Privacy Policy

Patterns Data Systems Inc. - PRIVACY POLICY

Last Updated: January 25, 2024

Patterns Data Systems is committed to your privacy. We have created this Privacy Policy (the "Policy") to inform you about the ways in which we handle personal data and information in our business. This Policy applies to Patterns Data Systems, Inc. and its affiliates (collectively referred to herein as the "Company") and covers the services we provide to you as well as our sales, marketing, and related business activities. We refer to personal data and information in this Policy as “personal data.” We refer to our products and services in this Policy collectively as the “Services.”

1. This Policy applies the Services and to related activities such as those described below:

• Managing your account and relationship we have with you as our customer or a trial user.

• Direct sales, advertising and marketing activities that we may provide to you.

• Sales and marketing activities from our authorized partners, including resellers, platform partners, distributors, and third-party marketplaces.

• Your participation in our training or certification programs.

• Your attendance or participation in our partner events.

• Providing our services and products to you as our customer.

• Your visits to and use of our websites.

2. Company is both a processer and a controller of personal data.

Under the General Data Protection Regulation of the European Union (the “GDPR”) and other similar data protection laws, we may either be defined as a controller or a processor of personal data. When Company provides the Services to you, Company generally acts as a “processor” of personal data, because Company processes personal data as part of the Service and at your direction. When acting as a processer, Company handles your personal data as necessary to provide the Services to you and solely on your instructions, unless legally required to do otherwise. Company is also considered a “controller” of your personal data if Company determines how that data will be handled.

Addendums may be incorporated into this Policy to provide further information about Company’s role as a controller or processor with respect to particular Services. Addendums are listed at the end of this Policy.

3. Categories of personal data and Information that we collect.

We may collect, store, and use personal data in the following categories:

• Contact information such as your name, email address, phone number, title, professional details, and employer's name.

• Information about our users' experiences with products, services, events, webinars, and online forums and communities.

• Contact information derived from your interactions with us, such as with our customer support team.

• Contact Information about prospective customers collected from our events, trade shows, and partners.

• Payment information for purchases with the Company.

• Audio and visual information, such recordings of some calls, meetings and events.

• Additional details customers, candidates, and participants at events sponsored by us including:

o Identity documents and other personal data collected solely to authenticate the candidate's identity and for security purposes such as photographs.

o Personal data submitted for accommodations (such as information about health or language concerns).

• Other personal data may be collected in connection with our Services, as described in the relevant Service-specific Addendum.

4. How we collect personal data.

Personal data is obtained directly from you or your employer. We also may receive personal data from our partners (which include resellers and distributors), third-party marketplaces where our products are offered (such as the salesforce.com app exchange), data brokers (such as Dun & Bradstreet), marketing companies, interactions with our website, referrals from other customers and users, publicly available sources such as company websites and LinkedIn. Company collects certain categories personal data when you visit our website.

5. How we use and share personal data.

Company uses and shares personal data for the following purposes:

• To analyze, improve, and develop Company products and Services.

• To provide our products, Services, events, websites, communities, training, and other business offerings.

• To process payments.

• To manage our relationships with customers, partners, resellers, distributors, event attendees, investors, and others (which may involve sharing personal data with them).

• For marketing, advertising, and other communications (including customizing those communications for specific recipients).

• To provide a third party (such as an employer) with confirmation or denial of an individual's claimed certification status.

• For surveys and other market research.

• For security, IT management, and related research.

• To enforce the legal terms that govern our business and commercial relationships (for example, we may share personal information with the opposing party, judge or arbitrator in a dispute).

• To provide security and business continuity.

• To follow the law, or in other cases where we believe that using or disclosing the data is appropriate to protect the rights, safety, and property of Company or others (for example, when required to make disclosures in response to lawful requests by public authorities, such as to meet national security or law enforcement requirements).

• For an actual or contemplated business sale, merger, consolidation, change in control, transfer of substantial assets, or reorganization, or due diligence in anticipation of such an event (for example, if a company were to acquire Company, it may also acquire the personal data we hold).

• For other purposes requested or permitted by our customers or users.

For those purposes, we may share personal data with, for example:

• our affiliates;

• our customers;

• third parties that assist us, such as our partners, event providers, payment processors, marketing providers, testing providers, analytics providers, providers of technical services (e.g., providers of data storage, data backup, and CRM systems), and other subcontractors;

• joint marketing partners;

• security researchers;

• employers and others who seek verification of an individual’s claimed certification status;

• entities involved in dispute resolution (such as an arbitrator or an opposing party);

• entities involved in potential or actual significant corporate transactions or events (such as those described in the second-to-last item in the list of uses and disclosures above);

• governmental entities.

These uses and disclosures are also subject to our contractual obligations.

6. What is the legal basis that applies to our use of personal data?

The laws in some jurisdictions require data controllers to tell you about the legal grounds that allow them to use or disclose your personal data. Where those laws apply, our legal grounds are:

• Legitimate Business Interests: We handle personal data because it furthers the legitimate business interests of Company (or of our customers, business partners, or suppliers) in the activities we engage in to run our business and provide you with Services, including those listed below, and because that handling of data does not unduly impact your interests, rights, and freedoms:

o Providing cybersecurity and managing information technology assets;

o Protecting business activities, individuals, and property;

o Providing customer service;

o Marketing and advertising (including sending certain direct marketing);

o Analyzing and improving business activities;

o Managing risks and legal issues.

