GDPR Policy

The purpose of the General Data Protection Regulation ("GDPR") is to protect all European Union ("EU") citizens from privacy and data breaches by allowing citizens to maintain control of the personal data kept and processed by organizations, which includes Too Lost LLC ("Too Lost", "us", "we", or "our"). The GDPR also protects the personal data of individuals, regardless of citizenry, in the EU.

Too Lost is committed to safeguarding the privacy of personal data. Furthermore, Too Lost is committed to protecting your privacy online. We are also committed to providing you with the very best experience we can on our website at toolost.com and our other web-based services and other web pages provided by Too Lost (collectively, the "Services"). This Policy also describes how we use personal data, the purpose for sharing and recipients of personal data and your rights and choices associated with that data. By using Too Lost, you are consenting to the practices described in this Privacy Notice.

Use of Information

Our primary goal in collecting personal information is to provide you, the user, with a customized experience on our website. We use the collected data for various purposes including:

• To provide and maintain our Sites and Services, including to take steps to enter into a contract for sale or services, bill you for services and process payments and fulfill transactions
• To enable and allow you to participate in interactive features of our Sites and Services and provide you with a personalized service, content and ads
• To create custom audiences on social media sites
• To provide you with better products and services and improve and grow our business, including to perform research and development, understand our customer base and purchasing trends and understand the effectiveness of our marketing
• To operate and maintain safe, secure and reliable Sites and Services
• To provide customer support, including to contact you in response to an inquiry that you sent, and send administrative messages, technical notices, updates, alerts and other information
• To provide you with news, special offers and general information about other goods, services and events which we offer that are similar to those that you have already purchased or enquired about unless you have opted not to receive such information
• To perform accounting, audits and other internal functions
• To comply with a request or order from courts, law enforcement or other government authorities

Too Lost may also use personal information for other business purposes, including the following: (i) perform accounting, audits and other internal functions; (ii) compliance with our legal obligations or to assert or defend a legal claim; (iii) general business administration; (iv) processing employment applications; and (v) systems and data security.

In addition, if we feel that a user abuses the toolost.com site in any way, we reserve the right to use and share certain information with third parties. Abuses include (but are not limited to) possible copyright infringement, possible libel and slander, and possible fraudulent or illegal activity, and other fraudulent behavior outlined in our Anti-Fraud Policy.

Third Party Use of Sensitive Information

We may disclose your Sensitive Information and other Information as follows:

• Consent: We may disclose Information if we have your consent to do so.
• Business Partners: We may share some or all of the information collected in connection with such service, promotion or contest with the co-sponsor(s).
• Service Providers: We may employ third party companies and individuals to facilitate our Services ("Service Providers"), to provide the Services on our behalf, to perform Service-related services or to assist us in analyzing how our Services are used.
• Social Media: We may share your Information if you share our content through social media, for example by liking us on Facebook, following or tweeting about us on Twitter, or giving us a '+1' via Google Plus, those social networks will record that you have done so and may set a cookie for this purpose.
• Third Party Platform Advertising: We may share your information with third party platform providers who assist us in serving advertising regarding the Services to others who may be interested in the Services.
• Facebook Conversion Tracking Pixel: Our website utilizes the Conversion Tracking Pixel service of Facebook. This tool allows us to follow the actions of users after they are redirected to a provider's website by clicking on a Facebook advertisement. We are thus able to record the efficiency of Facebook advertisements for statistical and market research purposes. The collected data remain anonymous and we cannot see the personal data of any individual user, however the collected data is saved and processed by Facebook. Facebook is able to connect this data with your Facebook account and the data is used for their own advertising purposes in accordance with their policy.
• Combined and Aggregated Data: We may analyze aggregated, de-identified data and share these analytics, including to marketing agencies, media agencies and analytics providers. We may also combine information from the Services with other information we obtain. Additionally, information collected about you from a particular browser or device may be linked to information collected from another computer or device that may relate to you.
• Google Analytics: We may use third-party Service Providers to monitor and analyze the use of our Services: Google Analytics is a web analytics service offered by Google that tracks and reports website traffic. Google uses the data collected to track and monitor the use of our Services. This data is shared with other Google services. Google may use the collected data to contextualize and personalize the ads of its own advertising network. For more information on the privacy practices of Google, please visit the Google Privacy Terms web page.
• Business Transactions: Under certain circumstances, Too Lost LLC may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
• Disclosure for Law Enforcement: Under certain circumstances, Too Lost LLC may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
• Legal Requirements: Too Lost LLC may disclose your Personal Data in the good faith belief that such action is necessary to: To comply with a legal obligation; To protect and defend the rights or property of Too Lost; To prevent or investigate possible wrongdoing in connection with the Services; To protect the personal safety of users of the Services or the public; To protect against legal liability.

