Last Updated October 13, 2023
Version 3

POLICY ON PRIVACY & PROCESSING OF PERSONAL DATA AND NOTICE

THIS POLICY IS IMPORTANT. PLEASE READ IT COMPLETELY AND THOUGHTFULLY. IT SHOULD  ASSIST YOUR DECISIONS ON SHARING DATA WITH US. THIS POLICY ON PRIVACY & PROCESSING OF PERSONAL DATA (“Privacy Policy” or “Policy”)  AND NOTICE THEREOF (Notice) IS PROVIDED IN COMPLIANCE WITH APPLICABLE LEGISLATION,  INCLUDING BUT NOT LIMITED TO THE DATA PROTECTION LAWS, REGULATIONS, AND  GUIDELINES IN

ARGENTINA 

BRAZIL 

CANADA (INCLUDING THE PERSONAL INFORMATION PROTECTION AND ELECTRONIC  DOCUMENTS ACT (PIPEDA)) 

CALIFORNIA, US (INCLUDING THE CONSUMER PRIVACY ACT) 

CHILE 

COLOMBIA 

COTE D’IVOIRE 

EUROPEAN UNION (EU) (INCLUDING THE GENERAL DATA PROTECTION REGULATION  (EU GDPR)) 

MONTANA, US (INCLUDING THE CONSUMER DATA PROTECTION ACT (MCDPA))

NIGERIA 

PERÚ 

SOUTH AFRICA 

THE UNITED KINGDOM (UK) (INCLUDING THE GENERAL DATA PROTECTION  REGULATION (UK GDPR)) 

THE UNITED MÉXICAN STATES (MEXICO) 

THE UNITED STATES OF AMERICA (US) (INCLUDING THE ELECTRONIC  COMMUNICATIONS PRIVACY ACT (ECPA)).

ANY QUESTIONS OR CONCERNS CAN BE ADDRESSED TO US ELECTRONICALLY AT  PRIVACY@CONDUIT.FI, OR BY PHYSICALLY WRITING TO US AT 1001 S MAIN STREET, SUITE  4080, KALISPELL, MONTANA 59901, UNITED STATES OF AMERICA. 

We appreciate you wanting to interact and/or participate with Conduit Technology, Inc., including our  subsidiaries, affiliates, and other business under common control (collectively referred to as "Conduit",  “our”, “us”, or "we"). Conduit’s client focus is presently only on businesses (often known as business-to business or “B2B”), which means that we only accept businesses (also commonly known as “legal  entities”, “legal persons”, or “moral persons” and which shall, along with natural persons, hereinafter be  collectively referred to as a “persons”) as our clients. Although our focus is B2B, we do collect data on  natural persons that own, are acting on behalf of, or for, our (actual or potential) clients (hereinafter  collectively referred to as “clients”, “you”, or “your”). We take privacy seriously and are committed to  protecting personal data and privacy rights. This Policy and Notice describes the data we obtain, collect,  how it’s used, and the applicable data rights.  

When you visit our websites (e.g., https://conduit.fi, https://conduit.financial), our platform, or use our  products or services, you are entrusting us with your personal data and we want you to know we value your  privacy. That’s why Conduit, in complying with current personal data privacy, protection, and processing  regulations, and in accordance with the provisions of legislation and other provisions that modify, add or  complement those regulations, presents the following Policy regarding the personal data provided to Conduit by you (the data owner, hereinafter referred to as “Owner”), including clients, collaborators,  partners, suppliers, third-parties, vendors, and any other person from whom Conduit obtains, collects,  processes, or treats personal data, whether said treatment is carried out by us or third parties who do so  on our behalf. 

This Policy aims, among other things, to protect the data rights of persons, along with providing clarity on  how to request Conduit to update, rectify, and ⎯ if permissible under the applicable laws, regulations, and  rules, which often intertwine with anti-financial crime (“AFC”) guidelines, laws, regulations, and rules (AFC  topics include but are not limited to anti-money laundering, countering terrorism financing, financial  sanctions, fraud, theft, impersonation, counterfeiting, anti-bribery, and anti-corruption) ⎯ delete the data  that we have collected and stored. To be clear, Conduit only collects, stores, and treats personal data when  it has been previously authorized to do so by the data’s Owner, and in compliance with our own privacy  and confidentiality provisions as set forth herein. This Policy provides general standards used to protect the  Owners personal data, the reasons we process and use data (treatment), who is responsible for handling  data privacy and protection complaints and claims, and the procedures that must be followed by Owners in  order to know, access, update, rectify, and, if permissible delete, the data provided to Conduit. 

This Policy applies to all data obtained and/or gathered, regardless of the means, methods, or locations from which such data was obtained and/or gathered (in this Policy these means, methods, and locations  include but are not limited to our websites, platform, products, services, onboarding processes, information  requests, and data requests, and are collectively referred to as "Places"). 

If there are any terms in this Policy that you do not agree with, please stop using our Places.  

To exercise any rights regarding your personal data, please contact us at privacy@conduit.fi or at the  physical address provided herein. You may also contact us and request that your data thus far collected be  removed from our systems and we will honor your request up to the limits permitted under the applicable  laws, regulations, and rules (hereinafter collectively referred to as “Laws”). 

TABLE OF CONTENTS 

  1. DEFINITIONS 
  2. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA OF DATA PROTECTION 3. HOW WE COLLECT THE DATA 
  3. WHAT DATA DO WE COLLECT? 
  4. HOW DO WE USE YOUR DATA? 
  5. WILL YOUR DATA BE SHARED WITH ANYONE?  
  6. WITH WHOM WILL YOUR DATA BE SHARED?  
  7. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?  
  8. HOW WE HANDLE YOUR THIRD-PARTY ACCOUNT LOGINS?  
  9. HOW LONG AND WHERE DO WE KEEP YOUR DATA? 
  10. HOW DO WE KEEP YOUR DATA SAFE?  
  11. DO WE COLLECT DATA FROM MINORS?  
  12. WHAT ARE YOUR DATA PRIVACY & PROTECTION RIGHTS? 
  13. DO ARGENTINIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS? 
  14. DO BRAZILIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS? 
  15. DO CALIFORNIA RESIDENTS HAVE SPECIFIC DATA RIGHTS? 
  16. DO CANADIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS? 
  17. DO CHILEAN RESIDENTS HAVE SPECIFIC DATA RIGHTS? 
  18. DO COLOMBIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS? 
  19. DO COTE D’IVOIRE RESIDENTS HAVE SPECIFIC DATA RIGHTS? 
  20. DO EU AND UK RESIDENTS HAVE SPECIFIC DATA RIGHTS? 
  21. DO MEXICAN RESIDENTS HAVE SPECIFIC DATA RIGHTS? 
  22. DO MONTANA RESIDENTS HAVE SPECIFIC DATA RIGHTS?
  23. DO NIGERIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS? 
  24. DO PERUVIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS? 
  25. DO SOUTH AFRICAN RESIDENTS HAVE SPECIFIC DATA RIGHTS? 
  26. DO WE UPDATE THIS POLICY? 
  27. HOW TO CONTACT US ABOUT THIS POLICY? 
  28. DO WE TREAT SENSITIVE PERSONAL DATA? 
  29. HOW WE TREAT THE PERSONAL DATA OF OUR EMPLOYEES

1. DEFINITIONS 

Address (electronic): Conduit Technology, Inc., at privacy@conduit.fi  

Address (physical): Conduit Technology, Inc., 1001 S Main Street, Suite 4080, Kalispell, Montana  59901, United States of America. 

