Effective Date: 06 February 2026
Last Updated: 27 February 2026
Dear Users,
This Privacy Policy (the “Policy”) is adopted by Neksai Inc., a company with headquarter address at the offices of Conyers Trust Company (Cayman) Limited, Cricket Square, Hutchins Drive, PO Box 2681, Grand Cayman, KY1-1111 and is represented by CFO Tran Anh Tuan (“we”, “us” or “our”), which acts as the data controller in respect of the processing of personal data in connection with the mobile application R10 Ronaldinho Playground (the “R10 App”), its related websites, and any other services operated under the R10 Ronaldinho Playground brand (collectively, the “Services”). By accessing or using the R10 App and/or the Services, you may generate, provide, share, upload, or otherwise disclose your personal data to us. Any such personal data shall be processed in accordance with, and protected pursuant to, the terms and conditions of this Policy. If you do not agree with this Policy, we cannot provide the Services to you.
PERSONAL DATA COLLECTION
Your use of the Services will result in the generation, provision or disclosure of your personal data. We may collect the following categories of your personal data:
Categories of Personal Information Collected (CCPA Disclosure)
In the preceding 12 months, we have collected the following categories of personal information from consumers, as defined under the California Consumer Privacy Act (CCPA):
| CCPA Category | Examples Collected | Collected |
| Identifiers | Email address, name, device IDs, IP address, advertising identifiers | Yes |
| Personal information under Cal. Civ. Code § 1798.80(e) | Name, email address, date of birth | Yes |
| Protected classification characteristics | Age, gender (if provided) | Yes |
| Commercial information | Purchase history, transaction details, subscription status | Yes |
| Biometric information | Voice recordings | Yes |
| Internet or network activity | App usage data, interactions with advertisements, features used | Yes |
| Geolocation data | IP-based location | Yes |
| Sensory data | Audio recordings (voice data) | Yes |
| Professional or employment information | Not collected | No |
| Education information | Not collected | No |
| Inferences | Preferences and characteristics derived from usage patterns, wellness goals | Yes |
| Sensitive personal information | Account credentials; health-related data (height, weight, body fat, calorie intake, body photos, meal photos, activity data); biometric data (voice recordings); racial/ethnic origin, health data, sexual orientation (if voluntarily disclosed through AI conversations) | Yes |
Sources of Personal Information
We collect personal information from the following categories of sources:
Directly from you: When you create an account, provide profile information, input health and wellness data, interact with AI features, or communicate with our support team.
Automatically from your devices: Through cookies, pixels, and similar technologies when you access or use our Services, including device identifiers, IP address, and usage data. Activity data (e.g., steps taken, distance traveled, calories burned) may also be obtained from your device or connected features.
From third parties: When you log in via social media or third-party accounts (such as Facebook or TikTok), we receive limited profile information from those platforms.
From service providers: We may receive information from analytics providers, advertising networks, and payment processors that assist in operating our Services.
Categories of Collected Personal Data
| Categories | Collection Methods |
| Account Data | When you create an account on the R10 App, we will collect account-related information that you provide when you create or manage an account. This may include your username, display name, email address, password (in encrypted form), profile information, account preferences, and other information necessary to authenticate you, maintain your account, and provide core app/Services functionality. |
| Social Media and Third- Party Account Data |
If you choose to interact with the R10 App through social media features or connect your social media accounts, we may collect data that you make available via those platforms. This may include your social media username, profile information, profile image, and other content or data that you authorize the social media platform to share with us, in accordance with its privacy settings and policies. If you choose to log in to the R10 App using other third-party account (e.g., Google or Apple accounts), we will receive certain information associated with that account, such as a unique user identifier, email address, and basic profile details, as permitted by the third-party provider and your privacy settings. We do not control how third-party providers process your data, and their use of your information is governed by their own privacy. |
| Contents |
The R10 App offers recording features, including recording, re-recording, video uploading, video playing and video archiving (collectively, “Recording Features”), which are used at your discretion. If you choose to use the Recording Features, your records may directly or indirectly disclose your identifiable and/or sensitive personal data such as:
The recording features are offered to assist your training, performance tracking and entertainment purposes, our Service will automatically collect the disclosed personal data to process for your enjoyment of the Services upon your effective and explicit consents. Videos uploaded to our Services may contain images of individuals, including facial features that can be considered biometric characteristics, biometric identifiers, and biometric information under applicable personal data protection laws. However, we do not use any special technology to process your physical characteristics for the purpose of converting them into data for identification or authentication purposes. That means we do not analyze, extract, store, or otherwise process the biometric information derived from face images or videos to identify individuals. For the avoidance of doubt, we do not require you to provide any personal data that may be considered sensitive or otherwise afforded special protection under applicable data protection laws for your usage of this feature. Any personal data that you choose to share, generate, record, or otherwise disclose through your use of the Recording Feature of the R10 App and/or your uploaded contents is provided to us at your sole discretion and responsibility. |
