Scope of this Privacy Policy

This Privacy Policy applies to Covenda's products and services, including applicable mobile and desktop applications (collectively, the "Services"), covenda.ai and other Covenda websites (collectively, the "websites"), and other interactions (e.g., customer service inquiries, user conferences, and others) you may have with Covenda. If you disagree with the terms, do not access or use the services, websites, or any other aspect of Covenda's business.

This Privacy Policy does not apply to third-party applications or software that integrate with the Services through the Covenda platform ("Third-Party Services") or any other third-party products, services, or businesses. In addition, a separate agreement governs the delivery, access, and use of the Services (the "MSA"), including the processing of any data submitted through the Services ("Service Data"). The organization (e.g., your employer or another entity or person) that agreed to the MSA ("customer") controls its instance of the services and any associated Service Data (the "Customer Instance").

Information Covenda Collects and Receives

Covenda may collect, generate, and receive Service Data and other information and data ("Other Information"; Service Data and Other information collectively "information")) in a variety of ways:

Service data

Customers and individuals granted access to a Customer Instance by a Customer ("Authorized Users") may submit Service Data to Covenda when using the Services.

Other information

Account information

To create or update a Covenda account, you or a Customer (e.g., your employer) supply Covenda with an email address, phone number, password, domain, and similar account details. In addition, Customers who purchase a paid version of the Services provide Covenda (or its payment processors) with billing details such as credit card information, banking information, and a billing address.

Usage information

Services metadata: When an Authorized User interacts with the Services, it generates metadata that provides additional context about how Authorized Users interact with the Services. For example, Covenda logs what third-party services connect with the Services (if any).

Log data: Like most technology services delivered over the Internet, our servers automatically collect information when you access or use our websites or services and record it in log files. This log data may include the Internet Protocol (IP) address, the address of the web page visited before using the website or services, the browser type and settings, the date and time of use, information about browser configuration and plugins, language preferences, and cookie data.

Device information

Covenda collects information about devices accessing the Services, including the type of device, operating system, device settings, application IDs, unique device identifiers, and crash data. Whether Covenda collects some or all of this information often depends on the type of device used and its settings.

Location information

Covenda receives information from you, your Customer, and other third parties that may help Covenda approximate your location. Covenda may, for example, use a business address your employer submitted or an IP address received from your browser or device to determine the approximate location. Covenda may also collect location information from devices following the consent process your device provided.

Cookie information

Covenda uses cookies and similar technologies on our websites and services to help us collect other information. The websites and Services may also include cookies and similar tracking technologies of third parties, which may collect Other information about you via the Websites and Services and across other websites and online services. For more details about how Covenda uses these technologies and your opt-out opportunities and other options, please see Covenda's cookie policy.

Third-Party Services

A Customer can connect Third-Party Services to its Customer Instance. Typically, third-party services are software services that integrate with Covenda Services, and a customer can permit authorized users to turn on and off these integrations for its customer instance. Covenda may also develop and offer Covenda applications that connect the Services with a Third-Party Service. Once enabled, the provider of a Third-Party Service may share certain information with Covenda. For example, when a single sign-on service connects with Covenda, Covenda may receive the username and email address of Authorized Users, along with additional information that the application has elected to make available to Covenda to facilitate the integration. Authorized Users should check the privacy settings and notices in these Third-Party Services to understand what data may be disclosed to Covenda. When a Third-Party Service is enabled, Covenda is authorized to connect and access Other information made available to Covenda under any permission(s) granted by Customer (including by its Authorized User(s)). Covenda does not, however, receive or store passwords for any of these Third-Party Services when connecting them to the Services.

Contact information

When creating an account on the Services, an Authorized User must provide some contact information (e.g., an email address).

Third-party data

Covenda may receive data about organizations, industries, lists of companies that are customers, website visitors, marketing campaigns, and other matters related to our business from affiliates and subsidiaries, our partners, or others that Covenda engages with to make Covenda's information better or more helpful. This data may be combined with Other information Covenda collects, including aggregate-level data, such as which IP addresses correspond to zip codes or countries. Or it might be more specific, for example, how well an online marketing or email campaign performed.

Additional information provided to Covenda

Covenda receives other information when submitted to our websites or in other ways, such as if you participate in a focus group, contest, activity, or event, apply for a job, enroll in an educational program hosted by Covenda or a vendor, request support, interact with our social media accounts or otherwise communicate with Covenda.

Information transferred via the Google API

Covenda's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including Limited Use requirements.

How Covenda Uses Information

Covenda will use Service Data under the applicable MSA, Customer's use of Services functionality, and as required by applicable law. Covenda is a processor of Service Data, and Customer is the controller.

