DRAMAX PRIVACY POLICY

1. Scope and controller information

1.1. This Privacy Policy explains how Magic Lucky Corporation, a Wyoming profit corporation, Entity ID

2024-001445331 (the "Company", "we"), collects, uses, stores, shares and otherwise processes personal data in

connection with the Dramax Android application, the website dramax.io, customer support channels, reward

functionality and related services (collectively, the "Service").

1.2. For the purposes of applicable data protection law, the Company acts as the controller of the personal data

described in this Privacy Policy, except where another party is expressly identified as a separate controller for a

particular processing activity.

1.3. By accessing or using the Service, you acknowledge this Privacy Policy. Where the law requires separate

consent for a specific processing operation, the Company will request that consent separately.

1.4. This Privacy Policy should be read together with the Dramax Terms of Service, the Dramax Cookie Policy

and any supplemental in-app notices shown when a particular feature is activated.

2. Categories of personal data we collect

2.1. Account and contact data. We may collect your email address, username or display name, password hash or

authentication tokens, language preference, country selection, communication preferences and other information

you provide when creating or maintaining an account.

2.2. Device and technical data. We may collect your IP address, device model, operating system, app version,

time zone, language settings, crash reports, diagnostics, log files, connection metadata and identifiers such as

Android Advertising ID and App Set ID where available and permitted.

2.3. Viewing and interaction data. We may collect information about titles and episodes viewed, watch time,

session length, navigation events, ad impressions, ad interactions, reward-related events, referral or campaign

participation and in-app support activity.

2.4. Reward, payout and compliance data. We may collect your Coin balance, payout requests, payout history,

payment account identifiers such as a PayPal email or similar account handle, chargeback or fraud indicators,

sanctions-screening results, and identity or tax information if we or a payout provider require it for compliance

purposes.

2.5. Communications and support data. We may collect the content of correspondence, support tickets, complaint

submissions, survey responses and records of interactions with our support or legal teams.

2.6. Cookies and similar technologies. We may collect data through browser cookies, SDKs, web beacons,

pixels, local storage, device identifiers and similar technologies used on dramax.io, in webviews and in parts of

the app.

2.7. Sensitive data. We do not intentionally request special categories of personal data, such as health data,

biometric data, political opinions or religious beliefs, unless this becomes strictly necessary for a lawful purpose

and an appropriate legal basis exists. Please do not send us such data unless we specifically request it.

3. Purposes of processing and legal bases

3.1. Performance of a contract. We process personal data to create and manage accounts, authenticate users,

provide streaming functionality, calculate rewards, process payout requests, provide customer support, and

otherwise perform the service relationship with you.

3.2. Legitimate interests. We process personal data where necessary for our legitimate interests, including

maintaining the security and stability of the Service, preventing invalid traffic and fraud, measuring and

improving performance, protecting intellectual property and contractual rights, enforcing our terms, analysing

audience behaviour, improving content planning and defending legal claims.

3.3. Consent. Where required by law, we rely on your consent for non-essential cookies or similar technologies,

certain push notifications, direct marketing, personalised advertising, or other optional processing activities. You

Version

1.0

Effective date

17 April 2026

Controller

Magic Lucky Corporation, a Wyoming profit corporation,

Entity ID 2024-001445331

Privacy contact

privacy@dramax.io

Page 1

DRAMAX PRIVACY POLICY

may withdraw consent at any time, but this does not affect processing already carried out lawfully before

withdrawal.

3.4. Legal obligations. We may process personal data where necessary to comply with legal obligations, court

orders, lawful requests of authorities, accounting and tax requirements, sanctions rules, retention duties, or

verification obligations imposed by payment providers or other regulated partners.

3.5. Vital interests and other lawful bases. Where exceptionally required, we may rely on other lawful bases

recognised by applicable law.

4. How we use reward and payout data

4.1. We use reward-related data to determine qualifying minutes, apply the disclosed coefficients and campaign

rules, calculate Coin balances, monitor payout thresholds and maintain an audit trail of reward events.

4.2. We use viewing, device and event data to validate genuine human viewing, detect invalid traffic, prevent

duplicate-account abuse, investigate manipulative behaviour and protect the integrity of ad-supported reward

mechanisms.

4.3. We use payout and compliance data to process withdrawal requests, screen transactions against fraud or

sanctions concerns, respond to chargebacks or disputes, and comply with payment-provider requirements.

4.4. We may retain reward and payout records after an account is closed where reasonably necessary to

investigate abuse, defend claims, satisfy recordkeeping obligations or comply with law.

5. Disclosure and sharing of personal data

5.1. Service providers. We may share personal data with providers that help us operate the Service, including

cloud hosting providers, content delivery services, analytics and crash-reporting providers, customer support

tools, communication vendors, anti-fraud and security vendors, payment processors, verification providers, and

professional advisers such as lawyers, auditors or accountants.

5.2. Advertising and measurement partners. Because the Service may be ad-supported, we may share technical

identifiers, event data or measurement information with advertising, attribution and anti-fraud partners to deliver,

measure or protect advertising functionality, subject to applicable law and your device or consent settings.

