California Privacy Notice

This California Privacy Notice ("Notice") supplements the information in Duodata's general Privacy Policy and applies solely to individual residents of California ("consumers") who use our Services or visit our website. We adopt this Notice to comply with the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act (collectively, "CCPA") and other California privacy laws. Any terms defined in the CCPA have the same meaning when used in this Notice. If there is any conflict between this Notice and other sections of our Privacy Policy regarding California consumers, this Notice will control for California residents.

Scope

Duodata is a B2B software provider, and in many cases we act as a "service provider" processing personal information on behalf of our business customers. This Notice applies to personal information that Duodata collects and uses in our capacity as a "business" under the CCPA, for example, information we collect from our website visitors, account holders, and business contacts. It does not apply to any Customer Data that we host or process on behalf of our customers through our Services. In those cases, our customer's privacy policy governs, and individuals should direct any rights requests to the relevant customer who is the data controller.

1. Categories of personal information we collect

In the past 12 months, Duodata may have collected the following categories of personal information about California consumers. We provide examples of the data in each category for clarity.

• Identifiers: Such as real name, business or personal contact information (email address, telephone number, company name, job title), account login credentials (username and password), or other similar identifiers.
• Customer records information: This includes information covered by the California Customer Records law (Cal. Civ. Code section 1798.80(e)), such as mailing address, telephone number, and payment information (for example, billing address or the last four digits of a payment card). Duodata uses third party payment processors and does not store full card numbers.
• Commercial information: Records of products or services purchased or considered, subscription plan details, account history, and usage logs of our Services (for example, features used, transaction history within the platform).
• Internet or other electronic network activity: Information automatically collected from your use of our website or Services, such as your IP address, device identifiers, browser type, operating system, pages or features you access, date and time stamps, and analytics data regarding your interaction with our site or app. This may also include cookies or similar tracking technologies on our website.
• Geolocation data: General location information inferred from your IP address (for example, city or region). Duodata does not collect precise geolocation such as GPS level data from users.
• Professional or employment information: If you interact with us in a business context, we may collect your employer's name, your title or role, and other professional details (for example, when you sign up with a company email or if your employer designates you as an account user).
• Inferences: Inferences drawn from the above information to personalize your experience or improve our Services (for example, inferring your preferences or potential interest in certain features based on your usage). These inferences are only used internally by Duodata to enhance service functionality and are not sold or shared.

Duodata does not collect sensitive personal information such as Social Security numbers, driver's license numbers, precise geolocation, or biometric data from consumers for purposes beyond what is necessary to provide the Services. While we may process account authentication information (like passwords or security tokens) and any sensitive data our customers choose to upload into the platform, we only use such sensitive information to provide and secure our Services, not for inferring characteristics about consumers. Therefore, the right to limit the use of sensitive personal information (as provided by the CCPA) is generally not applicable to our practices.

2. Sources of personal information

We collect the personal information described above from the following types of sources:

• Directly from you: We receive most information directly from you. For example, you provide personal identifiers and payment details when you create an account, sign up for a subscription, enter information into our platform, fill out a form on our website, or communicate with us (such as contacting support or giving feedback).
• Automatically from your use of our Services: As you interact with our website or application, we (or our authorized service providers) use cookies, logs, and other tracking technologies to collect internet or network activity information and device information automatically.
• From your organization: If you use Duodata as an authorized user under a company account, we may receive your personal information from your employer or organization (for example, your company may provide your name and email to set up your user account).
• From third parties or partners: We may receive personal information from third parties in some cases, for example, if you register for Duodata via a referral or integration partner, if you sign in using a third party identity provider, or if we obtain marketing leads from reputable business contact databases. We only collect and use such data in compliance with applicable law.

3. Business purposes for collecting and using personal information

Duodata collects, uses, and discloses the personal information described above for the following business and commercial purposes:

