This firmly Privacy Policy (this "Privacy Policy") applies to information collected by Firmly, Inc. ("firmly" "we" or "us" or "our") through your use of the firmly website at: https://www.firmly.ai/ and any subdomains thereof (the "Site") and the services, features, and information available on the Site, and interaction with the firmly proprietary, cross-web, intelligent checkout solution (together with the services and features made available thereon, and collectively with the Site, the "Service"). Certain aspects of the Service may be deployed on the websites, webpages, apps, email, print media, billboards, other web properties, and advertisements of brands and businesses from which you purchase goods and services online (each, a "Merchant"). This Privacy Policy is incorporated into, and part of, and governed by the firmly Terms and Conditions of Service.

As used herein: (a) "you" and "your" mean a user of the Service; (b) "GDPR" means the General Data Protection Regulation (EU) 2016/679; (c) "UK Data Protection Laws" means the UK GDPR and the UK's Data Protection Act 2018 ("UK DPA 2018"); (d) "UK GDPR" means the UK equivalent of the GDPR, as defined in section 3(10) (and as supplemented by section 205(4)) of the UK DPA 2018; (e) "European Data Protection Laws" means the GDPR, and/or the UK Data Protection Laws, in each case to the extent applicable; and (f) the terms "using" and "processing" information include using cookies on a computer, subjecting the information to statistical or other analysis and using or handling information in any way, including, but not limited to collecting, storing, evaluating, modifying, deleting, using, combining, disclosing and transferring information within firmly or among our affiliates within the United States or internationally.

If an organization with which you are associated (an "Organization") signs up to use our services, we may receive information about you in connection with our provision of such services to your Organization. To the extent we process that information solely in order to provide our services to your Organization, we will act as a processor on behalf of your Organization in respect of that information, which means: we will handle that information solely at the direction of your Organization; subject to Section 15, your Organization's privacy policy (and not this Privacy Policy) will apply to the processing of that information; and your Organization (and not us) is responsible for obtaining all necessary consents and providing you with all requisite information as required by applicable law. To the extent we process your information for any other lawful business purpose of ours, this Privacy Policy will apply to the processing of such information.

1. What Information About Me Is Collected?

Depending on your use of the Service, we may collect information about you. Such information may include your name, email address, telephone number, billing and shipping address, IP address, unique device identifiers, device types, device information, information about the products you purchase through the Service, information about your interactions with advertisements, browser language, browser types, the pages you view, requested URL, referring URL, date and time of visit, domain names, statistical data involving the use of the Service, and UTM tag.

Additionally, although we do not store it, we collect credit card information and transmit it through the Service to the applicable Merchant in order to fulfil transactions at your direction. This credit card information may be encrypted and stored securely on your device. The foregoing information, including encrypted credit card information may be accessed again in the future when you interact with the Service again and may be transmitted to the same Merchant or other Merchants with whom you interact. To the extent any such information can be used to identify you or can be tied to you in an identifiable manner, such information amounts to 'personal data' for the purposes of and as defined in the European Data Protection Laws (to the extent applicable).

2. Where and When Is Information Collected (Including Through the Use of Cookies and Action Tags)?

We will collect information that you submit to us. We may also receive information about you from third parties providing credit authorization and fraud screening services as part of your use of the Service. We may also receive information about you from or on behalf of Merchants, including when you interact with their websites, webpages, apps, other web properties, and advertisements.

Cookies and Action Tags

We may collect information passively using "cookies" and "action tags."

"Cookies" are small text files that can be placed on your computer or mobile device in order to identify your web browser and the activities of your computer on the Service and other websites. Cookies can be used to personalize your experience on the Service (such as dynamically generating content on webpages specifically designed for you), to assist you in using the Service (such as saving time by not having to reenter your name each time you use the Service), to allow us to statistically monitor how you are using the Service to help us improve our offerings, and/or to determine the popularity of certain content.

You do not have to accept cookies to use the Service. Although most browsers are initially set to accept cookies, you may reset your browser to notify you when you receive a cookie or to reject cookies generally. Most browsers offer instructions on how to do so in the "Help" section of the toolbar. However, if you reject cookies, certain features or resources of the Service may not work properly or at all and you may experience some loss of convenience.

"Action tags," also known as web beacons or gif tags, are a web technology used to help track website usage information, such as how many times a specific page has been viewed. Action tags are invisible to you, and any portion of the Service, including e-mail sent on our behalf, may contain action tags.

By using cookies and action tags together, we can gain valuable information to improve the Service and measure the effectiveness of our marketing campaigns. We may also combine information collected from cookies with information that you may provide, such as information provided in a form that you complete.

