XTRM, Inc. Privacy Policy
XTRM, Inc. ("XTRM", "we" and "us") respects your privacy. We offer services that enable merchants to
run businesses, and to conduct online payment transactions.
1. Your Privacy Rights
2. Scope and Consent
3. Collection of Personal Information
4. Information We Collect Automatically
5. Information Collected via the XTRM Services
6. Information Collected in Connection with Fraud Monitoring
7. How We Use the Information We Collect
8. Third Party Use of Cookies
9. Operations and International Transfers
10. How We Share Information with Third Parties
11. Your Choices About Personal Information
12. Links to Third-Party Websites
13. Biometric Information
14. Rights Afforded to Certain Individuals (EU/UK, CA, NV)
15. Children’s Privacy
16. Data Storage and Retention
17. Changes to This Policy
18. Contact Us
Your Privacy Rights
This Privacy Policy describes the types of personal information we collect through our payments products and services ("XTRM Services") and via our online presence, which include our main website at xtrm.com, other websites operated by us that we enable users to access via internet, and our mobile applications (collectively, our "Sites"). This policy also describes how we use personal information, with whom we share it, your privacy rights and choices regarding our collection, use, storage, sharing and protection of your personal information, and how you can contact us about our privacy practices. The use of the XTRM Services and Sites is also subject to our Terms and Conditions, which are available here.
XTRM obtains personal information about you from various sources to provide our XTRM Services and
to manage our Sites. "You" may be a visitor to one of our websites ("Visitor"), a user of one or more of
our Services ("User"), or a customer of a User ("Customer"). If you are a Customer, XTRM will generally
not collect your personal information directly from you. Your agreement with the relevant User should
explain how the User shares your personal information with XTRM, and if you have questions about this
sharing, then you should direct those questions to the User.
Scope and Consent
You accept and expressly consent to the information-handling practices described in this Privacy Policy
when you sign up for, access, or use our products, XTRM Services, or Sites. If you do not agree with this Privacy Policy or consent to our collection, use, and disclosure of your personal information as described
herein, do not access or use our products, the XTRM Services, or our Sites or provide us with your
information.
We reserve the right to amend or update this Privacy Policy from time to time, or to create additional
policies, in order to accurately reflect changed circumstances or new legal requirements. As a result, it
is important that you read this Privacy Policy closely so that you are fully aware of how and why we are
using your personal information.
We may amend this Privacy Policy at any time by posting a revised version on our website. The revised
version will be effective as of the published "Last Updated" date. Continued use of our Sites or the
XTRM Services after any changes is deemed to be acceptance of those changes.
Collection of Personal Information
For the purposes of this Privacy Policy, "personal information" is any information that identifies, relates
to, or can be used to contact a particular individual. We may collect the following types of personal
information:
Users and Visitors
- Contact information – first name, last name, email address, name and mailing address of your organization, billing address, and telephone number.
- Identity verification information – date of birth and government-issued identifiers, such as social security number, multi-factor authentication codes, tax ID number, and employer ID number.
- User account information – user ID, account username, account password, account number,
and other information that we may request or that you may provide relating to your account.
- Transactional information – details about your transactions with us, including method of
payment, payments received, payment details, transaction history, and other information
relating to the services purchased by you or your organization.
- Financial account information – details about the financial accounts you designate to make
payments or receive payments using the XTRM Services, including bank account number,
routing number, credit card number, debit card number, billing details.
- Marketing information – details regarding informational and promotional materials you may
have requested or received from us, the services in which you are interested, your receipt of
promotional communications, and information on your marketing or communication
preferences.
- Job applicant information - If you apply for a job through our Sites, contact information,
information regarding your qualifications and background, educational information, and any
other information you provide as part of your application or the application process.
- Communication information – copies of communications and inquiries you have submitted to
us, including through email, calls, and features available on our Site.
- Device and usage information – details regarding how and when you use our Sites and the
XTRM Services, including the device used to connect to the XTRM Services, your IP address and
device identifier, the frequency and duration of your usage, the pages you view, what websites
or search terms referred you to our Sites, and information about your interaction with our Sites.
If you are a User of XTRM Services or otherwise visit or use our Sites, we may collect personal
information when you visit or navigate our Sites, create an account or request access to or use of our
Services, submit online forms and surveys, contact us by email, phone, or otherwise, visit or engage with
our social media pages, or otherwise provide us with personal information. We may also collect
information about you from third-party sources and information about you that is publicly available.
We typically determine the purposes and means of processing this information and, as such, are the
"data controller" for such information under the European Union’s General Data Protection Regulation
("GDPR").
User’s Customers
- Contact information – first name, last name, email address, organization information, billing or shipping address, and telephone number.
- Transaction information - details about your transactions with us or the User, including method of payment, payments received, payment details, and transaction history.
- Financial account information – details about the financial accounts you designate to make payments or receive payments using the XTRM Services, including bank account number, routing number, credit card number, debit card number, billing details.
- Device and usage information – details regarding how and when you use our Sites and the XTRM Services, including the device used to connect to the XTRM Services, your IP address and device identifier, the frequency and duration of your usage, the pages you view, what websites or search terms referred you to our Sites, and information about your interaction with our Sites.
We collect, use and disclose personal information about Customers when we act as a User’s service
provider. In accessing this information on behalf of Users, we are acting as a "data processor" under
GDPR. Users are responsible for making sure that the Customer’s privacy rights are respected, including
ensuring appropriate disclosures about third party data collection and use are made to Customers. To
the extent that we are acting as a User’s data processor, we will process personal information in
accordance with the terms of our agreement with the User and the User’s lawful instructions.
If you are a Customer and would like to obtain more information about how a User uses third party
services like XTRM Services to process your personal information in the context of payment
transactions, please contact the User directly or visit the User’s privacy policy.
Aggregate or Anonymized Data
Please note that in each case above, we may aggregate or anonymize the foregoing types of information
such that they are no longer capable of identifying you, in which case they are no longer considered
"personal information."
Information We Collect Automatically
When you access or use XTRM Services and Sites, we collect information sent to us by various technologies that automatically collect information about your computer, mobile phone or other access device. These technologies may be used and deployed by us, our Users, or our service providers and vendors. Note, the technologies we use to collect information from your interaction with the XTRM Services or our Sites may be provided to us by vendors that collect your personal information using those same technologies instantaneously and simultaneously with our collection of your personal information.
The information sent to us includes, but is not limited to, the following: data about the pages you access, computer IP address, device ID or unique identifier, device type, geo-location information, computer and connection information, mobile network information, statistics on page views, traffic to and from the sites, referral URL, ad data, and standard web log data and other information.
The technologies we use include:
- Cookies. Cookies are small text files that a website transfers to a visitor’s device for
recordkeeping purposes. Cookies may be unique to the browser or mobile application you are
using. We use cookies to personalize visitors’ experiences on our website, provide content that
we believe may be of interest, track visitor trends and patterns, identify specific pages that you
click on and where you scroll, locate the country where you are visiting from, engage in
marketing and advertising, and otherwise analyze our Site traffic. Other than "strictly
necessary" cookies, we will only place these cookies on your device where you have consented
to us doing so (except where otherwise permitted by law). Note some of the cookies described
below are temporary and deleted as soon as you close your browser. These are known as
"session cookies." Other cookies are stored on your device until they expire or you remove
them. These are known as "persistent cookies." For further information about cookies,
including how to refuse cookies, please visit www.allaboutcookies.org. Please note that if
cookies are disabled, you may not be able to enjoy certain features of our Sites.
