CEARTscore Privacy Statement Effective as of December 1, 2025 When you use and interact with our website or services, communicate with us, visit our offices, or attend our events, we may collect, use, share and process information relating to individuals ("Personal Data"). This Privacy Statement (“Statement”) explains how CEART collects, uses, shares or otherwise processes Personal Data and the rights of individuals associated with that processing. 1. Responsible CEARTscore entity. CEARTscore, LLC and/or its affiliated entities (collectively, “CEART”, “we”, “us”, or the “Company”) act as the controllers of your Personal Data and are responsible for its processing, unless expressly specified below in this Statement. This Statement does not apply to the extent we process Personal Data as a processor or service provider on behalf of our customers, including where we offer our customers various services through which our customers (or their affiliates) collect, use, share or process Personal Data via our services. For detailed privacy information related to a CEART customer or a customer affiliate who uses CEART’s services as the controller, please contact our customer directly. We are not responsible for the privacy or data security practices of our customers, which may differ from those explained in this Statement. 2. When this Statement applies. This Statement applies to the processing of Personal Data collected by us when you: • Visit or interact with our websites that display or link to this Statement; • Visit or interact with our branded social media pages; • Visit our offices or other premises; • Receive communications from us or otherwise communicate with us, including but not limited to emails, phone calls, texts or faxes; • Use our services where we act as a controller of your Personal Data; • Register for, attend or take part in our events, webinars, programs, trainings, certifications, or contests; • Act as or work for a service provider or supplier to CEART, to the extent CEART acts as a controller with respect to your Personal Data; • Are employed by a customer using our services where your Personal Data has been shared with us in our capacity as a controller (for example, during the sales or contracting process); and • Participate in surveys, research or other similar data collection facilitated by us. When applications, connectors, extensions or other solutions are provided by us and they link to this Statement, this Statement applies. With regard to any offerings available from CEART but which are provided by third parties, the privacy statement of the relevant third party applies and this Statement does not. Our websites and services may contain links to other websites, applications, platforms and services maintained by third parties. CEART does not control these and the information practices of those third parties, including the social media platforms that host our branded social media pages, are governed by their own privacy statements. It is recommended that you read the applicable privacy statements carefully to understand their privacy practices. In some circumstances, we may also collect, or our partners provide us with, publicly available information which may contain Personal Data that you have published or that has been made available online. The way in which our partners collect this is detailed in their own privacy statements, available on their websites. CEART may use artificial intelligence (“AI”) to process your Personal Data, including to develop and deploy AI systems. Where AI is leveraged, it will only be used where legally permissible and in compliance with this Statement. For purposes of clarification, this Statement applies where CEART processes your Personal Data as a controller. It does not apply to Personal Data you voluntarily submit to our services as an authorized user of a CEART service; with regard to Personal Data you submit to our services, CEART acts as a processor. 3. Personal Data we collect from you. The Personal Data we collect directly from you depends on how you choose to interact with us and what you choose to share. This may include identifiers such as contact information, professional or employment-related information, financial account information, commercial information, visual information such as your image, and internet activity information, among others. Below are examples of the types of data we may collect in the following situations: Personal Data Collection Scenarios Situations Categories of Personal Data If you express an interest in obtaining additional information about our services; request customer support; use our “Contact Us” or similar features; register to use our websites or to receive communications; sign up for an event, webinar or contest; participate in a program, training, certification or survey; use our services; download certain content; or are employed by a customer using our services where your information has been shared with us Contact information, such as your name, job title, company name, address, phone number, email address, username and password, other information you have voluntarily chosen to share or communicate to CEART If you make purchases via our websites or register for an event or webinar Contact information, financial and billing information, such as billing name and address, credit card number or bank account information If you attend an event Attendee badge information which may include name, title, company name, address, country, phone number and email address, image and video, such as from CCTV footage If you register with us for purposes such as joining a community that we host or participating in a program Username, photo, video (such as during an online certification exam) or other biographical information, such as your occupation, location, social media profiles or usernames, company name, areas of expertise and interests If you interact with our websites or emails Information about your device and your usage of our websites or emails (such as Internet Protocol (IP) addresses or other identifiers), which may qualify as Personal Data (please see Section 4 below) using cookies, web beacons, or similar technologies If you use and interact with our services Information about your device and your usage of our