EU-U.S. Data Privacy Framework Policy

In accordance with our commitment to protect personal privacy, WizRocket Inc. and its U.S. operating subsidiaries (including those entities listed in Exhibit A) (collectively referred to as “CleverTap”, “we,” “us,” or “our”) provides its customers (“Customers”) with the ability to analyze how their end users (“Customer End Users”) interact with Customer website(s) or mobile application(s) and the ability to contact Customer End Users via the CleverTap service platform (the “CleverTap Service”). Customers’ users of the Service and other representatives of our Customers (collectively, “Customer Representatives”) interact with CleverTap to establish, maintain and manage their use of the CleverTap Service. CleverTap complies with the EU-U.S. Data Privacy program Framework (EU-U.S. DPF), the UK Extension to the EU-US DPF, and the Swiss-U.S. Data Privacy program Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. CleverTap has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework program Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF. CleverTap has certified that it adheres to the UK Extension to the EU-US Data Privacy Framework with regard to the processing of personal data received from the United Kingdom and Gibraltar. CleverTap has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework program principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the UK Extension to the DPF Principles, and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

The Federal Trade Commission (FTC) has jurisdiction over CleverTap’s compliance with the EU-U.S. Data Privacy Program Framework.
All CleverTap employees who handle Personal Data from Europe and/or Switzerland are required to comply with the Principles stated in this Policy.

SCOPE OF THIS EU-U.S. Data Privacy Program Framework POLICY

This Policy applies to the processing of Personally Data that CleverTap receives or collects in the United States or transfers to the United States concerning Individuals who reside in the European Union, the United Kingdom and Gibraltar, or Switzerland.
This Policy does not cover data from which individual persons cannot be identified or situations in which pseudonyms are used. (The use of pseudonyms involves the replacement of names or other identifiers with substitutes so that identification of individual persons is not possible.)

TYPES AND USES OF COLLECTED INFORMATION

The types of information that we may collect (directly from you or from third-party sources) and our privacy practices depend on the nature of the relationship you have with CLEVERTAP and the requirements of applicable law. This section describes how we collect and use that information. This includes an overview of the type of information that we collect directly and automatically, the types of information that we receive from other sources, and why we collect that information.

CleverTap collects both Personal Data and Non-Personal Data:

Personal Data.“Personal Data” is information relating to a specific identified or identifiable person. Generally, CleverTap collects two types of Personal Data, Personal Data from Website users, Customer Representatives, and Personal Data from Customer End Users.

1. Website users
   CleverTap collects several types of information from and about users of our Website, including information by which you may be personally identified, such as name, company name, e-mail address, telephone number, or any other identifier by which you may be contacted online or offline (“identifiers”). We may also collect from job candidates, in the nature of professional or employment-related information, including education, employment, and employment history.


2. Personal Data of Customer Representatives
   CleverTap collects Personal Data from Customer Representatives relating to Customer accounts and management of them. For instance, when Customer Representatives engage in certain activities via the CleverTap Service, including but not limited to creating an account, sending feedback, or otherwise using or participating in the CleverTap Service (collectively, “Identification Activities”), we may ask Customer Representatives to provide certain information. If they elect to engage in an Identification Activity, however, we may ask them to provide us with certain Personal Data, such as name, address (including zip code), email address and/or telephone number. Depending on the Identification Activity, some of the information we ask Customer Representatives to provide may be identified as mandatory and some identified as voluntary. If Customer Representatives do not provide the mandatory information for a particular Identification Activity, they will not be permitted to engage in that Identification Activity with the CleverTap Service.
   As Customer Representatives navigate the CleverTap Service, we may also collect information through the use of commonly-used information-gathering tools, such as cookies and Web beacons (“Web Site Navigational Information”). Web Site Navigational Information includes standard information from Customers Representatives’ Web browsers (such as browser type and browser language), their Internet Protocol (“IP”) address, and the actions they take on the CleverTap Service (such as the Web pages viewed and the links clicked).
   Through our “import Customer End Users” feature option, a Customer Representative may also provide us with Personal Data about other Customer Representatives such as the name, company name, address, phone number, email address, and/or IP address of the Customer Representatives that you choose to share with us. When you provide us with Personal Data about Customer Representatives that have not provided Personal Data to us, we will only use this information for the specific reason for which it is provided, such as to add new records to your CleverTap account, or as agreed in the applicable agreement with Customer.
   We may use Personal Data from Customer Representatives to provide products and/or services to Customers, collect payment for our products and/or services, administer sweepstakes and contests, enhance the operation of the CleverTap Service, improve our marketing and promotional efforts, analyze the use of the CleverTap Service, improve the CleverTap Service, and tailor the experience of Customer Representatives in using the CleverTap Service. We may also use Personal Data to troubleshoot, resolve disputes, accomplish administrative tasks, contact Customer Representatives, enforce our agreements with Customers, including our Master SaaS Subscription Agreements or Terms of Service, and this Privacy Policy, comply with applicable law, and cooperate with law enforcement activities. The CleverTap Service may include social media features such as the Facebook “like” button or other associated social media buttons and widgets and such social media features which are hosted by a third party or directly on the CleverTap Service may collect Customer Representatives’ IP addresses and other information. Such interactions are governed by the applicable privacy policy of those social media features.


