Privacy Policy
1. Introduction and Overview
Welcome to qalitAI. qalitAI LLC ("qalitAI," "we," "us," or "our") is a financial technology company that develops and provides financial behavioral insights and profiles for individuals ("consumers") and small-to-medium-sized businesses ("SMBs") (collectively, "you" or "users"). qalitAI operates as a Consumer Reporting Agency ("CRA") as defined under the Fair Credit Reporting Act ("FCRA"), 15 U.S.C. § 1681 et seq., and is subject to the regulatory requirements applicable to CRAs, including requirements related to the accuracy, fairness, and privacy of consumer financial information.
This Privacy Policy ("Policy") describes how qalitAI collects, processes, uses, protects, and handles information in connection with the services we provide. It also describes the rights you have with respect to your data and how you may exercise those rights.
qalitAI is committed to the responsible, ethical, and privacy-preserving use of financial data. Our services are designed from the ground up to minimize the collection of personal information, eliminate the use of biased data inputs, and produce financial behavioral insights in a manner that respects the dignity, privacy, and autonomy of every individual and business we serve.
2. Our Privacy Vision and Core Principles
qalitAI was founded on the belief that financial technology can and should operate in a manner that is transparent, fair, and deeply respectful of individual privacy. qalitAI believes that financial data should benefit the data owner first and foremost. The following core principles guide every aspect of our data practices:
2.1 Privacy by Design
qalitAI incorporates privacy protections at the architectural level of our technology. We do not treat privacy as an afterthought or a compliance obligation—it is a foundational design requirement. Our systems are engineered to minimize data exposure, eliminate unnecessary data retention, and produce actionable financial insights without reliance on personally identifiable information.
2.2 No Personally Identifiable Information
qalitAI does not seek, request, receive, store, or process Personally Identifiable Information ("PII"). PII includes, but is not limited to, names, addresses, Social Security numbers, Tax Identification Numbers, dates of birth, email addresses, phone numbers, government-issued identification numbers, and any other information that could directly or indirectly identify a specific individual or business. qalitAI's service architecture is specifically designed to ensure that PII is neither transmitted to qalitAI nor required for the production of financial behavioral insights.
2.3 Minimal Data Footprint
qalitAI maintains the smallest possible data footprint. Transaction data is processed in-memory, used only for the duration necessary to produce insights and profiles, and then immediately flushed from memory. qalitAI does not store raw transaction data in any database or on any server it operates or controls.
2.4 Anti-Bias and Non-Discrimination
qalitAI is committed to fairness and the elimination of bias in financial analysis. We do not receive, use, or incorporate any information related to gender, sexual orientation, disability or ability status, ethnicity, socioeconomic status, age, religion, race, national origin, marital status, or any other protected characteristic. Our insights and profiles are based exclusively on financial behavioral data and derived metrics, not on demographic or identity-based attributes.
2.5 Transparency and Consumer Empowerment
qalitAI believes that individuals and businesses have the right to understand how their financial data is being used and to exercise meaningful control over that use. We are committed to providing clear, accessible information about our practices and to honoring all legally recognized rights related to data access, correction, and deletion.
2.6 Ethical Use of Financial Data
qalitAI only analyzes financial data that has been expressly authorized by the individual or business to whom it belongs. We do not access, process, or analyze any data beyond the scope of the specific authorization granted by the user.
3. Information We Receive and Do Not Receive
3.1 What qalitAI Receives
When you authorize qalitAI's services through our data aggregator partners, qalitAI receives anonymized, de-identified financial transaction data derived from the following types of accounts:
- Checking accounts
- Savings accounts
- Spending accounts (including prepaid and debit accounts)
- Credit card accounts
This data typically covers a rolling period of up to twenty-four (24) months of transaction history. The data qalitAI receives has been anonymized by our data aggregator partners prior to transmission to qalitAI and does not contain PII.
The types of financial data elements that may be included in the anonymized transaction data received by qalitAI include, but are not limited to:
- Transaction amounts
- Transaction types (debits or credits)
- Transaction dates and times
- Transaction categories or merchant category codes
- Transaction descriptions
- Account balance information at the time of transaction
- Account type indicators
All such data is received by qalitAI in anonymized form, associated only with a universally unique identifier ("UUID") assigned at the time of processing by the data aggregator. The UUID is not traceable back to any specific individual or business by qalitAI.
3.2 What qalitAI Does Not Receive
qalitAI explicitly does not receive, and has designed its systems to prevent the receipt of, the following categories of information:
- Personally Identifiable Information: Names, addresses, Social Security numbers, Tax Identification Numbers, dates of birth, email addresses, phone numbers, government-issued identification numbers, or any other information that could directly identify an individual or business.
