   Effective: Jan 12, 2023

SUMMARY OF KEENETIC DEVICE PRIVACY NOTICE ON DATA PROCESSING

   Keenetic GmbH, Berliner Straße 300b, 63067 Offenbach am Main, Germany
   (hereafter “Keenetic”, “we”, “us”, or “our”) as the responsible data
   controller for any personal data collected and processed in connection
   with the use of our devices provide this summary of Keenetic devices
   (“Keenetic Devices”) privacy notice (hereafter “Summary Notice”) of the
   accompanying, detailed Keenetic device privacy notice (hereafter “Full
   Notice”) on data processing to you in order to give you an overview of our
   practices with respect to the collection, storage, use, disclosure or
   erasure (hereafter jointly “Process or Processing”) of information of any
   kind (e.g., Software version installed) related to you (hereafter jointly
   “Personal Data”) in connection with the use of Keenetic devices. Each time
   we use a technical term taken from the applicable privacy laws and
   regulations We shall explain in parentheses first (as shown above) and
   then continue using the defined term with the defined meaning, and shall
   mark statements only applicable to the extent admissible or required in
   your jurisdiction with “*”. You can read the Full Notice and a list of all
   defined terms with more details on their respective meanings below.

  Scope of applicability

   This Summary Notice applies to the use of Keenetic Devices.

  Processing of your Personal Data (categories of Personal Data)

   We Process the following of your Personal Data collected and processed in
   connection with the use of the Devices: IP address of your Keenetic
   Device, Service Tag (unique identification number of device), the device
   serial number, model number, current KeeneticOS software version and
   components list of device, date of your consent with this Device privacy
   notice and End User License Agreement, user interface language, domain
   names booked for the Device with KeenDNS service. For more details see
   Section I of the Full Notice.

  Processing purposes

   We Process your Personal Data for the following purposes: Authenticity
   Status Verification, Time Synchronization, Internet Checker, Automatic
   Updates, Product Improvement Program, Dynamic DNS Service, Automatic SSL
   Certificate Installation, Technical Support, Third-Party Services
   Configuration. For more details see Section II of the Full Notice.

  Legal justifications for the Processing of your Personal Data

   One of the key privacy law requirements is that any Processing of Personal
   Data has to have a legal justification. We generally use the following
   legal justifications: the Processing is based on your consent (Art.
   6(1)(a) GDPR; “Consent Justification”, necessary for (i) fulfilment of a
   contract (Art. 6(1)(b) GDPR; “Contract Justification”), (ii) compliance
   with a legal obligation (Art. 6(1)© GDPR; “Legal Obligation
   Justification”, (iii) realizing a legitimate interest (Art. 6(1)(f) GDPR;
   “Legitimate Interest Justification”). For more details and the matching
   of purposes and corresponding legal justifications see Section III of the
   Full Notice.

  Data transfers and recipients and legal justification for such transfers

   We transfer your Personal Data to other Keenetic group companies and third
   parties (e.g., service providers), certain acquiring or acquired entities,
   and, in accordance with applicable law, governmental authorities, courts,
   external advisors, and similar third parties, some of the aforementioned
   recipients located in jurisdictions outside the EU. For more details see
   Section IV of the Full Notice.

  Retention periods for and deletion of your Personal Data

   Your Personal Data will be deleted once they are no longer needed for the
   purposes that motivated their original collection or as required by
   applicable law. For more details see Section V of the Full Notice.

  Your statutory rights

   As set forth by applicable law, you have a number of rights with regard to
   the Processing of your Personal Data, each as per the conditions defined
   in applicable law, such as the right to get access to your data, to get
   them corrected, erased or handed over. Please refer any of your general
   Personal Data questions to gdpr@keenetic.com (which will be handled by our
   parent company Keenetic Limited, Hongkong, on our behalf and according to
   our instructions). If you have any reports on violations, complaints about
   Personal Data treatment or any questions to Data Privacy Officer please
   refer to dpo@keenetic.de. For more details see Section VI of the Full
   Notice.

  Changes of this Summary Notice and the Full Notice as well as further notices

   Both this Summary Notice and the Full Notice are subject to change. You
   will be notified adequately of any such changes. Further, you will be
   notified adequately through further relevant privacy notices (e.g., for
   specific purposes, systems used by Keenetic) in case such is not covered
   by this Summary Notice and the Full Notice.

  How to contact us

   If you wish to exercise your data subject rights or if you have any other
   questions concerning this Notice, please address your request to Keenetic
   via gdpr@keenetic.com (which will be handled by our parent company
   Keenetic Limited, Hongkong, on our behalf and according to our
   instructions).