- Flash Cookies. Certain features of our Sites may use local stored objects (or Flash cookies) to
collect and store information about your preferences and navigation to, from, and on our
Sites. Flash cookies are not managed by the same browser settings as are used for browser
cookies.
- Strictly necessary cookies. These cookies are essential for you to browse our Sites and use
its features, such as accessing secure areas of our Sites. Cookies that allow web shops to
hold your items in your cart while you are shopping online are an example of strictly
necessary cookies. These cookies cannot be turned off and are usually only set in response to
specific actions you take on the site.
- Functionality cookies. Also known as "preference cookies," these cookies allow a website to
remember choices you have made in the past, like what language you prefer, what region
you would like weather reports for, or what your username and password are so you can
automatically log in. These cookies may be set by us or third-party providers whose services we have added to the XTRM Services. Disabling these cookies may result in some aspects of
the XTRM Services not displaying or functioning properly.
- Analytics cookies. Also known as "performance cookies," these cookies collect information
about how you use our Sites, like which pages you visited and which links you clicked on.
None of this information can be used to identify you. It is all aggregated and, therefore,
anonymized. Their sole purpose is to improve website functions. This includes cookies from
third-party analytics services as long as the cookies are for the exclusive use of the owner of
the website visited. Disabling these cookies will not allow us to recognize you when you
visit our Sites.
- Advertising cookies. These cookies track your online activity to help advertisers deliver
more relevant advertising or to limit how many times you see an ad. These cookies can
share that information with other organizations or advertisers. These are persistent cookies
and typically set by third-party providers. These cookies are able to identify your browser
and device. Disabling these cookies may result in less targeted advertising.
- Log Files and Device Identifiers. We use log files to track actions occurring on our Sites and
collect data about visitors, including IP address, browser type, Internet service provider,
referring/exit pages, date/time stamps, and device identifiers.
- Web beacons and other technologies. Our applications may use other tracking tools, including web beacons (also known as clear gifs, pixel tags, and single-pixel gifs), which are small electronic images embedded in content and email messages that are not ordinarily visible to users. Web beacons allow us to track pages and content accessed and viewed by users, as well as to monitor email readership. Pixels, tags, and gifs collect event data and other information about your interaction with our Sites.
- Analytics. Our Sites may also use third-party analytics tools such as Google Analytics. Analytics
are used to create reports and statistics on the performance of our Sites and present you with
content tailored to your interests. Analytics can be used to collect information such as IP
address, type of device, operating system, referring URLs, country information, date and time of
page visits, and which pages you visit the most. You can find more information about how data
is collected and processed in connection with the Google Analytics service here. You can also
read Google’s privacy policy here.
We use these technologies to help ensure that your account security is not compromised; mitigate risk
and prevent fraud; and to promote trust and safety across our XTRM Services and Sites. You
are free to decline our automated technologies if your browser or browser add-on permits, unless our
automated technologies are required to prevent fraud or ensure the security of websites we control.
However, declining our automated technologies may interfere with your use of our Sites and XTRM
Services.
The information collected through these technologies may be combined with personal information or
aggregated with other information on Site visits. We may share information about your use of our Sites
with our advertising and analytics partners, who may combine it with other information that you
previously provided to them.
Information Collected via the XTRM Services
We may collect and store any information you provide us when you use XTRM Services, including when
you add information on a web form, add or update your account information, or when you otherwise
correspond with us regarding XTRM Services. The personal information that you provide directly to us
through our XTRM Services and Sites will be apparent from the context in which you provide the
information. In particular:
- When you register for an XTRM account, we may collect your full name, email address, and
account log-in credentials.
- When you fill-in our online form to contact us, we may collect your full name, email, country,
and anything else you tell us.
- When you add a credit card for funding or identity, we may collect your email address, payment
card number, CVC code and expiration date.
- When you respond to XTRM emails we may collect your email address, name and any other
information you choose to include in the body of your email or responses. If you contact us by
phone, we may collect the phone number you use to call XTRM. If you contact us by phone as a
User, we may collect additional information in order to verify your identity.
- You may also choose to submit information to us via other methods, including: (i) in response to
marketing or other communications, (ii) through social media or online forums, (iii) through
participation in an offer, program or promotion, or (iv) in connection with an actual or potential
business relationship with us.
- Additionally, for quality and training purposes or for its own protection, XTRM may monitor or
record its telephone conversations with you or anyone acting on your behalf.
Information We Collect in Connection with Fraud Monitoring
When we conduct fraud monitoring, prevention, detection, and financial compliance activities or
provide such services to our Users, we will receive personal information from you (and your device) and
about you through our XTRM Service and from our business partners, financial service providers,
identity verification services, and publicly available sources (e.g., name, address, phone number,
country), as necessary to confirm your identity and prevent fraud. Our fraud monitoring, detection and
prevention services may collect personal information about you and use technology to help us assess
the risk associated with an attempted transaction by you with a User. Additionally, we may monitor
insights and patterns of payment transactions and other online signals to reduce the risk of fraud,
money laundering and other harmful activity for ourselves, our Users and their Customers.
How We Use the Information We Collect
Our primary purpose in collecting information from and about you, including personal information, is to
provide you with a secure, smooth, efficient, and customized experience. We may use the information
collected from or about you, including your personal information, to:
- provide XTRM Services, Sites, and customer support;
- process transactions and send notices about your transactions;
- verify your identity, including during account creation and password reset processes;
- resolve disputes, and troubleshoot problems;
- manage risk, or to detect, prevent, and/or remediate fraud or other potentially prohibited or
illegal activities;
- detect, prevent or remediate violations of policies or applicable user agreements;
- improve the XTRM Services and Sites by customizing your user experience;
- measure the performance of the XTRM Services and Sites and improve their content and layout;
- manage and protect our information technology infrastructure;
- contact you at any telephone number, by placing a voice call or through text (SMS) or email messaging, as authorized by our User Agreement;
- perform creditworthiness and solvency checks, compare information for accuracy and verify it with third parties.
We may contact you via electronic means or postal mail to notify you regarding your account, to
troubleshoot problems with your account, to resolve a dispute, to poll your opinions through surveys or
questionnaires, or as otherwise necessary to service your account. Additionally, we may contact you to
inform you about XTRM Services or Sites. Finally, we may contact you as necessary to enforce our
policies, applicable law, or any agreement we may have with you. To reach you as efficiently as possible,
we may contact you via phone, and may use autodialed or prerecorded calls and text messages as
described in our User Agreement. Where applicable and permitted by law, you may decline to receive
certain communications.
We do not sell or rent your personal information to third parties for their marketing purposes.
Third-Party Use of Cookies
Some content or applications, including advertisements, on the XTRM Services and Sites are served by
third parties, including advertisers, ad networks and servers, content providers, and application
providers. These third parties may use automated technologies, such as cookies, web beacons, or device
identifiers, to collect information about you when you use our website. The information they collect
may be associated with your personal information or they may collect information, including personal
information, about your online activities over time and across different websites and other online
services. They may use this information to provide you with interest-based (behavioral) advertising or
other targeted content. We do not control these third parties’ tracking technologies or how they may be
used. If you have any questions about an advertisement or other targeted content, you should contact
the responsible provider directly.
