Privacy Policy

1.1 "Personal Data" has the meaning set forth in the PDPO: any data relating directly or indirectly to a living individual, from which it is practicable for the identity of the individual to be directly or indirectly ascertained, and in a form in which access to or processing of the data is practicable. Under the PDPA, Personal Data means any information relating to a natural person that enables the identification of such person, whether directly or indirectly.

1.2 "Sensitive Personal Data" under the PDPA includes personal data pertaining to race, ethnic origin, political opinions, religious or philosophical beliefs, sexual behaviour, criminal records, health data, disability, trade union membership, and biometric or genetic data. In all cases, any data requiring heightened protection under applicable law shall be treated with the highest level of security.

1.3 "Data User" under the PDPO means a person who, either alone or jointly with others, controls the collection, holding, processing, or use of Personal Data.

1.4 "Data Controller" under the PDPA means a person or entity with the authority to make decisions regarding the collection, use, or disclosure of Personal Data.

1.5 "Data Processor" under the PDPA means a person or entity that processes Personal Data on behalf of a Data Controller.

1.6 "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.

1.7 "Tenant" means a bar, nightclub, entertainment venue, or any other commercial establishment that registers on the Platform to use the Services.

1.8 "Performer" means any individual who broadcasts live Content through the Platform on behalf of a Tenant.

1.9 "Viewer" means any individual who watches Content on the Platform.

1.10 "Account" means a registered user account on the Platform.

1.11 "Content" means any livestream video, audio, images, text, messages, or other material transmitted through the Platform.

1.12 "Monetary Transaction" means any payment processed through the Platform, including Tips, virtual drink purchases, paid dance or song requests, paid messages, or any other viewer-to-bar or viewer-to-performer payment.

2.1 Meridian Global Holdings Limited is the Data User under the PDPO and the Data Controller under the PDPA responsible for the collection, use, and processing of Personal Data through the Platform.

2.2 Contact Details for Privacy Matters: • Data Protection Officer (DPO): Steven Donnelly, CEO • Email: privacy@barstreamhub.com • Postal Address: Unit 1603, 16th Floor, The L. Plaza, 367–375 Queen's Road Central, Sheung Wan, Hong Kong

The Company provides the Platform as a Data Processor under the PDPA for Personal Data that Tenants control, processing such data only on the instructions of the Tenant.

The DPO can be contacted at privacy@barstreamhub.com.

3.1 Categories of Personal Data. Depending on your relationship with the Platform (as a Tenant, Performer, or Viewer), we may collect the following categories of Personal Data: • Registration Data — Full name, email address, phone number, business registration number (Tenants), tax identification number • Identification Data — Government-issued ID collected by Tenants for performer age verification • Profile Data — Stage name, biography, profile photo (Performers); venue name, logo, description (Tenants) • Transaction Data — Payment card information (processed by Stripe), Tip history, payout records, payout account details • Technical Data — IP address, browser type, device information, operating system, referring URLs, stream metadata • Usage Data — Platform access logs, stream viewing history, chat messages (stored for 6 months), feature usage • Communications Data — Support tickets, email correspondence, chat messages

3.3 Data Provided by Tenants About Performers. When a Tenant registers a Performer on the Platform, the Tenant must provide the Performer's name, stage name, biography, profile photo, and age verification records. The Tenant warrants that it has obtained all necessary consents from the Performer for the collection, use, and disclosure of such Personal Data to the Company.

3.4 Payment Card Information. All payment card information is processed directly by our third-party payment processor, Stripe, Inc., and is not stored on the Company's servers. Stripe's privacy practices are governed by its own privacy policy, which we encourage you to review.

We collect Personal Data through the following means:

(a) Directly from you: When you register an Account, update your profile, make a transaction, contact support, or communicate with us.

(b) Automatically through your use of the Platform: When you access the Platform, we collect Technical Data and Usage Data through cookies, web beacons, and similar tracking technologies.

(c) From Tenants (for Performers): When a Tenant registers you as a Performer, the Tenant provides your Personal Data to us for the purpose of enabling you to use the Platform.

(d) From third parties: We may receive Personal Data from our payment processor (Stripe), analytics providers (e.g., Google Analytics), and identity verification services used by Tenants.