FULL NOTICE

  I. Categories of Personal Data

   We process the following Personal Data about you:

     * IP address of your Keenetic Device (referred to as “IP Address”);
     * Service Tag (device’s unique identification number), the device serial
       number, model number, KeeneticOS software version of device and
       components list, date of your consent with this Device privacy notice
       and End User License Agreement, user interface language, domain names
       booked for the Device with KeenDNS service (jointly referred to as
       “Basic Device Data”).

  II. Processing purposes

   We process your Personal Data to the extent permitted or required under
   applicable law, for the following purposes:

     * to ensure the operation of your Keenetic Device (such as to (i)
       maintain a permanent secure connection with Keenetic servers, (ii)
       check the originality of your Keenetic Device and the presence of a
       valid license (as applicable), (iii) record your consent to the this
       Device privacy notice and End User License Agreement) (jointly
       referred to as “Authenticity Status Verification”).

       For this purpose your Keenetic Device transmits IP address, Service
       Tag, the device serial number, model number, End User License
       Agreement version and the date of consent, Data Privacy Notice version
       and the date of consent.

     * to set and synchronize the time between your Keenetic Device and
       Keenetic time server (referred as “Time Synchronization”).

       For this purpose, only the IP address of your Keenetic Device is
       transmitted. By default, the Keenetic Device will synchronize time
       with Keenetic time servers. You can change this by configuring your
       preferred NTP time server under the “General system settings” section.

     * to verify the availability, proper operation and speed of the internet
       connection (such as to (i) establish a periodical connection to the
       Keenetic test server; (ii) measure the internet speed between your
       Keenetic Device and Keenetic speed test server) (referred as “Internet
       Checker”).

       For this purpose only the IP address of your Keenetic Device is
       transmitted.

     * to ensure your Keenetic Device stability, safety and security (such as
       to send KeeneticOS software updates to your Keenetic Device) (referred
       to as “Automatic Updates”).

       In order to determine the necessary updates, your Keenetic device
       sends Service Tag, the device serial number, model number, device’s
       current KeeneticOS software version and components list, to us at
       regular intervals. We use this data in order to build required
       KeeneticOS software image for your Keenetic device and perform
       targeted update.

       The “KeeneticOS automatic updates” option is disabled by default.
       However, in order to ensure the security and reliable operation of
       your device, we recommend enabling this option during installation or
       later under “General system settings” section. In a Mesh Wi-Fi System
       configuration, the “KeeneticOS automatic updates” option is
       automatically applied from the Main Keenetic router to the Extenders.

     * to improve your Keenetic Device quality and performance (such as to
       share anonymous Keenetic device diagnostic and usage information)
       (referred to as “Product Improvement Program”).

       The Product Improvement Program collects and periodically sends
       statistically relevant data on quality, application scenarios and
       ambient parameters from a random sample of Keenetic devices. This
       information serves to detect technical problems, to guide useful
       further development, and to make qualitative improvements measurable.

       Diagnostics data do not include any names assigned by the customer.
       Insofar as diagnostics data must be logged and evaluated, we do so in
       anonymized form, that is, without any reference to the person of the
       user. This way you can benefit from optimizations implemented in
       updates or necessary adjustments by Keenetic. Examples of diagnostics
       data are quality and configuration parameters of the LTE and DSL
       modems, internet and Wi-Fi connections, basic performance parameters,
       configurations of the KeeneticOS operating system, and crash reports
       resulted from errors in operation.

       The “Product Improvement Program” option is disabled by default.
       However, in order help Keenetic improve your experience, we recommend
       enabling this option during installation or later under “General
       system settings” section. In a Mesh Wi-Fi System configuration, the
       “Product Improvement Program” option is automatically applied from the
       Main Keenetic router to the Extenders;

     * to provide you with the opportunity to securely access your Keenetic
       Device remotely (referred to as “Dynamic DNS Service”).

       Keenetic operates a dynamic DNS server (KeenDNS Service) to provide
       remote access to your Keenetic Device over the Internet. For this
       purpose, your Keenetic Device transmits its IP address, Service Tag
       and requested Domain Name to the KeenDNS server. KeenDNS server keeps
       Domain Name reference to the device’s Service Tag and its current IP
       address. Your Keenetic Device will keep transmitting its IP address at
       regular intervals to KeenDNS server as long as KeenDNS Service is
       enabled. Outdated IP address are deleted immediately. Keenetic Device
       will automatically request an SSL certificate issued by the
       letsencrypt.org certificate authority for selected domain name after
       the booking. The certificate is renewed automatically at regular
       intervals. The KeenDNS Service is disabled by default. You can enable
       it under “Domain name” section by booking a desired domain name. If
       necessary, KeenDNS Service can be fully removed from your Keenetic
       Device by uninstalling “Cloud-based remote control and KeenDNS”
       component under the “General system settings” section.