Operations and International Transfers
Please be aware that XTRM is headquartered in the United States and has operations globally. Our
operations are supported by a network of computers, cloud-based servers, and other infrastructure and
information technology, including, but not limited to, the use of third-party service providers. We, and
third-party service providers on our behalf, store and process your personal information in the United
States and elsewhere in the world. If your personal information is transferred to other countries,
including countries which may not have data protection laws that provide the same level of protection
that exists in your country, we will protect the personal information as described in this Privacy Policy.
We protect your personal information using physical, technical, and administrative security measures to
reduce the risks of loss, misuse, unauthorized access, disclosure and alteration. Some of the safeguards
we use are firewalls and data encryption, physical access controls to data centers, and information
access authorization controls. Please be aware that no data transmission over the Internet is 100%
secure. While we strive to protect your personal information, we cannot ensure or warrant the
security of any information you transmit to us and you do so at your own risk.
How We Share Information with Third Parties
We may share the information we collect from and about you, including your personal information, with:
- Credit bureaus and collection agencies to report account information, as permitted by law.
- Our subsidiaries, parents, related entities, and affiliates.
- Our User customers, their employees, and service providers for the purposes of fulfilling the obligations under our User Agreements.
- A buyer or other successor prior to or in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of XTRM’s assets or business, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by XTRM about our Users, Customers, and Visitors is among the assets transferred.
- Our professional advisors, such as lawyers, accountants, and other similar advisors.
- Law enforcement, government officials, or other regulatory authorities pursuant to a subpoena,
court order, or other legal process or requirement applicable to XTRM or one of its affiliates;
when we need to do so to comply with law or credit card rules; or when we believe, in our sole
discretion, that the disclosure of personal information is necessary to prevent physical harm or
financial loss, to report suspected illegal activity or to investigate violations of our User
Agreement.
- Other unaffiliated third parties, for the following purposes:
- To contractors, service providers, and other third parties we use to support our business.
For example, our IT providers, secure payment processing providers on our Sites, customer
contact center services, insurance providers and document storage providers.
- Marketing and advertising vendors that may assist with lead generation, hosting information relating to clients and potential clients, marketing automation, advertisement placement and targeting, and marketing campaigns and communications. Note, the service providers that help us make features available on our Sites, and otherwise supply technologies to help us track Site usage, also collect your personal information instantaneously and simultaneously with our collection of your personal information.
- Analytics vendors in order to understand our Site traffic and usage patterns, optimize our
Sites, and identify potential new clients.
- Fraud prevention and risk management vendors to help prevent fraud or assess and manage risk.
- Customer service vendors or partners for customer service purposes, including to help
service your accounts or resolve disputes (e.g., billing or transactional).
- Our Users’ legal compliance advisors, service providers, and vendors to help them comply
with anti-money laundering and counter-terrorist financing verification requirements.
- Other parties for any purpose we disclose at the time you provide the information.
When the information we collect about you is aggregated, anonymized, or otherwise does not identify
you, we may use that information for any purpose or share it with third parties, to the extent permitted
by applicable law.
Your Choices About Personal Information
You have choices regarding our collection, use, and disclosure of your personal information:
- Opting out of receiving communications from us. If you no longer want to receive marketing-
related emails from us, you may opt-out via the unsubscribe link included in such emails. We will
try to comply with your request(s) as soon as reasonably practicable. Please note that if you opt-
out of receiving marketing-related emails from us, we may still send you administrative
messages that are required to provide you with our XTRM Services.
- Updating information. If you would like to review, correct, or update personal information that
you have previously provided to us, you may do so within your user account or by contacting us.
- Cookies. Depending on your browser or device, you may have the option to set the browser to
accept all cookies, reject all cookies, notify you when a cookie is set, or delete cookies. Each
browser and device are different, so we recommend you evaluate the tools and settings
available in your browser or device, as well as any available instructions for the same. Please
note that if you disable or delete cookies, you may not be able to access or use certain features
of the Sites or XTRM Services.
- Google Analytics. As discussed above, we use Google Analytics in connection with the Site. If
you would like to refrain from having your data collected by Google Analytics, Google has
developed an opt-out browser that you can use. You can find more information on how Google
uses information it collects here.
- Interest-Based Advertising. To opt-out of personalized or interest-based advertisements, you
may be able to adjust the settings on your device. Please go to your device settings and opt-out
through the controls provided through Google/Android or iOS, as applicable. Each operating
system, iOS for Apple phones, Android for Android devices and Windows for Microsoft devices,
has its own instructions on how to prevent the delivery of interest-based advertisements. (We
cannot guarantee that these instructions will not change, or that they will continue to be
available; they are controlled by each mobile platform, not us.) For any other devices and/or
operating systems, please visit the privacy settings for the applicable device or contact the
applicable platform operator. You can also visit https://optout.aboutads.info to opt out of
interest-based advertisements.
- Declining to Provide Information. You can choose not to provide us with information we may
request through our Sites or the XTRM Services, but that may result in you being unable to use
certain features of our Sites, request information about our services, or initiate other
transactions with us.
- Do Not Track Mechanisms. Please note that our Site does not honor "Do Not Track" signals, and
such signals will not impact the operation of the Sites or XTRM Services.
- Jurisdiction-specific choices. Choices relating to the rights afforded consumers under the laws of their jurisdiction of residence are in the “Rights Afforded to Certain Individuals” section below.
We may need to verify your identity before responding to any request described above. If we no longer
need to process personal information about you in order to provide our XTRM Services or our Sites, we
may not maintain, acquire or process additional information in order to identify you for the purpose of
responding to your request.
If you are a Customer of a User, please direct your requests directly to the User. For example, if you are
making, or have made, a purchase from a merchant using XTRM as a services provider, and you have a
request that is related to the payment information that you provided as part of the purchase
transaction, then you should address your request directly to the merchant.
Links to Third-Party Websites
Our Sites may contain links to third-party websites. Such websites have separate privacy policies that
you should review. We do not control these third-party websites and are not responsible for the
content of linked websites or those companies’ data-handling practices.
Biometric Information
XTRM, through third-party service providers, may use technology to collect biometric identifiers or information for the purposes of verifying your identity and preventing and protecting against fraud. In particular, the technology used by XTRM’s service providers analyzes your driver’s license, state, or passport ID, including the photo on your ID, to verify its authenticity and your identity. Such information is retained for only so long as is necessary to fulfill the initial purpose for collecting or obtaining such information, and in any event, for no more than 3 years from the date of your last interaction with XTRM. Once such period has expired, the information is permanently deleted or destroyed in accordance with XTRM’s retention and security policies.
You may be provided further notice regarding the collection or storage of biometric identifiers or biometric information and be asked to provide your written release. We recommend you review such notices carefully, as well as any service provider privacy notices made available to you at the time of such notice.
Rights Afforded to Certain Individuals
California Privacy Rights
This California Privacy Rights Notice ("Notice") provides additional details about the personal
information we collect about California "consumers" as defined by the California Consumer Privacy Act
of 2018, as amended by the California Privacy Rights Act ("CCPA").