| Survey, research and analytical data | For the purposes of research, promotions, events or contests for marketing purposes to improve the Services and user experience (collectively, “Events”), we may ask you to provide your personal data such as name, gender, or other identifiable personal information during such Events. If you choose to participate in the Events, your personal data will be collected for the aforementioned purposes. |
| Technical Data | We automatically collect your hardware and software information such as IP address, operating system type and version, app version, device ID and type, performance logs, crash data, advertising IDs and identifiers associated with cookies or other technologies that may uniquely identify a device or browser. Location information may be inferred from your IP address, however, precise geolocation, which may be classified as sensitive personal data under applicable personal data protection laws, is only collected if you enable it in your device settings. |
| Usage Data | Using the Services will generate data about your activity, including how you use it (e.g., when you logged in, features you’ve been using, actions taken, information shown to you, referring webpages, ads you interacted with) and how you interact with others (e.g., searching, matching, communicating). We may also receive data related to interactions you had with our ads on third party websites or apps. |
THE PURPOSE OF OUR PERSONAL DATA PROCESSING
Your collected personal data will be processed for the main purposes of
Our provision of the Services;
Your entertainment, training, and performance tracking while using our Services;
Improving the Services and user experience;
Advertisement and promotion purposes to the extent permitted by laws; and
Compliance and legal purposes.
Our data processing activities may include but are not limited to collection, recording, organisation, structuring, storage, retrieval, use, disclosure by transmission, dissemination or other activities affecting your personal data.
Business and Commercial Purposes for Collection (CCPA Disclosure)
We collect personal information for the following business and commercial purposes:
Providing, maintaining, and improving our Services
Processing transactions and enabling in-app purchases
Personalizing user experience, wellness missions, and avatar interactions
Supporting habit formation, wellness routines, and personalized coaching
Communicating with you about your account, purchases, and updates
Conducting research and analytics to improve our products
Detecting, preventing, and addressing fraud, abuse, or security issues
Complying with legal obligations and enforcing our terms
Advertising and marketing (to the extent permitted and with your consent)
You agree and understand that before generating, uploading, providing or otherwise disclosing any personal data through your use of our Services, you must consent to us and our authorized processors to process your personal data. Otherwise, we may not be able to provide the Services to you. Your personal data will be processed by us for the following specific purposes:
| Data Processing Purposes | Legal Basis for Data Processing | Categories of Processed Data |
|
Account creation and maintenance of your profile on the Services
|
Your effective and explicit consent for personal data processing. |
Account Data, Social Media and Third Party Account Data
|
| Enabling your use and enjoyment of various functions and features of the Services | Your effective and explicit consent for personal data processing. | Account Data, Social Media and Third Party Account Data, Contents, Technical Data, Usage Data |
| Monitoring the well functioning of the Services and troubleshooting and fixing issues as needed | Your effective and explicit consent for personal data processing. | Technical data, Usage data |
| Advertisement and marketing purposes | Your effective and explicit consent for personal data processing; Our legitimate interest: It is our legitimate interest to promote the Services. | Survey, research and analytical data, Account Data, Contents, Technical Data, Usage Data |
| Research and development to improve the Services and user experience | Your effective and explicit consent for personal data processing; Our legitimate interest: It is our legitimate interest to improve the Services over time | Account Data, Social Media and Third Party Account Data, Contents, Technical Data, Usage Data, Survey, research and analytical data |
| For compliance with applicable law, disclosure upon requests of competent State authorities; reporting of crimes or illegal activities; and/or litigation | It is our legitimate interests and/or obligations to comply with applicable laws, to respond to law enforcement upon request, and to protect the legal rights of ourselves and other users of the Services | The categories of shared personal data will be determined based on the specific circumstances. |
DATA PROCESSING
Your data will be disclosed to our authorized processors and/or third parties for the purposes set forth under Section 2 of this Policy. All authorized processors will have the following responsibilities:
Provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of applicable laws and ensure the protection of your rights as a data subject;
Cooperate with us to enable the timely response to and fulfillment of your lawful and valid requests;
Process your data in an accurate manner in accordance with applicable law on personal data protection and data processing contracts signed between us and each authorized processor; and
Not to engage any other processor without prior specific or written authorization from us.