Anonymization: use of reasonable technical means available at the time of processing, by which the  data loses the possibility of direct or indirect association with a natural person. 

Anonymized data: data related to an Owner that cannot be identified, considering the use of reasonable  technical means available at the time of processing. 

Authorization: prior, express, and informed consent of the Owner to carry out the processing of personal  data. 

Blocking: temporary suspension of any treatment operation, keeping personal data or the database. 

Communication or transmission of data: disclose in any way the personal data to persons other than  the Owner, whether determined or indeterminate. 

Consent: free, informed, and unequivocal expression by which the Owner accepts the processing of  their personal data for specific purpose(s). 

Data blocking: the temporary suspension of any stored data processing operation. 

Data dissociation procedure: all processing of personal data in such a way that the data obtained  cannot be associated with a specific or determinable person. 

Data modification: any change in the content of the data stored in records or databases. 

Data retention: the amount of time that data is retained within the database; we retain data for ten (10)  years after the relationship with the Owner or our client terminates, or pursuant to the applicable data  Laws, whichever is longer. 

Data sharing: communication, dissemination, international transfer, interconnection of personal data or  shared treatment of personal data banks by public bodies and entities in compliance with their legal  powers, or between them and private entities, reciprocally, with express authorization, for one or more  treatment modalities allowed by these public entities, or between private entities. 

Data: facts, statistics, details, and information provided or collected or learned about something or  someone for reference or use or storage or analysis. 

Database custodian: natural person, within Conduit, who guards the personal databases. 

Database: structured set of data, including personal data, established in one or more places, on  electronic or physical support. 

Elimination: elimination of data or data sets stored in a database, regardless of the procedure used. 

Expired data: which has become out of date by provision of the law, due to the fulfillment of the condition  or the expiration of the period indicated for its validity or, if there is no express rule, due to the change in  the facts or circumstances indicated.

Habeas data: it is the right of the Owner of the personal data to demand from the database custodian  access, inclusion, exclusion, correction, addition, updating and rectification of the data, as well as the  limitation in its disclosure, publication, or transfer. 

Impact report on the protection of personal data: documentation of the database custodian that  contains the description of the personal data processing processes that may generate risks to civil  liberties and fundamental rights, as well as measures, safeguards, and risk mitigation mechanisms. 

International data transfer: transfer of personal data to a foreign country or international organization  of which the country is a member. 

Legislation: includes but is not limited to Brazilian Regulation, Law 13,709 in relation to Law 13,853;  California Civil Code Section 1798.83, also known as the “Shine The Light” law and the California  Consumer Privacy Act of 2018; Canada Personal Information Protection and Electronic Documents Act  (PIPEDA); Chilean Regulation Law 19628; Colombian regulation, Law 1581 of 2012, Decree 1074 of  2015, Law 962 2005, and Law 1480 from 2011; European Union (EU) General Data Protection  Regulation (EU GDPR); Montana Consumer Data Protection Act (MCDPA); Peruvian Regulation Law  29733 and Law 27444; United Kingdom (UK) General Data Protection Regulation (UK GDPR), tailored  by the Data Protection Act of 2018; and the US Electronic Communications Privacy Act (ECPA). 

Operator: a person, under public or private law, who processes personal data on behalf of the person  responsible for the treatment. 

Owner of personal data: natural persons whose data is subject to treatment (Owners). In the context  of this Policy, the Owners may be: (i) clients, including all natural persons related or associated or  involved with such clients; (ii) third-party vendors, suppliers, and partners; and (iii) all those persons not  related to Conduit whose personal data is processed. 

Owner: the person who owns the personal data that is subject to treatment. 

Person in charge of the treatment: person of a public or private nature that, by itself or in association  with others, carries out the processing of personal data on behalf of the database custodian. 

Person: a natural person (also known as (aka) a human being) or legal person (aka legal entity such as  a corporation, or moral person). 

Personal data: any data concerning or linked to specific or determinable natural persons. Personal database: organized set of personal data that are subject to treatment by a person. 

Privacy notice: oral or written communication addressed to the Owners of the personal data that are  being processed by a company, in which they are informed about the existence of the personal data  treatment policies that will be applied to them, the form of access them, and the purposes for which the  Owners personal data will be used. 

Private data: personal data that, due to its intimate or reserved nature, is relevant for the Owner. 

Public data: personal data classified as such according to the Constitution and/or the law, and that has  not been classified as private or semi-private personal data. 

Research body: body or entity of direct or indirect public administration or non-profit private law legal  person, legally constituted under Brazilian law, with headquarters and jurisdiction in the country, which  includes in its institutional mission or in its corporate purpose or basic or applied regulatory research of  a historical, scientific, technological, or statistical nature (wording given by Law No. 13,853, of 2019). 

Responsible for the treatment: person of a public or private nature that by itself or in association with  another or others decides on the processing of personal data. In this case, Conduit will be responsible  for the treatment. 

Semi-private data: personal data known and of interest both for the Owner and for a certain sector of  person or for society in general, so it is not of an intimate, reserved, or public nature.

Sensitive data: personal data that affects the privacy of the Owner and whose incorrect use could  generate discrimination. Sensitive data includes health data, data on sexual orientation, racial and ethnic  origin, political opinions, religious, philosophical, or moral convictions. 

Sources accessible to the public: records, or compilations of personal data, public or private, with  unrestricted access or reserved for applicants. 

Statistical data: the data that, in its origin, or because of its treatment, cannot be associated with an  identified or identifiable owner. 

Transfer: the transfer of personal data takes place when the database custodian and / or person in  charge of the treatment of personal data sends the data or personal data to a recipient, who in turn is  responsible for the treatment and is inside or outside the country. 

Transmission: processing of personal data that implies communication to a third party, within or outside  the territory of the country, when said communication is intended to carry out a treatment by the person  in charge on behalf of and on behalf of the database custodian, for fulfill the purposes of the latter. 

Treatment: any operation or set of operations on personal data, such as the collection, storage, use,  circulation, or deletion. 

Ways to collect personal data: Conduit may know, collect, store, manage the data of the Owner of the data in accordance with the data use policy contained herein through the Conduit Places, including but not limited to following means: (i) mobile applications; (ii) websites; (iii) Conduit platform; (iv) Conduit products; (v) Conduit services; (vi) agreement, alliance, contract, or partnership with Conduit; and (vii) Conduit's third party providers, including but not limited to identity verification partners, financial service provider partners, and blockchain industry partners.

2. PRINCIPLES FOR THE PROCESSING OF PERSONAL DATA AND DATA PROTECTION 

As established in legislation, the protection of personal data will be governed by the congruent and  comprehensive application of the following principles: 

Principle of legality in the processing of personal data: processing of personal data referred to  in legislation is a regulated activity that must be subject to what is established therein and the other  provisions that develop it. 

Principle of adequacy: compatibility of the treatment with the purposes informed to the Owner,  according to the context of the treatment. 