This Notice explains our collection, processing, and disclosure of "personal information" relating to
California consumers. Specifically, this Notice applies to our processing activity when we are acting as a
"business" under the CCPA—meaning that we control the purposes and means of processing your
personal information. Some of the personal information we collect may be subject to other data
protection laws (such as the Fair Credit Reporting Act) and may be exempt from some or all of the
requirements under the CCPA.
A. Information We Collect and Disclose
As defined by the CCPA, "personal information" includes any information that identifies, relates to,
describes, references, is reasonably capable of being associated with, or could reasonably be linked,
directly or indirectly, with a particular consumer or household. Personal information does not
include:
- Publicly available information from government records;
- Deidentified or aggregated consumer information; and
- Information excluded from the CCPA’s scope, including personal information covered by certain
sector-specific privacy laws such as the Fair Credit Reporting Act.
In the past 12 months, XTRM has collected the following categories of personal information from
consumers and disclosed such information to the following categories of third parties for the business
purposes described below.
| Categories of PI Collected | Examples | Categories of Third Parties to Whom Disclosed |
| --- | --- | --- |
| Identifiers | A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, MFA codes, passport number, or other similar identifiers. | IT and hosting service providers, such as our email providers, business application providers, managed services providers and IT consultants; Online analytics and marketing/advertising service providers; Our customers who have a right to know the information; Financial institutions and payment processors; Customer contact service centers; Professional advisors (accountants, lawyers, and auditors) |
| Commercial information | Records of services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | IT and hosting service providers, such as our email providers, business application providers, hosting providers, managed services providers, and IT consultants; Marketing/advertising service providers; Financial institutions and payment processors; Professional advisors (accountants, lawyers, and auditors) |
| Internet or other similar network activity | Browsing history, search history, information on a consumer’s interaction with a website, application, or advertisement. | IT and hosting service providers; Online analytics and marketing/advertising service providers |
| Personal information types listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)) | A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, or employment information. Some personal information included in this category may overlap with other categories. | IT and hosting service providers, such as our email providers, business application providers, hosting providers, managed services providers, and IT consultants; Online analytics and marketing/advertising service providers; Professional advisors (accountants, lawyers, and auditors) |
| Sensory data | Audio recordings, voicemail, or similar information. | IT and hosting service providers, such as our email providers, business application providers, hosting providers, and telephone communication providers |
| Biometric information | ID Photograph | IT and hosting service providers, such as our email providers, business application providers, hosting providers, managed services providers, and IT consultants |
| Professional or employment-related information | Prior employment history, performance information, resume or similar information. | IT and hosting service providers, such as our email providers, business application providers, hosting providers, managed services providers, and IT consultants |
Please note that we may also use, disclose, or transfer your information in connection with the sale, merger, dissolution, restructuring, divestiture, or acquisition of our company or its assets. We may also disclose your personal information in response to a court order, subpoena, search warrant, law, or regulation.
XTRM collects these categories of personal information from the following sources:
- Direct collection: We collect information directly from you when you choose to provide it to us
by visiting our Sites, filling out forms on our Sites, engaging in transactions with us, signing up to
receive promotional or information communications from us, communicating with us about our
services, or otherwise directly providing the information to us.
- Indirect and technology-based collection: We also collect certain information from you
indirectly when you visit, use, or navigate our website. XTRM collects certain identifiers (such as
IP addresses) and internet and similar network activity (such as website usage data) from you
indirectly using cookies, pixels, and passive tracking technologies, as described in this Privacy
Policy.
- Collection via social media: We may collect personal data about social media users, including
basic user profile information (such as username), user-generated content (such as posts,
comments, pages, profiles, or feeds) and associated metadata (such as time and location of a
post or comment); contact details (such as name, email address, telephone number if made
public by the user); and additional individual information published by the user (such as
employer, profession, age, location, education information, habits, etc.). The type and scope of
personal data obtained from social media platforms depends on the type of APIs and
permissions set out by the respective platforms and the administrative permissions granted by
customers, where applicable.
- Third-party collection: From time to time, we may obtain marketing or lead lists from
third-party vendors. We use these, for example, to send you marketing communications.
B. Sensitive Personal Information. XTRM does not collect “sensitive personal information” (as defined by the CCPA) for the purposes of inferring characteristics about California consumers. Accordingly, XTRM treats any such information as “personal information” consistent with the applicable provisions of the CCPA.
C. Use of Personal Information
We collect and use the personal information we collect for the following business or commercial purposes (as well as any other purposes as set forth in this Privacy Policy).
- Providing and optimizing your experience on our website and ensuring that our content is
presented to you in the most effective manner.
- Fulfilling transactions with you, processing your payments, and managing the transaction and
delivery process.
- Communicating with you and responding to your inquiries about our services, including to
provide you with promotional and informational communications regarding our services,
informing you about new services, updating you about changes to our website, and investigating
any concerns you have about our services or your transactions.
- Developing, updating, and improving our services, customer service, customer experience, and
marketing efforts, and otherwise improving our knowledge and insights regarding customers.
- Preventing and detecting fraud, financial crime, hacking activities, security breaches, and other
unlawful activities in connection with the website or purchase and use of our services.
- Enforcing our agreements with customers and complying with our legal or regulatory
obligations.
- Performing other functions as otherwise described to you at the time of collection or to which
you otherwise consent.
D. Applicable Retention Periods. Please refer to our “Data Storage and Retention” section below for more information.
E. Sale or Sharing of Personal Information
In the past 12 months, XTRM has not sold personal information of any category or “shared” any such information for the purposes of cross-context behavioral advertising. Likewise, XTRM does not have actual knowledge of any sales or sharing of personal information regarding minors under 16 years of age.
F. Your Rights Under the CCPA
The CCPA provides California residents with the rights discussed below. For convenience, and as
required by the CCPA, we explain how you can exercise those rights, to the extent they are applicable.
1. Right to Request Information. You have the right to request that we disclose certain
information about our collection and use of your personal information during the past 12
months. Specifically, you may request that we disclose:
- The categories of personal information we collected about you;
- The categories of sources for the personal information we collected about you;
- The business and commercial purposes for collecting your personal information;
- The categories of third parties with whom we shared your personal information;
- The specific pieces of personal information we collected about you; and
- If we disclosed your personal information for a business purpose, the categories of personal
information received by each category of third party.
2. Right to Data Portability. You have the right to request that we provide copies of the specific
pieces of personal information we collected about you. If a verifiable consumer request is
made, and subject to any exceptions or limitations under the CCPA, we will take steps to deliver
the personal information to you either by mail or electronically. If we provide the information
to you electronically, it will be in a portable and readily useable format, to the extent technically
feasible. Consistent with the CCPA and our interest in the security of your personal information,
we will not provide copies of sensitive personal information we may receive from you (e.g.,
driver’s license number, other government-issued identification number, financial account
number, health or medical identification number, account password, or security questions or
answers) in response to a CCPA request, to the extent any of those items are in our possession.
3. Right to Request Deletion. You have the right to request that we delete personal information
we collected from you, subject to any exceptions or limitations under the CCPA.
4. Right to Correct Inaccurate Information. If we maintain inaccurate personal information about you, you have the right to request that we correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing of the personal information.
5. Right to Opt-Out. Consumers in California have the right to opt-out of (1) the sharing of their personal information for the purposes of cross-context behavioral advertising (as defined in the CCPA), or (2) the sale of personal information. Because XTRM does not “sell” or “share” personal information, these rights are not available.