Finally, you should be aware that third parties may use their own cookies or action tags when you click on a link to their websites or services, including on or from the Service. This Privacy Policy does not govern the use of cookies or action tags or the use of your information by such third-party websites or services.

Log Files

We may also collect information through our Internet log files, which record data such as user IP addresses, browser types, domain names, and other anonymous statistical data involving the use of the Service. This information may be used to analyze trends, to administer the Service, to monitor the use of the Service, and to gather general demographic information.

Deidentified Data

To the extent we consider Deidentified Data outside the scope of applicable data protection laws because it is not identifiable, then, to the extent required by such data protection laws or other binding obligation to which we are subject, firmly hereby publicly commits to process Deidentified Data in its possession only in a de-identified fashion and not attempt to re-identify such Deidentified Data. "Deidentified Data" means data that cannot reasonably be used to infer information about, and that cannot reasonably be linked to, an identified individual or an identifiable individual, or to a device linked to such individual.

3. Does Firmly Collect Information from Children Under 13 Years of Age?

We are committed to protecting the privacy of children. The Service is not designed for or directed to children under the age of 13. We do not collect information from any person we actually know is under the age of 13.

4. What Does Firmly Do with the Information It Collects?

Pursuant to the European Data Protection Laws, legal bases for our processing your information may include (without limitation):

• (a) where you have given consent to the processing, which consent may be withdrawn at any time without affecting the lawfulness of processing based on consent prior to withdrawal;
• (b) where it is necessary to perform the contract we have entered into or are about to enter into with you (whether in relation to the provision of the Service or otherwise);
• (c) where it is necessary for us to comply with a legal obligation to which we are subject; and/or
• (d) where it is necessary for the purposes of our legitimate interests (or those of a third party) in providing, improving, or marketing the Service and your interests or fundamental rights and freedoms do not override those legitimate interests.

We use the information collected to provide the Service to you and process your transactions, to help us understand who uses the Service, for internal operations such as operating and improving the Service, to contact you for customer service and billing purposes, and, unless you "opt out" (to the extent permitted by applicable law), so that we and third parties acting on our behalf or on behalf of the applicable Merchant can contact you about products and services that may be of interest to you. In addition, information collected under this Privacy Policy, including encrypted credit card information may be accessed again in the future when you interact with the Service again and may be transmitted to the same Merchant or other Merchants with whom you interact.

Unless you "opt out" (to the extent permitted by applicable law), we and third parties acting on our behalf or on behalf of the applicable Merchant may subsequently send you electronic newsletters, contact you about the Service, products, services, information, and news that may be of interest to you, and provide you with targeted feedback. If you no longer desire to receive these communications, we will provide you with the option to change your preferences in each communication we send to you. You may also inform us by email to: privacy@firmly.ai.

If you identify yourself to us by sending us an e-mail with questions or comments, we may use your information to respond to your questions or comments, and we may file your questions or comments (with your information) for future reference.

We may also use the information collected to send announcements and updates regarding the Service. You will not be able to unsubscribe from these Service announcements and updates as they contain important information relevant to your use of the Service and are necessary for the performance of our contract with you or an Organization with which you are associated.

5. When Does Firmly Disclose Information to Third Parties?

We generally disclose information we gather from you through the Service to the following types of third parties and as otherwise set forth in this Privacy Policy or our Terms and Conditions of Service or as specifically authorized by you.

Merchants

We may disclose your information to the applicable Merchant, including without limitation for product fulfillment purposes in connection with the Service. Additionally, although we do not store it, we collect credit card information and transmit it through the Service to the applicable Merchant in order to fulfil transactions at your direction. Your information, including encrypted credit card information may be accessed again in the future when you interact with the Service again and may be transmitted to the same Merchant or other Merchants with whom you interact.

Laws and Legal Rights

We may disclose your information if we believe in good faith that we are required to do so in order to comply with an applicable statute, regulation, rule or law, a subpoena, a search warrant, a court or regulatory order, lawful requests by public authorities, including to meet national security or law enforcement requirements, or other valid legal process. We may disclose information in special circumstances when we have reason to believe that disclosing this information is necessary to identify, contact or bring legal action against someone who may be violating the firmly Terms and Conditions of Service or another contract with us, to detect fraud, for assistance with a delinquent account, or to protect the safety and/or security of our users, the Service or the general public.

Third Parties Generally

We may provide your information to third parties, including where such information is combined with similar information of other users of the Service. For example, we might inform third parties regarding the number of unique users who use the Service, the demographic breakdown of our users of the Service, or the products and/or services purchased using the Service and the vendors of such products and services. The third parties to which we may provide or who may independently directly collect information may include providers of products or services (including vendors, analytics services providers, and website tracking services), Merchants, affiliates, and other actual or potential commercial partners, and other similar parties.

