1.1 Your use of any user data collected or processed through the Meta Horizon platform, whether directly or indirectly, is subject to this Developer Data Use Policy (“Policy”).

1.2 This Policy explains your obligations with respect to the receipt, collection, use and processing of User Data (as defined below) in connection with any Content you distribute via the Meta Horizon platform.

1.3 To use the Meta Horizon platform, integrate in-app services (e.g., subscriptions, leaderboards), distribute Content, retrieve data from us, or provide data to us, you must agree to this Policy, as well as our other applicable terms and policies made available to you, including those on our Developer Dashboard.

1.4 This Policy is effective as of the date you accept it or otherwise start accessing or using the Meta Horizon platform, and will continue until you stop accessing and using the Meta Horizon platform, unless earlier terminated as described below.

1.5 If you fail to comply with this Policy, any other applicable terms or policies, or applicable laws or regulations, we may suspend or remove your Content and limit or terminate your developer access to the Meta Horizon platform, as described below.

1.6 Capitalized terms not otherwise defined in this Policy (including in Section 11 (“Glossary”)) have the meaning given in our other terms and policies, including our Terms of Service. The term “including” means “including without limitation.”

2.1 You are responsible, as required by applicable law, to obtain any permissions/consents from the end user and/or rely on any appropriate legal basis for use or other processing of Developer User Data. It is also your responsibility to obtain consent or clear direction from end users before you give Meta any Developer User Data.

2.2 You must clearly articulate your collection, use and processing of Developer User Data and User Data (defined below) in a publicly available and easily accessible privacy policy and abide by that privacy policy. If you distribute your Content as a private app through our business channel in the Developer Dashboard (not directly through the store), your privacy policy does not need to be publicly available, but must be available to all users and potential users of your Content prior to their use of your Content. It is also your responsibility to comply with any and all privacy and data protection laws in all applicable jurisdictions.

2.3 Your privacy policy may not supersede, modify, be less protective than, or otherwise be inconsistent with this Policy or our other applicable terms and policies with respect to User Data. This Policy applies to all User Data regardless of the disclosures you include in your privacy policy. For example, you may not sell User Data even if you disclose your intention to do so in your privacy policy.

2.4 You must retain your privacy policy in effect while using the Meta Horizon platform and maintain a publicly available privacy policy with current, and up to date, links to your privacy policy in the privacy policy field in your Content submission documentation, so that it can be provided to end users of your Content on the applicable product description page.

2.5 You may only process User Data as clearly described in your privacy policy and in accordance with all applicable law and regulations, this policy, and all other applicable terms and policies.

2.6 You must disclose the collection and use of the Advertising ID in a legally adequate privacy notice to users.

3.1 You can use User Data solely for the following purposes:

(a) Running, supporting and maintaining your Content in order to provide or improve the experience to the end user requesting the Content and from whom the User Data was collected;

(b) Conducting analytics pertaining to your Content, and using such insights to improve your Content, provided that such insights are aggregated, de-identified, or anonymized such that you cannot identify individual users or devices from the analytics; and

(c) Complying with applicable laws and regulations.

3.2 In addition, you can use certain User Data for the purposes described below:

(a) As permitted by applicable law, you can use Meta Horizon User Data (which does not include Device User Data) to provide a user with information about or the opportunity to obtain new or existing features or functionality in an app such user has purchased from you, or other applications being offered by your legal entity or Affiliate (as defined in the Developer Distribution Agreement).

(b) You can only use the Advertising ID, and any information obtained through the use of the Advertising ID, for advertising purposes.

(c) You are only allowed to access the Advertising ID if your app is permitted by Meta policies to show ads.

(d) You must verify the status of any user settings regarding the Advertising ID on each access of the Advertising ID.

(e) You may combine the Advertising ID with Developer User Data, but you may not combine it with Meta Horizon User Data or Device User Data. See Section 4 for additional limitations.

(f) You can link persistent device identifiers (e.g., device serial number), or any data derived therefrom, to other User Data only for the following use case(s), which must be disclosed to users:

(i) Managing enterprise device management apps using device owner mode.

