Effective date: 25 May 2018

This Privacy Policy applies to all the entities within the Zone Group, including P & C Micros Pty. Ltd. and Zone Laser Tag Europe B.V., as well as the websites, portals, systems, and services provided by the Zone Group, including, inter alia, Zone Membership.

In this document, we are collectively referred to as "Zone" (or "us", "we", "our", or "P&C").

We respect your privacy and understand that your privacy and personal data is important to you.

This Privacy Policy explains how we collect, store, use, and disclose your Personal Data.

If you have any questions regarding this Policy, you should contact the Zone Privacy Officer (see 'Contact us' below).

While different jurisdictions have different privacy laws and standards, our global privacy and data protection arrangements are based on compliance with:

• European Union ('EU') General Data Protection Regulation ('GDPR'); and
• Australian Privacy Principles and the Privacy Act 1988 (Australian Cth.).

Collectively, we consider the above legislation to be "Privacy Legislation".

For simplicity, the language in this Privacy Policy mirrors GDPR terminology.

First, let's define some key terms to help us explain how we manage your privacy and data…

"Controller": the natural person or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes of and means for the Processing of Personal data as referred to in article 4 section 7 GDPR.

"Data Subject": the natural person to whom the Personal Data relates, as referred to in article 4 section 1 GDPR.

"Personal Data": any information relating to an identified or identifiable natural person (‘Data Subject’) that is processed in the context of the Main Agreement as referred to in article 4 section 1 GDPR; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

"Personal Data Breach": a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed as referred to in article 4 section 12 GDPR.

"Processing": any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction as referred to in article 4 section 2 GDPR.

"Processor": a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of a Controller as referred to in article 4 section 8 GDPR.

We will only collect Personal Data about you if you provide it to us knowingly or otherwise in accordance with this Privacy Policy and/or the Zone Membership Terms of Use. Generally, you control the amount and type of information that you provide to us.

We will never collect more Personal Data than the minimum we need in order to conduct core business operations.

We collect your Personal Data to allow us to conduct our business functions and to market and sell our products and services, as well as the specific purposes set out in the section entitled "Using your Personal Data" below.

Be aware that if you do not provide certain Personal Data, we may not be able to process your application or provide certain services to you (for example you cannot register with Zone Membership without a validated email address).

When you register with us, re-register with us, amend your existing membership details, acquire services, visit our website(s) (see below), visit affiliated entertainment sites worldwide, request information about us or our products, or otherwise contact us (via our website(s) or otherwise), we may collect Personal Data about you including (but not limited to) your full name, email address, telephone number, country of residence, and date of birth.

We may keep a record of visits to our website, using "cookies" and "log files" to store your preferences, record session information and collect information on how you visit and access our web pages. This information is collected automatically whenever you use the website. A cookie is a small amount of data (which may include information about a user's identity, browser type or website visiting patterns) that is sent to your Internet web browser from our web server and stored on your computer. If you do not wish to receive cookies, you can set your browser so that your computer does not accept them. If you disable the use of cookies on your web browser or remove or reject specific cookies from our website or linked sites then you may not be able to gain access to all of the content and facilities in those websites.

We may also log IP addresses (i.e. the electronic addresses of computers connected to the internet) to analyse trends, administer the website, track users' movements on the website, and gather broad demographic information for aggregate use for advertising and business purposes.

We may also collect information on our websites that cannot be used by itself to identify you personally. In certain cases, especially when combined with other data, this information can nonetheless be considered Personal Data as defined in the GDPR. We may also collect information on our websites that does not allow us to identify you, either directly or indirectly; this includes, for example, aggregated information about all users of this website.

Our websites may contain links to other sites. We are not responsible for the privacy policies of such sites. We recommend that you examine the privacy policy for all third-party websites you visit, or third-party affiliated entertainment sites worldwide, to understand their procedures for collecting, using, and disclosing Personal Data.