3. Customer End User Data
   As part of the provision of the CleverTap Service to Customers, CleverTap collects certain Personal Data and other, Non-Personal Data about Customer End Users as determined by the applicable Customer (“Customer End User Data”). CleverTap does not control or otherwise approve any messages or requests for Customer End User Data made by a Customer to a Customer End User. Customer End Users should be aware that a Customer can request such Customer End User Data from them in order to use the Customer’s website(s) and/or mobile application(s) and that Customer End User Data may then be included in the information given to CleverTap through your use of the CleverTap Service. Therefore, Customer End Users should review the privacy policy of a Customer’s website and/or mobile application to assess the security of any information a Customer End User discloses. To the extent that CleverTap does receive any Customer End User Data, CleverTap shall make reasonable efforts, consistent with the terms of this Privacy Policy, to maintain the confidentiality of such Customer End User Data. CleverTap has no direct relationship to the Customer End Users whose Customer End User Data it processes and such Customer End User who seeks access, or who seeks to correct, amend, or delete inaccurate Customer End User Data should direct his or her query to the applicable Customer for removal. Once such Customer requests removal of such applicable Customer End User Data, CleverTap will respond to such request within one month; provided that (i) such period may be extended by up to 2 additional months when necessary, taking into account the complexity and number of the requests and (ii) CleverTap shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.
   CleverTap’s Customers may electronically submit Customer End User Data to the CleverTap Service. CleverTap will not review, share, distribute, or reference any such Customer End User Data except as provided in CleverTap’s applicable agreement with Customer, or as may be required by applicable law. CleverTap acknowledges that Customer End Users have the right to access their Personal Data. If Personal Data pertaining to a Customer End User has been submitted to us by a Customer, and a Customer End User wishes to exercise any rights it may have to access, correct, amend, or delete such Personal Data, the Customer End User should inquire with the Customer directly. Because CleverTap personnel have limited ability to access data our Customers submit to the CleverTap Service, if a Customer End User wishes to make a request directly to CleverTap, please provide the name of the Customer who submitted your data to the CleverTap Service. We will refer your request to such Customer and will support them as needed in responding to your request within one month; provided that (i) such period may be extended by up to 2 additional months when necessary, taking into account the complexity and number of the requests and (ii) CleverTap shall inform you of any such extension within one month of receipt of the request, together with the reasons for the delay.

Non-Personal Data. “Non-Personal Data” is information that does not identify a specific person.

1. Website users
   CleverTap collects several types of information that is about you but individually does not identify you, information comprising communications with you, about your browsing sessions using the Website (Internet activity information), including, but not limited to, browsing history, search history, and information regarding a user’s interaction with the Website and/or geolocation information (based on IP address).


2. Non-Personal Data from Customer Representatives
   CleverTap may receive Non-Personal Data from Customer Representatives, which may include data such as the URL of the website a Customer Representative visited before participating in the CleverTap Service, the URL of the website visited after participating in the CleverTap Service, the type of browser the Customer Representative is using, or general and/or aggregated location data that does constitute Personal Data. We, and/or our authorized Third-Party Service Providers (defined below), may automatically collect this information when Customer Representatives visit or use the CleverTap Service through the use of electronic tools like Cookies and Web beacons or Pixel tags, as described below in this Privacy Policy.
   We use Non-Personal Data to provide products and/or services to Customer Representatives, enhance the operation of the CleverTap Service, troubleshoot, administer the CleverTap Service, analyze trends, gather demographic information, comply with applicable law, and cooperate with law enforcement activities. We may also share this information with our authorized Third-Party Service Providers to measure the overall effectiveness of our products and services.


3. Non-Personal Data from Customer End Users
   CleverTap’s Customers may electronically submit Non-Personal Data from Customer End Users to the CleverTap Service. CleverTap will not review, share, distribute, or reference any such Non-Personal Data except as provided in CleverTap’s applicable agreement with Customer, or as may be required by applicable law. CleverTap uses such Non-Personal Data for the purpose of enhancing or providing the CleverTap Service.