We collect and use your Personal Data for the following purposes (PDPO DPP1 and PDPA Section 19):

(a) Provision of Services: To create and manage your Account, enable livestreaming, process Tips and other Monetary Transactions, facilitate payouts, and provide customer support.

(b) Age Verification (Performers): To enable Tenants to verify the age and identity of Performers as required by Thai law.

(c) Compliance with Legal Obligations: To comply with applicable laws, including the Computer Crime Act B.E. 2550 (2007) of Thailand, the PDPO, the PDPA, and the National Security Law of Hong Kong.

(d) Enforcement of Terms & Conditions: To enforce our Terms & Conditions, including the detection and prevention of Prohibited Content and fraudulent or illegal activities.

(e) Platform Improvement and Analytics: To analyse usage patterns, improve Platform performance and user experience, and develop new features.

(f) Communication: To send you service announcements, technical notices, updates, security alerts, and support messages.

(g) Direct Marketing: To send you promotional materials about our products and services, only where we have obtained your prior consent as required under Part 6A of the PDPO (for Hong Kong users) and under Section 24 of the PDPA (for Thai users). You may opt out of direct marketing at any time by clicking the unsubscribe link in any marketing email or by contacting us at privacy@barstreamhub.com.

Under the PDPA, we process Personal Data on the following legal bases: • Creating and managing your Account — Contract necessity (Section 24(1)(c)) • Processing Tips and payouts — Contract necessity (Section 24(1)(c)) • Age verification (Performers) — Legal obligation (Section 24(1)(g)) / Consent • Compliance with Thai and Hong Kong laws — Legal obligation (Section 24(1)(g)) • Platform improvement and analytics — Legitimate interests (Section 24(1)(f)) • Direct marketing — Consent (Section 24) • Fraud detection and security monitoring — Legitimate interests (Section 24(1)(f))

Where we rely on consent as the legal basis for processing, you have the right to withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.

Where we rely on legitimate interests, we have balanced our interests against your fundamental rights and freedoms to ensure that the processing is not unwarranted.

7.1 Payment Processors. We disclose Transaction Data to Stripe, Inc. for the purpose of processing payments, facilitating payouts, and handling refunds. Stripe is a PCI-DSS Level 1 certified payment processor. Your payment information is subject to Stripe's privacy policy and security measures.

7.2 Tenants (for Performers). We disclose Performer Personal Data (name, stage name, biography, profile photo, stream data, tip history) to the Tenant that registered the Performer, as necessary for the Tenant to manage its venue and make payouts.

7.3 Tenants' Performers (for Viewers). If you are a Viewer who has tipped or messaged a Performer, we may disclose your username and the content of your message to that Performer. We do not disclose your real name, email address, or other contact information unless you choose to include it in your message.

7.4 Service Providers. We engage third-party service providers to perform functions on our behalf, including: • Cloud hosting providers (e.g., AWS, DigitalOcean) • Real-time communication providers (e.g., Ant Media Server) • Customer support software providers • Analytics providers (e.g., Google Analytics) • Email providers (e.g., Mailgun)

These service providers may have access to your Personal Data only to perform their functions and are contractually obligated to maintain the confidentiality and security of such data.

7.5 Law Enforcement and Regulatory Authorities. We may disclose Personal Data to law enforcement, regulatory authorities, or other government agencies if required by law, court order, or lawful request from the Ministry of Digital Economy and Society (MDES) of Thailand under the Computer Crime Act B.E. 2550 (2007), the National Security Law of Hong Kong, the PDPO, the PDPA, or other applicable legal requirements.

7.6 Corporate Transactions. In the event of a merger, acquisition, restructuring, or sale of all or substantially all of our assets, your Personal Data may be transferred to the successor entity. We will notify you of any such transfer via email or a prominent notice on the Platform.

7.7 Cross-border Transfer Disclosure. When we transfer Personal Data to recipients outside Hong Kong, we comply with DPP1 by informing you of the possibility of such transfer. We ensure that any cross-border transfer is made only to jurisdictions with adequate data protection laws or under contractual arrangements that provide comparable protection to the PDPO.

We currently transfer Personal Data to cloud hosting providers located outside Thailand (including in Singapore, Japan, and the United States). For Thai data subjects, we rely on explicit consent as the legal basis for such transfers, or where appropriate, we implement SCCs that meet Thai standards.

We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law (PDPO Section 26 / DPP2; PDPA Section 57).