In addition, Covenda uses information to further our legitimate interests in operating our services, websites, and business. Covenda uses information as follows:

• To provide, update, maintain, and protect our Services, websites, and business. It includes using Service Data and Other information to support delivery of the Services under an MSA, prevent or address service errors, security or technical issues, analyze and monitor usage, trends, and other activities, or at an Authorized User's request.
• As required by applicable law, legal process, or regulation.
• To communicate with you by responding to your requests, comments, and questions. If you contact us, Covenda may use the information to respond.
• To develop and provide additional features. Covenda tries to make the Services as helpful as possible for Customers and Authorized Users. Covenda may use aggregated and anonymized Services Data and Other information to develop new Services or improve existing Services.
• To send emails and other communications. Covenda may send you service, technical, and administrative emails, messages, and other communications. Covenda may also contact you to inform you about changes in our Services, our Service offerings, and important Service-related notices, such as security and fraud. These communications are considered part of the Services, and you may not opt-out. In addition, Covenda sometimes sends emails about new product features, promotional communications, or other news about Covenda. These are marketing messages, so you can control whether you receive them. If you have additional questions about a message you received from Covenda, please reach out through the contact mechanisms described below.
• For billing, account management, and other administrative matters. Covenda may need to contact you for invoicing, account management, and similar reasons. Covenda uses account data to administer accounts and keep track of billing and payments.
• To investigate and help prevent security issues and abuse.

When information is aggregated or de-identified so that it is no longer reasonably associated with an identifiable natural person, Covenda may use it for any business purpose. To the extent information is associated with an identified or identifiable natural person and is protected as personal data under applicable data protection law, it is referred to in this Privacy Policy as "Personal Data."

Data Retention

Covenda will retain Service Data under the applicable MSA, Customer's use of Services functionality, and as required by applicable law.

Covenda may retain Other information for as long as necessary for the purposes described in this Privacy Policy. It may include keeping Other information for the period Covenda needs to pursue legitimate business interests, conduct audits, comply with (and demonstrate compliance with) legal obligations, resolve disputes, and enforce our agreements.

• We retain customer data and credentials up to 365 days following account termination unless deletion is requested earlier.
• We retain applicant data for up to three (3) years unless deletion is requested earlier.
• We retain website visitor information under retention periods stated in the Cookie Policy.

How Covenda Shares and Discloses Information

This section describes how Covenda may share and disclose information.

Displaying and operating the Services

Because of the nature and functionality of the Services, information will be displayed as part of the Services to Authorized Users in a Customer Instance. For example, information about which of the Customer's employees may have two-factor authentication enabled may be displayed as part of the Services.

Third-party service providers and partners

Covenda may engage third parties as service providers or business partners to process information and support our business. These third parties may, for example, provide virtual computing and storage services. To the extent necessary and applicable, these third-party service providers and partners will be bound under appropriate and commercially reasonable confidentiality obligations.

Third-Party Services

The Customer may enable or permit Authorized Users to enable Third-Party Services. Covenda requires each third-party service to disclose all permissions for information access in the services. However, Covenda does not guarantee that they will do so. When enabled and as requested by the Customer, Covenda may share information with Third-Party Services. Third-party services are not owned or controlled by Covenda, and third parties-granted access to information may have their policies and practices for its collection, use, and sharing. Please check the permissions, privacy settings, and notices for these Third-Party Services or contact the service provider for any questions.

Corporate affiliates

Covenda may share information with its corporate affiliates, parents, and subsidiaries.

During a change to Covenda's business

If Covenda engages in a merger, acquisition, bankruptcy, dissolution, reorganization, sale of some or all of Covenda's assets or stock, financing, public offering of securities, acquisition of all or a portion of Covenda's business, a similar transaction or proceeding, or steps in contemplation of such activities, some or all information may be shared or transferred, subject to appropriate and commercially reasonable confidentiality arrangements.

Aggregated or de-identified data

Covenda may disclose or use aggregated or de-identified information for any purpose. For example, Covenda may share aggregated or de-identified information with prospects or partners for business or research purposes.

To Comply with Laws

Suppose a law enforcement or government agency sends Covenda a demand for information about a Customer. In that case, Covenda shall attempt to redirect the agency to request that data directly from the Customer. Covenda may provide the Customer's basic contact information to the law enforcement or government agency as part of this effort. If compelled to disclose information to law enforcement or government agencies, Covenda will give the Customer reasonable notice of the demand and cooperation to allow the Customer to seek a protective order or other appropriate remedy unless Covenda is legally prohibited. Covenda will not voluntarily disclose information related to a Customer to any law enforcement or government agency.

To enforce our rights, prevent fraud, and ensure safety

To protect and defend the rights, property, or safety of Covenda or third parties, including enforcing contracts or policies or investigating and preventing fraud or security issues.

With consent

Covenda may share information with third parties when it has consent to do so.

