1. Privacy Statement SM Prime Holdings, Inc., including its parent company, subsidiaries, affiliates, and related companies, (collectively, the “SM Prime Group”) collect, process and store personal data about you when you avail of their products and services, including its websites and mobile applications, participate in their events, apply for a job with them, or enter into any contract with them (“Services”), provided that you have given your express consent. This privacy policy has been prepared to better serve any person who avails of the Services of the SM Prime Group to inform them on how their personal data are being collected, used and secured by the SM Prime Group. Please read our privacy policy carefully to get a clear understanding of how SM Prime Group collects, uses, protects or otherwise handles your personal data in accordance with Republic Act No. 10173, or the Data Privacy Act of 2012, and its Implementing Rules and Regulations (collectively, the “Data Privacy Act”). For additional information on the SMPHI Privacy Policy shall be provided at the SMPHI website. 2. Collection of Personal Data SM Prime Group collects information you provide directly to it, such as when you attend or participate in any of its events, respond to a survey, register, create or modify your accounts in any of its websites and/or mobile applications, contact customer support, apply for a job with them, enter into any contract with them or otherwise communicate or interact with SM Prime Group (the “Event”). The following personal data may be collected: your name, age, nationality, civil status, mailing address, email address, phone number, credit card information or other details to help you with your experience. 3. Use and Processing of Personal Data SM Prime Group may use and process the personal data collected about you to allow you to participate in the Event, other similar events to be held by the SM Prime Group, including the publication of your name should you win the same, and other discounts, promos, sales, advertisements, marketing activities and commercial communications of the SM Prime Group, including direct marketing. At all times, your personal data shall not be used or processed for any purpose that is contrary to law, morals, or public policy. 4. Sharing of Personal Data SM Prime Group may share personal data between and among the entities comprising the same to enable them to provide you personalized Services. SM Prime Group may also share personal data with vendors, consultants, marketing partners, and other service providers who need access to such information to carry out work on behalf of SM Prime Group. If and when it becomes necessary, a data sharing agreement shall cover any sharing of data between and among the SM Prime Group and/or its vendors, consultants, marketing partners, and other service providers. SM Prime Group may also share information in accordance with any order from any relevant government agency as provided by law. 5. Storage and Protection of Personal Data SM Prime Group has instituted policies and procedures which intend to protect personal data which it has collected and continues to collect. These include securing any document containing personal data, requiring the execution of non-disclosure agreements by its employees, consultants, vendors, suppliers and contractors, among others. SM Prime Group’s websites are scanned on a regular basis for security holes and known vulnerabilities in order to make your visit to said website as safe as possible. SM Prime Group also uses regular Malware Scanning. Your personal data is contained behind secured networks and is only accessible by a limited number of persons who have special access rights to such systems, and are required to keep the personal data confidential. In addition, all sensitive/credit information you supply is encrypted via Secure Socket Layer (SSL) technology. SM Prime Group implements a variety of security measures when a user places an order enters, submits, or accesses their information to maintain the safety of your personal information. All transactions are processed through a gateway provider and are not stored or processed on our servers. While there will always be a risk of unauthorized disclosure of personal data, SM Prime Group believes that the foregoing safeguards are sufficient to prevent the occurrence of such risk and is committed to updating and improving such safeguards in order to protect your personal data in compliance with the Data Privacy Act. 6. Use of Cookies Please note that in visiting SM Prime Group’s websites, cookies are utilized. Cookies are small files that a site or its service provider transfers to your computer's hard drive through your Web browser (if you allow) that enables the site's or service provider's systems to recognize your browser and capture and remember certain information. For instance, SM Prime Group uses cookies to help us understand your preferences based on previous or current site activity, which enables us to provide you with improved Services. SM Prime Group also uses cookies to help it compile aggregate data about site traffic and site interaction so that SM Prime Group can offer better site experiences and tools in the future. You can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off all cookies. You do this through your browser settings. Since browser is a little different, look at your browser's Help Menu to learn the correct way to modify your cookies. If you turn cookies off, some features will be disabled. Some of the features that make your site experience more efficient and may not function properly. 