You will not perform, or facilitate or support others in performing, any of the following prohibited practices (collectively, “Prohibited Practices”):

4.1 Retaining, using, or disclosing User Data for any purpose other than those described in this Policy, the SDK License Agreement, the allowed use cases of Meta Horizon User Data and any other applicable agreements with Meta;

4.2 Using User Data for marketing or advertising purposes other than those explicitly permitted in Section 3;

4.3 Selling, licensing, purchasing, renting, or lending User Data or similar actions, or permitting a third party to do so;

4.4 Using User Data to profile, discriminate, or encourage discrimination in a manner that disadvantages people based on their race, ethnicity, color, national origin, religion, age, sex, sexual orientation, gender identity, family status, disability, medical or genetic condition, or any other categories protected by applicable law, regulation, or other Meta terms or policy; using User Data such as age group to improve the user experience in your Content is permitted under this Section so long as compliant with applicable law or regulation;

4.5 Using User Data to perform, facilitate, or provide tools for surveillance. Surveillance includes the collection, use, or sharing of information about people, groups, places or events for law enforcement, national security, intelligence or counter-intelligence purposes;

4.6 Using User Data to ascertain the identity of a natural person, including real name, or actual facial or body images, to the extent not disclosed by the User Data (for example, through use of AI, facial recognition or gait identifying technologies);

4.7 Combining User Data with any other data, including with data separately collected by you or received from a third party, except as explicitly permitted in Section 3;

4.8 Attempting to decode, circumvent, re-identify, de-anonymize, unscramble, unencrypt, reverse hash, or reverse engineer User Data that is provided to you;

4.9 Using User Data in any manner or for any purpose that infringes, misappropriates, or otherwise violates any intellectual property rights or other rights of any person, or that violates any applicable law or regulation;

4.10 Accessing or collecting User Data or allowing User Data to be collected using automated means such as harvesting bots, robots, spiders, or scrapers; or

4.11 Sending or submitting Device User Data (which does not include Meta Horizon User Data) to Meta through any of Meta’s business tools or products, including Meta’s Ads or Analytics tools or products.

4.12 Using the Advertising ID for any purpose other than advertising purposes;

4.13 Using any permanent or persistent, device-based identifier (e.g., device serial number), or any data derived therefrom, for purposes of advertising or for the purposes of uniquely identifying a device or user, except as permitted in Section 3.2(f); or

4.14 Circumventing the user’s settings for their Advertising ID. Specifically, if a user resets or deletes the Advertising ID, you must not combine, correlate, connect, link, or otherwise associate a previous Advertising ID, or data derived from a previous Advertising ID, with the reset Advertising ID.

You may share User Data only:

5.1 When an end user expressly directs you to share, or expressly consents to your sharing, their User Data with a third party (you must retain proof of the end user’s express direction or consent and provide it to us if we ask for it);

5.2 With Service Providers and, in the event your Service Providers engage another Service Provider (sub-Service Provider), their sub-Service Providers, provided you’ve obtained adequate permission or have other adequate legal basis to do so, and so long as you first have obtained a written agreement with such Service Provider that:

(a) limits the Service Provider’s and their sub-Service Providers use of User Data only to uses on your behalf to provide services to your app (and not for their own purposes or any other purposes);

(b) prohibits Service Providers and their sub-Service Providers from using the User Data in any way that would violate this Policy or any other applicable Meta terms or policies; and

(c) requires Service Providers and their sub-Service Providers to immediately cease using the Meta Horizon platform and processing User Data and promptly delete all User Data in their possession or control when you cease using them as a Service Provider or sub-Service Provider; and

(d) requires Service Providers and their sub-Service Providers to keep User Data secure and confidential. You must ensure that any such Service Providers and sub-Service Providers comply with this Policy and all other applicable terms and policies as if they were in your place, and ensure that such Service Providers and sub-Service Providers are responsible for any non-compliance. In any event, you are responsible to Meta for your own and any such Service Providers and sub-Service Providers’ acts and omissions, including such Service Providers and sub-Service Providers’ noncompliance; or

5.3 When required under applicable law or regulation (you must retain proof of the applicable legal or regulatory requirement or request and provide it to us if we ask for it).

5.4 Upon our request, you must provide us a list of your Service Providers and their sub-Service Providers including up-to-date contact information for each, the types and volume of User Data shared, and proof of written agreements with your Service Providers to demonstrate compliance with these terms.

5.5 We may prohibit your use of any Service Provider or Sub-Service Provider in connection with your use of the Meta Horizon platform or processing of User Data if we believe that (1) they have violated this Policy or other applicable terms or policies or (2) they are negatively impacting the Meta Horizon platform, other Meta Products, User Data, or people who use Meta Products, and will provide notice to you if we do. Promptly upon such notice, you must stop using that Service Provider or Sub-Service Provider in connection with your use of the Meta Horizon platform or processing of User Data.

5.6 We may require that your Service Providers or Sub-Service Providers agree to this Policy or other applicable terms or policies in order to access Meta Products, the Meta Horizon platform, or User Data.