     * to protect the default management interface of your Keenetic Device
       with an SSL certificate (referred to as “Automatic SSL Certificate
       Installation”).

       After the successful initial connection to the Internet, your Keenetic
       Device will automatically request a self-assigned domain name with SSL
       certificate in the *.keenetic.io subdomain via KeenDNS service.

       The automatic SSL certificate installation is enabled by default. Upon
       the successful booking all local requests to the default management
       address of your Keenetic Device (my.keenetic.net) will be redirected
       to the self-assigned domain name in the *.keenetic.io subdomain using
       the secure https link. To cancel the use of self-assigned domain name
       with SSL certificate remove “Cloud-based remote control and KeenDNS”
       component under the “General system settings” section of your Keenetic
       Device.

     * to deliver Keenetic Device support services (such as to (i) enable the
       context-sensitive display of the embedded online help, (ii) provide
       remote technical support assistance upon your request) (jointly
       referred to as “Technical Support”).

       Your Keenetic Device sends the model number, installed KeeneticOS
       software version, language, and information on the context of the user
       interface in which the help was accessed, in order to enable the
       context-sensitive display of contents appropriate to the product being
       used. Remote technical support assistance works by means of temporary
       domain name booking via KeenDNS Service upon user consent.

     * to deliver easy configuration of the third-party services with your
       Keenetic Device (such as to obtain the up to date lists of Captive
       Portal and Voice over IP Telephony Providers along with their
       recommended settings) (referred to as “Third-Party Services
       Configuration”).

       For this purpose, only the IP address of your Keenetic is transmitted.
       No further processing takes place.

  III. Legal justification for the Processing of your Personal Data

   In general, you are required to provide your Personal Data, except in
   limited instances when we indicate that certain information is voluntary.
   However, if you do not provide your Personal Data, the certain
   functionalities might be delayed or impossible.

   Furthermore, Keenetic relies on the following legal justifications for the
   processing of your Personal Data:

                                 PERSONAL DATA
   +------------------------------------------------------------------------+
   | General         | Specific           | Categories   |                  |
   | description of  | Processing         | of Personal  | Legal basis      |
   | Processing      | Purposes           | Data         |                  |
   | Purposes        |                    | Involved     |                  |
   |-----------------+--------------------+--------------+------------------|
   | To guarantee    | Authenticity       | IP address   | Consent          |
   | the operation   | Status             | Basic Device | Justification,   |
   | of your         | Verification,      | Data         | Contract         |
   | Keenetic Device | Dynamic DNS        |              | Justification,   |
   |                 | Service,           |              | Legal Obligation |
   |                 | Technical Support  |              | Justification,   |
   |                 |--------------------+--------------| Legitimate       |
   |                 | Time               | IP address   | Interest         |
   |                 | Synchronization,   |              | Justification    |
   |                 | Internet Checker,  |              |                  |
   |                 | Third-Party        |              |                  |
   |                 | Services           |              |                  |
   |                 | Configuration      |              |                  |
   |-----------------+--------------------+--------------|                  |
   | To guarantee    | Automatic Updates, | IP address   |                  |
   | stability,      | Automatic SSL      | Basic Device |                  |
   | safety and      | Certificate        | Data         |                  |
   | security of     | Installation       |              |                  |
   | your Keenetic   |                    |              |                  |
   | device          |                    |              |                  |
   |-----------------+--------------------+--------------|                  |
   | To improve the  | Product            | IP Address   |                  |
   | quality and     | Improvement        |              |                  |
   | performance of  | Program            |              |                  |
   | your Keenetic   |                    |              |                  |
   | device          |                    |              |                  |
   +------------------------------------------------------------------------+

  IV. Data transfers and recipients and legal justification for such transfers

    1. Recipients

   To other group companies: We transfer your Personal Data to other Keenetic
   group companies, as permitted under applicable data privacy law pursuant
   to Art. 6 (1)(f) GDPR for the legitimate interests of Keenetic to assure
   high quality support services and maintenance for Keenetic Devices.

   Third parties: Keenetic and/or other Keenetic group companies may also
   transfer your data to governmental agencies and regulators (e.g. tax
   authorities), social insurance carriers, courts, and government
   authorities, all in accordance with applicable law based on Art. 6 (1)©
   GDPR and to external advisors acting as controllers (e.g., lawyers,
   accountants, auditors etc.) based on Art. 6 (1)(f) GDPR.

   Service providers (within and outside the Keenetic group): Keenetic
   contracts with third party service providers or other Keenetic group
   companies as part of its normal business operations to assure high quality
   support services and maintenance for Keenetic Devices.

    2. Cross-Border Data Transfers

   We transfer your Personal Data outside of the country you are located.
   Some recipients of your Personal Data are located in another country for
   which the European Commission has not issued a decision that this country
   ensures an adequate level of data protection, namely: Hong Kong, or some
   of the locations of non-European Keenetic group companies.