7. Your Rights under the Data Privacy Act As a data subject, you have the following rights under the Data Privacy Act: a. You have the right to be informed of the collection and processing of your personal data, the purpose for which they will be processed, among others. Thus, you are required to read this privacy policy before giving your consent to the collection and processing of your personal data. If you have questions, please do not hesitate to ask us questions or clarifications and you may also contact our Data Protection Officer; b. You have the right to object to the processing of your personal data. You will be given an option or opportunity to withhold your consent to the processing of your personal data whenever the SM Prime Group communicates with you or by notifying our Data Protection Officer; c. You have the right to have reasonable access to your personal data by notifying our Data Protection Officer; d. You have the right to rectify or correct any inaccuracy or error in your personal data by submitting your request for rectification or correction to our Data Protection Officer; e. You have the right to suspend, withdraw or order the blocking, removal or destruction of your personal data in accordance with the requirements of the Data Privacy Act. Please notify our Data Protection Officer if you wish to exercise this right; f. You have the right to obtain a copy of your data in an electronic or structured format if the same is processed by electronic means and in a structured and commonly used format by submitting your request to our Data Protection Officer; and g. You have the right to be indemnified if you incur damages due to inaccurate, incomplete, outdated, false, unlawfully obtained or unauthorized use of your personal data. 8. Changes to the Privacy Policy SM Prime Group may change this Privacy Policy from time to time. If SM Prime Group makes any significant change in the collection, use, and protection of personal data, SM Prime Group will provide you notice through the Services or by some other means, such as email. It is encouraged that you periodically review the Privacy Policy in the SMPHI website for the latest information. 9. Contacting Us If there are any questions regarding this privacy policy, you may contact our Data Protection Officer with the following contact details: 1. Title/Designation: Data Protection Officer 2. Postal Address: 10/F Mall of Asia Arena Annex Building, Coral Way corner J.W. Diokno Boulevard, Mall of Asia Complex, Pasay City, 1300 Philippines 3. Telephone Number: (02) 8 831-1000 4. Email Address: dpo@smprime.com. 10. Consent We will secure your consent prior to the collection and processing of your personal data, or as soon as practicable and reasonable in order to ensure continuation of the Services. Before you give your consent, you will be provided with an opportunity to read and review this Privacy Policy. If you are below eighteen (18) years old, SM Prime Group requires you to secure consent from your parents or legal guardians in order to use any of the Services. SM Prime Group does not specifically market to persons under eighteen (18) years old. If you consent to the collection and processing of your personal data in accordance with the Privacy Policy, such consent shall be valid for a period of ten (10) years from the date such consent was given or such longer period as may be required by applicable law or when necessary as provided by the Data Privacy Act, or unless you have expressly withdrawn such consent. By signing the accompanying sign-up sheet or ticking the “Agree” button if your personal data was collected manually or electronically, respectively, you are expressly giving your consent to the collection, processing and storage of your personal data as provided herein.

Welcome to Cyberzone (the "Site"). We understand that privacy online is important to users of our Site, especially when conducting business. This statement governs our privacy policies with respect to those users of the Site ("Visitors") who visit without transacting business and Visitors who register to transact business on the Site and make use of the various services offered by Cyberzone (collectively, "Services") ("Authorized Customers"). "Personally Identifiable Information" refers to any information that identifies or can be used to identify, contact, or locate the person to whom such information pertains, including, but not limited to, name, address, phone number, fax number, email address, financial profiles, social security number, and credit card information. Personally Identifiable Information does not include information that is collected anonymously (that is, without identification of the individual user) or demographic information not connected to an identified individual. What Personally Identifiable Information is collected? We may collect basic user profile information from all of our Visitors. We collect the following additional information from our Authorized Customers: the names, addresses, phone numbers and email addresses of Authorized Customers, the nature and size of the business, and the nature and size of the advertising inventory that the Authorized Customer intends to purchase or sell. What organizations are collecting the information? In addition to our direct collection of information, our third party service vendors (such as credit card companies, clearinghouses and banks) who may provide such services as credit, insurance, and escrow services may collect this information from our Visitors and Authorized Customers. We do not control how these third parties use such information, but we do ask them to disclose how they use personal information provided to them from Visitors and Authorized Customers. Some of these third parties may be intermediaries that act solely as links in the distribution chain, and do not store, retain, or use the information given to them. How does the Site use Personally