6.1 Data Security Requirements: You must always have in effect and maintain administrative, physical, and technical safeguards that do the following:

(a) Meet or exceed industry standards given the sensitivity of the User Data;

(b) Comply with applicable law and regulations, including data security and privacy laws, rules, and regulations; and

(c) Are designed to prevent any unauthorized (including in violation of this Policy or any other applicable terms or policies) processing (including, for the avoidance of doubt, access, destruction, loss, alteration, disclosure, distribution, or compromise) of User Data.

6.2 Data Deletion: You must delete User Data, and ensure your Service Provider(s) and your Service Providers’ sub-Service Provider(s) delete User Data without undue delay when:

(a) a user requests their User Data be deleted;

(b) a user deletes their account, or no longer has an account (unless the User Data has been obscured, or de-identified so that it cannot be associated with a particular user, browser or device);

(c) User Data is no longer necessary to provide an app experience or service to users;

(d) deletion is requested by Meta, or when deletion is required by applicable law or regulations.

6.3 You must give all users an easily accessible and clearly marked way to ask for their User Data to be corrected or deleted.

6.4 Incident Notification: You must notify us using this form as soon as practicable after becoming aware of unauthorized processing of data or incidents that could compromise your IT systems. You must immediately begin remediation of the incident and keep us informed.

6.5 You must have an easily accessible way for people to report security vulnerabilities in your Content to you, and you must promptly address identified deficiencies.

6.6 You may use Meta Products to authenticate users (e.g., Login with Facebook), but you must not separately request or collect a Meta user’s login credentials.

6.7 You must protect and not transfer or share user IDs or access tokens, and app secrets, except with a Service Provider who helps you build, run, or operate your Content.

7.1 Content Review: In order to publish Content that uses our data-sharing APIs or otherwise accesses Meta Horizon User Data (“Data Sharing”), you will need to submit your Content for review (“Content Review”). You must ensure that your Content is compliant with this Policy and all other applicable terms and policies prior to submitting it for Content Review. If your Content doesn’t pass Content Review, you will not be entitled to Data Sharing and we may take additional actions further detailed below.

7.2 Regular Monitoring: We will review your Content for compliance with this Policy and other applicable terms and policies from time to time, including at least once a year, in our sole discretion. We also will conduct regular monitoring of your Content and its access to and/or processing of Meta Horizon User Data using technical and operational measures. You agree to cooperate with our Content Review and provide any additional information we may request in connection therewith. We may verify information you provide to us in connection with any such Content Review.

7.3 Certification: We will require an annual self-certification of your continued compliance with this Policy in order for you to continue Data Sharing (i.e., Data Use Checkup). This will include certifying:

(a) your compliance with this Policy and all other applicable terms and policies, and

(b) the purpose or use for the Data Sharing you have requested or have access to, and that each such purpose or use complies with this Policy and all other applicable terms and policies. In addition, from time to time, we may request information, certifications, and attestations relating to your use of the Meta Horizon platform or processing of Meta Horizon User Data, which you will provide to us in the requested time frame and form. All such certifications and attestations must be provided by your authorized representative.

7.4 Audit: In the event of a Necessary Condition (defined in Section 11: Glossary below), we, or third-party professionals working at our direction (including auditors, attorneys, consultants, and/or computer forensics analysts), may conduct a review, inspection, or audit (Audit) of your and your Service Providers’ and their sub-Service Providers’ IT Systems or Records (defined in Section 11: Glossary), to ensure that your and your Content’s processing of Meta Horizon User Data is and has been in compliance with this Policy and all other applicable terms and policies.

7.5 Any Audit will be conducted during normal business hours, with as little business interruption as reasonably possible, after providing you with at least 10 business days’ written notice (email will suffice), unless we determine in our sole discretion a Necessary Condition requires more immediate access. You will cooperate with the Audits, including by:

(a) providing all necessary physical and remote access to your IT Systems and Records, and

(b) providing information and assistance as reasonably requested (including making your personnel who are knowledgeable about your or your Content’s processing of Meta Horizon User Data available for our questioning).

