NFT SALE PRIVACY POLICY

INFORMATION IN ACCORDANCE WITH ART. 13 OF REG. (EU) NO. 2016/679 (“GPDR”)

This notice describes which of your personal data is collected by Brand-Cross S.r.l. and TMP
Group S.p.A. (hereinafter referred to as “us“), the purposes for this and how it is processed. You
will also find the information necessary to exercise your rights under GDPR.
In general, we collect your data when you buy NFTs on the virtual store, managed by TMP Group
S.p.A. and accessible via the URL www.musanft.io (hereinafter “Online Store”). You are hereby
informed that the personal data collected during said procedures will be processed in order to
answer to your requests, allow you to purchase NFTs, as set out above.

1. Who processes your data: Joint Controllers

Brand-Cross S.r.l., having its registered office at Milano, Via Medici 13, Italy, Italian tax
registration number and Italian VAT number 09098450969 info@brand-cross.com and TMP Group
S.p.A., having its registered office at Sambuca di Sicilia (AG), via Matteotti 8, Italy, Italian tax
registration number and Italian VAT number 02690730847 segreteria@tmpgroup.it, are joint
controllers of your personal data for the processing activities listed below(hereinafter, “Joint
Controllers”).

2. Which data we process – Type of data processed

Your contact data. We will retain the contact information you provide (for example, your first
name, surname, address, email, country of residence, date of birth, wallet address) when you
purchase an NFT or when you contact us.
Your payment and invoicing data. We will retain the payment and invoicing data that you provide
when you purchase an NFT, for the purpose of managing your order.

3. Where we get your data – Data collection method

Directly from you. For example, if you purchase from the Online Store, or you also ask us a
question.
If you do not send us your data, you will not be able to purchase any NFTs offered for sale.

4. Why and how long we process your data for – Purpose and legal basis for data processing; retention period

a) To supply NFTs and services you have purchased and send you information about your
order or your payment. For example, we will use your data to manage your order, confirm your
purchase and manage any related services. We cannot manage and process your order without
your data.
The legal basis for this processing is the performance of the purchase agreement to which you are
party from the moment you accept the Online Store's terms and conditions of sale.
The retention period for your data is equal to the period required to process the order.

b) To provide you with the necessary after-sales support in accordance with the applicable
warranty laws. For example, we will use your data to provide you with support, in accordance with
the applicable laws and the Online Store’s terms and conditions of sale.
The legal basis for this processing is compliance with the legal requirements and the retention
period is equal to the period required by law (in particular, by the Italian Consumer Code).

c) To correctly manage your billing status. We process your data for the accounting,
administrative and tax purposes directly related to the Joint Controllers’ business activities and
required by the applicable laws.
The legal basis for this processing is compliance with the legal requirements and the retention
period is equal to the period required by law (in particular, fiscal, money laundering, and banking
and public security laws).

d) To prevent or investigate illegal behavior or to protect and assert rights. For example, we
may use your data to prevent the breach of our intellectual property rights (for example,
counterfeiting of our and/or our partners’ trademarks) or other illegal activities, as permitted by the
applicable law.
The legal basis for this processing is the legitimate interest of the Joint Controllers.
The data retention period is equal to the time that is reasonably necessary to assert our rights from
the point at which we become aware of the illegal behavior or the potential to commit illegal
behavior.
e) To answer to your requests collected through the Online Store. For example, Brand Cross
will use your data to answer to your requests received by email.
The legal basis for this processing is the performance of a contract to which the data subject is
party, or the performance of pre-contractual obligations and the retention period is equal to the
time necessary to comply with the data subject’ requests.

5. Nature of the provision of personal data

For the purposes of subparagraphs from a) to e) above, the provision of data is necessary to allow
you to make purchases on the Online Store and receive other services on the latter.

6. Where your data is processed – data transfer

Data will be processed and stored at Joint Controllers’ offices as well as at the suppliers working
site in the European Union.

7. Who we share your data with – personal data recipients

On the understanding that, where required by law, we will obtain your prior consent and carry out
any formalities required by the law, we will share your data with the following third parties (acting
as data processors):
Our service providers. We may share your data with third parties so that they can provide us with
services (for example, suppliers of IT services for the management of the Online Store) but in this
case, we will enter into an agreement in compliance with art. 28 GDPR to protect your data. These
parties will only process data strictly necessary to perform their functions and may use this data
only for the purpose of providing services on our behalf or complying with the law. You can find out
details of such data processors pursuant to Art. 28 GDPR by emailing at the above-mentioned
addresses.
Where we deem it necessary for complying with our legal obligations or to protect legally third
parties or ourselves. Where permitted or required by the law, we may also share the data
requested by a government body or by another authorized third party or organization for the
purpose of protecting or exercising our rights or those of third parties, or for the purpose of limiting
or preventing fraud (including credit card fraud or other fraud that we believe may have occurred
during a promotion or event) and other illegal activities.

8. Minors

The Online Store is not aimed at under-18s, but rather at an adult audience. If you are a parent or
guardian and you think your child may have transmitted data, you can contact us.

9. Security measures

We adopt the security measures required by the law.
We adopt security measures to protect your data. The standard security measures that we use
depend on the type of data that we process and meet the legal requirements and the standards of
European government agencies.

10. Your rights

You can contact Joint Controllers to request access to your personal data, modify it, delete it or
limit its processing, to oppose its processing, and to request the portability of your data; you can

also withdraw your consent at any time (this will not prejudice the lawfulness of the processing on
the basis of the consent granted prior to the withdrawal).
When you exercise your right of access, you have the right to know whether your data is currently
being processed, what the purpose of the processing is, what categories of data are being
processed, who the recipients of your data or categories of recipients are (and, if they reside in a
third country, what guarantees this transfer is based on), the retention period for your data (or the
criteria for determining the retention period), whether automated processing is being carried out
(for example through profiling), what the reason for the processing is, and the origin of the data
(when not initially collected by us).
You have the right to lodge a complaint to the competent supervisory authority and, at any time, to
ask Joint Controllers for information about the data processors and parties that are authorized by
Joint Controllers to process your data.
You can exercise your rights by contacting Joint Controllers at the address provided above.

11. What happens if we change this privacy policy

We may make changes to our privacy policy. We will publish an updated version on the Online
Store. It will have a different date to the one given below. Please visit the Online Store regularly to
check for updates.

Version updated to 24 October 2022.