UK & EEA Supplement
1. Who is the controller
Falken Ltd., 402 Foxcroft Drive, Winston-Salem, NC 27102, United States, is the data controller for direct platform users. Organizations you join are also controllers for the data they collect about you.
UK Article 27 representative. Falken has not yet appointed a UK representative. Until one is appointed, UK users may contact us directly at privacy@falken.ltd on matters relating to the processing of your personal data. We will update this notice within 30 days of an appointment.
We do not currently appoint an EU representative. If you are in the EEA, you may still contact us directly at privacy@falken.ltd.
2. The lawful bases we rely on
We process your personal data on the following lawful bases under Article 6 (and where applicable Article 9) of the UK GDPR:
- Contract performance (Art. 6(1)(b)) — for providing the platform, processing payments, and sending transactional email.
- Legitimate interests (Art. 6(1)(f)) — for AI-generated coaching insights (you can opt out), bot protection, abuse detection, and defense of claims. We balance these interests against your rights and document our balancing tests internally.
- Consent (Art. 6(1)(a)) — for marketing email and the future training of AI on usage patterns. Consent is freely revocable.
- Explicit consent (Art. 9(2)(a)) — for special-category data such as heart-rate readings (when offered). Falken does not currently process biometric identifiers.
- Legal obligation (Art. 6(1)(c)) — for tax records, financial records, and responding to lawful authority requests.
3. Your UK GDPR rights
- Access (Art. 15) — request a copy of your data; we deliver within one month.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure / "right to be forgotten" (Art. 17) — with the standard carve-outs (legal obligations, defense of claims, etc.).
- Restriction of processing (Art. 18).
- Data portability (Art. 20) — machine-readable export of data we hold under a contract or consent basis.
- Objection (Art. 21) — to processing based on legitimate interests; absolute right to object to direct marketing.
- Withdraw consent at any time (Art. 7(3)) — for future AI training, marketing email, etc.
- Not be subject to solely-automated decisions (Art. 22) — Falken does not make solely-automated decisions with legal or significant effect on users; AI recaps are advisory.
To exercise these rights, contact privacy@falken.ltd. We respond within one month. We may extend by two months for complex requests under Art. 12(3) and will inform you if so.
4. International transfers
Falken is based in the United States. Your data is transferred to the US.
We rely on the UK International Data Transfer Addendum to the EU Standard Contractual Clauses for transfers from the UK; for EEA users (when EEA service launches), we rely on the EU SCCs.
Where sub-processors are EU-US Data Privacy Framework (DPF) certified — Auth0, Microsoft, AWS, Google, Stripe — we additionally rely on DPF. Verify at dataprivacyframework.gov.
You may request a copy of the SCCs we have in place by emailing privacy@falken.ltd.
5. Retention
We retain your information for as long as needed for the purpose we collected it, or as required by law. The full retention table is in section 7 of the main Privacy Policy.
6. Right to complain to a supervisory authority
UK users may complain to the Information Commissioner's Office: ico.org.uk/concerns · Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.
EEA users may complain to the data protection authority of the country where you live or work; the European Data Protection Board lists each authority at edpb.europa.eu/about-edpb/about-edpb/members_en.
You can also contact us first — privacy@falken.ltd — and we'd appreciate the chance to fix the issue.
7. Children in the UK and EEA
In the UK, the digital-consent age is 13 under the Data Protection Act 2018. In most EEA member states, the digital-consent age is 16; some lower it (some to 13). Until we localize on a per-country basis, we treat 16 as the floor for EEA and require parental consent below 16.
See the Children's Privacy Notice.
8. Cookies and similar technologies
Falken uses two categories of cookies:
- Strictly-necessary cookies for session, authentication, and CSRF protection (Auth0 + ASP.NET Core). These do not require consent under PECR / ePrivacy.
- Google Analytics 4 cookies (_ga, _ga_*) for aggregate traffic measurement on this website and on the admin dashboard at https://falken.nexus.
Known compliance gap (UK / EEA users): under PECR (UK) and the EU ePrivacy Directive, Google Analytics cookies require prior consent before being set in your browser. Falken currently loads Google Analytics unconditionally, which means UK and EEA visitors receive these cookies without having given prior consent. This is a known gap that we are working to close by gating analytics on a consent banner. Until that work ships:
- You can prevent Google Analytics from tracking your activity by installing the Google Analytics opt-out browser add-on.
- You can clear or block Google Analytics cookies through your browser's privacy controls.
- If you have already visited Falken and wish to have your analytics record disassociated from your future activity, email privacy@falken.ltd with the subject line "GA opt-out request" and we will honor it.
We do not use advertising cookies or any third-party behavioral-tracking cookies. If we ever add additional non-essential cookies, we update this section first.
9. Changes
Material changes to this supplement trigger a UK / EEA-user email notice and an in-app banner at least 30 days before the effective date. Non-material changes are reflected in the version metadata above.