7.6 You will also use commercially reasonable efforts to get permission and cooperation from your Service Providers and their sub-Service Providers for us to conduct such Audits with respect to their IT Systems, Records, and applicable personnel. You will remedy any non-compliance revealed by an Audit as soon as reasonably practicable (as we determine based on the facts and circumstances), after which we may conduct follow-up Audits to ensure proper remediation of the non-compliance. If an Audit reveals any non-compliance by you or your Service Provider(s) or your Service Providers’ sub-Service Providers then you will reimburse us for all of our reasonable costs and expenses associated with conducting the Audit and any related follow-up Audits. Our Audit rights under this section will survive until one year after the later of when you affirmatively demonstrate that you have stopped processing all Meta Horizon User Data and when any data derived from Meta Horizon User Data that are in your, your Service Providers’, and your Service Providers’ sub-Service Providers’ possession or control have been deleted. For the avoidance of doubt, nothing in this Section limits any other rights or remedies we may have by law, in equity, or under this Policy or other applicable terms or policies.

8.1 With or without advance notice to you, we may enforce against you and/or your Content, including permanently removing your Content and account, if we conclude you have violated this Policy or are negatively impacting the Meta Horizon platform, and/ or suspend your Content, while we investigate suspected violations of this Policy. You must keep your contact information up to date, respond to our requests to delete User Data and users’ requests to delete User Data.

8.2 We may take enforcement action against you and/or your Content, including permanently removing your Content and account, if we believe, in our sole discretion, that:

(a) You have not timely responded to our requests related to certifications, monitoring or auditing;

(b) You or your Content has violated or may have violated this Policy or any other applicable terms or policies or is negatively impacting the Meta Horizon platform, other Meta Products, User Data, or people who use Meta Products.

(c) It is needed to comply with applicable laws or regulations or otherwise required or requested by a court order or

(d) It is needed to protect the Meta Companies from legal or regulatory liability. Enforcement can be both automated and manual. It can include suspending or removing your Content from any distribution channels, including the Meta Horizon Store, suspending or removing Data Sharing with you or your Content, removing your access and your Content’s access to the Meta Horizon platform, requiring that you stop processing and delete User Data, terminating our agreements with you, or any other action that we consider to be appropriate, including terminating other agreements with you or your ability to use Meta Products. We may suspend or end your Content’s access to any APIs, permissions, or features that your Content has not used or accessed within a 90-day period with or without notice to you.

8.3 We may take enforcement action against you and/or your Content, including permanently removing your Content and account, if you create or maintain Content to circumvent, or attempt to circumvent, our enforcement actions. An attempt to circumvent could include creating or maintaining Content to bypass any restrictions or enforcement we’ve placed on your other Content or developer account due to a violation(s) of our terms and policies.

9.1 In accordance with our Terms of Service, you will not transfer any of your rights or obligations under this Policy to anyone else without our prior consent. Transfer can include assignment, acquisition, merger, change of control, or other forms of transfer. Any unpermitted transfer will be considered null and void. For any permitted transfer of Content, you will obligate the transferee to comply with this Policy and other applicable terms and policies, and re-submit such App and Content through our App Review process for our review and approval. After any such permitted transfer by you of Content, you can only access, use, share, and retain User Data to the extent permitted by, and in compliance with, this Policy and applicable laws and regulations.

9.2 You also must comply with all applicable laws and regulations, including with respect to your collection, use, or other processing of User Data (including without limitation the European General Data Protection Regulation, ePrivacy Directive and any related EEA countries’ requirements, California Consumer Privacy Act, California Privacy Rights Act, Virginia Consumer Data Protection Act, Colorado Privacy Act, Utah Consumer Privacy Act, Connecticut Privacy Act, the Children’s Online Privacy Protection Act, and the Video Privacy Protection Act). If there is any conflict between this Policy and any other applicable online terms, the terms that are more restrictive on you and your Content or more protective of us apply.

9.3 We reserve the right to amend this Policy at any time and will use commercially reasonable efforts to provide you with prior notice of any material amendments to this Policy. Your continued use of or access to Meta Horizon platform or User Data after any such amendment will constitute your binding agreement to this Policy as amended.

9.4 We may need to modify, change, suspend, or discontinue the availability of the Meta Horizon platform from time to time, for example, for safety and security reasons or to otherwise protect our legitimate interests. In addition, we may impose limits on certain features and services or restrict your access to parts or all of the Meta Horizon platform or our other APIs or websites and discontinue any support or modification for the Meta Horizon platform that we have previously elected to provide for you. If we elect to discontinue the entirety of the Meta Horizon platform, we will use commercially reasonable efforts to provide you with prior notice.

9.5 When this Policy has ended, all rights granted to you under this Policy will immediately stop and you will immediately stop using the User Data. The following Sections will remain in effect after this Policy has ended: Section 4 (Prohibited Uses of User Data), Section 5 (Sharing User Data), Section 6 (Security & Deletion), Section 8 (Enforcement), Section 9 (General), Section 10 (International Transfers – EEA Data Transfers), and Section 10A (International Transfers – UK Data Transfers).

