CapitalOS Privacy Policy

CapitalOS, Inc. and its affiliates (“we” or “us”) collect data when users sign-up for, use, or engage with our applications, products, services and websites (collectively, our "Services"). The data that we collect includes data that identifies or could reasonably be used to identify natural persons (“Personal Information”). The purpose of this Privacy Policy (“Policy”) is to inform natural persons identified by Personal Information we hold (“you” in this Policy refers to each such person) of our Personal Information management practices.

This Policy describes:

• the Personal Information we collect when a user signs-up for, uses, or engages with any of our applications, products, services, or websites (collectively, the "Services");
• how we manage, use and secure Personal Information; and
• the choices you have regarding how we manage Personal Information.

Please read this Policy carefully. If you use or access our Services, you consent to the practices described in this Policy. The Cookies and Tracking Technologies Disclosure is incorporated into and forms part of this Privacy Policy.

2.1 CapitalOS Account Information. As part of the creation and maintenance of CapitalOS Accounts we collect names, email addresses, phone numbers, birth dates, government-issued identification numbers and payment card and bank information, as well as other information related to Service eligibility, risk management, compliance, identity verification and fraud prevention. We may collect this information from you directly, or from the sources described below.

2.2 Other Data. We collect the following categories of data, which may include Personal Information:

• Transaction Data: when, where and how a transaction takes place including the devices and payment methods used;
• Device Data: hardware model, operating system, unique device identifiers, mobile network data as well as other data generated by a device's interaction with our Services;
• Location Data: to prevent fraudulent or unlawful use of the Services;
• User Data: browser data, Internet Protocol ("IP") addresses and other data describing user engagement;
• Cookies: small data files we may store on your computer or mobile device memory to help us manage your engagement with our Services, including gathering aggregated data about engagement;
• Beacons: small electronic images we may use in our Services and emails to deliver cookies and measure user engagement.
• Information to Enhance your Experience: other data such as a profile picture that may enhance your experience.

2.3 Sources of Information. We collect Personal Information from:

• you directly, when you submit information to us or allow us to access information;
• your devices and your interactions with the Services;
• CapitalOS account holders, where you are nominated as an owner, administrator or authorized user of the account holder; and
• other sources, including information from third-party services that help us with risk management, compliance, identity verification and fraud prevention. With consent, we may also collect Personal Information from your service providers or the service providers of CapitalOS account holders with which you are associated. Finally, we may also use publicly available sources.

We use Personal Information:

• to provide, maintain and improve the Services;
• to protect the integrity of the Services and the safety of our users, and to mitigate and avoid harm;
• as required by law, our financial partners (including card issuers, card program managers and banking partners) and payment card networks (including Visa and Mastercard);
• for account-related purposes, such as underwriting, identity verification, transaction reporting, fraud prevention, account information verification, and spending limit determination;
• for internal analytics and reporting;
• to enforce our rights, including as part of a dispute resolution process; and
• as otherwise permitted by law.

We may derive data from your Personal Information in such a way that you can no longer be identified via the derived data. For example we may combine your Personal Information with other Personal Information to create an aggregated dataset, or we may modify your Personal Information so that it is anonymized. Derived data is not Personal Information, and this Privacy Policy does not apply to such data.

We share Personal Information under controlled circumstances:

• With third-party services that help us with risk management, compliance, identity verification and fraud, or otherwise assist us to provide the Services;
• With financial institutions, payment processors, payment card issuers, payment card program managers, payment card networks and other entities that provide or facilitate payments infrastructure;
• With government and law enforcement where reasonably necessary to comply with applicable law, regulation, legal process, or governmental request;
• With a merchant where you are disputing your purchase of a good or service from the merchant;
• With others where reasonably necessary to protect the integrity of the Services or the safety of our users, or to mitigate or avoid harm;
• In connection with any financing, acquisition, divestiture or dissolution of all or a portion of our business; and
• With your consent.

