EU-U.S. Data Privacy Framework Policy

In accordance with our commitment to protect personal privacy, WizRocket Inc. and its U.S. operating subsidiaries (including those entities listed in Exhibit A) (collectively referred to as “CleverTap”, “we,” “us,” or “our”) provide Customers with a service platform that enables them to analyse how their end users (“Customer End Users”) interact with Customer website(s) or mobile application(s) and to communicate with such Customer End Users through the CleverTap service platform (the “CleverTap Service”).

Customers’ authorised users of the CleverTap Service and other representatives of our Customers (collectively, “Customer Representatives”) interact with CleverTap for the purpose of establishing, maintaining, and managing their use of the CleverTap Service.

CleverTap complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), as set forth by the U.S. Department of Commerce. CleverTap has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles with regard to the processing of personal data received from the European Union, to the UK Extension Principles with regard to the processing of personal data received from the United Kingdom and Gibraltar, and to the Swiss-U.S. DPF Principles with regard to the processing of personal data received from Switzerland, in each case in reliance on the applicable Data Privacy Framework.

If there is any conflict between the terms in this Policy and the EU-U.S. DPF Principles, the UK Extension Principles, and/or the Swiss-U.S. DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework program and to view CleverTap’s certification, please visit Data Privacy Framework. The Federal Trade Commission (FTC) has jurisdiction over CleverTap’s compliance with the Data Privacy Framework. All CleverTap employees who handle personal data originating from the European Union, the United Kingdom, Gibraltar, and/or Switzerland are required to comply with the Principles set forth in this Policy.

SCOPE OF THIS EU-U.S. Data Privacy Program Framework POLICY

This Policy applies to the processing of Personal Data by CleverTap in the United States, or the transfer of such Personal Data to the United States, concerning individuals who reside in the European Union, the United Kingdom and Gibraltar, or Switzerland, in reliance on the applicable Data Privacy Framework.
This Policy does not apply to data that has been irreversibly anonymised such that individuals cannot be identified by any means reasonably likely to be used. For clarity, pseudonymized data, where identifiers have been replaced but re-identification remains possible, continues to be treated as Personal Data and remains within the scope of this Policy.

TYPES AND USES OF COLLECTED INFORMATION

The types of information processed by CleverTap, whether obtained directly from individuals or from third-party sources, and the applicable privacy practices depend on the nature of the relationship between the individual and CleverTap, as well as the requirements of applicable law. This section describes the categories of information processed by CleverTap, the sources of such information, and the purposes for which it is processed.

CleverTap processes both Personal Data and Non-Personal Data.

Personal Data. “Personal Data” means any information relating to an identified or identifiable natural person, as defined under applicable data protection laws. In general, CleverTap processes Personal Data relating to Website users, Customer Representatives, and Customer End Users, as further described below.

1. Website Users
   CleverTap processes Personal Data relating to users of its website, including information by which an individual may be identified or contacted, such as name, company name, email address, telephone number, or other similar identifiers. CleverTap may also process professional or employment-related information submitted by job applicants, including education, employment history, and related qualifications.


2. Personal Data of Customer Representatives
   CleverTap processes Personal Data relating to Customer Representatives for the purpose of establishing, administering, and managing Customer accounts and their use of the CleverTap Service. When Customer Representatives engage in certain activities through the CleverTap Service, including but not limited to creating an account, submitting feedback, or otherwise using or participating in the CleverTap Service (collectively, “Identification Activities”), CleverTap may request that Customer Representatives provide certain information. Depending on the Identification Activity, some information may be identified as mandatory and other information as voluntary. If a Customer Representative does not provide information identified as mandatory for a particular Identification Activity, the Customer Representative may not be able to participate in that activity within the CleverTap Service.
   As Customer Representatives interact with the CleverTap Service, CleverTap may also process usage and technical information through commonly used information-gathering technologies such as cookies and web beacons (“Website Navigational Information”). Website Navigational Information may include standard information from a Customer Representative’s browser (such as browser type and language), Internet Protocol (IP) address, and information regarding interactions with the CleverTap Service (such as pages viewed and links clicked). Additional information regarding the use of cookies and available choices is described elsewhere in this Policy.
   Through certain service features, including the “import Customer End Users” functionality, a Customer Representative may also provide CleverTap with Personal Data relating to other Customer Representatives, such as name, company name, address, phone number, email address, and/or IP address. Where such Personal Data is provided, CleverTap processes the information solely for the specific purpose for which it was provided, including to create or manage records within the applicable Customer account, or as otherwise agreed with the Customer in the applicable contractual arrangements.
   CleverTap processes Personal Data of Customer Representatives for purposes that include providing and operating the CleverTap Service, collecting payment for products and services, administering promotions or contests where applicable, enhancing and improving the CleverTap Service, analyzing service usage, tailoring user experience, troubleshooting issues, resolving disputes, performing administrative functions, communicating with Customer Representatives, enforcing applicable agreements and policies, complying with legal obligations, and cooperating with lawful requests from public authorities. The CleverTap Service may include social media features or widgets that are hosted by third parties or directly integrated into the CleverTap Service. Such features may collect information such as IP address and interaction data. Any interactions with these features are governed by the privacy policies of the respective third-party providers.