• Providing and improving Services: To provide, maintain, and support our SaaS platform and services. For example, we use personal information to set up your account, authenticate you when you log in, operate the platform's functionality for your use, and process transactions or subscription fees. We also analyze usage data and feedback to understand performance and improve our Services, develop new features, and enhance user experience.
• Communicating with you: To communicate with you about your account, provide customer support, send service alerts or important updates (such as security or performance notices), and respond to your inquiries or requests.
• Marketing and updates in a B2B context: To send you informational or promotional content about new features, industry insights, events, or newsletters if you are a business contact or have opted to receive such communications. We will always honor your opt out or unsubscribe requests for marketing communications. We do not sell your data for third party marketing.
• Analytics and personalization: To analyze website traffic and user interactions in order to personalize content and refine our marketing strategy. Any analytics or advertising cookies are handled in accordance with our cookie practices and your preferences.
• Security and fraud prevention: To maintain the security of our Services, including detecting and preventing fraudulent activity or unauthorized access. We monitor and audit usage, log access data, and use various security tools to protect against malicious or illegal activity.
• Legal compliance: To comply with applicable legal obligations, such as responding to valid legal process (subpoenas or court orders), satisfying government reporting requirements, or exercising legal rights (establishing or defending against legal claims).
• Business operations: To support core business functions such as accounting, auditing, payment processing, and recordkeeping. For instance, we use purchase information for invoicing and financial reporting.
• Corporate transactions: In the event of a potential or actual merger, acquisition, bankruptcy, or other sale or transfer of all or part of our business, personal information may be transferred to a successor or affiliate as part of that transaction as permitted by law. We would require the new owner to continue honoring the privacy protections described in this Notice.

We will not use the personal information we collected for materially different, unrelated, or incompatible purposes without providing you notice and obtaining your consent where required.

4. Disclosure of personal information to third parties

Duodata may disclose personal information to third parties for our business purposes. In the preceding 12 months, we have disclosed the categories of personal information listed above to the following categories of third parties:

• Service providers and contractors: We share personal information with trusted service providers and contractors who assist us in operating our business and Services. This includes cloud hosting providers (for data storage and servers), payment processors, customer support software providers, email and communications services, analytics providers, and other IT or security vendors. These third parties process personal information on our behalf for the purposes described in this Notice and are contractually obligated to protect it and use it only as necessary to perform services for us.
• Integration partners: If you choose to integrate Duodata with third party services (for example, connecting an external database or a third party application to our platform), we will share data at your direction with those third parties as needed to facilitate the integration. Such transfers are part of providing the Services at your request, and the third party's use of that information is governed by their own privacy policy.
• Affiliates: We may share personal information with our corporate affiliates for purposes consistent with this Notice, such as internal administration, technical operations, or providing you with services that integrate with our platform.
• Legal and safety recipients: We may disclose personal information to government authorities, law enforcement, or other parties when required to do so by law or legal process, or where we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.
• Business transfers: As noted above, in a merger, acquisition, financing due diligence, reorganization, bankruptcy, or sale or transfer of all or part of our business, personal information may be disclosed or transferred to the succeeding entity as part of that transaction.

Duodata does not sell personal information to third parties for monetary consideration. We also do not share personal information with third parties for cross context behavioral advertising purposes as "share" is defined under the CCPA. In other words, Duodata will not disclose or transfer your personal data to outside companies for their own marketing or advertising purposes. In the past 12 months, we have not sold any personal information and have not shared personal information for targeted advertising. Because we do not sell or share personal data in this manner, we do not offer a "Do Not Sell or Share My Personal Information" opt out link. If our practices change in the future, we will update this Notice and provide appropriate opt out mechanisms as required by law.

We may disclose any of the categories of personal information listed in Section 1 for our legitimate business purposes as described here, for example to our service providers. We do not disclose sensitive personal information except as necessary to provide the Services (for example, transmitting payment info to a payment processor, or processing login credentials to authenticate users).

5. Your California privacy rights

If you are a California resident, the CCPA provides you with specific rights regarding your personal information. This section describes those rights and how you can exercise them. Duodata will not discriminate against you for exercising any of these rights.

• Right to know (access): You have the right to request that we disclose to you the personal information we have collected about you and how we have handled it, including: (i) the categories of personal information we have collected about you; (ii) the specific pieces of personal information we have collected about you; (iii) the categories of sources from which the personal information was collected; (iv) our business or commercial purposes for collecting that information; (v) the categories of third parties to whom we disclosed your personal information; (vi) if we have sold or shared your personal information, the categories of personal information so sold or shared and the categories of third parties to whom we sold or shared it; and (vii) if we disclosed your personal information for a business purpose, the categories of personal information and recipients for each type of disclosure. We generally provide this information for the 12 month period preceding your request.
• Right to delete: You have the right to request that we delete personal information we have collected from you and retained, subject to certain exceptions. Once we receive and confirm a verifiable deletion request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. We may deny a deletion request (or retain certain information) if retaining the information is necessary for us or our service providers for purposes permitted by CCPA, for example, to complete a transaction, detect security incidents, debug and fix errors, exercise or defend legal claims, or comply with legal obligations.
• Right to correct: You have the right to request that we correct inaccurate personal information we maintain about you. Upon a verifiable correction request, we will use commercially reasonable efforts to correct the inaccurate information, taking into account the nature of the information and the purposes of the processing.
• Right to opt out of sale or sharing: You have the right to direct a business that sells or shares personal information to stop selling or sharing your personal information. As noted above, Duodata does not sell or share personal information as those terms are defined under the CCPA, so this right is not currently applicable to our practices.
• Right to limit use of sensitive personal information: If a business uses or discloses sensitive personal information beyond certain exempt purposes, California residents have the right to direct the business to limit the use of their sensitive personal information to purposes that are necessary to provide the services. As noted above, Duodata does not use sensitive personal information in ways that would trigger this right.
• Right to non discrimination: You have the right not to receive discriminatory treatment by Duodata for exercising any of your California privacy rights. We will not deny you Services, charge you different prices, or provide a different level of quality solely because you exercised your CCPA rights. However, if the exercise of your rights prevents us from providing the Services (for example, if you request deletion of all data needed to maintain your account), we may not be able to continue providing certain features.