Authorized processors act solely on our documented instructions and are contractually prohibited from using personal data for their own purposes.
TRANSFER OF PERSONAL DATA
Given our Services are operated globally, by disclosing your personal data while using our Services, your data may be transferred to authorized processors and/or third parties who operate in different jurisdictions who partner with us to process for the purposes set forth under Section 2 of this Policy. Any such cross-border transfer will be carried out in accordance with applicable data protection laws, and data processing agreements between us and our authorized processors and/or third parties , which bind the processors to apply appropriate safeguards to protect the privacy and security of your data and your rights as a data subject.
We may use and/or share your information with law enforcement agencies, public authorities or other organizations if legally required to do so, or if such use is reasonably necessary to comply with legal obligation or to reporting of crimes or illegal activities; and/or litigation.
SALE AND SHARING OF PERSONAL DATA
We do not sell personal information for monetary consideration, nor do we “share” personal information for cross-context behavioral advertising purposes, as those terms are defined under the California Consumer Privacy Act (CCPA). Because we do not sell or share personal information, we have not included a “Do Not Sell or Share My Personal Information” link on our website. If our practices change in the future, we will update this Policy and provide the required opt-out mechanism.
Disclosure of Personal Information for Business Purposes
We may disclose personal information to our service providers and processors for the business purposes described in this Policy. In the preceding 12 months, we have disclosed the following categories of personal information to service providers: identifiers, commercial information, internet/network activity, geolocation data, sensory data, and health-related data. These disclosures are made under written contracts that prohibit the service provider from retaining, using, or disclosing the personal information for any purpose other than performing the services.
YOUR RIGHTS
As a data subject, you retain rights and exercise control over our processing of your personal data. The scope and extent of these rights may vary depending on the jurisdiction in which you reside, and we will comply with and give effect to such rights in accordance with applicable laws and regulations. For the purposes of this Policy, we recognize and observe the following standard rights of data subjects to the extent permitted by applicable laws:
-
Request us to provide you with the following information at any time:
The identity and contact details of us and our legal representatives;
The contact details of our data protection officers;
The purpose of data processing and relevant legal bases;
Our legitimate interests for lawful data processing;
Recipients or categories of recipients of the personal data, if any;
Information on data transfer, applicable safeguards for data protection in the case of data transfer;
Confirmation of existence of the processing;
Access to your personal data;
Correction of incomplete, inaccurate or outdated data, other rectification of your data;
The existence of automated decision-making used by us;
Anonymization, blocking or erasure of unnecessary or excessive data or data processed;
Portability of data to another service provider or product provider;
Erasure of your personal data despite you had given a consent;
Information on entities with which we have shared your data;
Information on the possibility of denying consent and the consequences of such denial; and
Revocation of your consent.
Request us to restrict our data processing to the extent permitted by applicable laws;
Object our legitimate rights for lawful data processing;
Object our processing for direct marketing purposes;
Object to being subjected to a decision based solely on automated processing, including profiling which produces legal effects and similar significant effects for you;
Oppose to the processing based on the events of waiver of consent and/or our noncompliance of applicable laws on personal data protection;
Petition regarding your data before the competent authorities;
Brazilian-Specific Rights (LGPD): In accordance with Article 18 of the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados – LGPD), Brazilian users have the right to obtain confirmation of the existence of processing, access to personal data, correction of incomplete or outdated data, anonymization, blocking or deletion of unnecessary data, portability, information regarding data sharing with public and private entities, and revocation of consent.
Brazilian users also have the right to lodge complaints with the Brazilian National Data Protection Authority (ANPD).
Vietnam-Specific Rights: Users in Vietnam have the rights to be informed, consent or not consent or withdraw consent to processing; access, correct; request the provision, delete, restrict, and object to the processing of their personal data and other rights in accordance with the Law on Personal Data Protection.
Users in Vietnam may lodge complaints or initiate lawsuits with competent Vietnamese authorities or courts where applicable. Users in Vietnam also have certain obligations regarding their personal data in accordance with the Law on Personal Data Protection.
