Introductions This Privacy Policy has been updated on September 24 , 2025 MATRYOSHKA GAMES PRIVACY POLICY WE RESPECT YOUR PRIVACY If you have any privacy related concerns, please contact us at: support@matryoshka.com MATRYOSHKA GAMES LTD is a company registered in Cyprus, with registration number HE 408160 and address at this date at GRIVA DIGENI 4, OROKLINI SHOPPING CENTER, OFFICE 104, 7040, LARNACA, Cyprus (‘’MATRYOSHKA’’, ‘’We’’ “Us”), who offers entertaining mobile applications (“App(s)’’). This privacy statement describes how MATRYOSHKA GAMES collects and uses the information and/or data (the terms are used interchangeably) you provide. It also describes the choices available to you regarding our use of your information and how you can access the information. We respect your privacy and we take protecting it seriously. Reading Privacy Policy is important so we hope you will give it time and attention. This Policy applies to the following people: visitors to the websites ( “Visitor”, “you”, "your", "yours") (including those submitting a job application). people who use the Games (For the purposes of this policy, we define the term “User ”, “you”, "your", "yours" as a person which has concluded the installation of any App(s) provided by MATRYOSHKA GAMES). people who make complaints to us by email. In this Policy we refer to the Sites, the App(s) and the Ancillary Services together as the Services ”. MATRYOSHKA GAMES do not sell your personal information to third parties. A “sale” of Personal Information under the CCPA is defined broadly to include the “selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means” the Personal Information of a Consumer to another business or third party “for monetary or other valuable consideration.” If we decide to sell our App(s) (our business), we will inform you about this, so you can forbid us to transfer your personal data together with our business. If so, we will delete your data from the databases prior to a business transfer. We adhere to the following principles in order to protect your privacy: principle of purposefulness - we process personal data fairly and in a transparent manner only for the achievement of determined and lawful objectives, and they shall not be processed in a manner not conforming to the objectives of data processing; principle of minimalism - we collect personal data only to the extent necessary for the achievement of determined purposes and do not keep personal data if it is no longer needed; principle of restricted use - we use personal data for other purposes only with the 1
consent of the data subject or with the permission of a competent authority; principle of data quality - we update personal data shall be up-to-date, complete and necessary for the achievement of the purpose of data processing; principle of security - security measures shall be applied in order to protect personal data from unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical and organisational measures; principle of individual participation - the persons shall be notified of data collected concerning him or her, the persons shall be granted access to the data concerning him or her and the persons have the right to demand the correction of inaccurate or misleading data. 1. DEFINITIONS Analytical data means any data that is derived from the data mentioned herein that is used for internal analytics purposes via Our analytic system (e.g., for statistics analysis, marketing, enhancing the in-game experience, enhancing the Games, the Services, etc.). Analytical data may as well include the following data: separate ID of the User in Analytical data, User ID in BrainCloud service by bitHeads Inc., Apps language, Paying information (whether the User spent any money while using the Apps), Platform information (where the Apps were installed), Store information (via which the Apps were installed), Session ID, Start version of the Apps, Version of the Apps, First Seen (time and date of the first launch of the Apps), Last Seen (time and date of the last in-App action of the User), Total Spent (the amount that was spent by the User within the Apps in USD), total amount of all Purchases made by the User, Client Event Time, Client Upload Time, Server Upload Time, Server Received Time. Analytical data is generated by Us. We securely store Analytical data for the above-mentioned internal purposes without sharing it with any third party. Device information means data about your device from which you use our Games and/or Sites that may include: your IP address and unique mobile device identification numbers (e.g., your device ID, advertising ID), device family, device type, RAM information, CPU information, Designated Market Area information, Operating system; Games means Our Apps including "Rescue Dash", "Tribe Dash", "Farming Fever", "Cooking Live", "Idle Mars Colony", "Mega Farm", "Royal Cooking" ; Location information means data about your location, namely broad location data (e.g. country, region or city-level location); Sites means Our websites, including https://matryoshka.com/ and any other MATRYOSHKA GAMES sites on which this Policy is posted; User information means data that we collect about you (such as your nickname, profile picture) that we receive if you link a third-party tool with the Service (for example, Facebook, Google Play), data about your age or other data provided by you regarding yourself. 2. PERSONAL DATA THAT WE COLLECT AND PROCESS We may source, use and otherwise process your personal data in different ways. In all cases we are committed to protecting your personal data. We may use the information collected from you for a variety of purposes, primarily, relating to providing our Services and information about our Services. We may also use the information for such other purposes as otherwise allowed by law. For example, we (or a supplier or our affiliate company acting on our behalf and only under our 2