G. Exercising Your Rights
As indicated above, the CCPA provides certain limitations and exceptions to the foregoing rights, which
may result in us denying or limiting our response to your request.
To exercise the rights described above, you—or someone authorized to act on your behalf—must
submit a verifiable consumer request to us by sending an e-mail to: [email protected] with the subject
line: "CCPA Request" or calling us at (866) 367.9289. Your request must include your name, e-mail
address, mailing address, phone number, the nature of your inquiry and the context in which we may
have received your information. If you are an agent submitting a request on behalf of a consumer, we
may request that you submit a signed permission from the consumer authorizing you to make the
request. In order to protect the privacy and data security of consumers, the verifiable consumer request
must:
- Provide sufficient information that allows us to reasonably verify you are the person about
whom we collected personal information or an authorized representative of such consumer;
and
- Describe your request with sufficient detail that allows us to properly understand, evaluate,
and respond to it.
You may only make a verifiable consumer request for access or data portability twice within a 12-month
period. We will only use personal information provided in a verifiable consumer request to verify the
requestor’s identity or authority to make the request. We may also request that you provide additional
information if needed to verify your identity or authority to make the request. We cannot respond to
your request or provide you with personal information if we cannot verify your identity or authority to
make the request and confirm the personal information relates to you or the consumer on whose behalf
you are making the request.
The CCPA requires businesses to respond to a verifiable consumer request within forty-five (45) days of
its receipt; however, we may extend that period by an additional 45 days. If we require more time, we
will inform you of the reason and extension period in writing. We will deliver our written response via
e-mail. Any disclosures we provide will only cover the 12-month period preceding the receipt of the
verifiable consumer request, unless otherwise required or permitted by the CCPA. The response we provide will also explain the reasons we cannot comply
with a request, if applicable. For data portability requests, we will select the format of our response; the
format will be readily useable and should allow you to transmit the information from one entity to
another. We will not charge a fee to process or respond to a verifiable consumer request unless it is
excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will
tell you why we made that decision and provide you with a cost estimate before completing the request.
H. Our Commitment Not to Discriminate
Consistent with the CCPA, we will not discriminate against you for exercising any of your CCPA rights by: (1) Discriminating or retaliating against an employee, job applicant, or contractor for exercising their rights under the CCPA; (2) Denying you goods or services; (3) Charging you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties; (4) Providing you a different level or quality of goods or services; or (5) Suggesting that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
I. Data Sharing or Direct Marketing Purposes
California Civil Code § 1798.83 further permits California residents to request certain information
regarding our disclosure of personal information to third parties for their direct marketing purposes. If
you are a California resident, you may ask us to refrain from sharing your personal information with
certain of our affiliates and other third parties for their marketing purposes. Please tell us your
preference by contacting us at [email protected].
Rights Under the GDPR (EU / UK Residents)
The European Union’s General Data Protection Regulation and the United Kingdom’s and Switzerland’s versions of the same (collectively, the "GDPR") afford certain rights to individuals in the European Economic Area (together with the UK and Switzerland, the "EEA"). If you are in the EEA, you have the following rights. Note, however, that not all rights apply in all circumstances.
- Right of access: subject to certain exceptions, you have the right of access to your personal
information that we hold. If you are requesting access to your data in order to protect the rights
of others, we may require you to validate your identity before we can release that information
to you.
- Right to rectify your personal information: if you discover that the information we hold about
you is inaccurate or incomplete, you have the right to have this information rectified (i.e.,
corrected).
- Right to be forgotten: you may ask us to delete information we hold about you in certain
circumstances. This right is not absolute and it may not be possible for us to delete the
information we hold about you, for example, if we have an ongoing contractual relationship or
are required to retain information to comply with our legal obligations.
- Right to restriction of processing: in some cases, you may have the right to have the processing
of your personal information restricted. For example, where you contest the accuracy of your
personal information, its use may be restricted until the accuracy is verified.
- Right to object to processing: you may object to the processing of your personal information
(including profiling) when it is based upon our legitimate interests. You may also object to the
processing of your personal information for the purposes of direct marketing and for the
purposes of statistical analysis.
- Right to data portability: you have the right to receive, move, copy, or transfer your personal
information to another controller when we are processing your personal information based on
consent or on a contract and the processing is carried out by automated means.
With regard to the personal information we collect from Users or Visitors, we are typically the "data
controller" for such information under the GDPR. As a result, if you wish to exercise one of the rights
discussed above, you may do so by submitting a written request to [email protected]. This is normally
free, unless this process is unduly difficult or is clearly unfounded, repetitive, or excessive, in which case
we may charge a reasonable fee or decline to respond. Once we have received your request, we will
review it and contact you within thirty (30) days of receipt of your request, will notify you of any delay in
processing your request and, in any event, will respond to the request within three (3) months. Please
note that we may need to request specific information from you to help us confirm your identity. If you
are located in the EEA or UK and have a concern about our processing of your data, you may have the
right to make a complaint to the appropriate data protection authority in the EEA or UK.
A. Lawful Basis under GDPR
We will process different types of information under different lawful bases under the GDPR depending
on the nature of the information and your relationship with us. The following table describes how we plan to use your personal information and our lawful basis for doing so. We may process your personal information on more than one basis depending on the specific purpose for which we have collected or
are otherwise using your information.
| Purpose/Activity | Type of Information | Basis of Processing |
| --- | --- | --- |
| To enter into and subsequently to manage our business relationship with you including: Negotiating, entering into, and performing agreements with your company; Responding to inquiries and providing customer support and service; Managing and processing transactions for our services; Notifying you about changes to our website, business terms, or this Policy; Communicating with you and responding to your inquiries regarding our services, agreements with your company, and other issues | Contact Information; Transactional Information; Identity Verification Information; User Account Information; Communications Information; Financial Account Information | Necessary for our legitimate interests (to manage our business relationships and administer our operations including through the keeping of appropriate records); Performance of a contract with you; Necessary to comply with legal obligations |
| To administer and protect our business and website including: Maintaining business records for legal purposes and to comply with tax requirements; Defending and advancing legal claims; Enforcing our rights under any agreements; Ensuring effective security for our services and website; Conducting website maintenance; Identifying and addressing security risks and unlawful activity | Contact Information; Transactional Information; Identity Verification Information; User Account Information; Communications Information; Financial Account Information; Device and Usage Information | Necessary for our legitimate interests (running our business, facilitating administration and IT services, network security, to prevent fraud and in the context of a business reorganization or group restructuring exercise); Necessary to comply with legal obligations |
| To make decisions about how best to deliver relevant website content and advertisements to you, and otherwise market to you, and to better understand the effectiveness of our marketing efforts | Marketing Information; Transactional Information; Communications Information; Device and Usage Information | Necessary for our legitimate interests (better understanding website functionality and how website users navigate and interact with the site) |
| To advance and promote our business interests including contacting you regarding services or promotions that may be of interest, conducting surveys or soliciting feedback on our services, and updating, developing, and improving our services, customer service, and marketing efforts | Contact Information; Marketing Information; Transaction Information; Device and Usage Information | Necessary for our legitimate interests (to enhance our services, improve our marketing strategies and develop our business) |
| To respond to your request to process your application for employment | Job Applicant Information | Necessary for our legitimate interests (running our business and facilitating the applications of individuals seeking employment with us) |
B. Transfers from the EEA, Switzerland, or UK
If we transfer personal information from the EEA, Switzerland, or UK to the United States or any other country, we will implement appropriate legal mechanisms to ensure an adequate level of personal data protection consistent with the GDPR’s requirements. For example, if the recipient country has not received an Adequacy Decision from the European Commission (such as the United States), we will rely on Standard Contractual Clauses (SCC) that have been approved by the European Commission as the lawful mechanisms for such transfers. Further, we will enter into appropriate data processing agreements with all non-EU (sub)processors that contain SCCs and define data protection standards to be employed by each (sub)processor.