Japan-Specific Rights: We will cease to provide personal data that can be used to identify Japan users to a third party at the request of Japan users in accordance with the Act on the Protection of Personal Information of Japan (“APPI”).
California-Specific Privacy Rights
This section applies to California residents and supplements the information provided elsewhere in this Privacy Policy. If you are a California resident, you have the following rights under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (“CCPA”):
Right to Know/Access. You have the right to request that we disclose to you the categories of personal information we have collected about you, the categories of sources from which we collected the personal information, the business or commercial purposes for collecting, selling, or sharing the personal information, the categories of third parties to whom we have disclosed personal information, and the specific pieces of personal information we have collected about you.
Right to Delete. You have the right to request that we delete personal information we have collected from you, subject to certain exceptions permitted by law.
Right to Correct. You have the right to request that we correct inaccurate personal information that we maintain about you.
Right to Opt-Out of Sale or Sharing. You have the right to opt out of the “sale” of your personal information or the “sharing” of your personal information for cross-context behavioral advertising purposes. As stated in this Policy, we do not sell or share your personal information for these purposes.
Right to Limit Use of Sensitive Personal Information. If we collect sensitive personal information (as defined under the CCPA), you have the right to limit our use of such information to purposes necessary to provide the Services.
Sensitive Personal Information Collected
This app may collect the following categories of sensitive personal information as defined under the CCPA: (i) health-related information, including physical metrics (height, weight, body fat, calorie intake), body photos, meal photos, and activity data; (ii) biometric information (voice recordings); and (iii) account login credentials. You have the right to limit our use and disclosure of sensitive personal information to purposes necessary to provide the Services. To exercise this right, please contact us at dpo@aiavatar.work.
Note Regarding Health Privacy Laws
Neksai Inc. is not a “covered entity” or “business associate” as defined under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the health and wellbeing data collected through this app is not subject to HIPAA protections. However, we are committed to protecting your health-related data in accordance with the CCPA and other applicable privacy laws.
Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA rights. We will not deny you goods or services, charge you different prices, provide a different quality of service, or suggest you will receive a different price or quality based on your exercise of these rights.
How to Exercise Your California Rights. To submit a request to exercise any of the rights described above, please contact us at: dpo@aiavatar.work. We will verify your identity before processing your request and may require you to provide additional information to confirm your identity. If you use an authorized agent to submit a request, we may require verification that you authorized the agent to act on your behalf.
Authorized Agents. You may designate an authorized agent to submit a request to exercise your California privacy rights on your behalf. To do so, you must provide the authorized agent with written permission to act on your behalf, and we may require you to verify your own identity directly with us and confirm that you provided the authorized agent permission to submit the request.
Verification Process. When you submit a request to know, delete, or correct personal information, we will verify your identity by matching the information you provide with information we already maintain about you. For requests for specific pieces of personal information, we apply a heightened verification standard and may require a signed declaration under penalty of perjury that you are the consumer whose personal information is the subject of the request.
Response Timing. We will respond to verifiable consumer requests within 45 days, or notify you if we require additional time (up to an additional 45 days).
Metrics Disclosure. In accordance with CCPA requirements, we will publish annually the number of requests to know, delete, and opt-out received, complied with in whole or in part, and denied.
OUR PROCESS OF HANDLING YOUR REQUESTS TO EXERCISE YOUR DATA SUBJECT RIGHTS
We have appointed Data Protection Officers to oversee data protection compliance.
For any request to exercise your rights, please contact our Data Protection Officers via email: dpo@aivatar.work. Your request to exercise your above rights will be handled by us free of charge, within the time periods and terms set out in applicable laws. Nevertheless, we may reject your requests, including if we are unable to authenticate you; if the request is unlawful or invalid; or if it may infringe on trade secrets or intellectual property, or the privacy and other rights of others. Once your request is accepted and performed accordingly by us, we are further obligated to ensure that our authorized processors take necessary actions to conform to your rightful requests.
EXISTENCE OF AUTOMATED-DECISION MAKING
We may use automated processing, including profiling, to support certain functionalities of the Services, such as content personalization, performance analytics, service optimization, security monitoring, and the delivery of relevant advertisements or recommendations. Such automated processing is used solely to enhance user experience and improve the performance, safety, and efficiency of the Services. Where automated processing is used, appropriate safeguards are implemented to protect your relevant rights and interests.
