.
• We never use your data to train third-party AI models without explicit consent.

07 International data transfers

weDISCOVR, Inc. is established in the United States. Some processing happens on US infrastructure. When your data leaves the European Economic Area, we use one or more of the following safeguards:

• Standard Contractual Clauses (SCCs) approved by the European Commission, included in every Data Processing Agreement.
• EU-US Data Privacy Framework certification where the recipient is certified (Stripe is, for example).
• Adequacy decisions where the EU has determined the destination country provides adequate protection.

You can request a copy of the SCCs in place for any specific transfer by emailing privacy@wediscovr.co.

08 How long we keep your data

Detailed retention per purpose is in Section 5. In summary:

• Account data: while your account is active + 12 months after last interaction
• Anonymized behavioral records: up to 5 years for product analytics
• wEID-level activation records: 7 years for tax and financial compliance
• Photo and video: up to 3 years from date of capture
• Security logs: 90 days
• Marketing preferences: until you unsubscribe or close your account

You can request earlier deletion at any time via the My Data panel or by emailing privacy@wediscovr.co. We delete within 30 days unless we are legally required to retain for compliance (in which case we explain why).

09 Your rights

Under GDPR, you have the following rights. You can exercise each one through the My Data panel in the Explorer app, or by emailing privacy@wediscovr.co. We respond within 30 days.

9.1 Right of access · Article 15

You can see all data we hold about you, in machine-readable format, through the My Data panel. You can also request a full export by email.

9.2 Right to rectification · Article 16

You can correct any inaccurate data through the My Data panel or by email.

9.3 Right to erasure / right to be forgotten · Article 17

You can request that we delete your data. We comply within 30 days unless we are legally required to keep specific records (in which case we explain why and delete what we can).

9.4 Right to restriction · Article 18

You can ask us to stop processing your data while a dispute or correction is pending.

9.5 Right to portability · Article 20

You can download your data in machine-readable format through the My Data panel. You can also ask us to transfer it directly to another controller.

9.6 Right to object · Article 21

You can object to any processing based on legitimate interest (Article 6(1)(f)). This specifically includes:

• Sharing activation signals with brand sponsors
• wSI scoring and personalization
• Fraud prevention beyond the strict minimum

Upon objection, we stop the processing unless we can demonstrate compelling legitimate grounds that override your interests. We always tell you the outcome.

9.7 Right to withdraw consent · Article 7(3)

For any processing based on consent (Article 6(1)(a)), you can withdraw at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

9.8 Right to lodge a complaint

You have the right to file a complaint with your national data protection authority.

For users in Germany:
Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI)
Graurheindorfer Straße 153, 53117 Bonn
Web: bfdi.bund.de

For users elsewhere in the EU, find your authority at edpb.europa.eu.

10 Automated decision-making and profiling

The wSI protocol uses your behavioral signals to:

• Price Drops dynamically
• Rank Drops in your feed by predicted relevance
• Adjust the DISC multiplier you earn (tier 1.0× to 2.5×)
• Surface recommended Curators, Spaces, and Events

These are automated decisions that materially affect your experience. Under Article 22 GDPR, you have the right to:

• Request human review of any wSI-driven decision
• Receive a meaningful explanation of how a decision was reached
• Contest the decision and have it reviewed by a human

To exercise these rights, email privacy@wediscovr.co with "wSI Review" in the subject line.

11 Cookies and similar technologies

We use only the cookies needed to operate the service.

We do not use third-party advertising cookies or trackers. No Facebook Pixel, no Google Ads tags, no LinkedIn Insight Tag, no retargeting pixels of any kind on weDISCOVR-owned surfaces.

Brand-built Drop pages reached through the Recall Deck or Powered by weDI partnerships may load their own first-party cookies for their analytics. We label these clearly when they appear.

12 Children

weDISCOVR is for users 16 years and older. We do not knowingly collect data from anyone under 16. If you believe a child has signed up, email privacy@wediscovr.co and we will delete the account within 7 days.

13 Security

We use industry-standard security:

• TLS 1.3 for all data in transit
• AES-256 encryption for data at rest
• wEID generation via cryptographically secure pseudo-random functions
• Role-based access control internally, with PII access limited to a small named list
• Regular security audits (next scheduled: date to be confirmed)
• Bug bounty program: in development

No system is perfectly secure. If we discover a breach affecting your data, we notify you and the relevant supervisory authority within 72 hours as required by Article 33 GDPR.

14 Changes to this policy

We may update this policy as the product evolves. For any material change (new categories of data, new sharing partners, weakening of your rights), we will:

• Notify you by email and in-app at least 30 days before the change takes effect
• Highlight what changed in plain language
• Give you the chance to object, delete your account, or export your data before the change

For non-material changes (typo fixes, contact updates, clarifications), we update the policy and bump the version number without notification.

Past versions are available on request.

15 Contact

For any privacy question, complaint, or rights request:

For urgent matters (suspected breach, account compromise, etc.), use email and include "URGENT" in the subject line.