• To perform contractual commitments: Some of our handling of personal data is necessary to meet our contractual obligations to individuals, or to take steps at the person's request because we are planning to enter into a contract with that person or their company. For example, when we process an individual’s payment data for a training program, we are relying on this basis.

• Consent:

o If the law requires consent, and in some other cases, we handle personal data on the basis of consent. For example, we conduct some of our direct marketing on the basis of consent.

o If the law requires explicit consent, we use personal data on that basis.

o If the law allows, we may be able to infer consent from the circumstances.

• Legal compliance: We sometimes need to use and disclose personal data to comply with our legal obligations.

• Legal claims: Sometimes we use or disclose personal data because it is necessary to establish, exercise, or defend legal claims.

7. What Personal Data rights and choices (including direct marketing opt-out) are available?

We offer the options below for exercising your rights and choices about how we use your personal data. Many of these are subject to important limits or exceptions under applicable laws.

• You may review and update certain information by logging into the relevant Company websites or online services.

• The law of your jurisdiction (for example, within certain States such as California, or international locations such as the United Kingdom and European Economic Area) may give you additional rights to request access to, correction of, or deletion of certain personal data we store. In some cases, you may be entitled to receive a copy of the personal data you provided to us in portable form or to request that we share it with a third party. The law may also give you the right to request restrictions on the use of your personal data, to object to our use of your personal data, or to withdraw your consent to use your personal data (which will not affect the legality of any processing that happened before your request takes effect). Section 13 below explains how to make these requests.

o For example, people who live in the United Kingdom or European Economic Area (and certain other people) have the right to opt out of our use of personal data for direct marketing. They can exercise their rights to opt out, or to object to other processing, by contacting us as described below.

• Our marketing email messages, and certain other communications include instructions about how to unsubscribe, which you can use to limit or stop those communications. Opt-out processes may take some time to complete, but we will work to meet your request as quickly as possible. You cannot opt out of certain communications (such as account related or billing- related communications.)

• You can exercise opt-out rights, object, or withdraw consent in relation to our use of certain cookies and certain similar technologies as described in Section 7 below.

• For information about Californians’ privacy rights under California law, please see Section 11 below.

You may contact us with any concerns or complaints regarding our privacy practices, and you also may submit a complaint to the relevant governmental authority. For your protection, we will only implement requests with respect to personal data after we have verified your identity to our satisfaction, taking into consideration the nature of your request.

8. Does the personal data go to other countries?

We are a global company with corporate offices in Spain and in the United States. It is Company's policy to comply with legal requirements for protecting the movement of data across borders, including through the use of European Commission-approved Standard Contractual Clauses. Company affiliates and third parties with whom we share personal data as described in this Privacy Policy are located in the United States and elsewhere in the world, including countries where privacy laws may not provide as much protection as your country. Your personal information may be subject to disclosure to the governments, courts or law enforcement or regulatory agencies of these or other countries, pursuant to the laws of such countries.

9. Use of cookies and similar technology.

When accessing the Company website, Company and third-party partners of Company may collect certain information by automated means such as through the use of cookies, web beacons, JavaScript, mobile device functionality and similar computer code. Cookies are files that contain data, such as unique identifiers, that may be transferred to and from your device when you visit a web page. Company uses cookies for the following purposes:

• to recognize the devices,

• to improve your use of our website and services,

• for cybersecurity,

• to prevent fraud,

• to provide services, and

• for record-keeping, analytics, and marketing.

This information may include unique browser identifiers, IP address, browser and operating system information, device identifiers (such as the Apple IDFA or Android Advertising ID), geolocation, other device information, Internet connection information, as well as details about your interactions with our apps, websites, and emails (for example, the URL of the third-party website from which you came, the pages on our website that you visit, and the links you click on in our websites).

We and third parties may use these automated means to read or write information on your devices, such as in various types of cookies and other browser-based or plugin-based local storage (such as HTML5 storage or Flash-based storage), or to collect pieces of information that together may uniquely identify your device.

These technologies help us:

• Keep track of whether you are signed in or have previously signed in so that we can display all the features that are available to you.

• Remember your settings on the pages you visit so that we can display your preferred content the next time you visit.

• Display personalized content.

• Perform analytics, measure traffic and usage trends, and better understand the demographics of our users.

• Diagnose and fix technology problems.

• Plan for and enhance our business.

Also, in some cases, we assist with the collection of information by advertising services provided by third parties. The ad services may track your online activities over time by collecting information through automated means such as cookies, and they may use this information to show you ads that are tailored to your individual interests or characteristics and/or based on your prior visits to certain sites or apps, or other information we or they know, infer, or have collected from the users like you. For example, we and these services may use different types of cookies, other automated technology, and data to:

• Recognize users and their devices.

• Inform, optimize, and serve ads.