Cookies and Other Technology

Too Lost LLC use of cookies and other data can be found in the Too Lost Privacy Policy and Cookie Policy.

Data Protection

This Data Protection section applies to all users of any services owned or controlled by Too Lost LLC. Furthermore, this section extends to Service Providers, Contractors, Affiliates, Vendors, Agents, and Entities; their parent company and subsidiaries, or their respective employees, officers, directors, members, managers, shareholders, agents, vendors, licensors, licensees, contractors, customers, successors, and assigns (each referred to as "Parties" in the following paragraph).

By executing any Agreement with Too Lost LLC, which uses any personal information, Parties agree to abide by the following paragraph. Violation of this section is cause for termination of Service or rights granted by Too Lost LLC. Moreover, if an agreement has been executed between Too Lost LLC and a Party, violation of this section is considered a material breach.

Each party shall, at its own expense, ensure that it complies with and assists Too Lost LLC to comply with the requirements of all legislation and regulatory requirements in force from time to time relating to the use of personal data, including (without limitation) (i) any data protection legislation from time to time in force in the UK including the Data Protection Act 1998 or 2018 and any successor legislation (ii) for so long as and to the extent that the law of the EU has legal effect in the UK, the General Data Protection Regulation ((EU) 2016/679) ("GDPR") and any other directly applicable EU regulation relating to privacy; and (iii) and any applicable U.S Data Protection Laws, not limited to the California Consumer Privacy Act (CCPA). This clause is in addition to, and does not reduce, remove or replace, a party's obligations arising from such requirements. Parties confirm that they will not rent or sell customer lists, contact details or other data without the customers' express prior approval. Either party may treat a breach of this clause 15 as a reason for termination of this Agreement in accordance clause 11 of this Agreement. Furthermore, under Article 5 of GDPR both parties will comply with the following principles to ensure any personal data will be: a) Processed for limited purposes and not in any way incompatible with those purposes, b) Adequate, relevant and will not be excessive, c) Accurate Not kept for longer than necessary, d) Processed in accordance with the individual rights of any data subject, and e) Secure Not transferred to countries or other parties without adequate data protection.

Retention and Destruction of Your Information

Your information will be retained by Too Lost in accordance with applicable state and federal laws, and the applicable retention periods in the Privacy Policy. Your information will be destroyed upon your request unless applicable law requires destruction after the expiration of an applicable retention period. The manner of destruction shall be appropriate to preserve and ensure the confidentiality of your information given the level of sensitivity, value and criticality to Too Lost.

Your Rights

You have the right to request access to, a copy of, rectification, restriction in the use of, or erasure of your information in accordance with all applicable laws. The erasure of your information shall be subject to applicable state and federal laws, and the applicable retention periods in the Too Lost Privacy Policy. If you have provided consent to the use of your information, you have the right to withdraw consent without affecting the lawfulness of Too Lost LLC use of the information prior to receipt of your request. Information created in the European Union will be transferred out of the European Union to Too Lost. If you feel Too Lost has not complied with applicable foreign laws regulating such information, you have the right to file a complaint with the appropriate supervisory authority in the European Union.

Updates to This Policy

We may update or change this policy at any time. Your continued use of the Too Lost website and third party applications after any such change indicates your acceptance of these changes.