DATA TRACKING

Cookies. To facilitate and customize your experience with the CleverTap Service, we may store cookies on your computer or other similar device through which you access the CleverTap Service. A cookie is a small text file that is stored on your computer or other device for record-keeping purposes that contains information about you. We use cookies to save you time while using the CleverTap Service, remind us who you are, and track and target your interests in order to provide a customized experience. Cookies also allow us to collect Non-Personal Data from you, like which pages you visited, what links you clicked on, and how you used the CleverTap Service. Most browsers automatically accept Cookies, however, you may be able to modify your browser settings to decline cookies.
Other Tracking Devices. When you access the CleverTap Service, or open or click an email, pixel tags and web beacons generate a Non-Personally Identifiable notice of that action. Pixel tags allow us to measure and improve our understanding of visitor traffic and behavior on the CleverTap Service, as well as give us a way to measure our promotions and performance. We may also utilize pixel tags and web beacons provided by our marketing partners for the same purposes.
How to Opt-Out of Third-Party Tracking Technologies. The use of tracking technologies by third parties is subject to their own privacy policies, not this Privacy Policy, and we have no responsibility or liability in connection therewith. If you do not want the services that tracking technologies provide, you may be able to opt out by visiting http://www.aboutads.info/choices.

For sensitive information (e.g., that specifying medical/health conditions, racial/ethnic origin, political or religious beliefs, or sex life of the individual), organizations must obtain affirmative, express consent (opt-in) from individuals if such information is to be (i) disclosed to a third party or (ii) used for a purpose other than those for which it was originally collected or subsequently authorized by the individuals through the exercise of opt-in choice.

DISCLOSURES AND ONWARD TRANSFERS OF PERSONAL DATA

In order to operate our websites and provide services, we may provide personal, aggregate and other associated data to third parties including our services providers and vendors that provide or perform services for us, including services such as payment processing, database management, and professional services. CleverTap discloses Personal Data only to third parties who reasonably need to know such data for the scope of the initial transaction and not for other purposes.
Such third parties must agree to use the personal data only for the purpose for which they have been engaged by CleverTap and confirm that their privacy practices are consistent with this Policy.
On occasion, we may also share Personal Data concerning a visitor with our affiliates (such as a subsidiary or affiliate of our company) and Clients in furtherance of our operations and as needed to implement visitor request.
We remain responsible for the Personal Data that we share with third parties for processing on our behalf, and we remain liable under the Principles if such third parties process such Personal Data in a manner inconsistent with the principles if we are responsible for the event giving rise to the damage.
Please be aware that CleverTap may be required to disclose Personal Data in response to a lawful request by public authorities, including to meet national security or law enforcement requirements.

EUROPEAN UNION (EU) OR THE UNITED KINGDOM (UK) RESIDENTS

The EU and UK’s General Data Protection Regulation (GDPR) specifies that EU and UK residents have the following rights regarding the collection, storage, and processing of their personal information:

• Be informed
• Access
• Rectification
• Erasure
• Restrict processing
• Data portability
• To object
• To not be subject to a decision based solely on automated processing, including profiling
• To lodge a data protection complaint with your local supervisory authority

In compliance with both the EU and UK’s GDPR, CleverTap commits to resolving applicable inquiries and requests related to these rights. Residents of the EU and UK can send us an email to privacy@clevertap.com.

EU-U.S. DATA PRIVACY PROGRAM FRAMEWORK COMPLIANCE

CleverTap complies with the EU-U.S. Data Privacy Program Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Program Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. CleverTap has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework program Principles (EU-U.S. DPF Principles) and the UK Extension to the EU-U.S. DPF Principles with regard to the processing of personal data received from the European Union, the UK and Gibraltarin reliance on the EU-U.S. DPF. CleverTap has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework program principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the UK Extension to the EU-U.S. DPF Principles, and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.
In compliance with the EU-US Data Privacy Framework Principles, CleverTap commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the United States pursuant to the DPF Principles. European Union, UK, Gibraltarian, and Swiss individuals with DPF inquiries or complaints should first contact CleverTap at privacy@clevertap.com.
CleverTap has further committed to refer unresolved privacy complaints under the DPF Principles to an independent dispute resolution mechanism, Data Privacy Framework Services, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/programs/all-programs/dpf-consumers/ProcessForConsumers for more information and to file a complaint. This service is provided free of charge to you.
If your DPF complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See https://www.dataprivacyframework.gov/s/article/G-Arbitration-Procedures-dpf?tabset-35584=2

CHANGES TO THIS POLICY

This Policy may be amended from time to time, consistent with the Principles and applicable data protection and privacy laws. If we make any material changes we will notify visitors by means of a notice on our website prior to the change becoming effective. We encourage visitors to periodically review this page for the latest information on our privacy practices.

DEFINED TERMS

For the purposes of this Policy, the following terms have the following meaning;
Personal Data as defined under the European Union Regulation 2016/679 (the GDPR) means any information relating to an identified or identifiable natural person (‘data subject’)
Data Subject means an identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Sensitive Data (or special categories of personal data) means specifically personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, concerning health, genetic and biometric data, sex life, or sexual orientation. The same extra safeguards under the GDPR will apply to criminal convictions and offences data.

Exhibit A

Leanplum Inc.