instructions) may use your personal information, including personally identifiable information, for such purposes, including but not limited to the purpose examples listed below. 2.1. VISITORS TO THE SITES The Website is essentially a brochure for MATRYOSHKA/s business, its Apps and opportunities to work with and for MATRYOSHKA GAMES. The Website collects personal data from you for the following purposes and on the following legal bases: Categories of Personal Data Purpose examples Legal basis Email; Any other data that you submit in connection with a contact request T o collect this information because you choose whether to contact us or not and can choose how much personal data to provide to us in doing so Legitimate interest in provision with the most detailed information regarding Our business, Apps and opportunities to work with and for MATRYOSHKA GAMES Your data in CV; Any other data that you submit in connection with a job request To be able to receive your requests via the recruitment enquiries section and reply to them Legitimate interest in assessing you as a potential candidate Information about the candidate is stored indefinitely, until we receive a written notification with the requirement to delete the information; Source of the above-mentioned personal data: we collect it directly from you. 2.2. USERS We may collect the following categories of personal data relating to our Users for the purposes and on legal basis mentioned below: Categories of Personal Data Purpose examples Legal basis Data about your progress of the game, using connected your social networks, if you link a third-party tool with the Service (for example, Facebook, Google Play) To provide you with the access to the Apps; To track and analyze your in-game experience in order to improve Our Services and Games. Legitimate interest in statistics analysis of the use of our Apps and Services Data about in-app purchases that you make in any App(s) provided by MATRYOSHKA GAMES (details of orders, amount spent, date, time, used vouchers or offers) To track purchases and usage information; To prevent cheating, crime or fraud; To obtain statistical data. Legitimate interest in preventing fraud and other illegal actions , research and statistic analysis. Data from platforms that the games run on To verify payments; To prevent cheating, crime or fraud. Legitimate interest in preventing fraud and other illegal actions Device information To monitor the Services, 3
including the Website, App(s) and operation thereof; To prevent cheating, crime or fraud. Legitimate interest in preventing fraud and other illegal actions Location information For marketing and promotion of our Services or related products; To obtain statistical data. Legitimate interest in marketing and statistic analysis User information To provide the tech support; To obtain statistical data on the target audience App(s). Legitimate interest in provision of User support, research and statistic analysis. Other data that you choose to provide to us For analytics, tech support or other purposes depends on the provided data Consent Source of the above-mentioned personal data: we collect it directly from you and from Our partners; We also process Analytical data based on the combination of the collected data. Source of the Analytical data: it is generated by Us. 2.3. PEOPLE WHO CONTACT OR MAKE COMPLAINTS TO MATRYOSHKA GAMES BY EMAIL We may collect personal data from you for the following purposes and on the following legal bases: Categories of Personal Data Purpose examples Legal basis Email; Any other relevant data that you submit in connection with a complaint, including data of other individuals identified therein. To analyze and respond to your complaint Legitimate interest in processing a complaint We shall retain information in relation to a complaint for a maximum of six (6) years after its closure, in a secure environment and access to it will be restricted on a ‘need to know’ basis; The items of personal data collected are not of a nature whereby your rights and freedoms as a data subject are outweighed by such data collection; Source of the above-mentioned personal data: we collect it directly from you. 3. USE OF COLLECTED PERSONAL DATA Based on you consent and our legitimate interest to fulfill our obligation for providing you with Apps, replying to your requests, enhancing your experience and Our Services and Games, we may use any of the collected Personal data in order and in relation to: contacting you (for example as part of customer service or to send you updates about our Services) or receiving request from you (for example as part of Our User support); 4