Principle of necessity: limitation of the treatment to the minimum necessary for the achievement  of its purposes, with the scope of the pertinent, proportional, and not excessive data in relation to  the purposes of the data processing. 

Principle of prevention: adoption of measures to prevent the occurrence of damages due to the  processing of personal data. 

Principle of non-discrimination: impossibility of carrying out the treatment for discriminatory illicit  or abusive purposes. 

Principle of accountability: demonstration, by the person responsible for the processing, of the  adoption of effective measures capable of proving the observance and compliance with the  personal data processing and protection regulations, including effectiveness of these measures. 

Principle of purpose: processing of personal data must obey a legitimate purpose in accordance  with the applicable Laws, which must be informed to the Owner. 

Principle of freedom: processing of personal data can only be exercised with the prior, express,  and informed consent of the Owner. Personal data may not be obtained or disclosed without prior  authorization, or in the absence of a legal or judicial mandate that relieves consent.

Principle of truthfulness or quality: the data subject to treatment must be truthful, complete,  exact, updated, verifiable and understandable. Processing of partial, incomplete, fractional, or  misleading data is prohibited. 

Principle of transparency: in the processing of personal data, the right of the Owner to obtain  from the person responsible for the treatment or the person in charge of the treatment, at any time  and without restrictions, information about the existence of data regarding such person must be  guaranteed. 

Security principle: the data subject to treatment by the person in charge of the treatment or person  in charge of the treatment referred to in applicable Laws, must be managed with the technical,  human, and administrative measures that are necessary to provide security to the records avoiding  its adulteration, loss, consultation, use, or unauthorized or fraudulent access. 

Principle of confidentiality: all persons who intervene in the processing of personal data that are  not public in nature are obliged to guarantee the reservation of the data, even after the end of their  relationship with any of the tasks that comprise the treatment, being able only carry out supply or  communication of personal data when this corresponds to the development of the activities  authorized in legislation and in the terms of the same. 

Principle of access and restricted circulation: the treatment is subject to the limits that derive  from the nature of the personal data, the provisions of applicable Laws. The treatment, therefore, can only be done by persons authorized by the Owner and/or by persons provided for in the law. 

Principle of proportionality: all processing of personal data must be adequate, relevant, and not  excessive for the purpose for which the data was collected. 

Principle of adequate level of protection: for the cross-border flow of personal data, a sufficient  level of protection must be guaranteed for the personal data to be processed or, at least,  comparable to that provided by the applicable Law or by international standards on the matter. 

3. HOW WE COLLECT DATA

The personal data we collect depends on the context of your interactions with us and our Places, the  choices you make, and the products, services, and features you use.  

The personal data we collect may include the following: 

By automatically storing the data of the users who access the Conduit Places using cookies. Some of the  data that can be stored automatically are the URL, the browser used, and IP address among others. ▪ by email communications 

▪ through accessing Conduit’s websites and pages 

▪ through access to mobile applications 

▪ through access to platform or environments such as the Conduit sandbox 

▪ creating username and password to access Conduit Places 

▪ through telephone calls regardless of medium (apps, wired, wireless, etc.) 

▪ through events held by Conduit or events attended by Conduit 

▪ through the referral, transfer, or transmission by strategic allies or partners 

▪ through agreements, applications, contracts, forms, or requests for information ▪ through service offers 

▪ through the cooperation contract 

▪ through service provision contracts 

▪ through service portfolios 

▪ through interfacing, regardless of the medium (apps, in person, telephone, video conference, etc.).

4. WHAT DATA DO WE COLLECT?

a. DATA YOU DISCLOSE AND/OR PROVIDE AND/OR AUTHORIZE US TO COLLECT

In sum: As noted above, Conduit only accepts legal persons as our clients, however, during the course of  performing due diligence on our clients we collect data about certain natural persons affiliated or associated  with our clients due to their professional or business capacity, when you visit our Places, that you provide  to us, or when you communicate with us regardless of the medium used. 

All personal data provided must be true, accurate, and complete. You must promptly notify us of any  changes to keep such personal data accurate. The personal data we collect can include the following:

PERSONAL DATA CATEGORYDATA REQUESTED AND/OR OBTAINED
IDENTIFYING DATAlegal name — any combination of given names and surnames
tax identification number (e.g., RFC or Social Security Number)
EIN, TIN, CURP, CIF, CIEC, &/or proof of tax number or situation
photo identification (e.g., passport, driver’s license, INE)
e-signature / FIEL (e.firma)
location data (e.g., residential &/or mailing address, work address)
date of birth, birthplace
CONTACT DETAILSemail address(es) ⎯ work or personal
telephone number(s) ⎯ work, personal, or mobile
EMPLOYMENT DATA

employer’s name

employer’s economic activity

title at employer, employment details

employer’s details, including financial data, location(s), size, tax data,  and contact details

ACADEMIC DATAnot applicable (N/A)
SENSITIVE DATAnot applicable (N/A)
BIOMETRIC DATA CREDENTIALSgovernment-issued photo identification
personal photos and/or liveness video(s)
user ID(s)
password(s)
password hint(s)
authentication data
account access data

b. DATA AUTOMATICALLY COLLECTED 

In sum: Some data – such as IP address and/or browser and device characteristics – is collected  automatically when you visit our Places. 

We automatically collect certain data when you visit, use, or navigate our Places. This data does not reveal  your specific identity (like your name or contact data) but may include device and usage data, such as your  IP address, browser and device characteristics, operating system, language preferences, referring URLs,  device name, country, location, data about how and when you use our Places and other technical data. In  some countries and/or regions, this data is considered personal data under applicable data protection  and/or privacy laws or regulations. Like many businesses, we also collect data about how your device has  interacted with our Places, including the pages and products and services accessed, time spent on Places,  and links clicked through cookies and similar technologies. This data is primarily needed to maintain the  security and operation of our Places, your account security, anti-fraud measures, and for our internal  analytics and reporting purposes. 

c. DATA COLLECTED FROM OTHER SOURCES 

In sum: We may collect data from public databases, marketing partners, social media platforms, and other  outside sources to the extent permitted by applicable laws.  

We may obtain data about you from other legally permissible sources, such as public databases,  governmental databases, joint marketing partners, social media platforms, as well as from other third  parties. Examples of the data we receive from other sources include: profile data (your name, gender,  birthday, email, current city, state, country, user identification numbers for your contacts, profile pictures,  URL, employer, employer’s address, employment title, employment contact data, social media followers, 

employer’s size and status, and any other data that you choose to make public or accessible); marketing  leads, search results, links, including paid listings (such as sponsored links). 

5. HOW DO WE USE YOUR DATA? 

In sum: The legal bases for using your data are legitimate business interests, the fulfillment of a contract  with you and/or your employer, compliance with our legal obligations, and/or your consent. 

We use data collected via our Places or from outside sources for a variety of business purposes that are  legally permissible as described below. We process your data for the following purposes — our legitimate  business interests, in order to enter into or perform a contract with you and/or your employer, with your  consent, and/or for compliance with our legal obligations. We indicate the specific processing grounds we  rely on for each purpose listed below.  