We take reasonable measures, including administrative, technical and physical safeguards, to help protect Personal Information from unauthorized access, disclosure, alteration and destruction. We maintain strict security standards and procedures designed to prevent unauthorized access to your data by anyone, including our staff. We use technologies such as data encryption, firewalls and server authentication to protect the security of Personal Information, both at rest and in transit.

• Personal Information: You can access, change or correct data about yourself through the CapitalOS Account with which you are associated, or emailing support@capitalos.com. We may retain data about you for a period of time consistent with applicable law.
• Location Data, if applicable: Our mobile applications may require location data. If you do not grant us access to this data then you may not be able to access the Services. If you grant access to location data but later revoke this access your mobile device may no longer be able to access the Services. You may also uninstall the mobile applications to stop collection of location data.
• Cookies: You can set your browser to reject cookies but the Services may not function properly in this setting.
• Marketing: You can opt-out of marketing messages by following instructions in these messages. If you opt-out we may still send you transactional messages related to the Services.
• Website Tracking: Certain websites you visit may provide options regarding advertisements you receive. For more information or to opt out of certain online behavioral advertising, please visit www.aboutads.info.
• Do Not Track: Some browsers support a “Do Not Track” feature, which is intended to be a signal to websites that you do not wish to be tracked across different websites you visit. The Services do not currently change the way they operate based upon detection of a Do Not Track or similar signal.

You may have rights with respect to Personal Information granted under applicable law, in which case you may exercise those rights by emailing support@capitalos.com.

The Services contain hyperlinks to other websites or locations that we do not control and are operated and controlled by third parties (“Third-Party Websites”). This Policy does not apply to these Third-Party Websites and we make no representations regarding the policies or business practices of any such Third-Party Websites.

We may amend this Policy from time to time by posting a revised version and updating the “Last Updated” date above. The revised version will be effective on the “Last Updated” date listed. If you keep using the Services, you consent to any amendment of this Policy.

If you have questions or comments, feel free to email us at support@capitalos.com.

We and our partners may use cookies or similar technologies to analyze trends, administer the website, track users' movements around the website, and gather information about our user base, such as location information based on IP addresses. You can control the use of cookies at the individual browser level.

Cookies are small text files that are placed on your computer by websites and services that you visit or access. They are widely used to make websites and services work and function with greater efficiency, and to provide information about our users' experience during use of, or interaction with, our websites, and Services. Some cookies last only for the duration of your web session and expire when you exit your browser; other cookies may last for longer than your web session, including after you exit your browser, for example by remembering you when you return to our website. The list below explains the cookies that we and our third-party partners use and why.

• Functional Cookies for Preferences and Settings: These cookies are used to record a user's choice and settings that enable our websites and Services to operate correctly or that maintain your preferences over time and may be stored on your device.
• Functional Cookies for Sign in and Authentication: When you sign into a website or Service using a CapitalOS account, we may store a unique ID number, and the time you signed in, in an encrypted cookie on your device. This cookie allows you to move from page to page within the website without having to sign in again on each page. You can also save your sign-in information, so you do not have to sign in each time you return to the site.
• Analytics Cookies: To provide our products and improve your user experience on our websites and with the Services, we use cookies and other identifiers to gather usage and performance data. For example, we use cookies to count the number of unique visitors to a web page or service or to our blog and to develop other statistics about the operations of the Services. This may include cookies from us and from third-party providers. We use the information to compile reports and to help us improve our websites and Services.

Most web browsers automatically accept cookies but provide controls that allow you to block or delete them. Instructions for blocking or deleting cookies in other browsers may be available in each browser's privacy or help documentation. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org.

Certain features of the Services may depend on cookies. Please be aware that if you choose to block cookies, you may not be able to sign in or use those features, and preferences that are dependent on cookies may be lost. If you choose to delete cookies, settings and preferences controlled by those cookies, including advertising preferences, will be deleted and may need to be recreated.

We and our third-party service providers may sometimes use technologies to engage in data analytics, auditing, measurement, research, reporting, and debugging on the Services and to measure interactions with the Services, such as tracking referral credits. For example, we use Google Analytics on our Services for such purposes. You can learn more about Google Analytics here and opt out here.