managing your account and improving your experience when you use our Services; marketing and promotion of our Services or related products, including those of a third party’s products which are related to our Services (If you do not want us to use your data in this way, please let us know by contacting us at: support@matryoshka.com creating reports, analysis or similar services for use by us for the purposes of research or business intelligence, for example to track potential problems or trends with our Services; delivering relevant advertising to you and measuring and analyzing the effectiveness of advertising, including advertising of third parties placed within the Services; resolving disputes or issues; tracking purchases and usage information; enforcing the legal terms governing your use of our Services; and any other purpose as we determine, in our sole discretion, to be necessary or required to ensure the safety and/or integrity of our users, employees, third parties, public, and/or our Services, or to comply with requirements of any applicable law. 4. С OMPLIANCE WITH GENERAL DATA PROTECTION REGULATION (GDPR), CALIFORNIA CONSUMER PRIVACY ACT (CCPA) AND BRAZIL'S GENERAL DATA PROTECTION LAW (LGPD ( LEI GERAL DE PROTEÇÃO DE DADOS )) 4.1. If you are located in the European Economic Area (EEA) privacy rights are granted and all processing of Personal Data is performed in accordance with regulations and rules following the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, known as the General Data Protection Regulation (“GDPR”). 4.2. If you are located in California, all processing of Personal Data is performed in accordance with regulations and rules following the California Consumer Privacy Act , Cal. Civ. Code § 1798.100 et seq. (“CCPA”). 4.3. If you are located in Brazilia, all processing of Personal Data is performed in accordance with regulations and rules following the Lei Geral de Proteção de Dados (“LGPD”). 4.4. The Child Online Privacy and Protection Act (“COPPA”) regulates online collection of information from persons under the age of 13 (covered person). Covered persons are required to obtain parental consent before providing personal information via this App(s). If you are a parent of a COPPA covered person, you have the option to agree to the collection and use of your COPPA covered person’s information. You may revoke your consent, review your COPPA covered person’s personal information, ask to have it deleted, and/or refuse to allow any further collection or use of your COPPA covered person’s information at any time, contact us at support@matryoshka.com. 5
5. DATA ACCESS, DATA CORRECTION, DATA DELETION, DATA PORTABILITY AND WITHDRAWAL OF THE CONSENT 5.1. You can review, correct, update, delete or transfer their personally identifiable information. For that, contact us directly at support@matryoshka.com or via the "Support" button inside our games. We will acknowledge your request within seventy-two (72) hours and handle it promptly and as required by law. 5.1.1. Right to access. You may contact us to get confirmation as to whether or not we are processing your personal data. When we process your personal data, we will inform You of what categories of personal data we process regarding You, the processing purposes, the categories of recipients to whom personal data have been or will be disclosed and the envisaged storage period or criteria to determine that period. 5.1.2. Right to withdraw consent. In case our processing is based on consent granted, You may withdraw the consent at any time by contacting us or by using the functionalities of our Services. You can withdraw your consents at any time by replying to the email with your withdrawal and your Personal Data will be deleted in 48 hours. Withdrawing consent may lead to fewer possibilities to use our Services. 5.1.3. Right to object. In case our processing is based on our legitimate interest to run, maintain and develop our business, You have the right to object at any time to our processing. We shall then no longer process your personal data unless for the provision of our Services or if we demonstrate other compelling legitimate grounds for our processing that override your interests, rights and freedoms or for legal claims. Notwithstanding any consent granted beforehand for direct marketing purposes, You have the right to prohibit us from using personal data for direct marketing purposes, by contacting us or by using the functionalities of the Services or unsubscribe possibilities in connection with our direct marketing messages. 5.1.4. Right to restriction of the processing. You have the right to obtain from us restriction of processing of your personal data, as foreseen by applicable data protection law, e.g. to allow our verification of accuracy of personal data after your contesting of accuracy or to prevent us from erasing personal data when personal data are no longer necessary for the purposes but still required for your legal claims or when our processing is unlawful. Restriction of processing may lead to fewer possibilities to use our Services. 5.1.5. Right to data portability. You have the right to receive your personal data from us in a structured, commonly used and machine-readable format and to independently transmit those data to a third party, in case our processing is based on your consent and carried out by automated means. 5.1.6. How to use these rights. To exercise any of the above-mentioned rights, You should primarily use the functions offered by our Services. If such functions are however not sufficient for exercising such rights, You shall send us a letter or email to the address set out below under Contact, including the following information: name, address, phone number, email address, and a copy of a valid proof of identity. We may request additional information necessary 6