Professional Advisors

We may provide your information to professional advisors, such as lawyers, auditors, bankers, and insurers, where necessary in the course of the professional services that they render to us.

Outside Contractors

We may employ independent contractors, vendors, and suppliers (collectively, "Outside Contractors") to provide specific services and products related to the Service, such as hosting and maintaining the Service, providing credit card processing, financing a purchase and fraud screening, and developing applications for the Service. In the course of providing products or services to us, these Outside Contractors may have access to information collected through the Service, including your information. We use reasonable efforts to ensure that these Outside Contractors are capable of protecting the security of your information.

Sale of Business

We reserve the right to transfer information to a third party in connection with a sale, merger, general corporate reorganization, or other transfer of all or substantially all of the assets of firmly or any of its Corporate Affiliates (as defined below), or that portion of firmly or any of its Corporate Affiliates to which the Service relates, or in connection with a strategic investment by a third party in firmly, or in the event that we discontinue our business or file a petition or have filed against us a petition in bankruptcy, reorganization or similar proceeding.

Affiliates

We may disclose information about you to our Corporate Affiliates. For purposes of this Privacy Policy: "Corporate Affiliate" means any person or entity which directly or indirectly controls, is controlled by or is under common control with firmly, whether by ownership or otherwise; and "control" means possessing, directly or indirectly, the power to direct or cause the direction of the management, policies or operations of an entity, whether through ownership of fifty percent (50%) or more of the voting securities, by contract or otherwise.

6. Does This Privacy Policy Apply When I Link to Other Websites or Services?

Our Service may provide you with access to other websites and services. This may include providing you with the ability to automatically post updates on Facebook, Twitter/X or similar services. Please be aware that we are not responsible for the privacy practices of any websites or services other than the Service. A link to a third-party website does not constitute or imply endorsement by us. Additionally, we cannot guarantee the quality or accuracy of information presented on those websites. We encourage you to read the privacy policies or statements of each and every such website and service. This Privacy Policy applies solely to information collected by us or on our behalf through the Service.

7. Is the Information Collected Through the Service Secure?

We want your information to remain secure. We strive to provide transmission of your information from your computer or mobile device to our servers through techniques that are consistent with commercially reasonable standards and to employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.

Notwithstanding the above, you should be aware that there is always some risk involved in transmitting information over the Internet. There is also some risk that others could find a way to thwart our security systems. As a result, while we strive to protect your information, we cannot ensure or warrant the security or privacy of any information you transmit to us, and you do so at your own risk.

8. Could My Information Be Transferred to Other Countries?

Information collected on the Service may be transferred from time to time to our offices or personnel, or to third parties, located throughout the world, and the Service may be viewed and hosted anywhere in the world, including countries that may not have laws of general applicability regulating the use and transfer of such information. To the extent required by applicable law: whenever we transfer your information to third parties (as described in this Privacy Policy) located in countries that do not ensure adequate protection for your information (as determined by the European Commission or the UK Information Commissioner's Office, as applicable, each, an "Inadequate Jurisdiction"), we ensure a similar degree of protection is afforded to it; we may rely on the DPF (as further specified in Section 13) or we may use specific contracts approved by the European Commission (accessible at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) or the UK Information Commissioner's Office (accessible at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf), as applicable, which give your information the same protection it has in the European Economic Area or the United Kingdom, as applicable, under the European Data Protection Laws; and if we rely on another basis to transfer your information to an Inadequate Jurisdiction, we will keep you updated or contact you if required. Please contact us if you want further information on the specific mechanisms used by us when transferring your information to an Inadequate Jurisdiction. If you are a user accessing the Service from a jurisdiction with laws or regulations that differ from those of the United States, please be advised that all aspects of the Service are governed by the internal laws of the United States and the State of Washington USA, regardless of your location.

9. For How Long Will My Information Be Kept?

We will only retain your information for as long as necessary to fulfill the purposes for which we collected it or as otherwise permitted by applicable law.

To determine the appropriate retention period for information, we consider the amount, nature, and sensitivity of that information, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process your information and whether we can achieve those purposes through other means, and the applicable legal requirements.

10. What Choices Do I Have Regarding My Information?

We generally use your information as described in this Privacy Policy or our Terms and Conditions of Service or as authorized by you or as otherwise disclosed at the time we request such information from you. You generally must "opt in" and give us permission to use your information for any other purpose. You may also change your preference and "opt out" of receiving certain marketing communications from us by following the directions provided in association with the communication or such other directions we may provide or by contacting privacy@firmly.ai.