In compliance with data protection regulations, we process your Personal Data only if permitted by law or if you have given explicit consent. This also applies to our processing of Personal Data for advertising and marketing purposes.

We use your Personal Data to:

• enable us to provide our products and services to you (e.g. laser tag operators),
• enable your membership and use of the Zone Membership system (accessible via https://www.mygameinfo.com),
• assist you by providing you with information and support, and managing and administering your Zone Membership account,
• allow an affiliated laser tag business to access your Personal Data, only where

  a) you have registered your membership account with that business, or

  b) physically logged-in to the Zone Membership system at that business,

• administer our websites, the Zone Membership system, and any related back-office systems,
• conduct research for the purposes of improving existing products or services or creating new products or services,
• comply with legal and regulatory obligations,
• for other purposes required or authorised by law, including other purposes for which you have provided your express consent,
• allow us to provide advertising material to you regarding us, our related entities, and our business partners.

You consent to us using your Personal Data in the above ways.

We may not collect or use your Personal Data for purposes not listed above. If we do, we will advise you at the time and delete that information permanently.

We will not use Personal Data in a manner inconsistent with Privacy Legislation.

1. Within the Zone Group of companies

We will keep your Personal Data strictly confidential, and it will only be shared with our related bodies for the purpose of running, managing, administering, improving, and upgrading both the Zone Membership system and our services generally.

Within the Zone Group we ensure that Personal Data is strictly ‘compartmentalised’, and is only shared between entities, teams, systems, and services where there is a legitimate need consistent with the data and the consent provided for its use and disclosure.

2. Sites running Zone Membership

If you are registered with Zone Membership, 'affiliated' laser tag or entertainment venues (with whom you have "logged on" to the Zone Membership system) may also be able to see your some of your Personal Data.

Note that unless you have physically logged-in to the Zone Membership system at a particular venue then they will not be able to access any of your Personal Data.

Our obligations to Zone Membership members extend to all venues running Zone Membership, even where those sites are not part of the Zone Group. For this reason, all Zone Membership venues must have a ‘Data Processing Agreement’ in place to ensure that our obligations to you are upheld at the ‘local’ venue level.

Additionally, venues that have access to your Personal Data are themselves bound by relevant legislation, privacy principles, and regulations within their individual jurisdictions.

3. Third-parties

We will not provide your Personal Data to any third-party unless we absolutely have to, and we have a practical and legal basis to do so.

We may provide your Personal Data on a confidential basis to third parties on an "as needed" basis, in the course of delivering products and services to you and to achieve the purposes specified in "Using your Personal Data".

These parties may include:

• our third parties that provide products and services to us or through us,
• other third parties such as regulatory or government authorities,
• any authorised representatives on your account (for example a parent or guardian where you are a minor), and
• representatives, agents or contractors who are appointed by us in the ordinary operation, administration or promotion of our business (such as for data storage or processing, printing, mailing, marketing, planning and product or service development).

We may also disclose your Personal Data to our website host(s) or information technology service providers in certain limited circumstances, for example when our website experiences a technical problem or

to ensure that it operates in an effective and secure manner.

• We'll only disclose your Personal Data to third-parties:
• for the purposes set out in this Privacy Policy or any other agreement you enter into with us,
• in circumstances permitted by Privacy Legislation,
• if we are otherwise required or authorised by law,
• if the disclosure is made with your express consent.

Notwithstanding the above, it is our firm commitment that your Personal Data will be kept, to the maximum extent reasonably possible, strictly confidential.

Some of your Personal Data may be processed or stored overseas by us or by our third-party service providers acting on our behalf.

In particular, as at the date of this Policy, your Personal Data may be stored on Amazon Web Services ('AWS') servers in the USA or other countries from time to time, at Amazon's discretion.

P&C, as the operator of Zone Membership (and therefore the Controller of Zone Membership data under the GDPR) is based in Australia. P&C uses AWS as the primary Processor of data, and has a 'Data Processing Addendum' in place with AWS in compliance with our GDPR obligations to ensure the safety and security of your Personal Data.