6. How to exercise your rights

If you are a California resident and wish to exercise any of the rights described above, you or your authorized representative may submit a verifiable consumer request to Duodata by any of the following methods:

• Email: Send an email to privacy@duodata.ai with the subject line "CCPA Request" and in the body specify which right you seek to exercise (for example, Access/Know, Deletion, Correction). Please include sufficient information that allows us to verify your identity (such as your name, the email address associated with your Duodata account or interactions, and any relevant context).
• Mail: Send a letter to:

  Privacy Team - CCPA Request
  Duodata Inc.
  1700 Westlake Ave N
  Seattle, WA 98109

• Authorized agents: You may designate an authorized agent to make a request on your behalf. If an agent submits a request for you, we may require proof that you gave the agent signed permission to submit the request, and we may also require you to verify your identity directly with us or confirm that you authorized the agent.

Verification process: For your protection, we can only fulfill requests when we have confidence in the requester's identity. When you submit a request, we will take steps to verify your identity to a reasonable degree of certainty before processing the request. This may involve matching information you provide in the request (such as email address, phone number, and recent interactions) with the information we have on file. If we cannot verify your identity, we may not be able to honor the request and will explain why.

Response timing and format: We will acknowledge receipt of your request within the time required by law and aim to substantively respond within 45 days of receiving a verifiable request. If we need more time (up to an additional 45 days), we will inform you of the reason and extension in writing. If you have an account with us, we will deliver our written response to that account or via the email associated with the account. If you do not have an account, we will deliver the response via mail or email, depending on what you provide. We do not charge a fee to process or respond to your request unless it is excessive, repetitive, or manifestly unfounded.

7. Other California privacy disclosures

Shine the Light: California's "Shine the Light" law (Civil Code section 1798.83) gives California residents the right to request certain information about personal information (if any) that a business discloses to third parties for their own direct marketing purposes. Duodata's policy is not to disclose personal information of our customers or users to third parties for their own direct marketing purposes without your consent. Because we do not share your personal information with unaffiliated third parties for their own marketing, we believe we are exempt from this requirement. If you still wish to make a Shine the Light request, you may do so by contacting us at privacy@duodata.ai. In your request, please attest to the fact that you are a California resident and provide a current California address for our response.

Do Not Track signals: California law requires us to state how we respond to web browser "Do Not Track" signals. At this time, there is no uniform industry standard for how to interpret DNT signals. Duodata does not track users across third party websites over time, and we do not use information collected from our website to serve targeted advertising on third party sites. You can control cookies through your browser settings and, if a cookie banner is present, through your cookie preferences.

Minors: Our Services are intended for business use and are not directed to children or minors. If you are a California resident under age 18 and have posted content or information publicly on a Duodata website or forum, you may request removal of that content under California Business and Professions Code section 22581 by contacting us at privacy@duodata.ai with details of where the content is posted. Note that this removal does not ensure complete removal (for example, content that was reposted by others may not be removed), and we may not remove content that we are required to retain by law.

8. Updates to this California Privacy Notice

We may update this California Privacy Notice from time to time in order to reflect changes in our practices or to remain compliant with relevant laws. When we make changes, we will update the "Last updated" date at the top of this Notice. For significant changes, we may provide a more prominent notice, such as via our website homepage or a notification to registered users. We encourage you to review this Notice periodically for the latest information on our California privacy practices.

9. Contact us

If you have any questions or concerns about this California Privacy Notice, or about Duodata's privacy practices in general, please contact us at the address below. You may also review our Privacy Policy, Terms of Use, and Security page for additional information.

Duodata Inc.
Attn: Privacy Team - California Privacy Notice
1700 Westlake Ave N
Seattle, WA 98109
Email: privacy@duodata.ai