Contact Us

If you have any questions about this GDPR Policy or wish to exercise one of your Data Subject rights, please contact us:

By emailing us: [email protected]

Or by mailing us a written notice to:

Too Lost LLC
915 Broadway
Suite 802
New York, New York 10010
USA

---

GDPR Privacy Notice Addendum

Effective Date: Jan 1, 2026

This GDPR Privacy Notice Addendum (the "Addendum") supplements the Too Lost LLC Privacy Policy and the GDPR/Data Protection Policy and applies to individuals located in the European Union and the United Kingdom ("EU/UK Data Subjects"). This Addendum is intended to satisfy the transparency and disclosure requirements set forth in Articles 12 through 14 of the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR") and the UK GDPR. In the event of any conflict, this Addendum controls solely for GDPR compliance purposes.

Data Controller

For purposes of the GDPR, the data controller is:

Too Lost LLC
915 Broadway, Suite 802
New York, NY 10010
United States
Email: [email protected]

Too Lost has not currently appointed a Data Protection Officer. Should a Data Protection Officer be required under applicable law, this Addendum will be updated accordingly.

Personal Data Processed

Too Lost processes personal data as described in the Privacy Policy and GDPR/Data Protection Policy, including but not limited to identifiers, account credentials, transaction and billing information, device and usage data, communications with Too Lost, marketing and analytics data, and any other personal data voluntarily provided or generated through use of the Services.

Purposes of Processing and Legal Bases

Personal data is processed for the following purposes and pursuant to the following lawful bases under Article 6 GDPR:

• Provision and operation of the Services; account creation and administration (contract necessity)
• Billing, payments, and transaction processing (contract necessity and legal obligation)
• Customer support and communications (contract necessity and legitimate interests)
• Security, fraud prevention, and abuse detection (legitimate interests)
• Analytics, service improvement, and internal research (legitimate interests)
• Marketing communications where permitted (legitimate interests or consent)
• Legal compliance and enforcement of rights (legal obligation and legitimate interests)

Where processing is based on consent, consent may be withdrawn at any time without affecting the lawfulness of processing prior to withdrawal.

Legitimate Interests

Where processing is based on legitimate interests, such interests include operating and improving the Services, ensuring platform security, preventing fraud, communicating with users regarding the Services, and promoting and growing the business in a proportionate manner.

Whether Provision of Data Is Required

Certain personal data is required in order to create and maintain an account, perform contractual obligations, process payments, and comply with legal requirements. Failure to provide required personal data may prevent Too Lost from providing some or all of the Services.

Recipients of Personal Data

Personal data may be disclosed to service providers and processors acting on our behalf, analytics and advertising partners where permitted, payment processors, legal authorities or third parties as required by law, and professional advisors and auditors. Processors are subject to contractual obligations consistent with GDPR requirements.

International Data Transfers

Personal data may be transferred from the EU or UK to the United States or other jurisdictions outside the EU/UK. Where required, such transfers are conducted using appropriate safeguards, including Standard Contractual Clauses approved by the European Commission and/or the UK International Data Transfer Addendum or IDTA. Additional information regarding these safeguards may be requested by contacting [email protected].

Data Retention

Personal data is retained only for as long as necessary to fulfill the purposes for which it was collected, including the duration of the contractual relationship, compliance with legal and regulatory obligations, and the resolution of disputes. When personal data is no longer required, it is securely deleted or anonymized.

Automated Decision-Making and Profiling

Too Lost does not engage in automated decision-making, including profiling, that produces legal or similarly significant effects on EU or UK data subjects within the meaning of Article 22 GDPR.

Your GDPR Rights

EU/UK Data Subjects have the right to request access to personal data, rectification of inaccurate data, erasure of personal data subject to legal exceptions, restriction of processing, objection to processing based on legitimate interests, data portability where applicable, and withdrawal of consent where processing is based on consent. Requests may be submitted by contacting [email protected].

Supervisory Authority

EU/UK Data Subjects have the right to lodge a complaint with a supervisory authority in their country of residence, place of work, or where an alleged infringement occurred.

Updates to This Addendum

Too Lost may update this Addendum from time to time to reflect changes in applicable law or data processing practices. Material changes will be communicated in accordance with applicable legal requirements.