3. Customer End User Data
   As part of the provision of the CleverTap Service, CleverTap processes Personal Data and Non-Personal Data relating to Customer End Users (“Customer End User Data”) solely on behalf of and in accordance with the instructions of its Customers, as set forth in the applicable contractual arrangements. CleverTap does not control, initiate, or approve any communications, messages, or requests for Customer End User Data made by a Customer to its Customer End Users. Customer End Users should be aware that a Customer may request certain information directly from them in order to operate the Customer’s website(s) and/or mobile application(s), and that such information may subsequently be provided to CleverTap by the Customer through use of the CleverTap Service. Customer End Users are therefore encouraged to review the privacy policy of the applicable Customer to understand how their information is collected, used, and disclosed. To the extent CleverTap processes Customer End User Data, CleverTap implements appropriate technical and organizational measures and makes reasonable efforts to maintain the confidentiality and security of such data, consistent with the terms of this Policy and applicable law.
   CleverTap has no direct relationship with Customer End Users whose Personal Data it processes. Accordingly, Customer End Users seeking to exercise rights of access, correction, amendment, or deletion of their Personal Data should direct such requests to the applicable Customer, who acts as the data controller. Upon receipt of a valid request from a Customer to access, correct, amend, or delete Customer End User Data, CleverTap will support the Customer and respond to such request within one month, provided that this period may be extended by up to two additional months where necessary, taking into account the complexity and number of requests, and that CleverTap will inform the Customer of any such extension and the reasons for delay within one month of receipt of the request.
   CleverTap will not review, share, distribute, or otherwise use Customer End User Data except as instructed by the Customer in the applicable agreement with CleverTap or as required by applicable law. Where a Customer End User submits a request directly to CleverTap, CleverTap may require the individual to identify the relevant Customer and will refer the request to that Customer and provide reasonable assistance, as appropriate, to enable the Customer to respond in accordance with applicable data protection laws.

Non-Personal Data. “Non-Personal Data” is information that does not identify a specific person.

1. Website Users – Usage and Technical Information
   CleverTap processes certain information relating to Website users that is generated through interactions with the Website, including communications with users, information regarding browsing sessions and Internet activity (such as pages viewed, interactions with Website content, and referring URLs), and technical information such as browser type, operating system, device information, and Internet Protocol (IP) address. Where such information relates to an identified or identifiable individual, it is treated as Personal Data and processed in accordance with this Policy and applicable data protection laws.


2. Non-Personal and Aggregated Data from Customer Representatives
   CleverTap may process certain information relating to Customer Representatives that is generated through their interaction with the CleverTap Service and that does not, on its own, identify an individual. Such information may include referring and exit URLs, browser type, device or operating system information, and aggregated or anonymized location or usage data, where such data cannot reasonably be used to identify an individual. CleverTap, and its authorized third-party service providers, may process this information automatically through the use of technologies such as cookies, web beacons, and pixel tags, as further described in this Policy. Where such information relates to an identified or identifiable individual, it is treated as Personal Data and processed in accordance with this Policy and applicable data protection laws.
   CleverTap processes Non-Personal and aggregated information for purposes that include providing and operating the CleverTap Service, enhancing service functionality, troubleshooting and administration, analyzing trends, generating statistical or demographic insights, complying with applicable legal obligations, and cooperating with lawful requests from public authorities. CleverTap may share such Non-Personal or aggregated information with authorized third-party service providers solely for these purposes and in accordance with applicable contractual and legal requirements.