We note both that our internal data storage arrangements with Amazon include rigorous privacy and confidentiality provisions, and that Amazing also has its own Privacy Policy and stringent legislative and regulatory privacy and confidentiality requirements.

You consent to us using your Personal Data from time to time to send you information regarding special offers or promotions about us or our products and services, as well as the products and services of our related entities and our business partners.

You also consent to us sending you such information by means of direct mail, telemarketing, email, and SMS messages.

We will only do this if we believe this will be of interest to you.

If you do not want us to send you any of this material or if you want to stop receiving direct marketing, you can let us know by using the 'Contact us' information specified below.

Additionally, wherever possible, any contact from us will come with an "opt out" or "unsubscribe" option.

We will take all reasonable steps to preserve the security and confidentiality of your Personal Data and other information or data collected by us or on our behalf.

This includes technological, organisational, and contractual steps designed to maximise security and minimise risk.

In the event of a Personal Data Breach we will notify you by email or telephone as soon as possible (and within the notification requirements required by legislation, inc. the GDPR).

You are entitled to access all the Personal Data that we hold on you.

If you request access to your Personal Data, we will give you full access as quickly as we can.

If you believe that some or all of the Personal Data we hold about you is incorrect, incomplete or inaccurate, then you may request amendment of it, and we will process that as quickly as we can.

Note that Personal Data held as part of the Zone Membership system can be accessed, managed, updated, and deleted online and in real-time via the Zone Membership portal (www.mygameinfo.com).

In principle, we store your Personal Data as long as we have a legitimate interest in its storage, and we do not consider our importance to outweigh your interests in the non-continuation of the storage.

Even without a legitimate interest, we can continue to store the data if we are legally obligated to do so (for example, to fulfil record-keeping obligations).

We also delete your Personal Data without your involvement as soon as its retention is no longer necessary to fulfil the purpose for which it was processed, or in cases where storing your data is otherwise legally inadmissible.

Any Personal Data we need to keep in order to fulfil our retention obligations will be kept until the end of the respective retention obligation.

Any Personal Data kept solely for the purpose of fulfilling retention requirements are generally blocked so that they can only be accessed if necessary with respect to the purpose of the retention obligation.

In relation to Zone Membership, all data associated with a member account will be deleted fully and permanently upon deletion of the member account (whether by you or us or automatically following an extended period of non-use).

You have the right to object

You have the right, at any time, to object to our processing of your Personal Data.

In the event of your objection, we will no longer process the Personal Data concerning you, unless we can demonstrate compelling legitimate grounds for processing that outweigh your interests, rights, and freedoms, or if the processing is for the purpose of asserting, exercising, or defending legal claims.

If we process Personal Data relating to you for the purpose of direct marketing, you have the right to object at any time. If you object to the processing for purposes of direct marketing, the personal data related to you will no longer be processed for these purposes.

Revocation of consent

If you have given us consent (for example, in connection with information by email), you may revoke such consent at any time with future effect.

In marketing communications, we always provide a link to “opt-out” or “unsubscribe”.

Further rights

As the Data Subject, you have the right:

• to information about what personal data has been collected and saved,
• to correction of incorrect or incomplete data,
• to the deletion of Personal Data,
• to the restriction of processing, and
• to data portability.

To exercise these rights, you may contact us at any time (see 'Contact us' at the end of this Privacy Policy).

We reserve the right to modify this Privacy Policy from time to time.

We may change this Privacy Policy by posting an updated version to the websites and portals managed by the Zone Group (including www.playzonelaser.com, www.live.playzonelaser.com, and www.mygameinfo.com, and Member Kiosks at venues running Zone Membership).

If you would like to access the Personal Data that we hold about you, have a query or complaint, or would like further information about this Privacy Policy, you can contact us by emailing membership@lasertag.com.

We will investigate your queries and complaints as quickly as possible and within a reasonable period of time and will notify you of the outcome of our investigation.