RETENTION OF PERSONAL DATA
We retain information for as long as necessary to provide the Services and for the other purposes set out in this Policy. In case you delete your account from our Services, , to the extent permitted and/or requested by applicable laws, we will retain your personal data for legal and and compliance purposes for a maximum period of five years from the date of your account closure. The criteria to determine the retention window are as follows:
| Scope of Retained Data | Purposes | Retention Period |
| All Personal Data | For compliance with applicable laws and regulations, and for the establishment, exercise, or defense of legal claims arising out of or in connection with the Services. | Six months from the date of account closure |
| Customer services exchange, records, supporting data | For compliance with applicable laws and regulations, and for the establishment, exercise, or defense of legal claims arising out of or in connection with the Services. | Two years from the date of the exchange |
| All Personal Data | Where there is a reasonable basis to believe that the Services may have been used in violation of applicable law or our terms, we may retain relevant personal data as necessary for investigation, compliance, and the establishment, exercise, or defense of legal claims. | Five years from the date of account closure |
Following the expiration of the applicable retention period, personal data will be deleted or restricted from further processing unless continued retention is required or permitted by law for compliance, legal, or legitimate business purposes. Where possible, data will be anonymized or aggregated so that it can no longer be attributed to an identifiable individual and may be used for service improvement and development purposes.
Retention by Category of Personal Information (CCPA Disclosure)
We retain each category of personal information for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law. The following table summarizes our retention practices:
| Category of Personal Information | Retention Period or Criteria |
| Identifiers (account data, device IDs) | Duration of account plus six months after account closure; up to five years if required for legal compliance |
| Transaction and financial data | Two years from transaction date for general records; up to five years for tax/legal compliance |
| Biometric data (voice recordings) | Only for the session in which it is used, unless retained as part of user-generated content; deleted or anonymized upon account closure |
| Usage and technical data | Two years from collection |
| User communication data (AI conversations) | Duration of account plus six months after closure; may be anonymized for research |
| Health and wellbeing data | Duration of account plus six months after closure; subject to user deletion requests |
| Sensitive personal information | Retained only as long as necessary for the disclosed purpose; subject to user deletion requests |
CHILDREN’S PRIVACY
Our Services are intended solely for individuals who are 13 years of age or older. We do not knowingly collect, use, or process personal data from children under the age of 13, and individuals under 13 are not permitted to create accounts or otherwise use the Services. If we become aware that personal data has been collected from a child under the age of 13, we will take appropriate steps to promptly delete such data and terminate the associated account.
Parents or legal guardians who believe that a child under the age of 13 has provided personal data to us may contact us at dpo@aiavatar.work to request review or deletion of such information. We may take reasonable steps to verify the identity and authority of the requesting party before acting on such requests. We reserve the right to implement age-verification or other measures, where required or appropriate, to prevent access to the Services by individuals under the age of 13 and to ensure compliance with applicable child protection and data protection laws.
Additional Rights for California Minors
If you are a California resident under 18 years of age and a registered user of the Services, you may request removal of content or information you have publicly posted on the Services. To request removal, please contact us at dpo@aiavatar.work with a description of the content you wish to have removed. Please note that removal does not ensure complete or comprehensive removal of the content, as there may be circumstances under which the law does not require or allow removal.
POLICY CHANGES
We may update this Privacy Policy periodically. Material changes will be communicated to you, and we will obtain your consent if required by applicable laws, before material changes take effect.
SHARED USE OF PERSONAL DATA
We may jointly use personal data within our corporate group or with designated service providers for the purposes described in this Policy.
The scope of shared personal data may include Account data, Social Media and Third- Party Account Data, Contents, Usage Data, Technical Data, Survey, research and analytical data, interaction content (such as chat messages or voice inputs), interaction memory and preferences, user-generated media metadata, customer support communications, subscription and transactional metadata, security and fraud-prevention signals, and compliance-related records, to the extent necessary for service operation, safety, and legal compliance.
The purpose of shared use is limited to service operation, security, customer support, analytics, and legal compliance.
The entity responsible for the management of jointly used personal data is Neksai Inc., a company with the headquarter address at the offices of Conyers Trust Company (Cayman) Limited, Cricket Square, Hutchins Drive, PO Box 2681, Grand Cayman, KY1-1111, and is represented by CEO Tran Anh Tuan
Shared use will be conducted in accordance with APPI and subject to appropriate safeguards.
CONTACT INFORMATION
If you have questions, concerns, or requests related to this Privacy Policy or the processing of your personal data, please contact our Data Privacy Officers: dpo@aiavatar.work.