We use the data we collect or receive: the personal data that Conduit collects are included in a database  to which the authorized personnel of Conduit have access in the exercise of their functions, noting that in  no case is the processing of the data authorized for purposes other than those described herein, and they  are communicated to the Owner directly at the latest at the time of collection.

a. PRIMARY TREATMENT PURPOSES 

Facilitate account creation and logon processes. If you choose to link your third-party account  (such as your Google account or LinkedIn account), we use the data you allowed us to collect from  those third parties to facilitate and/or expedite account creation and logon processes. See Section  6. HOW WE HANDLE YOUR THIRD-PARTY ACCOUNT LOGINS below for further details. 

Send marketing and promotional communications. We and/or our third-party marketing  partners may use the data you give to us for our own marketing purposes, if this is in accordance  with your marketing preferences. You can opt-out of our marketing emails at any time. 

Send administrative information. We may use your data to send you account, product, service,  and new feature details and/or information about changes to our terms, conditions, and policies. 

Fulfill and manage requests. We may use your data to fulfill and manage your requests,  payments, returns, and exchanges made through our Places. 

Post testimonials. We post testimonials on our Places that may contain your data. Prior to posting  a testimonial, we will obtain your consent to use your data. If you wish to update or delete your  testimonial, please contact us at privacy@conduit.fi and be sure to include your name, testimonial  location, and contact information. 

Deliver targeted advertising. We may use your data to develop and display content and  advertising (and work with third parties who do so) tailored to your interests and/or location and to  measure its effectiveness. 

Request feedback. We may use your data to request feedback and to contact you about your use  of our Places. 

Protect our Places. We may use your data as part of our efforts to keep our Places compliant with  the applicable Laws, safe, and secure (e.g., for AFC, fraud monitoring, and fraud prevention). 

Enforce our agreements, conditions, contracts, policies, and terms. 

Respond to legal requests and prevent harm. If we receive a subpoena or other legal request,  we may need to inspect the data we hold to determine how to best respond. 

Fulfill other business purposes. We may use your data for other business purposes, such as  data analysis, identifying usage trends, determining the effectiveness of our promotional  campaigns, and to evaluate and improve our Places, products, services, marketing, and user  experience. 

b. SECONDARY TREATMENT PURPOSES

▪ Collect personal data, incorporate, and store in our databases. 

▪ Classify, catalog, divide, separate, or sort the provided data. 

▪ Use the data provided in communications, disclosures and promotion campaigns, or offer Conduit  activities, products, and/or services. 

▪ Maintain historical records and Owner contact details. 

▪ Verify or validate the data provided. 

▪ Study and analyze the data provided to monitor and improve products, services, and support. ▪ Deliver the personal data to third parties with whom Conduit contracts the storage and/or  administration, pursuant to the applicable Laws. 

▪ Transfer personal data internationally to servers any country.

▪ Communicate and permit access to all Owners’ personal data provided to third party providers who  provide general support services to Conduit. 

▪ Collect, maintain, manage, and use the data to control and prevent AFC. 

▪ Execute, maintain, and manage business agreements, contracts, and proposals for the products  and services provided by Conduit. 

▪ Transmitting communications through any medium including, but not limited to, apps, messaging  services, social networks, text messages, push notifications, email, phone call, etc., related to  Conduit's commercial objectives, including marketing activities and/or handling Owner’s requests. 

▪ Provide the Places, products, and services offered and/or agreed and/or contracted. ▪ Creation and administration of the client’s account. 

▪ Provide the maintenance, development, and/or control of the commercial relationship between the  client and Conduit, including all Owners resulting therefrom. 

▪ Provide clients and/or Owners with the necessary information, including through Places, to  formalize the relationship and usage of Conduit’s products and services. 

▪ Carry out processes within Conduit, for operational development and/or systems administration  purposes. 

▪ Provide Conduit’s products and services, and respond to our (potential or actual) client’s needs,  including maintaining or expanding or improving or iterating on our present products and services  that result therefrom. 

▪ Keep a historical record of the data, for the purposes of clients’ and Owners’ satisfaction,  developing analysis of interests and needs to attempt or enable better products or services. ▪ Carry out market strategies by studying behavior towards various approaches including articles,  advertising, or offers in attempts to improve content, products, services, and personalization. ▪ Preparation of commercial prospects, market segmentation, and the like. 

▪ Carry out satisfaction surveys, offer benefits or recognition of benefits inherent to our clients, after sales service, rating the quality of our products and services, and providing support. ▪ Carry out the activities necessary to manage the requests, complaints, and claims of our clients, the Owners, or third parties; including directing them to the areas responsible for issuing responses. ▪ Present data and/or reports to the applicable regulatory authorities and process requests made by  administrative or judicial bodies. 

▪ Managing the accounting, economic, tax, and general administration of clients. ▪ Data retention by the terms established in the applicable Laws. 

▪ Transfer or transmission of personal data nationally and/or internationally to third parties with whom  Conduit develops activities in compliance with its commercial purposes. Including transmission or  transfer to Conduit’s strategic allies to carry out marketing, advertising, and/or promotional activities  associated with our commercial purposes. 

▪ Sending data to data processors to facilitate and improve the quality of Conduit's products and  services. 

▪ Require our clients to have the authorization from Owners for the collection of personal data. ▪ Transfer and transmit personal data to Conduit’s third-party commercial partners that offer their  products and services on Conduit Places to make efficient contact between the Owner and the  commercial partner, in the terms of the applicable Laws. 

▪ Access and consult your personal data in the credit and financial data centers, collect relevant data  on credit behavior, and preserve, store, and use personal data to send commercial and advertising  guidelines, and to contact in relation to matters of the Conduit business activities. This purpose  corresponds to those Owners who expressly accept our offered products and services. 

▪ Request or carry out consultancies, audits, or related services. 

▪ Comply with the internal processes of Conduit in matters of administration. ▪ Improve Conduit’s operational development and/or systems administration. ▪ Make tax declarations or management of tax and tax collection data. 

▪ Carry out, in accordance with the applicable Laws, reports to credit bureaus for non-compliance  with financial obligations derived from business relationships. 

▪ Carry out operations and procedures related to the generation and payment of invoices, issuance  of certifications, accounting, etc. 

▪ Compliance with the applicable Laws, legal duties, and obligations resulting therefrom.

For other purposes or treatment, prior, express, and informed authorization will be requested from the  Owner. 

6. WILL YOUR DATA BE SHARED WITH ANYONE? 

In sum: We only share data with your consent, to comply with applicable Laws and legal obligations, to  protect your rights, or to fulfill contracts and other business requirements. 

We may process or share data based on the following legal principles: 

Consent: we may process your data if you have given us consent to use your data in a specific  purpose. 

Legitimate business interests: we may process your data when it is reasonably necessary to  achieve our legitimate business interests. 

Performance of an agreement or contract: where we have entered into an agreement or contract  with you, we may process your data to fulfill the terms of that agreement or contract. 

Legal obligations: we may disclose your data where we are legally required to do so in order to  comply with applicable Law, governmental or regulatory requests, a judicial proceeding, court  order, or other legal processes, such as in response to an order or subpoena from a tribunal  (including in response to regulatory authorities to meet national security or law enforcement  requirements). 

Anonymized: we may disclose your data if it is anonymized. It will be subject to a procedure  whereby personal data is decoupled from the data subject rendering the data shared incapable of  being used or combined to identify the data subject. 