- Authentication Credentials: Login usernames, passwords, PINs, security questions and answers, multi-factor authentication ("MFA") codes, one-time passwords, biometric authentication data, or any other credential used to access financial accounts. Such credentials are entered by users exclusively within the secure environment of our data aggregator partners and are never transmitted to or seen by qalitAI.
- Credit History or Credit Scores: qalitAI does not receive, access, or use any credit bureau data, traditional credit scores (including but not limited to FICO scores, VantageScore, or any other commercially available credit score), credit reports, or any other information derived from traditional credit reporting systems in connection with the production of its financial behavioral insights and profiles.
- Protected Characteristic Information: qalitAI does not receive any information related to gender, sexual orientation, disability or ability status, ethnicity, socioeconomic status, age, religion, race, national origin, marital status, or any other characteristic protected under applicable federal or state law.
- Cookies, Device Identifiers, or Browsing Data: qalitAI does not receive or use cookies, device fingerprints, IP addresses, browsing history, or any other data associated with a user's online activity outside of the specific data aggregation session.
3.3 Information You Provide Directly
If you contact qalitAI directly—for example, to exercise your rights under applicable law, to request information about your profile, or to submit a complaint—we may collect the contact information you provide solely for the purpose of responding to your inquiry. Such information is used only for the specific purpose for which it was provided and is not integrated into your financial behavioral profile.
4. How We Process Data
4.1 In-Memory Processing
qalitAI processes all transaction data exclusively in-memory. This means that when anonymized transaction data is transmitted to qalitAI's processing environment for the purpose of generating financial behavioral insights and profiles, the data exists only in volatile memory (RAM) for the duration of the processing operation. Once the insights and profile have been generated, the transaction data is immediately and permanently flushed from memory.
4.2 What Is Retained
Upon completion of in-memory processing, qalitAI retains only the following:
- Derived metrics, statistics, and quantifiable conclusions that constitute the financial behavioral insights and profile associated with a given UUID. These derived outputs do not contain raw transaction data and are not, on their own, traceable back to any specific individual or business.
- The UUID assigned to the processed data set, which serves as the sole identifier for the resulting profile within qalitAI's systems.
4.3 UUID Assignment and Anonymity
Each data processing event is associated with a UUID generated at the time of processing. The UUID is a randomly generated, non-sequential identifier that contains no information derived from or related to the identity of the individual or business. qalitAI uses UUIDs as the exclusive means of referencing profiles within its systems. qalitAI does not maintain any mapping, lookup table, or other mechanism that would allow it to independently connect a UUID to a specific individual or business.
The ability to connect a UUID to a specific individual or business, if at all possible, resides exclusively with the data aggregator and depends on the current status of the aggregator's cryptographic salting and key management practices, as further described in Section 12.
4.4 No Cross-Session Tracking
qalitAI's data processing is designed as a discrete, transactional operation. qalitAI does not track user activity across sessions, link multiple processing events to the same individual over time through any independent mechanism, or build longitudinal behavioral profiles beyond what is derived from the single authorized data set provided for a given processing event.
5. Data Anonymization and De-Identification
5.1 Anonymization by Data Aggregators
All transaction data processed by qalitAI has been anonymized by our data aggregator partners prior to being made available to qalitAI. Our data aggregator partners employ industry-standard anonymization techniques, including cryptographic salting and hashing, to remove or obfuscate PII from the data before it is transmitted to qalitAI.
qalitAI contractually requires its data aggregator partners to:
- Remove all PII from transaction data prior to transmission to qalitAI;
- Apply cryptographic anonymization techniques that prevent the re-identification of individuals or businesses from the data provided to qalitAI;
- Manage and periodically destroy cryptographic salts used in the anonymization process, further reducing the possibility of re-identification over time;
- Comply with all applicable federal and state privacy laws in connection with the collection, anonymization, and transmission of financial data.
5.2 Derived Metrics and Non-Traceability
The financial behavioral insights and profiles produced by qalitAI consist exclusively of derived metrics, statistical analyses, behavioral indicators, and other quantifiable conclusions drawn from the anonymized transaction data. These derived outputs are designed and tested to ensure that they are not, individually or in combination, traceable back to any specific individual or business. qalitAI applies rigorous technical and methodological standards to prevent the re-identification of individuals or businesses through its output data.
6. How We Use Information
qalitAI uses the anonymized transaction data it receives solely for the following purposes:
6.1 Production of Financial Behavioral Insights and Profiles
The primary purpose for which qalitAI processes anonymized transaction data is the generation of financial behavioral insights and profiles. These insights and profiles are designed to provide an alternative, non-discriminatory, and comprehensive assessment of the financial behavior of individuals and businesses, which may be used as an alternative or supplement to traditional credit scoring methods for purposes such as:
- Lending and credit underwriting decisions
- Tenant screening (where permitted by law)
- Insurance underwriting (where permitted by law)
- Financial planning and advisory services
- Other permissible purposes under applicable law
6.2 Service Improvement and Model Development
qalitAI may use aggregated, anonymized derived metrics and statistical outputs for the purpose of improving its analytical models, algorithms, and services. Such use involves only the derived outputs (not raw transaction data) and is conducted in a manner that does not identify or re-identify any individual or business.