services through log files and other technologies, some of which may qualify as Personal Data (including Usage Data) (please see Section 4 below) If you communicate with us via a phone call Information such as your name, voice, telephone number and any other Personal Data voluntarily shared If you visit our offices or other premises Name, email address, phone number, company name, time and date of arrival, image or video, such as from CCTV footage If you voluntarily submit certain information to us, such as filling out a survey, responding to a questionnaire or participating in other forms of research Information you have provided as part of that request, which may include Personal Data and special categories of Personal Data, to the extent you voluntarily choose to provide it If you are a supplier or service provider to CEART (or work for a supplier or service provider) Contact information, payment and billing information If you provide us, our service providers or our affiliates with any Personal Data relating to other individuals, you: • represent that you have the authority to do so, • where required, have obtained their necessary consent(s) to share their Personal Data with us for processing, and • acknowledge and accept that it may be used in accordance with this Privacy Statement. If you believe that your Personal Data has been provided to us improperly, or you want to exercise your rights relating to your Personal Data, please contact us by using the information in Section 13 below. 4. What Device and Usage Data do we process? We may use common information-gathering tools, such as tools for collecting data, cookies, web beacons, pixels, and similar technologies to collect information that may contain Personal Data as you navigate our websites, our services, or interact with emails we have sent to you. You can control cookies through your browser settings. 4.1 Device and Usage Data. As is the case with most websites, we may collect certain device information when individual users visit our websites. This information may include identifiers, commercial information, and internet activity information such as IP address (or proxy server information), device and application information, identification numbers and features, location, browser type, plug-ins, integrations, Internet service provider, mobile carrier, the pages and files viewed, searches, referring website, app or ad, operating system, system configuration information, advertising and language preferences, date and time stamps associated with your usage, and frequency of visits to the websites. This information is used for the purposes set forth below in Section 5 of this Statement. In addition, we collect certain information as part of your use of our services (“Usage Data”). This information may include: (i) identifiers, such as user ID, organization ID, username, email address and user type; (ii) commercial information; and (iii) internet activity information such as IP address (or proxy server), mobile device number, device and application identification numbers, location, language, browser type, Internet service provider or mobile carrier, user interactions such as the pages and files viewed, website and webpage interactions including searches and other actions you take, operating system type and version, system configuration information, date and time stamps associated with your usage and details of which of our services and versions you are using. This information is used for the purposes set forth in detail below in Section 5 of this Statement. We may also use aggregated Usage Data for legitimate internal business purposes, such as to identify additional customer opportunities, and to ensure that we are meeting the demands of our customers and their users. 4.2 Our use of cookies, web beacons and other tracking technologies on our website and in email communications to you. We may use technologies such as web beacons, pixels, tags, and JavaScript, alone or in conjunction with cookies, to collect information about the use of our websites and how people interact with our emails. When you visit our websites, we, or an authorized third party, may place a cookie on your device that collects information, including Personal Data, about your online activities over time and across different sites. Cookies allow us to track use, infer browsing preferences, and improve and customize your browsing experience. We may use both session-based and persistent cookies on our websites. Session-based cookies exist only during a single session and disappear from your device when you close your browser or turn off the device. Persistent cookies remain on your device after you close your browser or turn your device off. You can also control the use of cookies on your device, but choosing to disable cookies on your device may limit your ability to use some features on our websites and services. We may also use web beacons and pixels on our websites and in emails. For example, we may place a pixel in a marketing email that notifies us when you click on a link in the email. We use these technologies to operate and improve our websites and marketing emails – please see more details in the “Advertising Cookies” row in the table below. For instructions on how to unsubscribe from our marketing emails, please see Section 10.4 below. The following describes how we use different categories of cookies and similar technologies: Type of Cookies Description Required cookies Required cookies are necessary for basic website functionality. Some examples include: session cookies needed to transmit the website, aggregate site analytics cookies, authentication cookies, and security cookies. If you have chosen to identify yourself to us, we may place on your browser a cookie that allows us to uniquely identify you when you are logged into the websites and to process your online transactions and requests. Functional cookies Functional cookies enhance functions, performance, and services on the website. Some examples include: cookies used to analyze site traffic, cookies used for market research, and cookies used to display advertising that is not directed to a particular individual. Functional cookies may also be used to improve how our websites function and to help us provide you