Vital interests: we may disclose your data where we believe it is necessary to investigate, prevent,  or take action regarding potential violations of our agreements, contracts, policies, applicable Laws, AFC, suspected fraud, situations involving potential threats to the health or safety of any person,  illegal activities, or as evidence in litigation in which we are involved. 

We may also process and/or share your data in the following situations:  

Vendors, consultants, and other third-party service providers: we may share your data with  vendors, third-party service providers, contractors, or agents who perform services for us or on our  behalf and require access to such data to do that work. Examples include account onboarding,  identity verification, legal requirements, legal obligations, funds flows, payment processing, data  analysis, email delivery, hosting services, client services, support services, and marketing efforts.  We may allow selected third parties to use tracking technology on the Places, which will enable  them to collect data about how you access and interact with the Places over time. This data may  be used to, among other things, analyze and track data, AFC, fraud prevention, quality of certain  content, or better understand online activity. Unless described in this Policy, we do not share, sell,  rent, or trade any of your data with third parties for their promotional purposes. 

Business transfers: we may share or transfer your data in connection with, or during negotiations  of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business  to another company. 

Business partners: we may share your data with our business partners in order to offer you certain products, services, or promotions.

Conduit may share the information of the personal data with those third parties that are necessary for the  development of its activities and commercial purposes, whilst always protecting the rights and data of the  Owner. The transmission or transfer of personal data that is carried out will observe the applicable Laws  and the supervisory authorities provide for such purposes. 

In the case of domestic (intranational) transfers of personal data, Conduit will ensure compliance with  applicable Laws of current data protection legislation and protection measures by the person in charge or  new controller. 

If it is an international transfer, we make sure that the recipient party and its country receiving the personal  data provides adequate levels of protection. 

When the receiving country does not comply with the appropriate data protection standards, the  transmission or transfer will be prohibited unless one of the following legal exceptions is configured: 

▪ That the Owner has given express and unequivocal authorization for the transfer or transmission  of their data, which by providing such personal data to Conduit is inherent in such provision and as  set forth in this Policy and Notice. 

▪ Exchange of medical data when required by the Owner's treatment for health and public hygiene  reasons. 

▪ Financial (e.g., fiat or cryptocurrencies) or stock transfers, in accordance with the applicable Laws. ▪ Transfers agreed in the framework of international treaties to which the country of origin is a party,  based on the principle of reciprocity. 

▪ Transfers necessary for the execution of a contract between the Owner and the person responsible  for the treatment, or the execution of pre-contractual measures if there is authorization from the  Owner. 

Please note that our servers are in the US; meaning they may be located outside of the country in which  the Owner is domiciled and the Owner’s personal data, therefore, may be transmitted internationally to the  US. This means that the Owner’s personal data may be transferred to and processed in countries other  than the country in which the Owner resides. Data protection laws may be different in the US and other 

countries than in your own country and, in some cases, may be less protective. Please be assured that we  take appropriate steps to ensure that your personal data is protected in accordance with this Policy. 

7. WITH WHOM WILL YOUR DATA BE SHARED? 

In sum: We only share data with the following categories of recipients: 

Our own group of companies, third-party service providers, product content providers, and partners; 

Law enforcement bodies, regulators, governmental agencies, courts and tribunals, legal  proceedings, or other regulatory or governmental entities with relevant powers; and 

Any other third parties in which you have provided specific consent. 

8. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES? 

We may use cookies and similar tracking technologies (like web beacons and pixels) to access or store data. Cookies are small text files that are stored on your browser or device by websites, apps, online media, and advertisements that are used to remember your browser and/or device and/or IP address during and across website visits. Cookies are widely used by website owners to make their websites more efficient, as well as to provide reporting data. Pixels, which are also called web beacons, are small blocks of code installed on, or called by, a web page, app, or advertisement which can retrieve certain data about your device and browser, including the device type, operating system, browser type and version, website visited, time of visit, referring website, IP address, advertising identifiers, location, and other similar data that uniquely identifies your device. Pixels enable the ability to recognize when someone has visited a website or opened an email and allows monitoring the traffic patterns of users within websites, delivery or communication with cookies, determining whether a user has come to a website from an online advertisement displayed on a third-party website, to improve website performance, to measure the success of email marketing campaigns, and to set and read browser cookies from third-party domains and collect data about visitors to that domain, typically with the permission of the domain owner.

a. Can you control cookies? 

In sum: Yes, in certain jurisdictions, such as California, Mexico, the EU, and the UK, data subjects may  have the right to choose whether or not to accept cookies and/or pixels. Cookies and/or pixels may be an  important part of how our Places work. You should be aware that if you choose to refuse or remove cookies  and/or pixels, this could affect your ability to access and use our Places. 

Most web browsers are configured to accept cookies and/or pixels by default. You can generally configure  your browser to remove or reject browser cookies and/or pixels. If interested, follow the instructions  provided by your browser, which are usually located in the “help” or “preferences” menu. Some third parties  also provide the ability to refuse their cookies and/or pixels directly by clicking on an opt-out link. 

Please be aware that removing or rejecting browser cookies or pixels does not necessarily affect third-party  cookies or pixels. For more information about cookies, including how to see which cookies have been set  on your device and how to manage or delete them, visit https://youronlinechoices.com/, or  https://www.youronlinechoices.eu for EU visitors. 

For mobile users, your device’s operating system provides controls that enable you to choose whether or  not to allow cookies or share your unique identifier with companies like us or our third-party providers. For  information on controlling your mobile choices, visit https://www.networkadvertising.org/mobile-choices. 

To help control or block certain ads in mobile applications, you can download and utilize the DAA mobile  app, which is available at https://youronlinechoices.com/appchoices.  

In addition, many advertising networks offer you a way to opt out of targeted advertising. If you would like  to find out more information, visit http://www.aboutads.info/choices/. 

b. Can you control Do-Not-Track features? 

In sum: Yes, most web browsers and some mobile operating systems and mobile applications include a  Do-Not-Track (DNT) feature or setting you can activate to signal your privacy preference not to have data  about your online browsing activities monitored and collected. 

No uniform technology standard for recognizing and implementing DNT signals has been finalized,  however. As such, we do not currently respond to DNT browser signals or any other mechanism that  automatically communicates your choice not to be tracked online. If a standard for online tracking is adopted  that we must follow in the future, we will inform you about that practice in a revised version of this Policy. 

9. HOW DO WE HANDLE YOUR THIRD-PARTY ACCOUNT LOGINS? 

In sum: If you choose to share access to your social media accounts and/or other third-party accounts,  we may have access to certain data about you. 

Our Places may offer you the ability to share access to your third-party social media account details (like  your Google or LinkedIn logins) and/or other third-party accounts. Where you choose to do this, the  providers will send us certain profile data about you, not access into your account. The profile data we  receive will vary depending on the provider, but will often include your name, date of birth, email address,  friends list, profile picture, as well as other data you choose to make public and/or is contained within that  account. 

We will use the data we receive only for the purposes that are described in this Policy or that are otherwise  made clear to you on our Places. Please note that we do not control, and are not responsible for, other  uses of your data by your third-party social media providers or other third-party accounts. We recommend  that you review their respective privacy policy to understand how they collect, use and share your data, and  how you can set your privacy preferences on their sites and apps. 