Identifiable Information? We use Personally Identifiable Information to customize the Site, to make appropriate service offerings, and to fulfill buying and selling requests on the Site. We may email Visitors and Authorized Customers about research or purchase and selling opportunities on the Site or information related to the subject matter of the Site. We may also use Personally Identifiable Information to contact Visitors and Authorized Customers in response to specific inquiries, or to provide requested information. With whom may the information may be shared? Personally Identifiable Information about Authorized Customers may be shared with other Authorized Customers who wish to evaluate potential transactions with other Authorized Customers. We may share aggregated information about our Visitors, including the demographics of our Visitors and Authorized Customers, with our affiliated agencies and third party vendors. We also offer the opportunity to "opt out" of receiving information or being contacted by us or by any agency acting on our behalf. How is Personally Identifiable Information stored? Personally Identifiable Information collected by Cyberzone is securely stored and is not accessible to third parties or employees of Cyberzone except for use as indicated above. What choices are available to Visitors regarding collection, use and distribution of the information? Visitors and Authorized Customers may opt out of receiving unsolicited information from or being contacted by us and/or our vendors and affiliated agencies by responding to emails as instructed, or by contacting us at Customer Service. Are Cookies Used on the Site? Cookies are used for a variety of reasons. We use Cookies to obtain information about the preferences of our Visitors and the services they select. We also use Cookies for security purposes to protect our Authorized Customers. For example, if an Authorized Customer is logged on and the site is unused for more than 10 minutes, we will automatically log the Authorized Customer off. How does Cyberzone use login information? Cyberzone uses login information, including, but not limited to, IP addresses, ISPs, and browser types, to analyze trends, administer the Site, track a user's movement and use, and gather broad demographic information. What partners or service providers have access to Personally Identifiable Information from Visitors and/or Authorized Customers on the Site? Cyberzone has entered into and will continue to enter into partnerships and other affiliations with a number of vendors. Such vendors may have access to certain Personally Identifiable Information on a need to know basis for evaluating Authorized Customers for service eligibility. Our privacy policy does not cover their collection or use of this information. Disclosure of Personally Identifiable Information to comply with law. We will disclose Personally Identifiable Information in order to comply with a court order or subpoena or a request from a law enforcement agency to release information. We will also disclose Personally Identifiable Information when reasonably necessary to protect the safety of our Visitors and Authorized Customers. How does the Site keep Personally Identifiable Information secure? All of our employees are familiar with our security policy and practices. The Personally Identifiable Information of our Visitors and Authorized Customers is only accessible to a limited number of qualified employees who are given a password in order to gain access to the information. We audit our security systems and processes on a regular basis. Sensitive information, such as credit card numbers or social security numbers, is protected by encryption protocols, in place to protect information sent over the Internet. While we take commercially reasonable measures to maintain a secure site, electronic communications and databases are subject to errors, tampering and break-ins, and we cannot guarantee or warrant that such events will not take place and we will not be liable to Visitors or Authorized Customers for any such occurrences. How can Visitors correct any inaccuracies in Personally Identifiable Information? Visitors and Authorized Customers may contact us to update Personally Identifiable Information about them or to correct any inaccuracies by emailing us at Customer Service Can a Visitor delete or deactivate Personally Identifiable Information collected by the Site? We provide Visitors and Authorized Customers with a mechanism to delete/deactivate Personally Identifiable Information from the Site's database by contacting Customer Service. However, because of backups and records of deletions, it may be impossible to delete a Visitor's entry without retaining some residual information. An individual who requests to have Personally Identifiable Information deactivated will have this information functionally deleted, and we will not sell, transfer, or use Personally Identifiable Information relating to that individual in any way moving forward. What happens if the Privacy Policy Changes? We will let our Visitors and Authorized Customers know about changes to our privacy policy by posting such changes on the Site. However, if we are changing our privacy policy in a manner that might cause disclosure of Personally Identifiable Information that a Visitor or Authorized Customer has previously requested not be disclosed, we will contact such Visitor or Authorized Customer to allow such Visitor or Authorized Customer to prevent such disclosure. Links: This web site contains links to other web sites. Please note that when you click on one of these links, you are moving to another web site. We encourage you to read the privacy statements of these linked sites as their privacy policies may differ from ours.