5.3. Business partners and licensors. We may share limited data with content licensors, promotional partners or

other business counterparties where reasonably necessary to manage rights, campaigns, reporting or contractual

obligations.

5.4. Authorities and legal disclosures. We may disclose personal data where required by law, court order,

regulatory request or to protect the rights, safety and property of the Company, users, partners or third parties.

5.5. Corporate transactions. If we undergo a merger, acquisition, financing, restructuring, asset sale or similar

transaction, personal data may be disclosed to counterparties and advisers and may be transferred as part of that

transaction, subject to applicable law.

5.6. We do not sell personal data for monetary consideration. If applicable law treats certain advertising-related

disclosures as "sharing" or a similar concept, you may use available privacy controls, cookie settings or device

settings to limit such processing where those controls are available.

6. International transfers

6.1. The Company and its service providers may process personal data in countries other than the country where

you reside. Those countries may not provide the same level of legal protection as your home jurisdiction.

6.2. Where applicable law requires safeguards for international transfers, we will use appropriate measures such

as contractual protections, adequacy mechanisms, or other lawful transfer tools recognised under the relevant

legal framework.

7. Retention of personal data

7.1. Account and profile data are generally retained for the life of the account and for up to 24 months after

account closure or the last meaningful interaction, unless a longer period is required or justified.

7.2. Reward, payout, fraud and dispute records may be retained for up to 5 years after the relevant event or

account closure, and tax or accounting records may be retained for up to 7 years where required by law or by a

payment provider.

7.3. Security logs, technical diagnostics and device-level troubleshooting data are generally retained for up to 12

months, unless we need a longer period to investigate security incidents, abuse or legal claims.

7.4. Consent records, suppression lists and marketing preference data are retained for as long as needed to

honour your choices and to demonstrate compliance with applicable law.

Page 2

DRAMAX PRIVACY POLICY

7.5. After the applicable retention period, we delete, anonymise or irreversibly aggregate personal data unless

further retention is required by law, for security, for fraud prevention or for the establishment, exercise or

defence of legal claims.

8. Cookies, SDKs and similar technologies

8.1. We use cookies and similar technologies on dramax.io and related interfaces, and we may use SDKs, local

storage, pixels, mobile identifiers and equivalent tools in the app.

8.2. These technologies help us provide core functionality, remember preferences, secure the Service, measure

performance, understand usage, detect abuse, and where permitted, support advertising and attribution.

8.3. Where required by law, we request your consent before setting or activating non-essential cookies or similar

technologies. You can also manage certain choices through your browser settings, device settings, in-app privacy

controls or the cookie banner where available.

8.4. If we use App Set ID, we use it for permitted purposes such as analytics and fraud prevention, not for ad

personalisation. For additional details, please see the Dramax Cookie Policy.

9. Security

9.1. We implement reasonable technical and organisational measures designed to protect personal data against

unauthorised access, loss, misuse, disclosure, alteration or destruction. Such measures may include access

controls, logging, encryption in transit, vendor due diligence and role-based restrictions.

9.2. No service can be completely secure. You should also take reasonable steps to protect your account

credentials, device and payment information.

10. Your rights and account deletion

10.1. Depending on the law applicable to you, you may have the right to request access to your personal data,

correction of inaccurate data, deletion, restriction of processing, objection to certain processing, data portability,

withdrawal of consent, or review of certain automated decisions where relevant.

10.2. You may exercise privacy rights by contacting privacy@dramax.io or by using the privacy and account

tools available inside the Service. We may ask for reasonable information to verify your identity before acting on

a request.

10.3. If you created an account in the Service, you may request account deletion from within the account settings

or by contacting us at privacy@dramax.io. When we delete an account at your request, we will also delete or

anonymise associated personal data unless we are permitted or required to retain certain data for security, fraud

prevention, financial recordkeeping, dispute management or legal compliance.

11. Children's data

11.1. The Service is not directed to children and is not intended for users under the age of 18. We do not

knowingly collect personal data from persons under that age.

11.2. If we learn that we have collected personal data from a person who does not meet the applicable age

requirement, we may delete the data and suspend or terminate the related account.

12. Third-party services and links

12.1. The Service may link to or integrate with third-party services, including payment providers, advertisers,

licensors and analytics providers. This Privacy Policy does not govern the independent privacy practices of those

third parties.

12.2. We encourage you to review the privacy notices of relevant third-party services before interacting with

them.

13. Changes to this Privacy Policy

13.1. We may update this Privacy Policy from time to time to reflect changes in the Service, legal requirements,

or our data practices. The updated version will be posted in the Service or on dramax.io with a revised effective

date.

13.2. Where required by law, we will provide additional notice or seek renewed consent before a material change

takes effect.

14. Contact details

14.1. Controller: Magic Lucky Corporation, a Wyoming profit corporation, Entity ID 2024-001445331.

14.2. Service and brand: Dramax, available through the website dramax.io and the Dramax Android application.

Page 3

DRAMAX PRIVACY POLICY

14.3. General support: support@dramax.io.

14.4. Privacy enquiries and data subject requests: privacy@dramax.io.

14.5. Legal notices: legal@dramax.io.

Page 4