to confirm your identity. We may reject requests that are unreasonably repetitive, excessive or manifestly unfounded. 5.2. You have the right to lodge a complaint with a supervisory authority if you think that we violate your rights. You could contact The Data Protection Inspectorate in Cyprus via their email commissioner@dataprotection.gov.cy . 5.3. If you are from California and dissatisfied with how we have used your personal information you could contact The California Department of Justice (Department) via their website ( https://www.oag.ca.gov/privacy/caloppa/complaint-form/privacy-notice ). 5.4. If you are from Brazil, you can also file a complaint with Brazil’s National Data Protection Authority (ANPD) through its official channels. 6. STORING OF INFORMATION AND DELETION 6.1. We store your Information for as long as needed to provide you with our services unless the specific time period for storing some of your Information is additionally defined herein. We may store Information longer, but only in a way that it cannot be tracked back to you. When Information is no longer needed, we delete it using reasonable measures to protect the Information from unauthorized access or use. 6.2. We may store your Information both by using the services of Our partners (please see Section 8 hereof) and by using Our own servers without sharing any of your data to the third parties. Amid personal data that is stored solely by Us is Analytical data and Device information. 6.3. We implement and maintain appropriate technical, security and organizational measures to protect Personal Data against unauthorized or unlawful processing and use, and against accidental loss, destruction, damage, theft or disclosure (please see Section 7 hereof for more details). 6.4. EU Territory. We store Personal Information as long as it is needed for the provision of our services. Traffic information is erased or made anonymous when it is no longer needed for the purpose of the transmission or, in the case of payable services, up to the end of the period during which the bill may lawfully be challenged or payment pursued. Direct marketing and provision of value-added services information (including traffic information used for these purposes) is stored as long as the same is necessary for the provision of these activities, or up to the time when a user opts out from such use in accordance with this Privacy Policy. Other information is stored for as long as we consider it to be necessary for the provision of our services. This Section shall not prevent any technical storage or access to information for the sole purpose of carrying out the transmission of a communication or as strictly necessary in order for us to provide the service you requested. 6.5. As explained in the GDPR statement, we strive to anonymize the data when possible. Our technical logs will be automatically deleted within one (1) month and backup logs within two (2) months. If you decide to exercise your right to erasure we will also inform our Providers to delete all your data. 6.6. US Territory. We will retain collected information for the period necessary to fulfill the purposes outlined in this Privacy Policy unless a longer retention period is required or permitted by applicable legislation. 7
6.7. Storing might be different depending on the territory of collecting the information and the applicable legislation, but we always strive to store the information only as long as it is needed for the purposes of providing, improving or personalizing our services. 6.8. We do not use our App(s) to knowingly solicit information from or market to children under the age of 13. In the event that we learn that we have collected personal information from a child under 13 years of age we will delete that information as quickly as possible. If you believe that we might have any information from or about a child under 13 years of age please contact us at support@matryoshka.com. 7. INFORMATION SECURITY 7.1. We care to ensure the security of personal data. We follow generally accepted industry standards to protect the information submitted to us, both during transmission and once we receive it. We maintain technical, physical, and administrative security measures to provide reasonable protection for your Personal Data. When we or our contractors process Your information , we also make sure that your information is protected from unauthorized access, loss, manipulation, falsification, destruction or unauthorized disclosure. This is done through appropriate administrative, technical and physical measures. 7.2. There is no 100% secure method of transmission over the Internet or method of electronic storage. Therefore, we cannot guarantee its absolute security. 7.3. We never process any kind of sensitive data and criminal offence data. Also we never undertake profiling of personal data. 8. CONTRACTORS Please note that We may transfer some of your personal data to Our partners and third parties indicated below as well as receive your personal data from the third parties (for example, from social networks). We strongly encourage you to read carefully the privacy documents of all mentioned partners as We are not liable for the services of third parties and do not control their data usage processes. 8.1. We work with third party service providers who provide website, application development, hosting, maintenance, and other services for us. They may be located outside of the EEA. These contractors may have access to, or process Personal Data on behalf of us as part of providing those services for us on the basis of the respective Data Processing Agreements and Partners’ Privacy Policy. We limit the information provided to these service providers to that which is reasonably necessary for them to perform their functions. 8.2. All data transfers are performed in accordance with the highest security regulations. Transfer of Personal Data to countries outside of the European Economic Area may be possible only in the case, when we have obtained your consent for it. 8.3. All processed data that is not stored by Us is stored exclusively in secure hosting facilities provided by Vultr and Amazon CloudFront . 8.4. In order to make a purchase from us, you must use our third party checkout options to finalize and pay for your order. In-app purchases may 8
