SecureCHEK AI will notify affected customers of any material changes to its sub-processor list in accordance with applicable Data Processing Agreement terms.

6.2  Business Transfers

We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business. We will notify affected individuals as required by applicable law.

6.3  Legal Requirements

We may disclose your information where required by law, regulation, legal process, or governmental request. Where permitted by law, we will notify you of such a request before complying. Where we receive legally binding requests that prohibit notification, we will use all lawful efforts to seek the right to notify and will inform the requesting authority of any conflict with applicable data protection obligations including Standard Contractual Clauses.

6.4  No Sale of Personal Information

SecureCHEK AI does not sell personal information to third parties. SecureCHEK AI has not disclosed or sold any personal information to third parties for a business or commercial purpose in the preceding twelve months and will not do so in the future.

7. International Data Transfers

SecureCHEK AI is headquartered in the United States with personnel in Serbia. Personal data of individuals located in the European Union or EEA may be transferred to and processed in the United States and Serbia.

SecureCHEK AI relies on the following transfer mechanisms for transfers of EU/EEA personal data to third countries:

• Standard Contractual Clauses (SCCs) — for transfers from the EU/EEA to the United States, SecureCHEK AI implements the EU Standard Contractual Clauses approved by the European Commission. SCCs are incorporated into Data Processing Agreements with enterprise customers.

• EU Adequacy Decision — Serbia has been granted an adequacy decision by the European Commission, meaning transfers of personal data from the EU/EEA to SecureCHEK AI’s Belgrade-based personnel do not require additional transfer mechanisms.

SecureCHEK AI’s secondary cloud infrastructure in the European Union enables data residency options for customers with EU data processing requirements. Customers with specific data residency requirements should raise these during engagement scoping.

8. Cookies and Tracking Technologies

We may use cookies and similar tracking technologies such as web beacons and pixels to access or store information when you visit our website. You can control cookie settings through your browser. Most browsers allow you to refuse cookies or to be alerted when cookies are being sent. Note that disabling cookies may affect certain features of our website.

Regarding Do-Not-Track signals: no uniform technology standard for recognizing and implementing DNT signals has been finalized. We do not currently respond to DNT browser signals. If a standard is adopted that we must follow we will inform you in a revised version of this notice.

9. Data Retention

We retain personal information only for as long as necessary for the purposes set out in this Privacy Policy, or as required by applicable law, regulation, or contractual obligation.

• Website visitor and prospect data — retained for the duration of the business relationship and for a reasonable period thereafter for legitimate business purposes.

• Platform user data — retained for the duration of the customer’s active subscription and for up to 60 days following contract termination, after which it is securely deleted in accordance with our Data Management Policy and the applicable Data Processing Agreement.

• Personally identifiable information — deleted or de-identified as soon as it no longer has a legitimate business purpose. PII is also deleted in response to a verified data subject deletion request where no legal obligation to retain exists.

• Security and audit records — retained in accordance with SecureCHEK AI’s Global Record Retention Schedule, typically 1–5 years depending on record category.

• Legal hold — where records are subject to legal proceedings, retention is governed by SecureCHEK AI’s legal counsel regardless of standard retention periods.

When we have no ongoing legitimate business need to process your personal information, we will delete or anonymize it. Where deletion is not immediately possible (for example in backup archives), we will securely store and isolate the information from further processing until deletion is possible, and issue a deletion certificate upon completion.

10. How We Keep Your Information Safe

SecureCHEK AI has implemented appropriate technical and organizational security measures to protect your personal information, aligned with SOC 2 Trust Services Criteria. These include:

• AES-256 encryption at rest and TLS 1.2 or higher encryption in transit for all personal data.

• Least-privilege access controls restricting access to personal data to authorized personnel with a documented business need.

• Multi-factor authentication required for all system access.

• Audit logging of all access events with monitoring and alerting for anomalous activity.

• Regular vulnerability scanning and at minimum annual penetration testing.

• Formal incident response procedures with breach notification obligations.

• Background checks for all personnel with access to confidential information.

Despite our safeguards, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure. We cannot promise or guarantee that unauthorized third parties will not be able to defeat our security measures. You should only access our Services within a secure environment.

11. Collection of Information From Minors

We do not knowingly solicit data from or market to children under 18 years of age. By using our Services, you represent that you are at least 18 years of age. If we learn that personal information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data. If you become aware of any data we may have collected from children under age 18, please contact us at privacy@securechek.ai.

12. Your Privacy Rights

12.1  Rights for EEA, UK, and Swiss Residents (GDPR)

If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights regarding your personal data:

• Right of access — to obtain a copy of your personal data and information about how it is processed.

• Right to rectification — to request correction of inaccurate or incomplete personal data.

• Right to erasure — to request deletion of your personal data in certain circumstances.

• Right to restriction — to request that we restrict processing of your personal data in certain circumstances.

• Right to data portability — to receive your personal data in a structured, machine-readable format.

• Right to object — to object to processing of your personal data where we rely on legitimate interests as the legal basis.

• Right to withdraw consent — where processing is based on consent, to withdraw consent at any time without affecting the lawfulness of prior processing.

• Right to lodge a complaint — to lodge a complaint with your local data protection supervisory authority.

EEA supervisory authority contacts: https://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm

Swiss supervisory authority: https://www.edoeb.admin.ch/edoeb/en/home.html

12.2  Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the following specific privacy rights:

• Right to know — to request disclosure of the categories and specific pieces of personal information we have collected, the sources, the purposes for collection, and the categories of third parties with whom we share it.

• Right to delete — to request deletion of your personal information, subject to certain exceptions provided by law.

• Right to correct — to request correction of inaccurate personal information.

• Right to opt out of sale — SecureCHEK AI does not sell personal information. No opt-out is required.

• Right to non-discrimination — we will not discriminate against you for exercising your privacy rights.

California Civil Code Section 1798.83 (“Shine The Light” law) permits California residents to request information about disclosures of personal information to third parties for direct marketing purposes. Please contact us at privacy@securechek.ai to make such a request.

12.3  Exercising Your Rights

To exercise any of the rights described above, please contact us at privacy@securechek.ai. We will respond to all verifiable requests within the timeframes required by applicable law. We may need to verify your identity before processing your request. We will not discriminate against you for exercising your rights.

13. Updates to This Privacy Notice

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or operational environment. The updated version will be indicated by an updated date at the top of this document and will be effective as soon as it is accessible. If we make material changes, we may notify you by prominently posting a notice or by sending you a direct notification. We encourage you to review this Privacy Policy periodically.

14. How to Contact Us

If you have questions or comments about this Privacy Policy, wish to exercise your privacy rights, or have a complaint about how we handle your data, please contact us:

Email: privacy@securechek.ai

Post:

SecureCHEK AI Inc

303 E 57th Street Suite 21B

New York, NY 10022

United States

Document Control