• Report on our ad impressions, other uses of ad services, and interactions with these ad impressions and ad services (including how they are related to visits to specific sites or apps).

More details about our use of Cookies and how you can opt out and manage cookies is found in The Company Cookie Policy Addendum.

By accessing the Company Cookie Policy Addendum You can launch a consent tool to adjust your preferences about how certain cookies and certain similar technologies are used on Company websites.

You should repeat the opt out process with each browser you use to visit those websites. This is the best way to control cookies on the sites that offer this option.

If you replace, change, or upgrade your browser, or delete your cookies, you may need to use these opt-out tools again.

Please visit your mobile device manufacturer's website (or the website for its operating system) for instructions on any additional privacy controls in your mobile operating system, such as privacy settings for device identifiers and geolocation. Please note, however, that we do not respond to browser-based privacy signals (such as do-not-track) at this time.

8. How long does Company store personal data?

We will retain personal data as long as necessary to fulfill the purposes outlined in this Privacy Policy unless the law requires us to keep it for a longer period of time. To provide security and business continuity for the activities described in this Policy, we make backups of certain data, which we may retain for longer than the original data.

9. How do we provide security for personal data that we handle and store?

Company takes the security of data seriously and although we cannot guarantee that data that we collect can be protected from all possible threats, Company has put in place physical, technical, and administrative safeguards to protect your data.

10. How do we handle information that is not personal data?

Our use and disclosure of non-personal data is not subject to this Policy, however, if you or your employer has entered into a contract or non-disclosure agreement with us, confidential non-personal data will always be protected from disclosure as provided for in the applicable agreements. If applicable law and our contractual obligations allow, we may aggregate or de-identify your personal data so that the information cannot be linked to you. Our standard terms and conditions contain typical confidentiality terms and may be viewed on our website here: https://www.Company.com/company-legal-agreements/

11. Your rights under the California Consumer Privacy Act.

The California Consumer Privacy Act ("CCPA") provides additional rights to residents of California regarding information collection and use practices.

11.1 Categories of personal information collected.

We identify below the categories of personal information that we have collected about our users in the last 12 months, using the categories provided in the CCPA:

• Identifiers

• Customer Records Information

• Commercial Information

• Internet or Other Electronic Network Activity Information

• Geolocation Data

• Professional or Employment-related Information

For more detail on the information we collect, including the sources we receive information from, please refer to our Information Collection Practices above. We collect and use these categories of personal information for the business purposes described in the Information Collection Practices section above.

11.2 Categories of personal information sold.

Company does not sell your personal information to any third party for monetary consideration. Under the CCPA, however, the term "sell" could include sharing of personal information with partners where Company may obtain a commercial benefit. This might include sharing of personal information with Company's implementation or reseller partners, for example. We identify below the categories of personal information that we have provided to our partners in the last 12 months, using the categories provided in the CCPA:

• Identifiers

• Customer Records Information

• Commercial Information

• Internet or Other Electronic Network Activity Information

• Geolocation Data

• Professional or Employment-related Information

11.3 Rights of California residents.

California residents are entitled to the following rights under the CCPA. To exercise any of the rights, please submit a request to the email address or call our toll-free number set forth in Section 13. In the request, please specify which right you are seeking to exercise and the scope of the request. We will confirm receipt of your request within 10 days. We may require specific information from you to help us verify your identity and process your request. If we are unable to verify your identity, we may deny your requests to know.

A. Right to Know. You have the right to know certain details about our data practices in the past 12 months. In particular, you may request the following from us:

• The categories of personal information we have collected about you;

• The categories of sources from which the personal information was collected;

• The categories of personal information about you we disclosed for a business purpose or sold;

• The categories of third parties to whom the personal information was disclosed for a business purpose or sold;

• The business or commercial purpose for collecting or selling the personal information; and

• The specific pieces of personal information we have collected about you.

B. Right to Delete. You have the right to request that we delete the personal information we have collected from you in the last 12 months. We may require specific information from you to

help us verify your identity and process your request. If we are unable to verify your identity, we may deny your request to delete. If we deny your request, we will explain the reason why in our response.

C. Right to Opt-Out. You have the right to tell us not to sell your information at any time. If you are a California resident and we know you are under 16 years of age, we will not sell your personal information unless (i) you are 13 years of age or more and have provided opt-in consent and confirmed that choice, or (ii) you are under 13 years of age and your parent or guardian has provided affirmative authorization of that sale.

D. Right to Non-discrimination. You have the right not to receive discriminatory treatment by us for exercising any of your rights.

E. Authorized Agent. You can designate an authorized agent to submit requests on your behalf. However, we will require written proof of the agent's permission to do so and verify your identity directly.

12. Changes to the Privacy Policy.

In the event of changes in the law, our data handling practices or for other reasons, Company reserves the right to update and change this Policy at any time, by updating and publishing the revised Privacy Policy on patterns.app.

13. How to contact us.

If you have any questions or wish to exercise your rights under the GDPR, the CCPA, or other applicable privacy laws, you may send notice by email to Company at notices@patterns.app.

You may also send a written notice to us at one of the following addresses:

2181 Greenwich St, San Francisco, CA 94123

Patterns Data Systems, Inc.