Under certain circumstances and in compliance with the European Data Protection Laws, you may have the right to:

• Request access to your information (commonly known as a 'subject access request'). This enables you to receive a copy of the information we hold about you and to check that we are lawfully processing it;
• Request correction of the information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected;
• Request erasure of your information. This enables you to ask us to delete or remove your information where there is no good reason for us to continue processing it. You also have the right to ask us to delete or remove all of your information in certain circumstances;
• Object to processing of your information where we are relying on a legitimate interest (or that of a third party) and there is something about your particular situation which makes you want to object to processing on this ground;
• Request the restriction of processing of your information. This enables you to ask us to suspend the processing of your information, for example, if you want us to establish its accuracy or the reason for processing it;
• Request the transfer of your information to another party; and
• Lodge a complaint with the relevant supervisory authority (as defined in the European Data Protection Laws). If you have any complaints about the way we process your information, please do contact us. Alternatively, you may lodge a complaint with the supervisory authority which is established in your country.

If you want to review, verify, correct or request erasure of your information, object to the processing of your information, or request that we transfer a copy of your information to another party, please contact privacy@firmly.ai.

Such updates, corrections, changes, and deletions will have no effect on other information that we maintain, or information that we have provided to third parties in accordance with this Privacy Policy prior to such update, correction, change or deletion. To protect your privacy and security, we may take reasonable steps (such as requesting a unique password) to verify your identity before granting you profile access or making corrections. You are responsible for maintaining the secrecy of your unique password and account information at all times.

You should be aware that it may not be technologically possible to remove each and every record of the information you have provided to us from our system. The need to back up our systems to protect information from inadvertent loss means that a copy of your information may exist in a non-erasable form that will be difficult or impossible for us to locate. After receiving your request, we will use commercially reasonable efforts to update, correct, change, or delete, as appropriate, your information stored in databases we actively use and other readily searchable media as appropriate, as soon as and to the extent reasonably practicable.

Do Not Track

The term "Do Not Track" refers to a HTTP header offered by certain web browsers to request that websites refrain from tracking the user. We take no action in response to automated Do Not Track requests. However, if you wish to stop such tracking, please contact us with your request, using our contact details provided below.

11. How Will I Know If There Are Any Changes to This Privacy Policy?

We may revise this Privacy Policy from time to time. We will not make changes that result in significant additional uses or disclosures of your information without allowing you to "opt in" to such changes. We may also make non-significant changes to this Privacy Policy that generally will not significantly affect our use of your information, for which your opt-in is not required. We encourage you to check this page periodically for any changes. If any non-significant changes to this Privacy Policy are unacceptable to you, you must immediately contact us and, until the issue is resolved, stop using the Service.

12. Who Do I Contact If I Have Any Privacy Questions?

If you have any questions or comments about this Privacy Policy, please contact us in any of the following ways:

By e-mail: privacy@firmly.ai

13. Privacy Notice for California Residents

This Section 13 shall apply only to the extent that we are regulated as a business (as defined in the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively with any regulations promulgated thereunder, the "CCPA")) under the CCPA. This Section 13 shall apply to you only if you are a California resident. As used in this Section 13, "sell" (including any grammatically inflected forms thereof) means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, consumer information (as defined below) to a third party for monetary or other valuable consideration.

13.1 Consumer Information Collected

We collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with particular California residents or households ("consumer information"). Consumer information does not include deidentified or aggregated information, publicly available information or lawfully obtained, truthful information that is a matter of public concern, or any other information that is excepted from the definition of "personal information" under the CCPA.

13.2 Purposes for Collection of Consumer Information; Categories of Sources

We collect consumer information for the business or commercial purposes described in Section 2 and Section 4 of this Privacy Policy. Regarding the categories of sources from which consumer information is collected, we collect consumer information from the categories of sources described in Section 2 of this Privacy Policy.

13.3 Disclosures of Consumer Information for a Business or Commercial Purpose

Firmly may disclose your consumer information to a third party for a business or commercial purpose, as described in Section 5 of this Privacy Policy.

13.4 Sharing and Sales of Consumer Information

In the preceding twelve (12) months, firmly has not shared or sold, nor does it or will it share or sell, consumer information collected under this Privacy Policy.

13.5 California Residents' Rights and Choices

The CCPA provides California residents with specific rights regarding their consumer information. You may have the right to request that firmly disclose certain information to you about our collection and use of your consumer information over the past twelve (12) months. You also have the right to request that firmly delete any of your consumer information that we collected from you and retained, subject to certain exceptions. You have the right to request that we correct inaccurate consumer information about you that we maintain.