3. Non-Personal and Aggregated Data from Customer End Users
   Customers may submit to the CleverTap Service certain data relating to Customer End Users that does not, on its own, identify an individual, including aggregated or anonymized data (“Non-Personal Data”). CleverTap processes such data solely on behalf of and in accordance with the instructions of its Customers, as set forth in the applicable contractual arrangements. CleverTap does not process such Non-Personal Data for independent purposes and will not use, disclose, or otherwise process such data except as necessary to provide and enhance the CleverTap Service, as instructed by the Customer, or as required by applicable law. Where data submitted by a Customer is combined with other information or otherwise becomes identifiable, such data is treated as Personal Data and processed in accordance with this Policy and applicable data protection laws.

Data Tracking and Cookies

1. Cookies. CleverTap uses cookies and similar technologies to operate, maintain, and enhance the CleverTap Service and to improve user experience. Cookies are small text files stored on a user’s device that enable certain functionality and help collect information about interactions with the CleverTap Service. Depending on the context and configuration, cookies may process information such as pages viewed, links clicked, session information, and other usage or technical data. Where such information relates to an identified or identifiable individual, it is treated as Personal Data and processed in accordance with this Policy and applicable data protection laws. Users may be able to manage or disable cookies through their browser settings or through other tools made available by CleverTap, subject to applicable legal requirements.
2. Other Tracking Technologies. CleverTap may also use technologies such as pixel tags and web beacons to understand usage of the CleverTap Service, measure performance of communications, and analyze trends. These technologies may collect information about interactions with the CleverTap Service or communications, such as whether an email was opened or a link was clicked. Such information is processed in accordance with this Policy and applicable law.
3. Third-Party Tracking and Choices. Certain third-party service providers or partners may place cookies or use similar technologies in connection with the CleverTap Service. The use of such technologies by third parties is governed by their respective privacy policies. Where required by applicable law, CleverTap provides users with choices regarding the use of cookies and similar technologies, including the ability to opt out of certain forms of tracking through available consent or preference management tools, browser settings, or industry opt-out mechanisms such as WebChoices.

Sensitive Data

Where CleverTap processes Sensitive Data (also referred to as “special categories of personal data” under applicable data protection laws), such as data revealing an individual’s health or medical conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, or sex life or sexual orientation, CleverTap will obtain affirmative, express consent (opt-in) from the individual where required by applicable law before such data is disclosed to a third party or used for a purpose other than the purpose for which it was originally collected or subsequently authorized.
Where CleverTap processes Sensitive Data on behalf of its Customers in its role as a data processor, responsibility for obtaining any required consent rests with the applicable Customer, and CleverTap processes such data solely in accordance with the Customer’s instructions and applicable contractual arrangements.

DISCLOSURES AND ONWARD TRANSFERS OF PERSONAL DATA

In order to operate its websites and provide the CleverTap Service, CleverTap may disclose Personal Data to third parties, including its service providers and vendors, that perform services on its behalf, such as payment processing, infrastructure hosting, database management, analytics, and professional services. CleverTap limits such disclosures to what is reasonably necessary for the performance of the applicable services and does not disclose Personal Data for purposes unrelated to the original purpose of collection or processing.
CleverTap requires third parties that process Personal Data on its behalf to enter into appropriate contractual commitments to process such data only for the specified purposes, to implement appropriate safeguards, and to provide at least the same level of protection for Personal Data as required under this Policy and the applicable Data Privacy Framework Principles.
CleverTap may also disclose Personal Data to its affiliates where necessary for legitimate business operations and, where applicable, to Customers or other parties solely to the extent required to fulfil a request or instruction initiated by the relevant individual or Customer, and in accordance with applicable contractual and legal obligations.
CleverTap remains responsible and liable under the Data Privacy Framework Principles for the processing of Personal Data it transfers to third parties acting on its behalf, unless CleverTap demonstrates that it is not responsible for the event giving rise to the damage.
CleverTap may also be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, as permitted under applicable law.