Nevada Privacy Rights
Under Nevada law, Nevada residents who have purchased services from us may opt out of the "sale" of "covered information" (as such terms are defined under Nevada law) for monetary consideration to a person for that person to license or sell such information to additional persons. "Covered information" includes first and last name, address, email address, and phone number, or an identifier that allows a specific person to be contacted either physically or online. We do not engage in any activities that would qualify as a sale under Nevada law.
Residents of Other U.S. States
This section supplements the other information in this Notice and provides additional details for U.S. consumers, as defined by the laws of the consumer’s state of residence (if applicable) (e.g., the Virginia Consumer Data Protection Act (“VCDPA”), Colorado Privacy Act (“CPA”), Connecticut Act Concerning Personal Data Privacy and Online Monitoring (“CTDPA”), Utah Consumer Privacy Act (“UCPA”), the Delaware Personal Data Privacy Act, the Iowa Consumer Data Protection Act, the Montana Consumer Data Privacy Act, the Nebraska Data Privacy Act, the New Hampshire Privacy Act, the New Jersey Privacy Act, the Oregon Consumer Privacy Act, and the Texas Data Privacy and Security Act).
The categories of personal data of consumers processed by XTRM and the purposes for such processing; the categories of personal data that are disclosed to third parties and the categories of third parties to whom XTRM discloses personal data; and information about whether XTRM sells personal data or processes personal data for the purposes of targeted advertising are described in the “California Privacy Rights” section above.
Consumers have the right under the above-mentioned laws (subject to applicable limitations or exceptions) to:
- Confirm whether or not XTRM is processing the consumer’s personal data and to access such data;
- Correct inaccuracies in the consumer’s personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer’s personal data;
- Delete personal data provided by or obtained about the consumer; and
- Obtain a copy of the consumer’s personal data that the consumer previously provided to XTRM in a portable, and to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
If you are a resident of a jurisdiction that has a privacy law that affords you certain rights, you may exercise these rights by contacting XTRM at [email protected] with the subject line: "Privacy Request" or calling us at (866) 367.9289. We will verify your request using commercially reasonable efforts: this may include requiring you to provide at least 4 pieces of information which may include your name, mailing address, email address and phone number. XTRM will use this information to search our systems and determine if we have information about you. If we are able to locate information about you, we will fulfill your request, to the extent no exception or limitation under the above-mentioned laws applies. If we are not able to authenticate your request, we may only be able to provide you with a report that includes the categories of Personal Information we collect, use, or disclose.
XTRM will respond to the request within 45 days of receipt of the request; however, we may extend the period for response by an additional 45 days when reasonably necessary, in which case we will inform you of the extension together with the reason. If XTRM declines to take an action regarding your request, we will inform you of such, including the justification for declining to take action and instructions on how to appeal the decision (if applicable).
Information provided in response to a request shall be provided free of charge, up to twice annually per consumer. If requests are manifestly unfounded, excessive, or repetitive, XTRM may charge the consumer a reasonable fee to cover the administrative costs of complying with the request or decline to act on the request.
In the event XTRM declines to take action regarding your request, you may appeal the decision, if permitted by applicable law, by contacting XTRM at [email protected]. Within 60 days of receipt of an appeal, we will inform you of any action or inaction taken in response to such appeal. If the appeal is denied, you may contact your state’s Attorney General to submit a complaint. Residents of Connecticut can submit a complaint at: https://www.dir.ct.gov/ag/complaint/
Canada Privacy Rights
Certain Canadian laws, including Canada’s Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) ("PIPEDA"), provide certain rights to Canadian residents including the right to request information from an organization about the existence, use or disclosure of such resident’s personal information, to request access to that information, and to challenge the accuracy and completeness of the information and have it amended as appropriate. If you are a Canadian resident and would like to make a request regarding your information that is under our control, please contact us at the "Contact Us" information below. We will attempt to respond to your request within a reasonable time. Such response will be at minimal or no cost to you.
Children’s Privacy
Our Sites are general audience sites and are not directed at, or intended for use by, children under the age of 16 years. Accordingly, we do not knowingly collect personal information from children under age 16. Should we discover that a child under the appropriate age provided his or her personal information, we will use that information only to respond to that child and inform him or her that we must have parental consent before receiving such information.
Data Storage and Retention
We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or other mandatory reporting requirements. To determine the appropriate retention period we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure, the purposes for which we process it, whether we can achieve those purposes through other means, and the applicable legal requirements. We also consider any specific limitation periods under applicable law.
Contact Us
To submit a request to exercise any of the rights described above, you may contact the XTRM Security Administrator at [email protected] or at (866) 367.9289 or at XTRM, Inc. 1221 Brickell Avenue, Suite 900, Miami, Florida, USA 33131. We may need to verify your identity before responding to your request, such as verifying that the email address from which you send the request matches your email address that we have on file. Authentication based on a government-issued and valid identification document may be required. If you are a Customer of an XTRM User, please direct your requests directly to the XTRM User with whom you shared your personal information.
Data Protection Schedule
This Data Protection Schedule applies only to the extent that XTRM acts as a processor or sub-processor to a business User.
Capitalized terms used but not defined in this Schedule shall have the meaning set out in the applicable User Agreement.
1 Definitions and Interpretation.
The following terms have the following meanings when used in this Schedule:
"Customer" means a customer of User who pays the User in exchange for goods or services through the XTRM services and for the purposes of this Schedule, is a data subject.
"Customer Data" means the personal data that the Customer provides to User and User passes on to XTRM through the use by the User of the XTRM services.
"data controller" (or simply "controller") and "data processor" (or simply "processor") and "data subject" have the meanings given to those terms under the Data Protection Laws.
"Data Protection Laws" means all laws and regulations applicable to the processing of personal data by XTRM on User's behalf, such as (to the extent applicable) the California Consumer Privacy Act, as amended and together with implementing regulations ("CCPA") and the laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, including the General Data Protection Regulation (EU) 2016/679 (GDPR) and any associated regulations or instruments.
"personal data" has the meaning given to it in the Data Protection Laws.
"processing" has the meaning given to it in the Data Protection Laws and "process", "processes" and "processed" will be interpreted accordingly.
"Sub-processor" means any processor engaged by XTRM and/or its Affiliates in the processing of personal data.
2 Processing of Personal Data in Connection with the XTRM Services.
2.1 User as data controller. With regard to any Customer Data to be processed by XTRM in connection with this Agreement, User will be a controller and XTRM will be a processor in respect of such processing. User will be solely responsible for determining the purposes for which and the manner in which Customer Data are, or are to be processed. The parties agree that the "Business Purpose" for XTRM's processing of personal data on User's behalf is described in the order form or other purchase order by which User purchased access to and/or the use of XTRM's services. The duration of processing, the nature and purpose of the processing, the types of Customer Data, and the categories of data subjects processed under this Agreement are further specified in Attachment 2 below. The parties agree this information shall be deemed that information required in this Agreement under applicable U.S. state privacy laws.