13.6 Exercising Access, Data Portability, Correction, and Deletion Rights

To exercise the access, data portability, correction, and deletion rights described above, please submit a verifiable consumer request to us by either: (1) emailing us at privacy@firmly.ai (2) visiting www.firmly.ai/privacy or (3) contacting us in accordance with Section 12.

13.7 Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights, including, unless permitted by the CCPA, by denying you goods or services, charging you different prices or rates for goods or services, or providing you a different level or quality of goods or services.

14. State Privacy Rights

Without limitation of any other provision in this Privacy Policy, in connection with the Service: firmly processes the information described in Section 1 and 2 of this Privacy Policy for the purposes described in Sections 2 and 4 of this Privacy Policy; and firmly may disclose each of the categories of information described in Sections 1 and 2 of this Privacy Policy to the categories of third parties described in Section 5 of this Privacy Policy.

Some US states, such as Colorado, Connecticut, Virginia, and Utah, may provide their state residents with rights to confirm whether we process their information, access and delete certain information about them, data portability, and opt-out of personal data processing for targeted advertising and sales. Some US states, such as Colorado, Connecticut, and Virginia, may also provide their state residents with rights to correct inaccuracies in their information and opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects.

To exercise any of these rights please contact us in accordance with Section 12. To appeal a decision regarding a consumer rights request, please contact legal@firmly.ai. If possible, it would be helpful if you can detail the basis of your appeal in your communication.

15. Data Privacy Framework

firmly complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), and the UK Extension to the EU-U.S. DPF (collectively, the "DPF") as set forth by the U.S. Department of Commerce. firmly has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. The EU-U.S. DPF Principles shall be referred to herein as the "Principles". If there is any conflict between the terms in this Privacy Policy and the Principles, the Principles shall govern. To learn more about the DPF program, and to view our certification, please visit https://www.dataprivacyframework.gov/ and https://www.dataprivacyframework.gov/list. firmly commits to subject all personal data received from the European Union and the United Kingdom (and Gibraltar) under the DPF to the Principles.

For the categories of personal data collected by firmly, please see Sections 1 and 2 of this Privacy Policy; for the purposes for which firmly collects and uses personal data, please see Sections 2 and 4 of this Privacy Policy; for the categories of third parties to which firmly discloses personal data and our purposes for doing so, please see Section 5 of this Privacy Policy; and for more information regarding your right to access your personal data and your choices and the means firmly offers you for limiting the use and disclosure of your personal data, please see Section 10 of this Privacy Policy.

Before firmly discloses your personal data to a third party, we will require that such third party provide the same level of privacy protection as is required by the Data Privacy Framework. firmly remains liable under the Data Privacy Framework if third-party agents that it retains to process your personal data on our behalf process your personal data in a manner inconsistent with the Data Privacy Framework, unless firmly can prove that it is not responsible for the event giving rise to the damage. For more information regarding firmly's disclosure of personal data to third parties, please see Section 5 of this Privacy Policy.

Notwithstanding any other provision of this Privacy Policy, and for the avoidance of doubt, with respect to personal data processed by firmly solely on behalf of a third-party controller, the provisions of this Privacy Policy specific to such data continue to apply in accordance with the DPF, but may be limited to working with the respective controller, given our role as a processor. firmly collects and uses such information only on the instructions of the applicable third-party controller and will work with the applicable third-party controller to facilitate your data subject rights.

In compliance with the DPF, firmly commits to resolve Principles-related complaints about our collection and use of your personal data. EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the DPF should first contact firmly at: privacy@firmly.ai.

In compliance with the DPF, firmly commits to refer unresolved complaints concerning our handling of personal data received in reliance on the DPF to BBB National Programs, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit www.bbbprograms.org/dpf-complaints for more information or to file a complaint. The services of BBB National Programs are provided at no cost to you.

If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. For more information, please visit: https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf.

Adherence by firmly to the Principles and the provisions set forth in this Section 15 may be limited (a) to the extent necessary to comply with a court order or meet public interest, law enforcement, or national security requirements, including where statute or government regulation create conflicting obligations; (b) by statute, court order, or government regulation that creates explicit authorizations; or (c) if the effect of the European Data Protection Laws, to the extent applicable, is to allow exceptions or derogations, under the conditions set out therein, provided that such exceptions or derogations are applied in comparable contexts.

In certain circumstances, firmly may be required to disclose your personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Finally, the Federal Trade Commission has jurisdiction over firmly's compliance with the DPF.