with more relevant communications, including marketing communications. These cookies collect information about how our websites are used, including which pages are viewed most often. We may use our own technology or third-party technology to track and analyze usage information to provide enhanced interactions and more relevant communications, and to track the performance of our advertisements. CEART may also use HTML5 local storage or Flash cookies for the above-mentioned purposes. These technologies differ from browser cookies in the amount and type of data they store, and how they store it. 4.3 Notices on behavioral advertising and opt-out for website visitors. As described above, we or one of our authorized partners may place, and read the data collected by, cookies on your device when you visit our websites for the purpose of serving you tailored advertising (also referred to as “online behavioral advertising” or “interest-based advertising”). 4.4 Telephony log information. If you use certain features of our services on a mobile device, we may also collect telephony log information (like phone numbers, time and date of calls, duration of calls, SMS routing information and types of calls), device event information (such as crashes, system activity, hardware settings, browser language), and location information (through IP address, GPS, and other sensors that may, for example, provide us with information on nearby devices, Wi-Fi access points and cell towers). 5. Purposes for which we process your Personal Data We collect and process your Personal Data (including, where legally permissible, special categories of Personal Data) for the following purposes: Purpose Description Providing our websites We process your Personal Data to operate and administer our websites, and to provide you with the content you access and request Improving our websites We process your Personal Data to analyze overall trends and help us improve the user experience on our websites Promoting the security of our websites We process your Personal Data by monitoring your use of our websites, and verifying and investigating activity Market research and the provision of personalized content We process your Personal Data (including Usage Data) to conduct market research, provide tailored/personalized information about us on our website and within the services, as well as to provide other personalized content based upon your activities and interests Registering visitors We process your Personal Data, including registration information and associated non-disclosure information, for security reasons Managing event registrations and attendance We process your Personal Data to plan and host events (including participation therein) for which you have registered or that you attend, including sending related communications to you Ensuring the safety and security of our offices, premises, employees, and events We process your Personal Data where necessary based on a credible threat to our employees, events, or premises Sending marketing communications We process your Personal Data (including Usage Data) to send you marketing information, service recommendations and other non-transactional communications (e.g., marketing newsletters, telemarketing calls, SMS, in-app nudges or push notifications, information about our services, news or events) about us, our affiliates and partners Prospecting sales leads We process your Personal Data to communicate with you, where legally permitted, following the expression of your interest in learning more about CEART Optimizing the sales process We process your Personal Data to increase productivity, streamline tasks, improve efficiency and increase deal velocity through the automation of our sales process Summarizing content We process your Personal Data to create summaries of our interactions with you, such as calls or emails Handling support or service-related requests We process your Personal Data if you request support, or raise service questions Providing our services We process your Personal Data to perform our contract with you for the provision of our services and to satisfy our obligations under the applicable terms of use Developing and optimizing the performance of our services We process your Personal Data to develop, optimize, and improve the performance of our services Managing our customer and user accounts We process your Personal Data (including Usage Data) to manage customer and user accounts generally and to document our interactions with you for purposes such as billing, customer correspondence, marketing and customer relationship management Managing usage and licensing compliance We process your Personal Data (including Usage Data) to assess and manage usage and licensing compliance with the applicable terms of use of our services Preparing internal reports and business modeling We process your Personal Data (including Usage Data) for internal reporting, and business modeling purposes such as forecasting, revenue, capacity planning, product strategy Maintaining our security We process your Personal Data (including your Usage Data) for the purposes of maintaining CEART’s own security, including investigating, detecting and preventing suspicious activity, fraud and cybercrime that may affect CEART or our services Undertaking financial reporting We process your Personal Data (including your Usage Data) for the purposes of financial reporting Aggregating data We process your Personal Data (including your Usage Data) for the purposes of aggregating this information to ensure that it is no longer identifying in certain contexts Complying with legal obligations and defending CEART We process your Personal Data (including Usage Data) when cooperating with public and government authorities, courts or regulators in accordance with our legal obligations under applicable laws or to defend the company, our employees or our property to the extent this requires the processing or disclosure of Personal Data to protect our rights If we need to collect and process Personal Data by law, or under a contract we have entered into with you, and you fail to provide the required Personal Data when requested, we may not be able to perform under our contract with you. 6. Who do we share Personal Data with? We may share your