(Updated 13 September 2019)

IVCT Greece Pty Limited has been engaged by AIA to operate the Athens Spotlighted Pass. IVCT Greece is a member of the iVenture Group of companies. iVenture Group understands that privacy is important to you. The purpose of this Privacy Policy is to inform you as to what information may be collected from you, how such information will be used by iVenture Group and/or other persons or entities, with whom such information may be shared, your choices regarding the collection, use and distribution of such information, and the security procedures that we have implemented to protect your privacy.

Data Controller:

iVenture Card International Pty Ltd PO Box, 1605, Crows nest, NSW 1585, Australia Holds all rights and obligations reserved for such capacity under the General Data Protection Regulation (GDPR 2016/679) for processing personal data through the Website.

Data Protection Officer:

Manager, Data Protection & Compliance iVenture Card International Pty Ltd At the above address or:

Email Address: data.privacy@iventurecard.com

We collect the following type of information:

• Personal information collected from customers includes name, address, contact details, credit card details;
• Personal information collected from business contacts includes name, business position, and business telephone and fax numbers and email addresses;
• Personal information collected from our employees and contractors includes all information required for the employment or contractual relationship;

Generally, all personal information is collected directly from you, or with your consent, and our policy is to collect only personal information that we need for a particular purpose. We do not collect personal information that we do not need.

iVenture Group collects personal information in order to provide our customers with our products or services, and in order to manage our relationship with our customers and with the people we do business with.

In relation to our customers, iVenture Group may also request information about you in order to help you decide which of our products or services would best suit your requirements.

We will not collect sensitive information about you (such as details of your race, political beliefs, religion or health) without your consent.

You directly provide the iVenture Group with the data we collect. We collect and process data when you:

• Register for the Athens Spotlighted pass or place an order for any of the products listed for purchase on the Athens Spotlighted website
• Voluntarily complete a customer survey or provide feedback via email or an enquiry form
• Use or view our website via your browser’s cookies
• Redeem your Athens Spotlighted pass offers or a booking voucher from a product purchase, by having it scanned at a participating merchant
• Perform any of the above actions on websites under the iVenture Group or AIA

The personal information collected from you by iVenture Group is used:

• to provide our customers with our products or services and to notify our customers about existing or new iVenture Group and AIA products or services or promotions from time to time; and
• to notify our customers about existing or new products or services or promotions from time to time offered by one of iVenture Group’s business partners.

If at any time you no longer wish to be notified about products or services or promotions offered by iVenture Group, AIA or iVenture Group’s business partners, please let us know by contacting data.privacy@iventurecard.com or click HERE.

Aside from the uses defined in section 3. personal information collected by iVenture Group may be disclosed to third parties to whom iVenture Group contracts out specialized functions (including subcontracted software development services, mailing houses and printing companies). If iVenture Group does disclose personal information to third party contractors under outsourcing or contracting arrangements, iVenture Group takes steps to ensure that those contractors:

• Comply with iVenture Group’s Privacy Policy when they handle your personal information, and
• Are authorized only to use personal information in order to provide the services or to perform the functions required by iVenture Group.

As the owner of the Athens Spotlighted brand, your personal information may also be shared with AIA for the purposes described in section 3. iVenture Group and AIA do not sell, rent or trade personal information to or with third parties.

Your data is stored securely in Amazon Web Services and Google Cloud servers which hold a high level of certification to information security standards, including ISO 27001. Details on compliance for these standards can be found at

Amazon Web Service (AWS): https://aws.amazon.com/compliance/programs

Google Cloud: https://cloud.google.com/security/compliance

In addition, steps are taken by iVenture Group to ensure the security of personal information held by it from such risks as loss or unauthorized access, destruction, use, modification or disclosure. Our IT systems are password protected and comply with our security standards, and if personal information is held on paper files, it is stored in locked compact uses. iVenture Group only permits your details to be accessed by authorized personnel.

This privacy statement outlines iVenture Group’s approach to all personal information we handle, whether collected online or offline. However, particular issues that arise in the online environment are noted below.

Sometimes we may generate statistics about how many people visit our site and what they look at. This enables us to keep our site relevant and useful. Generally the information we collect and use about website usage will not identify you, only the computer you are using. Most web browsers are set by default to accept cookies. However, if you do not wish to receive cookies you may set your browser to either refuse cookies or prompt you before accepting them.

Sometimes Athens Spotlighted website contains links to other websites, for your convenience and information. When you access a website other than ours we are not responsible for the privacy practices of that site. You may wish to review the privacy policies of each site you visit.

Our Company would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:

The right to access - You have the right to request Our Company for copies of your personal data. We may charge you a small fee for this service.

The right to rectifications - You have the right to request that Our Company correct any information you believe is inaccurate. You also have the right to request Our Company to complete information you believe is incomplete.

The right to erasure - You have the right to request that Our Company erase your personal data, under certain conditions.

The right to restrict processing - You have the right to request that Our Company restrict the processing of your personal data, under certain conditions.

The right to object to processing - You have the right to object to Our Company's processing of your personal data, under certain conditions.

The right to data portability - You have the right to request that Our Company transfer the data that we have collected to another organization, or directly to you, under certain conditions.

If you make a request, we have one month to respond to you. See the “How to Contact Us” section in this document for details on how to contact us to discuss the use of your personal information.

Your personal details obtained from purchasing our products will only be kept for 18 months unless:

• you have opted in to hear from us,
• you set up a personal profile with us or
• you extend the validity of your purchase

Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology. For further information, visit https://www.allaboutcookies.org/.

Our Company uses cookies in a range of ways to improve your experience on our website, including:

• Keeping you signed in
• Understanding how you use our website

There are a number of different types of cookies, however, our website uses:

• Functionality - Our Company uses these cookies so that we recognize you on our website and remember your previously selected preferences. These could include what language you prefer and location you are in. A mix of first-party and third-party cookies are used.
• Advertising - Our Company uses these cookies to collect information about your visit to our website, the content you viewed, the links you followed and information about your browser, device, and your IP address. Our Company sometimes shares some limited aspects of this data with third parties for advertising purposes. We may also share online data collected through cookies with our advertising partners. This means that when you visit another website, you may be shown advertising based on your browsing patterns on our website.

You can set your browser not to accept cookies, and the above website tells you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.

The Athens Spotlighted website contains links to other websites. Our privacy policy applies only to our website, so if you click on a link to another website, you should read their privacy policy.

Our Company keeps its privacy policy under regular review and places any updates on this web page. This privacy policy was last updated on 23rd August, 2019.

If you have any questions about Our Company's privacy policy, the data we hold on you, or you would like to exercise one of your data protection rights, please contact us.

Email us at: data.privacy@iventurecard.com

Or write to us at: PO Box, 1605, Crows nest, NSW 1585, Australia

Should you wish to report a complaint or if you feel that Our Company has not addressed your concern in a satisfactory manner, you may contact the Information Commissioner's Office.