• Viewers' account data — Duration of account + 36 months
• Performers' verification records (collected by Tenants) — Duration of performer relationship + 24 months
• Payment transaction data — 7 years (Tax and financial audit)
• Stream logs and metadata — 12 months
• Chat message content — 6 months
• Age verification documents (collected by Tenants) — Duration of performer relationship + 24 months
• Direct marketing consent records — Duration of consent + 5 years

We will respond to deletion requests immediately and within 60 days of receiving the request. If we cannot fulfil the request immediately, we will take interim measures to restrict access and protect the data from unauthorised use or disclosure.

We implement and maintain appropriate technical and organizational security measures to protect Personal Data against unauthorised or accidental access, processing, erasure, loss, or use, as required under PDPO DPP4 and PDPA Section 37. Our security measures include:

(a) Encryption: Personal Data is encrypted in transit using TLS 1.2 or higher, and at rest using AES-256 encryption.

(b) Access Controls: Access to Personal Data is restricted to authorised personnel on a need-to-know basis, with multi-factor authentication required for administrative access.

(c) Regular Security Assessments: We conduct regular vulnerability assessments, penetration testing, and security audits.

(d) Incident Response Plan: We maintain a data breach incident response plan that includes procedures for containment, investigation, notification, and remediation.

(e) Staff Training: All personnel receive regular training on data protection obligations under the PDPO and PDPA.

Under PDPA Section 37(1), failure to implement adequate security measures may result in administrative fines of up to THB 5 million. If the breach involves Sensitive Personal Data and is for commercial gain, criminal penalties may include imprisonment for up to one year.

10.2 Thailand PDPA (Section 37(4)). Under Section 37(4) of the PDPA, we must notify the Personal Data Protection Committee (PDPC) of a personal data breach without undue delay and, when feasible, within 72 hours of becoming aware of the breach if it is likely to result in risks to the rights and freedoms of data subjects. We will:

(a) Notify the PDPC within 72 hours of becoming aware of a qualifying breach. The 72-hour clock starts when we reasonably believe a breach has occurred based on a preliminary assessment.

(b) Notify affected data subjects where the breach is likely to result in a high risk to their rights and freedoms, providing a description of the breach, the categories of data involved, mitigation measures, and contact information for our DPO.

(c) Document all breaches, including the nature of the breach, the categories and volume of Personal Data affected, the potential impact, and the remedial actions taken.

(d) Where a breach is assessed as posing no risk to data subjects' rights and freedoms (e.g., minor administrative errors that do not expose sensitive information), we are not required to notify the PDPC but must document the breach and retain our risk assessment.

Failure to notify the PDPC within the required timeframe may result in an administrative fine of up to THB 3 million.

11.1 Rights under the Hong Kong PDPO:

(a) Right of Access (Sections 18 and 22): You have the right to request access to your Personal Data held by us. We will comply with a data access request within 40 days of receipt.

(b) Right of Correction (Section 23): You have the right to request correction of your Personal Data where it is inaccurate. A data correction request must be preceded by a data access request.

(c) Right to withdraw consent for direct marketing (Part 6A): If we process your Personal Data for direct marketing purposes, you have the right to withdraw your consent at any time.

11.2 Rights under the Thailand PDPA: • Right to be informed (Section 23) — At or before the time of collection • Right of access (Section 30) — Response within 30 days • Right to data portability (Section 31) — Response within 30 days • Right to object (Section 32) — Response within 30 days • Right to erasure / deletion (Section 33) — Immediately, and within 60 days • Right to restrict processing (Section 34) — Response within 30 days • Right to withdraw consent (Section 19) — Immediately • Right to lodge a complaint (Section 73) — Contact the PDPC

We may request additional information to verify your identity before processing your request. Where permitted by law, we may charge a reasonable fee (not exceeding the direct cost of compliance) for processing a data access request.

If you are a Performer, your primary relationship is with the Tenant that registered you. For certain rights (e.g., correction of your stage name or biography), you should first contact the Tenant, as the Tenant is the Data Controller for that data.

If you have consented to direct marketing, you may opt out at any time by clicking the unsubscribe link in any marketing email or by contacting us at privacy@barstreamhub.com.

12.2 Thailand PDPA. Under the PDPA, processing of Personal Data for direct marketing purposes constitutes a distinct processing activity. Data subjects have the right to object to the processing of their Personal Data for direct marketing purposes at any time. We will provide a clear and visible opt-out mechanism in all direct marketing communications.