EUROPEAN UNION (EU) AND UNITED KINGDOM (UK) RESIDENTS

The EU General Data Protection Regulation (“GDPR”) and the UK GDPR provide individuals residing in the European Union and the United Kingdom with certain rights regarding the processing of their Personal Data. These rights include the right to:

• Be informed about the processing of Personal Data
• Access Personal Data
• Rectify inaccurate or incomplete Personal Data
• Request erasure of Personal Data
• Restrict processing of Personal Data
• Receive Personal Data in a portable format
• Object to the processing of Personal Data
• Not be subject to a decision based solely on automated processing, including profiling
• Lodge a complaint with a competent data protection supervisory authority

Where CleverTap processes Personal Data as a data controller, CleverTap is committed to responding to applicable requests to exercise these rights in accordance with GDPR and UK GDPR requirements. Individuals may submit requests or inquiries by contacting CleverTap at privacy@clevertap.com. Where CleverTap processes Personal Data on behalf of its Customers as a data processor, requests to exercise data subject rights should be directed to the applicable Customer, who acts as the data controller. CleverTap will provide reasonable assistance to Customers, as required under applicable law and contractual arrangements, to support the handling of such requests. EU residents have the right to lodge a complaint with their local supervisory authority in the EU or European Economic Area, and UK residents have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO).

EU-U.S. DATA PRIVACY PROGRAM FRAMEWORK COMPLIANCE

CleverTap complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), as set forth by the U.S. Department of Commerce. CleverTap has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles and the UK Extension to the EU-U.S. DPF Principles with regard to the processing of personal data received from the European Union, the United Kingdom and Gibraltar, in reliance on the EU-U.S. DPF. CleverTap has also certified that it adheres to the Swiss-U.S. DPF Principles with regard to the processing of personal data received from Switzerland, in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms of this Privacy Policy and the EU-U.S. DPF Principles, the UK Extension Principles, and/or the Swiss-U.S. DPF Principles, the applicable DPF Principles shall govern. To learn more about the Data Privacy Framework program, and to view CleverTap’s certification, please visit Data Privacy Framework.
The Federal Trade Commission (FTC) has jurisdiction over CleverTap’s compliance with the Data Privacy Framework. In compliance with the EU-U.S. Data Privacy Framework Principles, CleverTap commits to resolve complaints regarding the collection or use of personal data transferred to the United States in reliance on the DPF. European Union, United Kingdom, Gibraltar, and Swiss individuals with inquiries or complaints regarding CleverTap’s DPF compliance should first contact CleverTap at privacy@clevertap.com.
If a complaint cannot be resolved directly with CleverTap, CleverTap has committed to cooperate with and refer unresolved complaints to Data Privacy Framework Services, operated by BBB National Programs, an independent dispute resolution mechanism. This service is provided free of charge to individuals. For more information or to file a complaint, please visit Data Privacy Framework Services – For Consumers.
Under certain conditions, if a complaint cannot be resolved through the above mechanisms, individuals may invoke binding arbitration as a last resort in accordance with the Data Privacy Framework’s arbitration procedures. Additional information regarding binding arbitration is available at Data Privacy Framework.

CHANGES TO THIS POLICY

This Policy may be amended from time to time to reflect changes in our privacy practices, applicable laws, or the Data Privacy Framework Principles. Any amendments will be made in a manner consistent with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and other applicable data protection and privacy laws. If we make material changes that affect how Personal Data is processed, we will provide appropriate notice, such as by posting a notice on our website prior to the changes becoming effective. We encourage individuals to periodically review this Policy to stay informed about our privacy practices.

DEFINED TERMS

For the purposes of this Policy, the following terms have the following meaning;
1. Personal Data. For the purposes of this Policy, “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”), as defined under applicable data protection laws, including the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK General Data Protection Regulation. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
2. Data Subject. “Data Subject” means an identified or identifiable natural person whose Personal Data is processed, directly or indirectly, as described in this Policy.
3. Sensitive Data (Special Categories of Personal Data). “Sensitive Data” (also referred to as “special categories of personal data”) means Personal Data that reveals or relates to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or medical conditions, genetic data, biometric data, sex life, or sexual orientation, as defined under applicable data protection laws. Personal Data relating to criminal convictions and offences is subject to additional protections under applicable law and is treated with the same level of care and safeguards as Sensitive Data where required.

Exhibit A

Leanplum, LLC.