10. HOW LONG AND WHERE DO WE KEEP YOUR DATA? 

In sum: We only keep your data, which are stored on servers located in the US, for as long as necessary  to fulfill the purposes outlined in this Privacy Policy. Our retention requirements vary, depending on  jurisdictional requirements; however, for more details please see the information provided in Section 1.  Definitions in Data retention. 

We will only keep your data for as long as it is necessary for the purposes set out in this Privacy Policy,  unless a longer retention period is required or permitted by applicable Law (such as AFC, tax, accounting,  etc.). 

When we have no ongoing legal requirements or legitimate business need to process your data, we will  either delete or anonymize it, or, if this is not possible (for example, because your data has been stored in  backup archives), then we will securely store your data and isolate it from any further processing until  deletion is possible. 

As noted in multiple locations throughout the Policy, our servers are in the US, which may be located outside  the country in which the Owner resides. Our group companies, third-party service providers, and partners,  with whom we may share your data as outlined in this Policy, are located in and transfer data to various  jurisdictions around the world. This means that your data may be transferred and processed in countries  other than the country in which you reside. The data protection laws may be different in these countries  versus your own country and, in some cases, may be less protective. Be assured, we take appropriate  measures to ensure that your data is protected in accordance with this Policy. 

For further information about retention time periods or international data transfers, contact us at privacy@conduit.fi.

11. HOW DO WE KEEP YOUR DATA SAFE?  

In sum: We aim to protect your data through a system of organizational and technical security measures.  

We have implemented appropriate technical and organizational security measures designed to protect the  security of any data we collect and process, which are designed to provide a level of security appropriate  to the level of risk presented; however, please also remember that we cannot guarantee that the internet  itself is 100% secure. Although we will do our best to protect your data, transmission of data to and from  our Places is at your own risk. You should only access our Places within a secure environment.

12. DO WE COLLECT DATA FROM MINORS? 

In sum: We do not knowingly collect data from or market to natural persons under 18 years of age. 

We do not knowingly solicit data from, or market to, natural persons under 18 years of age. By using our Places, you represent that you are at least 18 or that you are the parent or guardian of such a minor and consent to you minor’s use of the Places. If we learn that data from Owners less than 18 years of age has been collected without authorization from the parent or guardian, we will deactivate the minor’s access and take reasonable measures to promptly delete such data from our records. If you become aware of any data we have collected from natural persons under age 18, please contact us at privacy@conduit.fi.

13. WHAT ARE YOUR DATA PRIVACY & PROTECTION RIGHTS? 

In sum: Depending on your domicile, you may have certain data rights. To learn more about your rights or  to exercise any of your rights please consult the information referred to in sections 14 to 21 or contact our  Privacy team through the communications methods provided in Section 24. 

In certain locations you may be a data subject and have some of the following data rights, which can be  exercised through the communications methods provided in Section 24: 

Right of access. You may have the right to access and receive copies of your data we hold and  receive details about how and why we use your data. 

Right to request proof of the authorization granted for the treatment. You may request the  person in charge to allow you to know about the record where the consent you granted for the  processing of your personal data is recorded. 

Right of portability. You may have a right to obtain your data for your own purposes, including so  that you can provide or “port” that data elsewhere. 

Right of erasure. You may have the right to request us to delete the data we hold about you. We  may also pass your requests on to other third parties to which we have shared your data.  

Right to exercise your rights without discrimination. You may have the right to exercise these  rights without being discriminated against. 

Right to file a complaint. You may have the right to complain to your applicable data protection  authority about our collection and use of your data. 

Right to not participate. If you do not agree with us collecting your data, you can inform us of  your choice not to participate. 

Right to opt-out and/or revoke. You may have the right to revoke your consent to us collecting  and/or processing your data and/or stop marketing communications and/or opt-out of participating  and receiving future marketing communications, even if our reasons are based on legitimate  business interests. You may also have the right to opt out of other processing activities. For email  marketing communications, where applicable, click on the “unsubscribe” link found in those  emails. To opt-out of other activities, you may note your preferences when going through the  registration process or by accessing your account and updating your preferences. 

Right to correct. You may have the right to have us correct any inaccurate or incomplete personal  data. 

Right to restrict. In certain circumstances you may be able to request that we restrict collecting  and/or processing your data. Contact us to learn more about the circumstances in which this right  exists at privacy@conduit.fi. 

Right to appoint others. Certain locations permit you to appoint someone else to act on your  behalf. Typically, this is done through a document such as a power of attorney. If your domicile  allows this, please understand that we will require this appointed person to provide proof of such  appointment, which may include you verifying your identity directly with us and/or our third-party  identity verification partner.

Right to confidentiality. You have the right to have your personal data protected in a manner  appropriate to its degree of confidentiality. 

Right to anonymization, blocking or deletion. You have the right to have your personal data  anonymized, blocked, or deleted of unnecessary, excessive, or processed data in contravention of  the provisions of the applicable Law. 

Right to obtain confirmation of existence of treatment. At any time and upon request, you have the right to obtain from the person responsible for the treatment, in relation to the data of the Owner processed by such person, the confirmation of the existence of treatment.

a. UPDATING OR EDITING ACCOUNT DATA OR CLOSING AN ACCOUNT 

You can review or change the data pertaining to you in your account by contacting us at privacy@conduit.fi or, if available, by logging into your account with us and updating your user data.  

If you close your account with us, we will deactivate your account and certain data from our active  databases; however, some data will be retained in our systems for AFC, to prevent fraud, troubleshoot  problems, assist with any investigations, enforce our agreements and contracts and policies and  procedures, and/or comply with the applicable Laws and/or legal requirements.  

14. DO ARGENTINIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS? 

In sum: Yes, if you are a resident of Argentina, you are granted specific rights regarding access to your  personal data. 

Argentinian Law No. 25,326 (the Personal Data Protection Act or “PDPA”) focuses directly on data  protection. The PDPA defines several data protection-related terms and includes general principles  regarding data collection and storage, outlining the Owner's rights and setting out the guidelines for the  processing of personal data. 

To understand your rights, please review the PDPA in this link  http://www.jus.gob.ar/media/3201023/personal_data_protection_act25326.pdf 

If you wish to assert any of your personal data rights, please contact our privacy team through the  communications methods provided in Section 24. 

15. DO BRAZILIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS? 

In sum: Yes, if you are a resident of Brazil, you are granted specific rights regarding access to your personal  data.  

Brazilian regulation, Law 1581 of 2012, Decree 1074 of 2015, Law 962 2005 and Law 1480 from 2011 sets  forth the rights of Brazilian residents regarding their personal data held by private parties such as Conduit.  

To understand your rights, please review the Regulations in this link  http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709compilado.htm 

If you wish to assert any of your personal data rights, please contact our privacy team through the  communications methods provided in Section 24.

16. DO CALIFORNIA RESIDENTS HAVE SPECIFIC DATA RIGHTS? 

In sum: Yes, if you are a resident of the State of California in the US, you are granted specific rights  regarding access to your personal data.  