Security

Security is critical to Covenda's mission, and Covenda takes data security seriously. Covenda uses industry-standard technical and organizational measures to protect information from loss, misuse, and unauthorized access or disclosure. These steps consider the sensitivity of the information Covenda collects, processes, and stores and the current state of technology. Given the nature of communications and information processing technology, Covenda cannot guarantee that information in our care will be safe from intrusion by others during transmission through the Internet or while stored on our systems or otherwise. When you click a link to a third-party site, you will leave our site, and Covenda doesn't control or endorse what is on third-party sites.

Age Limitations

To the extent prohibited by applicable law, Covenda does not allow the use of our Services and websites by anyone younger than 16 years old to use our Services and websites. If Covenda learns that anyone younger than 16 has unlawfully provided Personal Data, Covenda will take steps to delete such information.

Changes to This Privacy Policy

Covenda may change this Privacy Policy occasionally. Laws, regulations, and industry standards evolve, making those changes necessary, or Covenda may change our services or business. Covenda will post the changes to this page and encourage you to review our Privacy Policy to stay informed. When Covenda makes changes that materially alter your privacy rights, Covenda will provide additional notice, such as via email or the Services. If you disagree with the changes to this Privacy Policy, you should cease interacting with the Services. Contact the applicable Customer if you wish to request the removal of Personal Data under their control.

International Data Transfers

Covenda may transfer your Data to countries other than the one you live in - generally, from locations outside the United States to the United States. Covenda deploys the following safeguards when Covenda transfers Personal Data from jurisdictions with differing data protection laws:

European Union Model Clauses

Covenda offers European Union Model Clauses ("Model Clauses"), also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our Customers that operate in the EEA, Switzerland, and the UK and for other international transfers of Customer data as relevant.

E.U.-U.S. Privacy Shield and Swiss-U.S. Privacy Shield

While Covenda is self-certified under the E.U.-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield, it is not currently relying on those frameworks to transfer personal data. For more information, see the Privacy Shield section below.

Identifying the Data Controller and Processor

Data protection law in certain jurisdictions differentiates between the "controller" and "processor" of information. In general, the customer is the controller of service data. Covenda is the processor of service data and the controller of other information.

Your Rights

Individuals in certain US States, such as California and Virginia, and countries, including those in the European Economic Area and the United Kingdom, have certain statutory rights concerning their data. Subject to any exemptions provided by law, you may have the right to request access to information in a portable form or seek to update, delete, or correct this information. You can exercise your privacy rights by requesting them via email at privacy@covenda.ai or in writing to Covenda Inc., Attention: Data Privacy Officer, 6508 Embassy Blvd., Port Richey, FL, 34668, United States.

To the extent that Covenda's processing of your data is subject to the General Data Protection Regulation or applicable laws covering the processing of personal data, such as the UK Data Protection Act and the Brazilian General Data Protection Act (Lei Geral de Proteção de Dados), Covenda relies on its legitimate interests, described above, to process your data. Covenda may also process other information that constitutes your data for direct marketing purposes, and you have a right to object to Covenda's use of your data for this purpose at any time.

Your California Privacy Rights

This section provides additional details about the personal information Covenda collects about California consumers and their rights under the California Consumer Privacy Act, as the California Privacy Rights Act, or "CCPA," is amended.

For more details about the personal information Covenda has collected over the last 12 months, including the categories of sources, please see the Information Covenda Collects and Receives section above. Covenda collects this information for the business and commercial purposes described in the How Covenda Uses Information section above. Covenda shares this information with the categories of third parties described in the How Covenda Shares and Discloses Information section above. Subject to certain limitations, the CCPA also provides California consumers the right to request more details about the categories or specific pieces of personal information Covenda collects (including how Covenda uses and discloses this information), to delete their personal information, correct their personal information that may be occurring, and not to be discriminated against for exercising these rights. Please also note that Covenda does not collect sensitive personal information as defined under the CCPA.

As described in our Cookie Policy, we have incorporated cookies from certain third parties into our website. These cookies allow those third parties to receive information about your activity on our services associated with your browser or device. Those third parties may use that data to serve you relevant ads on our website or other websites you visit. Under the CCPA, sharing your data through third-party cookies for online advertising may be considered a "sale" or "share" of information, and you may opt-out by following the instructions in this section.

We may "sell" or share your data with the following categories of third parties:

• Ad Networks
• Analytics providers
• Marketing providers

Over the past 12 months, we may have "sold" the following categories of your data to categories of third parties listed above:

• Usage information
• Cookie information

We have "sold" or shared the preceding categories of personal data for improving the services, including testing, research, internal analytics, and product development, and for showing you advertisements, including interest-based or online behavioral advertising.