Personal Data as follows: • Service providers: With our contracted service providers, who provide services such as IT and system administration and hosting, credit card processing, research and analytics, marketing, events planning, customer support and data enrichment for the purposes described above in Section 5. Contracted service providers may also deliver AI and generative AI capabilities to allow us to analyze data, determine trends, make predictions and create AI-generated responses or other content for the purposes described above in Section 5; • CEART affiliates: With CEART affiliates to the extent such sharing of data is necessary to fulfill a request you have submitted via our websites or for customer support, marketing, technical operations, event registration, and account management purposes; • Event sponsors: If you attend an event or webinar organized by us, or download or access a resource on our website, we may share your Personal Data with the sponsors of the event or the sponsor of the resource. In these circumstances, the processing of your Personal Data will be governed by the relevant sponsors’ privacy statements, which we recommend you read carefully. If required by applicable law, we may seek your consent to such sharing via the registration form. If you do not wish for your Personal Data to be shared, you may choose to not opt-in via the event/webinar registration form, or you can opt-out in accordance with Section 10 below. In the event you choose to opt-in to have your badge scanned by an event sponsor, you are providing your Personal Data directly to the sponsor (not to CEART) and the processing of your badge data will be subject to the event sponsor’s privacy policy; • Partners: With specific partners that offer supplementary services to those provided by CEART, such as partners that offer sustainability resources (where required by applicable law, only to the extent you consent to such sharing); • Customers with whom you are affiliated and/or the applicable partner responsible for access to your services: If you use our services as an authorized user, we may share your Personal Data with your affiliated customer and/or the applicable partner responsible for your access to the services to the extent this is necessary for verifying accounts, activity and CEART certifications, investigating suspicious activity, or enforcing our terms and policies; • Contest and promotion sponsors: With sponsors of contests or promotions for which you register in order to fulfill the contest or promotion; • Professional advisers: In individual instances, we may share your Personal Data with professional advisers acting as service providers, processors, or joint controllers - including, for example, lawyers, bankers, auditors, and insurers who provide professional services to us; and • Public authorities: With legal bodies, judicial, public, and government authorities, to the extent we are compelled to disclose Personal Data to comply with our legal obligations. We may also share aggregated Usage Data with CEART’s service providers for the purpose of helping CEART conduct analyses and make improvements. Additionally, CEART may share Usage Data on an aggregate basis in the normal course of operating our business; for example, we may share information publicly to show trends about the general use of our services. 7. International transfer of Personal Data Your Personal Data may be transferred to and stored by us in the United States and by our affiliates and third parties listed in Section 6 above. Therefore, your Personal Data may be processed and stored outside your country or jurisdiction, including in places that are not subject to an adequacy decision by the European Commission or your local legislature or regulator, and that may not provide for the same level of data protection. We ensure that the recipient of your Personal Data provides an adequate level of protection and security, by entering into appropriate agreements, including, where required, standard contractual clauses or an alternative mechanism for the transfer of Personal Data as approved by the European Commission (Art. 46 GDPR) or other applicable regulators or legislators. Where required by applicable law, we will obtain your consent before processing, sharing, transferring and/or storing your Personal Data outside of your jurisdiction. Further, CEART commits to complying with law and regulation, to extent necessary based upon the amount, nature, and sensitivity of the Personal Data being processed, and the potential risk of harm from unauthorized use or disclosure of the Personal Data, applicable to CEART’s processing of your Person Data. If you have any questions or concerns regarding our handling of your Personal Data, please contact us using the contact information provided below. 8. Children Our websites and services are not directed at children. We do not knowingly collect Personal Data from children under the age of 13. We do not knowingly collect Personal Data for children between the ages of 13 and 18 unless we have obtained consent from a parent or guardian, such collection is subject to a separate agreement with us, or the visit by a child is unsolicited or incidental. If you believe we have mistakenly or unintentionally collected Personal Data from a child without appropriate consent, please contact us using the information in Section 13 below and we will take steps to delete their Personal Data from our systems as soon as possible. 