2.2 User written instructions. XTRM shall only process Customer Data on behalf of and in accordance with User's written instructions. The Parties agree that this Schedule is User's complete and final written instruction to XTRM in relation to Customer Data. Additional instructions outside the scope of this Schedule (if any) require prior written agreement between User and XTRM, including agreement of any additional fees payable to XTRM for carrying out such additional instructions. User shall ensure that its instructions comply with all applicable laws, including Data Protection Laws, and that the processing of Customer Data in accordance with User's instructions will not cause XTRM to be in breach of Data Protection Laws. The provisions of this Section are subject to the provisions of Section 2.14 on Security. User hereby instructs XTRM to process Customer Data for the following purposes:
2.2.1 as reasonably necessary to provide the XTRM services to User;
2.2.2 after anonymizing the Customer Data, to use that anonymized Customer Data, directly or indirectly, which is no longer identifiable personal data, for any purpose whatsoever.
2.3 XTRM cooperation. In relation to Customer Data processed by XTRM under this Agreement, XTRM shall cooperate with User to the extent reasonably necessary to enable User to adequately discharge its responsibility as a controller under Data Protection Laws, including without limitation as User requires in relation to:
2.3.1 assisting User in the preparation of data protection impact assessments to the extent required of User under Data Protection Laws; and
2.3.2 responding to binding requests from data protection authorities for the disclosure of Customer Data as required by applicable laws.
2.4 Scope and Details of Customer Data Processed by XTRM. The objective of processing Customer Data by XTRM is the performance of the XTRM services pursuant to the Agreement. XTRM shall process the Customer Data in accordance with the specified duration, purpose, type, and categories of data subjects as set out in Attachment 2 (Data Processing of Customer Data).
2.5 Compliance with Laws. The Parties will at all times comply with Data Protection Laws.
2.6 Correction, Blocking and Deletion. To the extent User, in its use of the XTRM services, does not have the ability to correct, amend, block, or delete Customer Data, as required by Data Protection Laws, XTRM shall comply with any commercially reasonable request by User to facilitate such actions to the extent XTRM is legally permitted to do so. To the extent legally permitted, User shall be responsible for any costs arising from XTRM's provision of such assistance.
2.7 Data Subject Requests. XTRM shall, to the extent legally permitted, promptly notify User if it receives a request from a Customer for access to, correction, amendment, or deletion of that Customer's personal data. User shall be responsible for responding to all such requests. If legally permitted, XTRM shall provide User with commercially reasonable cooperation and assistance regarding such Customer's request and User shall be responsible for any costs arising from XTRM's assistance.
2.8 Training. XTRM undertakes to provide training as necessary from time to time to the XTRM personnel with respect to XTRM's obligations in this Schedule to ensure that the XTRM personnel are aware of and comply with such obligations. XTRM will take reasonable steps to ensure that only authorized personnel have access to Customer Data and that any persons whom it authorizes to have access to the Customer Data are under obligations of confidentiality.
2.9 Limitation of Access. XTRM shall ensure that access by XTRM's personnel to Customer Data is limited to those personnel performing XTRM services in accordance with the Agreement.
2.10 Sub-processors. User specifically authorizes the engagement of XTRM (and its Affiliates) as Sub-processors in connection with the provision of the XTRM services. In addition, User generally authorizes the engagement of any other third parties as Sub-processors in connection with the provision of the XTRM services. When engaging any Sub-processor, XTRM will execute a written contract with the Sub-processor, which contains terms for the protection of Customer Data which are no less protective than the terms set out in this Schedule. If requested, XTRM shall make available to User a current list of Sub-processors for the respective XTRM services with the identities of those sub-processors.
2.11 Audits. Where requested by User, subject to the confidentiality obligations set forth in the User Agreement, XTRM shall make available to User (or User's independent, third-party auditor that is not a competitor of XTRM or any members of XTRM or its Affiliates) information regarding XTRM's compliance with the obligations set forth in this Schedule. User shall reimburse XTRM for any time expended for any such on-site audit at XTRM's then-current professional XTRM services rates, which shall be made available to User upon request. Before the commencement of any such on-site audit, User and XTRM shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which User shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by XTRM. User shall promptly notify XTRM with information regarding any non-compliance discovered during the course of an audit.
2.12 Security. XTRM shall, as a minimum, implement and maintain appropriate technical and organizational measures as described in Attachment 1 to this Schedule to keep Customer Data secure and protect it against unauthorized or unlawful processing and accidental loss, destruction or damage in relation to the provision of the XTRM services. Since XTRM provides the XTRM services to all Users uniformly via a hosted, web-based application, all appropriate and then-current technical and organizational measures apply to XTRM's entire customer base hosted out of the same data center and subscribed to the same service. User understands and agrees that the technical and organizational measures are subject to technical progress and development. In that regard, XTRM is expressly permitted to implement adequate alternative measures as long as the security level of the measures is maintained in relation to the provision of the XTRM services.
2.13 Security Incident Notification. If XTRM becomes aware of a Security Incident in connection with the processing of Customer Data, XTRM will, in accordance with Data Protection Laws: (a) notify User of the Security Incident promptly and without undue delay; (b) promptly take reasonable steps to minimize harm and secure Customer Data; (c) describe, to the extent possible, reasonable details of the Security Incident, including steps taken to mitigate the potential risks; and (d) deliver its notification to User's administrators by any means XTRM selects, including via email. User is solely responsible for maintaining accurate contact information and ensuring that any contact information is current and valid.
1. Deletion. Upon termination or expiry of the User Agreement, XTRM will delete or return to User all Customer Data processed on behalf of the User, and XTRM shall delete existing copies of such Customer Data except where necessary to retain such Customer Data strictly for the purposes of compliance with applicable law.
2 GDPR. If the processing of any Customer Data by XTRM is subject to the GDPR, then Module Two (Controller to Processor) of the Standard Contractual Clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021 (as amended and updated from time to time) ("EU SCCs") hereby apply to any transfers of such Customer Data outside of the European Economic Area and/or its member states to the extent User is a Controller of the Personal Data of European Data Subjects, and Module Three (Processor to Processor) of the EU SCCs hereby apply to any such transfers to the extent User is a Processor of the Personal Data of European Data Subjects, and are deemed incorporated into this DPA by reference, take precedence over the rest of this DPA to the extent of any conflict, and are completed as follows:
- The optional docking clause in Clause 7 does not apply;
- In Clause 9, Option 2 (general written authorization) applies, and changes to sub-Processors will be notified in accordance with the terms of this DPA;
- In Clause 11, the optional language does not apply;
- In Clause 17 (Option 1), the EU SCCs will be governed by law of Ireland;
- In Clause 18(b), disputes will be resolved before the courts of Ireland;
- Attachment 2 to this DPA contains the information required in Annex I of the EU SCCs;
- Attachment 1 to this DPA contains the information required in Annex II of the EU SCCs; and
- The information required in Annex III of the EU SCCs can be found here: https://xtrmsupport.xtrm.com/en/support/solutions/articles/4000162624-security004-xtrm-sub-processors.