You can decline the "sale" or share your data using the following methods:

• Accessing your cookie consent settings here
• Implement the Global Privacy Control or similar control legally recognized by a government agency or industry standard that complies with the CCPA. Your browser must initiate the signal the control issued and apply it to the specific device and browser you use when you cast the signal. Please note that this does not include Do Not Track signals.

Once you have submitted an opt-out request, we will not ask you to reauthorize the sale of your data for at least 12 months.

To our knowledge, we do not sell the personal data of minors under 16 years of age.

California consumers may make all other requests to access, correct, or delete under their rights under the CCPA by contacting us at privacy@covenda.ai or by mailing us at

Covenda will verify your request using the information associated with your account, including your email address. Government identification may be required. Consumers can also designate an authorized agent to exercise these rights.

Your Virginia Privacy Rights

Subject to certain limitations, the Virginia Consumer Data Protection Act ("VCDPA") provides Virginia consumers the right to request to access personal information we collect about them, to correct inaccuracies in their data, to request a portable copy of your information, and to delete your information. You also have the right to opt out of processing your Personal Data for profiling in furtherance of decisions that produce legal or similarly significant effects on you, which Covenda does not. You also have the right to opt out of targeted advertising and selling (as such terms are defined under the VCDPA); however, Covenda does not participate in selling your information. To opt-out from targeted advertising, please

• Access your Cookie consent settings here
• By implementing the Global Privacy Control or similar control that is legally recognized by a government agency or industry standard and that complies with the CCPA. Your browser must initiate the signal the control issued and apply it to the specific device and browser you use when you cast the signal. Please note that this does not include Do Not Track signals.

If we refuse to take action on a request within a reasonable period after receiving your request, follow this section. In such an appeal, you must (1) provide sufficient information to allow us to verify that you are the person to whom the original request pertains, identify the original request, and (2) describe the basis of your appeal. Please note that your appeal will be subject to the rights and obligations afforded to you under the VCDPA. We will respond to your appeal within 60 days of receiving your access. If we deny your appeal, you can contact the Virginia Attorney General using the methods described at https://www.oag.state.va.us/consumer-protection/index.php/file-a-complaint.

Covenda will honor the exercise rights or appeals of decisions of Virginia residents requested via email at privacy@covenda.ai or in writing to

Data Protection Authority

Subject to applicable law, you also have the right to (i) restrict Covenda's use of information that constitutes your data and (ii) lodge a complaint with your local data protection authority or the Irish Data Protection Commissioner, which is Covenda's lead supervisory authority in the European Union. When you are a resident of the European Economic Area and believe we maintain your data within the scope of the General Data Protection Regulation (GDPR), you may direct questions or complaints to privacy@covenda.ai or our lead supervisory authority:

If you are a resident of the United Kingdom and believe we maintain your Personal Data within the scope of the applicable laws relating to personal data in the United Kingdom, you may direct questions or complaints to the UK supervisory authority, the information Commissioner's Office.

Privacy Shield

While not currently used as the basis of transfer, Covenda complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework(s) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. Covenda has certified that it adheres to the Privacy Shield Principles of the Department of Commerce. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program and view our certification, please visit https://www.privacyshield.gov/.

In compliance with the Privacy Shield Principles, Covenda commits to resolving complaints about our collection or use of your information. European Union and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should contact Covenda at privacy@covenda.ai.

This arbitration option may not be invoked if the individual's same claimed violation of Principles (1) previously underwent binding arbitration; (2) was the subject of a final judgment entered in a court action to which the individual was a party; or (3) was previously settled.

In addition, this option may not be invoked if an EU Data Protection Authority or the Commissioner has authority under Sections III.5 or III.9 of the Principles or has the authority to resolve the claimed violation directly with Covenda. A DPA's or the Commissioner's authority to determine the same claim against an EU or a Swiss data controller does not preclude invoking this arbitration option against a different legal entity not bound under the DPA or Commissioner's authority.

The Federal Trade Commission has jurisdiction over Covenda's compliance with the Privacy Shield.

In the context of an onward transfer, Covenda is responsible for processing the personal information it receives under the Privacy Shield and transferring it to a third party acting as an agent on its behalf. Covenda shall remain liable under the Principles if its agent processes such personal information in a way inconsistent with the Principles—unless we prove that we are not responsible for the event giving rise to the damage.

While Covenda is a Privacy Shield participant, Covenda does not rely on Privacy Shield to lawfully transfer data from non-US locations into the US.

Contacting Covenda

Please also feel free to contact Covenda if you have any questions about this privacy policy, Covenda's practices, or if you seek to exercise any of your statutory rights. Covenda will respond within a timeframe that is compliant with all applicable regulations. Contact us at privacy@covenda.ai or our mailing address 167-169 Great Portland Street, 5th Floor, London, W1W 5PF, United Kingdom, Attention: Data Privacy Officer.