California Civil Code Section 1798.83, also known as the “Shine The Light” law, or the California Consumer  Privacy Act of 2018 (SB-1121), may permit our clients who are California residents to request and obtain  from us, once a year and free of charge, information about categories of personal data (if any) we disclosed  to third-parties for direct marketing purposes and the names and addresses of all third-parties with which  we shared such personal data in the immediately preceding calendar year. If you are a California resident  and would like to make such a request, please submit your request in writing to us using the contact  information provided. 

If you are under 18 years of age, reside in California, and have a user account with our Places, you may  have the right to request removal of unwanted data. To request removal of such data, please contact us  using the communications methods provided in Section 24 and include the email address associated with  your account and a statement that you reside in California. We will make sure your data is not publicly  displayed on our Places, but please be aware that your data may not be completely or comprehensively  removed from our systems due to applicable Laws and/or other requirements. 

17. DO CANADIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS? 

In sum: Yes, if you are a resident of Canada, you are granted specific rights regarding access to your  personal data.  

The Personal Information Protection and Electronic Documents Act (PIPEDA) sets forth the rights of  Canadian residents regarding their personal data held by private parties such as Conduit. To understand  your rights, please review the Regulations via this link https://laws-lois.justice.gc.ca/eng/acts/P-8.6/. If you  wish to assert any of your personal data rights, please contact our privacy team through the  communications methods provided in Section 24. 

18. DO CHILEAN RESIDENTS HAVE SPECIFIC DATA RIGHTS? 

In sum: Yes, if you are a resident of Chile, you are granted specific rights regarding access to your personal  data.  

Chilean regulation, Law 19628 sets forth the rights of Chilean residents regarding their personal data held  by private parties such as Conduit. To understand your rights, please review the Regulations in this link  https://www.bcn.cl/leychile/navegar?idNorma=141599. If you wish to assert any of your personal data  rights, please contact our privacy team through the communications methods provided in Section 24. 

19. DO COLOMBIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS? 

In sum: Yes, if you are a resident of Colombia, you are granted specific rights regarding access to your  personal data.  

Colombian regulation, Law 1581 of 2012, Decree 1074 of 2015, Law 962 2005 and Law 1480 from 2011  sets forth the rights of Colombian residents regarding their personal data held by private parties such as  Conduit. To understand your rights, please review the Regulations in this link  https://www.funcionpublica.gov.co/eva/gestornormativo/norma.php?i=49981. If you wish to assert any of  your personal data rights, please contact our privacy team through the communications methods provided  in Section 24.

20. DO COTE D’IVOIRE RESIDENTS HAVE SPECIFIC DATA RIGHTS? 

In sum: Yes, if you are a resident of Cote d'Ivoire (Ivory Coast), you are granted specific rights regarding  access to your personal data. 

Cote d’Ivoire Law No. 2013-450 on the Protection of Personal Data (Data Protection Act). Data Protection  Act was enacted in 2013 to regulate the collection, processing, use, and storage of personal data in Cote  d'Ivoire. The Data Protection Act aims to protect the privacy rights of individuals in Cote d'Ivoire by ensuring  that their personal data is collected and processed fairly, lawfully, and transparently. To understand your  rights, please review the Data Protection Act in this link  http://www.ilo.org/dyn/natlex/docs/ELECTRONIC/104182/126984/F366961585/CIV-104182.pdf or English  in this link https://dataprotection.africa/wp-content/uploads/2022/09/Cote-dIvoire_DPA.pdf. If you wish to  assert any of your personal data rights, please contact our privacy team through the communications  methods provided in Section 24. 

21. DO EU AND UK RESIDENTS HAVE SPECIFIC DATA RIGHTS? 

In sum: Yes, if you are a resident of the EU or the UK, you are granted specific rights regarding access to  your personal data.  

The European Commission’s General Data Protection Regulation (EU GDPR) sets forth the rights of EU  residents regarding their personal data held by others, such as Conduit. The UK’s Data Protection Act 2018,  which tailors its General Data Protection Regulation (UK GDPR) and sets forth the rights of UK residents  regarding their personal data held by others, such as Conduit. To understand your rights, please review the  information provided via the hyperlinks above. If you are a resident of the EU or the UK and wish to assert  any of your personal data rights, please contact our privacy team through the communications methods  provided in Section 24. 

22. DO MEXICAN RESIDENTS HAVE SPECIFIC DATA RIGHTS? 

In sum: Yes, if you are a resident of Mexico, you are granted specific rights regarding access to your  personal data.  

Mexico’s Regulations to the Federal Law on the Protection of Personal Data Held by Private Parties sets  forth the rights of Mexican residents regarding their personal data held by private parties such as Conduit.  To understand your rights, please review the Regulations via the hyperlink above. If you wish to assert any  of your personal data rights, please contact our privacy team through the communications methods  provided in Section 24. 

At any time, you can exercise the rights enumerated therein (your ARCO rights) by sending such a request  through the communications methods provided in Section 24. Your request must contain (i) your full legal  name (all given names and surnames) and contact information (email address, mobile phone number,  primary residential address), (ii) documentary evidence that proves your identity (or we may require you to  verify your identity with our third-party identity verification partner), or the items outlined in the second to  last bullet point of Section 13 Right to appoint others, (iii) a clear description of the right(s) you wish to  exercise, (iv) any other evidence or details that support your request, and (v) if you’re seeking the Right to  correct, evidence that supports your request.

23. DO MONTANA RESIDENTS HAVE SPECIFIC DATA RIGHTS? 

In sum: Yes, if you are a resident of the State of Montana in the US, as of 1 October 2024, you are granted  specific rights regarding access to your personal data. 

The Montana Consumer Data Privacy Act (MCDPA), SB0384 enacted by the 68th Legislature 2023, sets  forth the rights of Montana residents regarding their personal data held by private parties if the private party  controls or processes the personal data of not less than 50,000 consumers, excluding personal data  controlled or processed solely for the purpose of completing a payment transaction; or (b) controls or  processes the personal data of not less than 25,000 consumers and derives more than 25% of gross  revenue from the sale of personal data. To understand your rights, please review the MCDPA in this link  https://leg.mt.gov/bills/2023/billpdf/SB0384.pdf. If Conduit would qualify under (a) or (b) above and you wish  to assert any of your personal data rights on or after 1 October 2024, please contact our privacy team  through the communications methods provided in Section 24. 

24. DO NIGERIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS? 

In sum: Yes, if you are a resident of Nigeria, you are granted specific rights regarding access to your  personal data. 

The Nigeria Data Protection Regulation 2019 (NDPR) was enacted by the National Information Technology  Development Agency (NITDA) to regulate the collection, use, storage, and sharing of personal data by data  controllers and processors in Nigeria. To understand your rights, please review the NDPR in this link  https://ndpb.gov.ng/Files/NigeriaDataProtectionRegulation.pdf and the NDPR implementation framework  established by NITDA in this link https://nitda.gov.ng/wp-content/uploads/2021/01/NDPR-Implementation 

Framework.pdf. If you wish to assert any of your personal data rights, please contact our privacy team  through the communications methods provided in Section 24. 

25. DO PERUVIAN RESIDENTS HAVE SPECIFIC DATA RIGHTS? 

In sum: Yes, if you are a resident of Peru, you are granted specific rights regarding access to your personal  data.  