   Some recipients located outside of the European Economic Area (EEA) are
   certified under the EU-U.S. Privacy Shield and others are located in
   countries for which the European Commission has issued adequacy decisions.
   In each case, the transfer is thereby recognized as providing an adequate
   level of data protection from a European data protection law perspective
   (Art. 45 GDPR).

   By way of entering into appropriate data transfer agreements based on
   Standard Contractual Clauses (2010/87/EU and/or 2004/915/EC) as referred
   to in Art. 46(5) GDPR or other adequate means, which are accessible via
   the contact details above we have established that all other recipients
   located outside the EEA will provide an adequate level of data protection
   for the Personal Data and that appropriate technical and organizational
   security measures are in place to protect Personal Data against accidental
   or unlawful destruction, accidental loss or alteration, unauthorized
   disclosure or access, and against all other unlawful forms of processing.
   Any onward transfer (including our affiliates outside the EEA) is subject
   to appropriate onward transfer requirements as required by applicable law.

  V. Retention periods for and deletion of your Personal Data

   Your Personal Data is stored by Keenetic and/or our service providers,
   strictly to the extent necessary for the performance of our obligations
   and strictly for the time necessary to achieve the purposes for which the
   Personal Data is collected, in accordance with applicable data protection
   laws. When Keenetic no longer needs to process your Personal Data, we will
   erase it from our systems and/or records and/or take steps to properly
   anonymize it so that you can no longer be identified from it unless we
   need to keep your information to comply with legal or regulatory
   obligations to which Keenetic is subject.

   We will retain your contact details and interests in our products or
   services for a longer period of time if Keenetic is allowed to send you
   marketing materials. Also, we typically erase contracts, communications,
   and business letters containing Personal Data, or we redact Personal Data
   from such documents, 10 years after their termination or creation, as such
   data may be subject to statutory retention requirements, which often
   require retention of up to 10 years. In addition, if a judicial or
   disciplinary action is initiated, the Personal Data will be stored until
   the end of such action, including any potential periods for appeal, and
   will then be deleted or archived as permitted by applicable law.

  VI. Your statutory rights

   If you have declared your consent for any personal data processing
   activities, you can withdraw this consent at any time with future effect.
   Such a withdrawal will not affect the lawfulness of the processing prior
   to the consent withdrawal.

   Under the conditions set out under applicable law (i.e., the GDPR), you
   have the following rights:

    1. Right of access: You have the right to obtain from us confirmation as
       to whether or not Personal Data concerning you is being processed,
       and, where that is the case, to request access to the Personal Data.
       The access information includes — inter alia — the purposes of the
       processing, the categories of Personal Data concerned, and the
       recipients or categories of recipients to whom the Personal Data have
       been or will be disclosed.

       You have the right to obtain a copy of the Personal Data undergoing
       processing. For additional copies requested by you, we may charge a
       reasonable fee based on administrative costs.

    2. Right to rectification: You have the right to obtain from us the
       rectification of inaccurate Personal Data concerning you. Depending on
       the purposes of the processing, you have the right to have incomplete
       Personal Data completed, including by means of providing a
       supplementary statement.

    3. Right to erasure (right to be forgotten): You have the right to ask us
       to erase your Personal Data.

    4. Right to restriction of processing: You have the right to request the
       restriction of processing your Personal Data. In this case, the
       respective data will be marked and may only be processed by us for
       certain purposes.

    5. Right to data portability: You have the right to receive the Personal
       Data concerning you which you have provided to us in a structured,
       commonly used and machine-readable format and you have the right to
       transmit those Personal Data to another entity without hindrance from
       us.

    6. Right to object:

       You have the right to object, on grounds relating to your particular
       situation, at any time to the processing of your Personal Data by us
       and we can be required to no longer process your Personal Data. If you
       have a right to object and you exercise this right, your Personal Data
       will no longer be processed for such purposes by us. Exercising this
       right will not incur any costs. Such a right to object may not exist,
       in particular, if the processing of your Personal Data is necessary to
       take steps prior to entering into a contract or to perform a contract
       already concluded.

   Please note that the aforementioned rights might be limited under the
   applicable national data protection law. Keenetic remains the universal
   point of contact for your execution of these rights.

   Please refer any of your general Personal Data questions to
   gdpr@keenetic.com (which will be handled by our parent company Keenetic
   Limited, Hongkong, on our behalf and according to our instructions). If
   you have any reports on violations, complaints about Personal Data
   treatment or any questions to Data Privacy Officer please refer to
   dpo@keenetic.de.

   In case of complaints, you also have the right to lodge a complaint with
   the competent supervisory authority, in particular in the Member State of
   your habitual residence or alleged infringement of the GDPR.