9. How long do we keep your Personal Data? We may retain your Personal Data for a period of time consistent with the original purpose of collection (see Section 5 above) or as long as required to fulfill our legal or regulatory obligations. We determine the appropriate retention period for Personal Data on the basis of the amount, nature, and sensitivity of the Personal Data being processed, the potential risk of harm from unauthorized use or disclosure of the Personal Data, whether we can achieve the purposes of the processing through other means, and on the basis of applicable legal requirements (such as applicable statutes of limitation). After expiration of the applicable retention periods, your Personal Data will be deleted. If there is any data that we are unable, for technical reasons, to delete entirely from our systems, we will implement appropriate measures to prevent any further use of such data. 10. Your rights relating to your Personal Data 10.1 Your rights You may have certain rights relating to your Personal Data, subject to local data protection laws. Depending on the applicable laws these rights may include the right to: • Access your Personal Data held by us; • Know more about how we process your Personal Data; • Rectify inaccurate Personal Data and, taking into account the purpose of processing the Personal Data, ensure it is complete; • Erase or delete your Personal Data; • Restrict our processing of your Personal Data; • Transfer your Personal Data to another controller (data portability), to the extent possible; • Object to any processing of your Personal Data; • Opt out of certain disclosures of your Personal Data to third parties; • Know what categories of Personal Data are shared for delivering advertisements on non-CEART websites, applications, and services and the categories of recipients of such Personal Data; • Opt out of the sharing of your Personal Data for delivering advertisements on non-CEART websites, applications, and services; • If you’re under the age of 16, or such other applicable age of consent for privacy purposes in relevant individual jurisdictions, opt in to certain disclosures of your Personal Data to third parties; • Not be subject to a decision based solely on automated processing, including profiling, which produces legal effects ("Automated Decision-Making"); • Withdraw your consent at any time (to the extent we rely on consent as our legal basis for processing), without affecting the lawfulness of the processing based on such consent before its withdrawal; • Complain about the use of your Personal Data; • Not be discriminated against for exercising your rights as described above; and • Appeal our refusal to act upon your request to exercise a right relating to your Personal Data by following the steps provided in our response to your inquiry. Where we process your Personal Data for direct marketing purposes, you can exercise your right to object at any time to such processing without having to provide any specific reason for such objection. Note that Automated Decision-Making currently does not take place on our websites or in our services. 10.2 How to exercise your rights To exercise your rights, please contact us by using the information in Section 13 below. Your Personal Data may be processed in responding to these rights. We try to respond to all legitimate requests within one month unless otherwise required by law, and will contact you if we need additional information from you in order to honor your request or verify your identity. Occasionally it may take us longer than a month, taking into account the complexity and number of requests we receive. If you are an employee of a CEART customer, we recommend you contact your employer’s system administrator for assistance in correcting or updating your information. Some registered users may update their user settings, profiles, organization settings and event registrations by logging into their accounts and editing their settings or profiles. To update your billing information, discontinue your account or request return or deletion of your Personal Data and other information associated with your account, please contact us by using the information in Section 13 below. 10.3 Your rights relating to customer data As described above, we may also process Personal Data submitted by or for a customer to our services. If not stated otherwise in this Privacy Statement or in a separate disclosure, we process such Personal Data as a processor on behalf of our customer (and its affiliates) who is the controller of the Personal Data (see Section 1 above). We are not responsible for and have no control over the privacy and data security practices of our customers, which may differ from those explained in this Privacy Statement. If your Personal Data has been submitted to us by a CEART customer and you wish to exercise any rights you may have under applicable data protection laws, please direct your inquiry to them directly. 10.4 Your preferences for email and SMS marketing communications If we process your Personal Data for the purpose of sending you marketing communications, you may manage your receipt of marketing and non-transactional communications from CEART by clicking on the “unsubscribe” link located on the bottom of CEART marketing emails and by replying or texting ‘STOP’ if you receive CEART SMS communications. Please note that opting out of marketing communications will not stop important business communications related to your current relationship with us, such as service announcements, event registrations, or security information. 11. How we secure your Personal Data. We take appropriate precautions including organizational, technical, and physical measures to help safeguard against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure of, or access to, the Personal Data we process or use. While we follow generally accepted standards to protect Personal Data, no method of storage or transmission is 100% secure. You are solely responsible for protecting your password, limiting access to your devices, and signing out of websites after your sessions. 12. Changes to this Privacy Statement. We will update this Statement from time to time to reflect changes in our practices, technologies, legal requirements, and other factors. If we do, we will update the effective date as such is specified above the first paragraph of this Statement. If we make a material update, we may provide you with notice prior to the update taking effect, such as by posting a notice on our website or by contacting you directly, or where required under applicable law and feasible, request your consent to these changes. We encourage you to periodically review this Statement to stay informed about our collection, processing and sharing of your Personal Data. 13. Contacting us. To exercise your rights regarding your Personal Data, or if you have questions regarding this Statement or our privacy practices, you can contact us at: Physical Address: CEARTscore LLC Attn: Legal Dept. P.O. Box 765 Farmville, NC 27828 Email: Info@CEART.io