Peruvian regulation, Law 29733 and Law 27444 sets forth the rights of Peruvian residents regarding their  personal data held by private parties such as Conduit. To understand your rights, please review the  Regulations in this link https://www.minjus.gob.pe/wp-content/uploads/2013/04/LEY-29733.pdf and  http://www.pcm.gob.pe/wp-content/uploads/2013/09/Ley-de-Procedimiento-Administrativo-de 

PersonalLey27444.pdf. If you wish to assert any of your personal data rights, please contact our privacy  team through the communications methods provided in Section 24. 

26. DO SOUTH AFRICAN RESIDENTS HAVE SPECIFIC DATA RIGHTS? 

In sum: Yes, if you are a resident of South Africa, you are granted specific rights regarding access to your  personal data.  

The South African Protection of Personal Information Act (POPIA) was signed into law in 2013, and became  fully operational on 1 July 2021. POPIA is designed to regulate the processing of personal information in  South Africa and to protect the privacy rights of individuals. It establishes principles for the collection, use,  and storage of personal information by organizations and gives individuals the right to access and control  their personal information. To understand your rights, please review the POPIA in this link  https://www.gov.za/documents/protection-personal-information-act. If you wish to asset any of your  personal data rights, please contact our privacy team through the communications methods provided in  Section 24.

27. DO WE UPDATE THIS POLICY? 

In sum: Yes, we update this Policy as necessary to stay compliant with applicable Laws.  

We may update this Privacy Policy from time to time. The updated version will be indicated by the “Last  updated” date at the beginning of the Policy and the updated version will be effective as soon as it is  accessible. If we make material changes to this Privacy Policy, we may notify you either by prominently  posting a notice of such changes or by directly sending you a notification. We encourage you to review this  Privacy Policy frequently to be informed of how we are protecting your data. 

Conduit has the right to modify this Privacy Policy at any time. On top of posting it on our websites, we may  inform you that we have updated this Policy by emailing you, if we have your email address.  

28. HOW TO CONTACT US ABOUT THIS POLICY? 

Regarding the exercise of your personal data protection rights as Owner (including the Owner’s successors,  legal representatives and / or proxies (collectively included within in the definition of “Owner”)) Conduit will  enable access channels for the Owners.  

All communications, queries, complaints and / or claims must be directed to Conduit by any of the following  means: 

Electronic attention: The Owner may make a request to the following email: privacy@conduit.fi. 

Written attention: The Owner may make a request to Conduit Technology, Inc. at the following address:  1001 S Main Street, Suite 4080, Kalispell, Montana 59901, United States of America. 

If you have questions or comments about this Policy, you may contact our Chief Legal & Compliance Officer, Mark Graves, who is the head of our Privacy team by email at the address provided above. 

29. DO WE TREAT SENSITIVE PERSONAL DATA? 

Conduit will not collect, store, or process sensitive data, unless strictly necessary. If such a situation arises,  it will not carry out any treatment without the due prior, informed, and express authorization of the data  Owner, and only in the following cases: 

When the Owner or his legal guardian consents, specifically and prominently, for specific purposes. Without giving the consent of the Owner, in cases where it is essential: 

▪ compliance with a legal or regulatory obligation by the data controller. 

▪ shared treatment of the data necessary for the execution, by the public administration, of the public  policies established in the laws or regulations. 

▪ carry out studies by a research body, ensuring, whenever possible, the anonymity of sensitive  personal data. 

▪ regular exercise of rights, including in contracts and in judicial, administrative, and arbitration  processes. 

▪ protection of the life or physical safety of the Owner or a third party. 

▪ health protection, exclusively, in a procedure performed by health professionals, health services, or health authorities. 

▪ guarantee of fraud prevention and security of the Owner, in the processes of identification and  authentication of the record in electronic systems, safeguarding the rights referred to in the Legislation and, except in the case in which the fundamental rights and freedoms of the Owner prevail, require the protection of personal data. 

▪ When the treatment is necessary to safeguard the vital interest of the Owner and he is physically  or legally incapacitated. 

▪ When an anonymization or disassociation procedure has been applied. 

▪ When there is a norm for the promotion of competition in regulated markets issued in the exercise  of the normative function by the regulatory bodies referred to in Peruvian Law 27332, Framework  Law of the Regulatory Bodies of Private Investment in Public Services, or the to take its place,  provided that the information provided is not used to the detriment of the Owner's privacy. 

▪ When the treatment is carried out during legitimate activities and with the due guarantees by a  foundation, non-governmental organization, association, or any other non-profit organization,  whose purpose is political, philosophical, religious, or union, provided that they refer exclusively to  their members or to people who maintain regular contacts by reason of their purpose, in which  cases, the data may not be provided to third parties without the authorization of the Owner. 

▪ When the treatment refers to data that are necessary for the recognition, exercise, or defense of a  right in a judicial process. 

▪ When the treatment has a historical, statistical, or scientific purpose. In this event, the measures  leading to the suppression of the identity of the Owners must be adopted. 

The answers to the questions about sensitive data are optional, therefore, they will not be mandatory. In  any case, Conduit will strictly observe the legal limitations on the processing of sensitive data. Conduit, will  not condition, in any case, any activity to the delivery of sensitive data. Sensitive data will be treated with  the greatest possible diligence and with the highest security standards. Limited access to sensitive data will  be a guiding principle to safeguard the Owner’s privacy and, therefore, only authorized personnel may have  access to this type of data. 

Sensitive data may not be processed for purposes other than those expressly authorized by the Owner.

30. HOW WE TREAT THE PERSONAL DATA OF OUR EMPLOYEES 

Conduit is responsible for the treatment of the personal data that you provide from your selection process,  recruitment and, where appropriate, if the selection process is successful, when the employment  relationship begins and until it concludes, regardless of the cause. The personal data collected will be  processed in order to integrate the file as an applicant or candidate or employee or contractor or consultant  or agent at the service of Conduit (collectively referred to as “employees”), prove your identity, location,  carry out selection and recruitment, administrative and tax procedures, cover the job profile, pay salaries  and benefits, assign and verify travel expenses and domestic and international travel tickets, integrate  billing, be insured on Social Security or other similar governmental obligations or benefits, designate  beneficiaries in terms of the Labor Laws, receive all kinds of legal and extra-legal benefits, control  attendance and grant benefits of social security, economic, in-kind, and health benefits; and schedule  training actions. It is made known to you that Conduit, in addition to the transfers that you make and that  do not require your consent, may carry out the transfer of your personal data for the legal purposes that  may arise due to the selection and recruitment process to which you are subjected or the individual  employment relationship once you have signed the respective agreement; for all extraordinary transfers we  will require your consent, therefore, if you do not want your personal data to be transferred for any or all of  the purposes indicated, from this moment forward you can communicate the above, omitting the electronic  signature of this notice or using the communications methods provided in Section 24; however, please  understand that your refusal to allow such transfers shall also mean that Conduit will be incapable of hiring  you or continuing to keep you as an employee depending on the timing of your notification to Conduit.  

TO BE CLEAR: if you notify Conduit that you do not want your personal data to be transferred while  employed by Conduit, this shall be considered as your written voluntary resignation notification from your  employment with Conduit. If you do not express your refusal for said transfers, we will understand that you  have given us such consent.

Likewise, at any time you can exercise your data protections rights contact our Privacy team through the  communications methods provided in Section 24.