This section shall apply to the extent that your processing of User Data includes personal data controlled by Meta Platforms Ireland Limited (“Meta Ireland Data”) and the transfer of such Meta Ireland Data to a territory outside of the European Economic Area that, at the time of such transfer, does not have a positive adequacy decision from the European Commission under Article 45 of Regulation (EU) 2016/679 (each an “EEA Data Transfer”).

Whenever there is an EEA Data Transfer, your use of Meta Ireland Data is subject to your compliance with the Clauses in so far as they relate to controller to controller transfers (Module One). The term “Clauses” is defined as the standard contractual clauses annexed to European Commission Decision (EU) 2021/914. In each case, you agree that for the purposes of Section IV, Clauses 17 and 18 in the Clauses, Option 1 and Option (b) shall apply respectively and the Member State shall be Ireland. Nothing in this Section 10 (International transfers – EEA Data Transfers) is intended to vary or modify the Clauses. For the purposes of the Appendix to the Clauses, the following will apply:

10.1 For the purposes of Annex I(A) to the Clauses, Meta Platforms Ireland Limited is the “data exporter” and you are the data importer as defined in the Clauses.

10.2 For the purposes of Annex I(B) to the Clauses:

(a) “Categories of data subjects” are the Users who visit, access, use, or otherwise interact with the Content and the products and services of Meta Platforms Ireland Limited;

(b) “Categories of personal data” are Meta Ireland Data, which includes profile information, avatar data, and friends data or data about interactions between users, or as otherwise set forth in the Data Policy;

(c) “Frequency of the transfer” is on a continuous basis to the extent required to fulfill the purpose outlined in Section 10.2(e) below;

(d) “Nature of the processing and purpose(s) of the data transfer(s)” is the provision of the Content and other products and services by you to Users pursuant to your applicable terms and conditions and privacy policy; and

(e) “Period for which personal data will be retained” is as set out in Section 6.2 unless applicable laws require the Meta Ireland Data be retained for a longer period, in which case you shall only retain such Meta Ireland Data for the period required by such applicable laws and subject always to Section 10.4.

10.3 For the purposes of Annex I(C) to the Clauses, the competent supervisory authority will be the Data Protection Commission in Ireland; and

10.4 For the purposes of Annex II to the Clauses, you will implement and maintain the technical and organizational security measures set out in Annex II to the SCCs - Technical and Organizational Measures and such other measures as we may require from time to time.

This Section 10A shall apply to the extent that your processing of User Data includes personal data controlled by Meta Platforms, Inc. that is subject to the UK GDPR (as defined in the UK’s Data Protection Act 2018 (“DPA”)) (“UK Data”) and the transfer of such UK Data to a territory outside of the United Kingdom that, at the time of such transfer, does not have a positive adequacy decision from the Secretary of State in accordance with the relevant provisions of the UK GDPR and the DPA (“UK Data Transfer”).

10A.1 Whenever there is a UK Data Transfer, your use of UK Data is subject to your compliance with the Approved Addendum (which is hereby incorporated by reference into these terms and is deemed to have been entered into and completed as set out below). Nothing in this Section 10A (International transfers – UK Data Transfers) is intended to vary or modify the Approved Addendum. All defined terms used below shall have the meanings given to them in the Approved Addendum. For the purpose of the Approved Addendum, the following will apply:

(a) In Table 1 of the Approved Addendum, the parties’ details are as follows:

i. Meta Platforms, Inc. is the “data exporter” and you are the “data importer” as defined in the Approved Addendum.

ii. The parties details and key contact information are:

iii. The parties agree that execution of these terms by the parties shall constitute execution of the Approved Addendum.

(b) For the purposes of Table 2 of the Approved Addendum, the selected modules of the Approved EU SCCs shall be Module 1 (controller to controller).

(c) Table 3 of the Approved Addendum shall be populated as follows:

i. Annex 1A: List of Parties: See Table 1 references above and the activities relevant to the data transferred are as described in these terms.

ii. Annex 1B: Description of Transfer: The information in Section 10(b) shall apply, albeit references to “Meta Platforms Ireland Limited” shall be replaced with “Meta Platforms, Inc.” and references to “Meta Ireland Data” shall be replaced with “UK Data”.

iii. Annex II: Technical and organizational measures: For the purposes of Annex II, you will implement and maintain Meta’s Technical and Organiszational Measures.

(d) In Table 4 of the UK Addendum, the data exporter may end the UK Addendum in accordance with the terms of the UK Addendum.