be made only upon entering the app store password and you are responsible for maintaining the security of such password. Your authentication and security maintaining is subject to specific terms of the app store and the OS of your mobile device. You should be aware of iOS' 15-minute and Android’s 30-minute window after the downloading of an Application, during which in-app purchases may be made without inserting an in-app store password. You should also take into account that OS 2.1 or older versions of Android mobile phones do not require entering of the app store account password to carry out in-app purchases. 8.4.1. Google Wallet: If you choose to use Google Checkout to finalize and pay for your order, you will provide your credit card number directly to Google Checkout. Google's Privacy Policy will apply to the information you provide to the Google Checkout web site. 8.4.2. Apple AppStore: If you choose to use AppStore to finalize and pay for your order, you will provide your credit card number directly to Apple. Apple's Privacy Policy will apply to the information you provide to Apple. 8.5. We use Google Analytics for Firebase allows us to collect data on the usage of our Apps. We use your data only for the purposes of our internal analytics to improve our Apps and we do not allow sharing of your data with other parties and their products or services. Google Analytics for Firebase collects these data: Online Identifiers, browser type and settings, operating system, mobile network information, cookie identifiers, IP Address (which is anonymised before any storage takes place), crash reports, device identifiers as well as App-Instance Identifier (a randomly generated number that identifies a unique installation of an App for the first time). This data is collected by Google Firebase when the Users installs the App from Google Play or App Store. We use Firebase Analytics' own unique user ID (app.instance id), which separates one mobile phone from another, but does not personally identify you. We are using the following Google Analytics for Firebase features: Remote Config., Crash Reporting, Events (about usage of our App in a pseudonymized way), Analytics in general, Firebase Cloud Functions and Firebase Communication Manager. 8.6. We use Google and Facebook login so you can save your progress in our App(s). Third-party social networks/platforms may provide your publicly available data to us if you so allow. 8.7. We use Google Analytics to collect the Information in order to analyze and improve our App(s). If you are using one of our child directed App(s) or mixed audience App(s) and you identified yourself as under the age of 13, the collected Information will only be used for support for internal operations. 8.8. We use AppsFlyer in purpose marketing analytics that enables us to measure and analyze the effectiveness of our marketing campaigns by understanding which marketing campaigns contributed to the download/installation of mobile applications or such other conversion metric (e.g. relaunch of Application) and measure and analyze certain events and actions within Application or websites, such as in-app purchases made by Users. 8.9. We use Amplitude Analytics for analytic user behavior and understand how users are navigating through App(s) and which features engage the most. 8.10. We use Unity Ads, Google Ads, Facebook Ads and Apple Search Ads as a 9
video ad networks for iOS and Android Apps to attract new Users. 8.11. We use ironSource for advertising purposes, to analyze ads statistics and to attract new Users. 8.12. We use BrainCloud to maintain and enhance our Apps. 8.13. When you link a Freecash account, we share your device identifier (IDFA/GAID) with Almedia GmbH (Freecash.com) for reward attribution and fraud-prevention. The legal basis for this is Art. 6 (1)(b) GDPR. 9. OPT-OUT 9.1. You can deactivate local notifications by changing the notification settings in accordance with the instructions of the operating system running on the Users’ device. 10. APPLICATION OF THIS PRIVACY POLICY 10.1. This Privacy Policy is applicable to our website and our App(s). Our website contains links to other websites. Once redirected to another website, this Policy is no longer applicable. 11. ACCEPTANCE OF THESE CONDITIONS 11.1. We assume that all Users have carefully read this document and agree to its content. If one does not agree with this privacy policy, they should refrain from using our website and App(s). 12. CHANGES AND UPDATES TO OUR PRIVACY POLICY 12.1. We may update this Privacy Policy to reflect changes in our Information processing practices. We encourage you to periodically review this page for the latest information on our privacy practices. You will be informed about material changes to our data processing practices with local in-app notification and you can get acquainted with the changes by reviewing the Privacy Policy link available within the App(s). 13. CONTACT US! 13.1. If you have any questions please contact us at support@matryoshka.com . MATRYOSHKA GAMES (CY) LTD GRIVA DIGENI 4, OROKLINI SHOPPING CENTER, OFFICE 104, 7040, LARNACA, Cyprus HE 408160 10