Cross-Border Data Transfer Policy

1. Purpose & Regulatory Context

Friendium operates a global social networking platform that connects users, organizations, and communities across jurisdictions. In order to deliver services reliably, securely, and at scale, Friendium may process personal data outside the country in which it was originally collected.

This policy is designed to ensure that all cross-border data transfers conducted by Friendium comply with applicable legal frameworks, including:

• EU General Data Protection Regulation (GDPR)
• UK GDPR
• California Consumer Privacy Act (CCPA) / CPRA
• Brazil LGPD
• Other applicable national and regional privacy laws

2. Scope of This Policy

This policy applies to all personal data processed by Friendium, including data relating to:

• Registered users and visitors
• Creators, influencers, and business accounts
• Advertisers and commercial partners
• Developers and API consumers
• Employees, contractors, and affiliates

It covers transfers initiated directly by Friendium as well as transfers conducted by authorized subprocessors acting on Friendium’s behalf.

3. Categories of Data Subject to Transfer

Depending on the service context, Friendium may transfer the following categories of data across borders:

• Account identifiers and profile information
• Contact details (email, phone number)
• Content posted or shared on the platform
• Usage data, logs, and interaction metadata
• Payment and transaction data (processed via third parties)
• Security, fraud-prevention, and audit records

4. Transfer Destinations

Personal data may be transferred to and processed in countries where Friendium or Nexa-Group maintains infrastructure, service providers, or operational teams. These locations may include, but are not limited to:

• European Union and European Economic Area (EEA)
• United States
• United Kingdom
• Asia-Pacific regions
• Other jurisdictions where authorized service providers operate

5. Legal Mechanisms for International Transfers

Friendium relies on one or more of the following lawful transfer mechanisms when transferring personal data internationally:

• European Commission adequacy decisions
• Standard Contractual Clauses (SCCs)
• UK International Data Transfer Addendum
• Binding contractual obligations with equivalent safeguards
• Derogations permitted under applicable law (where applicable)

6. Supplementary Safeguards

Where required, Friendium implements additional technical and organizational measures to ensure an equivalent level of protection, including:

• Encryption of data at rest and in transit
• Strict access controls and role-based permissions
• Pseudonymization or minimization of transferred data
• Regular security audits and risk assessments

7. Subprocessors & Service Providers

Friendium may engage trusted third-party subprocessors to support platform operations, including cloud hosting, analytics, customer support, and payment processing. All subprocessors are:

• Subject to contractual data protection obligations
• Required to process data only on documented instructions
• Assessed for security, privacy, and compliance readiness

8. Government Access & Legal Requests

Friendium evaluates all government or law enforcement requests for access to personal data in accordance with its Law Enforcement Request Guide and applicable law. Where legally permitted, Friendium:

• Challenges overbroad or unlawful requests
• Limits disclosures to the minimum required
• Notifies affected users where allowed by law

9. User Rights

Users retain all applicable data protection rights regardless of where their data is processed, including:

• Right of access
• Right to rectification
• Right to erasure
• Right to restrict or object to processing
• Right to data portability

10. Data Retention & Deletion

Transferred data is retained only for as long as necessary to fulfill legitimate business purposes or legal obligations. When no longer required, data is securely deleted or anonymized in accordance with Friendium’s Data Retention Policy.

11. Accountability & Governance

Nexa-Group maintains internal governance structures to oversee cross-border transfers, including privacy leadership, compliance audits, and documented transfer impact assessments where required.

12. Policy Updates

This policy may be updated periodically to reflect changes in legal requirements, regulatory guidance, or operational practices. Material changes will be communicated through the Friendium platform or official notices.

13. Contact Information

For questions regarding cross-border data transfers or privacy compliance:

• Privacy Office: privacy@nexa-group.org
• Data Protection Officer: dpo@nexa-group.org
• Legal Department: legal@nexa-group.org