3 UK GDPR. If the processing of any Customer Data by XTRM is subject to the GDPR as it forms part of United Kingdom domestic law by virtue of Section 3 of the European Union (Withdrawal) Act 2018, then the EU SCCs, as amended by, and together with, the following, apply:
4. By executing and entering into this Agreement, the parties are deemed to have signed and entered into the terms of this section. The terms and conditions herein shall be legally binding upon the parties with the same effect as the terms and conditions of the Agreement. The parties hereby agree as follows:
Part 1:
- Start Date. The effective date of this section is the Effective Date.
- Parties' Details. User is the "Exporter." XTRM is the "Importer." The Parties' details are set forth in the applicable Order Form.
- Addendum EU SCCs. For the purposes of this section, the "Addendum EU SCCs" means the EU SCCs identified above, including the Appendix Information (defined below) and with only the modules, clauses, and optional provisions of the EU SCCs brought into effect for the purposes of this section as set forth above.
- Appendix Information. "Appendix Information" or "Table 3" for the purposes of the Mandatory Clauses, means the information which must be provided for the Approved EU SCCs and which for this section is set forth as follows:
- "Annex 1A" shall be deemed to mean that information as per Part 1, Section 2 above.
- "Annex 1B" shall be deemed to mean that information in Attachment 2.
- "Annex II" shall be deemed to mean that information in Attachment 1.
- "Annex III" shall be deemed to mean that information found here https://xtrmsupport.xtrm.com/en/support/solutions/articles/4000162624-security004-xtrm-sub-processors.
- Neither party may end these terms as set forth in the Mandatory Clauses, Section 19.
Part 2:
Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
1. Switzerland. If any Customer Data concerns a data subject residing in Switzerland, then the EU SCCs, as amended by, and together with, the following apply:
- Clause 13 is modified so that the Federal Data Protection and Information Commissioner is the competent supervisory authority with respect to Personal Data transfers governed by the FADP, and the appropriate EU supervisory authority shall have authority over Personal Data transfers to the extent they are governed by the GDPR.
- For the purposes of the Clauses, the term "Member State" shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with Clause 18.c.
- The transfer of Personal Data shall – to the extent legally permitted – be governed by the provisions of the GDPR. The provisions of the Federal Act on Data Protection, as currently in force in the version of 19 June 1992 ("FADP"), and as replaced by the version of 25 September 2020 ("Revised FADP"), are additionally applicable on a subsidiary basis, in which case references to provisions of the GDPR shall be understood to be referring to the equivalent provisions of the FADP as in force from time to time.
- Until the Revised FADP enters into force, and provided that the Processing of Personal Data is governed by the FADP, the term "Personal Data" also includes the data of legal entities (as defined by the FADP).
2.18 CCPA. If any Customer Data processed by XTRM is subject to the CCPA, then the following terms apply: This section only applies to the extent any Personal Information of California Consumers is included in the Customer Data. For the purposes of this section, "Collects," "Consumer," "Personal Information," "Processing," "Sell," and "Share" shall have their meanings as set forth in the CCPA. The parties acknowledge and agree that XTRM is Processing Personal Information pursuant to the Agreement as a "service provider" (as defined by the CCPA) of User for the Business Purposes. As such, XTRM represents and warrants as follows: (a) XTRM will not retain, use, or disclose any Personal Information it Collects pursuant to the Agreement for any purpose other than the Business Purposes or as otherwise permitted by the CCPA; (b) XTRM shall not Sell or Share any Personal Information it Collects pursuant to the Agreement; (c) XTRM shall not retain, use, or disclose the Personal Information that it Collects pursuant to the Agreement outside of the direct business relationship between XTRM and User, except as permitted by the CCPA; and (d) XTRM shall not combine any Personal Information it Collects pursuant to the Agreement with Personal Information that it receives from, or on behalf of, another person or business, or that it Collects from its own interactions with individuals, except as permitted by the CCPA. The parties acknowledge and agree that any combining contemplated by the Services is being performed by XTRM for the Business Purposes and such purposes constitute a "business purpose" (as defined by the CCPA).
XTRM further agrees as follows: (i) XTRM will comply with all applicable sections of the CCPA, including by providing the same level of privacy protection as required by businesses subject to the CCPA; (ii) XTRM will implement those reasonable security procedures and practices set forth in the DPA with respect to the Personal Information it Collects pursuant to the Agreement; (iii) User may monitor XTRM's compliance with this section, and User's obligations under the CCPA, in accordance with the audit terms set forth in the DPA; (iv) User may, upon notice, take those reasonable and appropriate steps set forth in the DPA and the Agreement to stop and remediate any unauthorized use of Personal Information by XTRM; (v) XTRM will notify User of any Consumer requests pursuant to the terms of the DPA; (vi) XTRM will notify User after it makes a determination that it can no longer meet its obligations under the CCPA; and (vii) if XTRM subcontracts with another person in providing services to User, XTRM will have a contract with such subcontractor that complies with the CCPA.
ATTACHMENT 1
Technical and Organizational Measures
The following technical and organizational measures will be implemented:
Measures taken to prevent any unauthorized person from accessing the facilities used for data processing;
Measures taken to prevent data media from being read, copied, amended or moved by any unauthorized persons;
Measures taken to prevent the unauthorized introduction of any data into the information system, as well as any unauthorized knowledge, amendment or deletion of the recorded data;
Measures taken to prevent data processing systems from being used by unauthorized persons using data transmission facilities;
Measures taken to guarantee that authorized persons when using an automated data processing system may access only data that are within their competence;
Measures taken to guarantee the checking and recording of the identity of third parties to whom the data can be transmitted by transmission facilities;
Measures taken to guarantee that the identity of the persons having had access to the information system and the data introduced into the system can be checked and recorded ex post facto at any time and by any authorized person;
Measures taken to prevent data from being read, copied, amended or deleted in an unauthorized manner when data are disclosed and data media transported;
Measures taken to safeguard data by creating backup copies.
ATTACHMENT 2
Data Processing of Customer Data
Duration of Processing: The term of the User Agreement.
Categories of data subjects: Customer Data – The personal data that the Customer provides to the User which then passes it to XTRM to be forwarded to its third party service providers to facilitate settlement of payments.
Subject-matter of the processing: The payment settlement and data processing services facilitated by XTRM which allows User to accept payment methods on a website or mobile application from Customers, or to upload payment data.
Nature and purpose of the processing: XTRM processes Customer Data that is sent by the User to XTRM for purposes of facilitating a third party payment processor to process the Customer's payment method as payment to the User for the sale of goods or services, and to consolidate payment data for Users.
Type of personal data: Customer Data – User shall inform XTRM of the type of Customer Data XTRM is required to process under this Agreement. Should there be any changes to the type of Customer Data XTRM is required to process then User shall notify XTRM immediately. XTRM processes the following Customer Data, as may be provided by the User to XTRM from time to time:
Full name
Date of birth
Address
Billing address
Email address
Telephone number
Fax number
Government ID number
Bank account number and bank routing number
Financial account number
Card or payment instrument type
Card Primary Account Number (PAN)
Card Verification Value (CVV)
Card expiration date
Business tax ID
Username
Password
IP address
Device Data
Browser data