We use cookies and similar tracking technologies to collect Technical Data and Usage Data. Cookies are small text files stored on your device when you visit our Platform.

Types of cookies we use: • Essential cookies — Necessary for the operation of the Platform (e.g., authentication, session management). Duration: Session / Persistent • Analytics cookies — Collect information about how you use the Platform (e.g., Google Analytics). Duration: Persistent (up to 2 years) • Preference cookies — Remember your preferences (e.g., language, theme). Duration: Persistent • Marketing cookies — Track your browsing behaviour to deliver targeted advertisements. Duration: Persistent

Managing cookies: Most web browsers allow you to control cookies through their settings. You may refuse the use of cookies by selecting the appropriate settings on your browser. However, if you disable essential cookies, some parts of the Platform may not function properly.

Lawful basis for cookies (PDPA): For non-essential cookies that collect Personal Data, we rely on your consent, which we obtain through our cookie consent banner when you first visit the Platform.

Our Platform is not intended for individuals under the age of 18 for Viewers, or under the age of 20 for Performers (as required under Thai law). We do not knowingly collect Personal Data from individuals under these age thresholds. If you are a parent or guardian and believe that your child has provided us with Personal Data without your consent, please contact us at privacy@barstreamhub.com, and we will take steps to delete such Personal Data.

The Platform may contain links to third-party websites, applications, or services (e.g., Stripe, YouTube, Facebook). This Policy does not apply to those third parties. We are not responsible for the privacy practices or content of any third-party websites or services. We encourage you to review the privacy policies of any third-party websites or services you access.

We will conduct DPIAs for any new processing activities that pose a high risk to data subjects and will update our DPIA regularly to reflect changes in our processing activities or applicable law. A summary of our DPIA is available upon request to our DPO.

We encourage you to review this Policy periodically to stay informed about how we are protecting your Personal Data.

(a) Direct Marketing Opt-Out: If you have consented to receive direct marketing communications, you may opt out at any time by clicking the unsubscribe link in any marketing email or by contacting us at privacy@barstreamhub.com.

(b) Cookies: You may manage cookies through your browser settings. Instructions for managing cookies can be found in the settings for Google Chrome, Mozilla Firefox, Apple Safari, and Microsoft Edge.

(c) Disabling Location Services: Our Platform does not collect precise geolocation data without your permission. You may disable location sharing through your device settings.

(d) Account Deletion: You may request deletion of your Account at any time by contacting support@barstreamhub.com. Upon deletion, your Personal Data will be retained as set out in Section 8 (Data Retention) above.

19.1 Hong Kong. If you believe that we have violated your data protection rights under the PDPO, you have the right to lodge a complaint with the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD): • Address: Room 1303, 13/F, Dah Sing Financial Centre, 248 Queen's Road East, Wan Chai, Hong Kong • Email: enquiry@pcpd.org.hk • Website: www.pcpd.org.hk

We ask that you first attempt to resolve any complaint with our DPO by contacting us at privacy@barstreamhub.com before lodging a complaint with the PCPD.

19.2 Thailand. If you believe that we have violated your data protection rights under the PDPA, you have the right to lodge a complaint with the Personal Data Protection Committee (PDPC): • Address: Office of the Personal Data Protection Committee, 120, 7th Floor, 18-Year Building, Government Complex, Chaeng Watthana Road, Thung Song Hong, Lak Si, Bangkok 10210, Thailand • Website: www.pdpc.or.th • Complaint Procedure: You may file a complaint under Section 73 of the PDPA in person, by registered mail, or through the PDPC's online complaint system.

We ask that you first attempt to resolve any complaint with our DPO by contacting us at privacy@barstreamhub.com before lodging a complaint with the PDPC.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data protection practices, please contact us at:

Meridian Global Holdings Limited Unit 1603, 16th Floor, The L. Plaza 367–375 Queen's Road Central Sheung Wan, Hong Kong

• General Privacy Inquiries: privacy@barstreamhub.com
• Data Protection Officer (DPO): dpo@barstreamhub.com
• Data Access / Correction Requests: datarequest@barstreamhub.com
• Data Breach Reporting: breach@barstreamhub.com
• Thai-language support: privacy-th@barstreamhub.com (response within 5 business days)