6.3 Legal Compliance and Regulatory Obligations
qalitAI may use information as necessary to comply with applicable laws, regulations, legal processes, and governmental requests, including obligations arising under the FCRA, GLBA, and applicable state privacy laws.
6.4 No Sale of Data
qalitAI does not sell, rent, lease, or otherwise transfer any data—including derived metrics, profiles, or UUID-associated records—to third parties for commercial purposes unrelated to the provision of qalitAI's services. The term "sell" as used in this Policy is consistent with the definition provided under applicable state privacy laws, including the California Consumer Privacy Act ("CCPA").
7. Data Aggregators and Third-Party Partners
7.1 Role of Data Aggregators
qalitAI contracts with one or more data aggregators to facilitate authorized access to financial account data on behalf of users. Data aggregators act as intermediaries between users' financial institutions and qalitAI, collecting and anonymizing transaction data pursuant to the user's express authorization.
7.2 What Data Aggregators Do
Our data aggregator partners are responsible for:
- Facilitating the user's authorization of data access through a secure, browser-based interface;
- Collecting transaction data from authorized financial accounts;
- Anonymizing transaction data by removing PII and applying cryptographic techniques prior to transmission to qalitAI;
- Managing user authentication credentials and MFA information exclusively within their own secure systems, without transmitting such information to qalitAI;
- Maintaining cryptographic salts used in the anonymization process and periodically destroying such salts in accordance with their data management practices;
- Complying with applicable federal and state privacy laws.
7.3 qalitAI Never Sees Credentials
At no point does qalitAI receive, view, store, or process any login credentials, passwords, PINs, MFA codes, or other authentication information entered by a user in connection with authorizing access to their financial accounts. This information is entered by the user directly within the data aggregator's secure interface and is managed exclusively by the data aggregator. qalitAI has no technical capability to access or retrieve this information.
7.4 OAuth Authentication
qalitAI's data aggregator partners employ OAuth (Open Authorization), an industry-standard open protocol for secure authorization, as the authentication method for accessing banking and spending accounts where supported by the financial institution. OAuth enables users to grant qalitAI's aggregator partners access to their account data without sharing their account credentials, providing an additional layer of security and privacy.
7.5 Aggregator Data Practices
Users should be aware that data aggregators maintain their own privacy policies and data practices, which govern the aggregator's collection, use, and retention of user data independently of this Policy. qalitAI encourages users to review the privacy policies of any data aggregator involved in the processing of their data. qalitAI's contractual requirements for its aggregator partners are described in Section 5.1 and Section 7.2 above.
8. Authentication and Credential Security
8.1 No Credential Exposure to qalitAI
As described in Section 7.3, qalitAI is never exposed to any user authentication credentials or MFA information. The data aggregation process is designed so that users interact exclusively with the aggregator's secure interface when entering credentials, and qalitAI receives only the anonymized output of the data collection process.
8.2 Browser-Based Process
The data aggregation process through which users authorize access to their financial accounts is browser-based. qalitAI's role in this process is limited to initiating the authorization request and receiving the anonymized transaction data output. qalitAI does not operate or control the browser-based interface through which users authenticate with their financial institutions.
9. Consumer Reporting Agency Disclosures
9.1 qalitAI as a Consumer Reporting Agency
qalitAI operates as a Consumer Reporting Agency as defined under the Fair Credit Reporting Act, 15 U.S.C. § 1681a(f). As a CRA, qalitAI is subject to the requirements of the FCRA with respect to the accuracy, fairness, privacy, and appropriate use of consumer financial information.
9.2 Your Right to Access Your Profile
As a CRA, qalitAI is committed to providing individuals and businesses with access to the financial behavioral insights and profile results associated with their data upon request. You have the right to request a copy of the insights and profile that qalitAI has produced in connection with your authorized data. To make such a request, please contact us using the information provided in Section 21.
9.3 FCRA Rights
Under the FCRA, consumers have certain rights with respect to information maintained by consumer reporting agencies, including:
- The right to know what is in your file. You may request and obtain all information qalitAI has on file about you (to the extent that qalitAI is able to identify records associated with you, subject to the limitations described in Section 12).
- The right to request a credit score. Where applicable and available, you may request the credit score or financial behavioral score associated with your profile.
- The right to dispute incomplete or inaccurate information. If you believe that any information in your profile is incomplete or inaccurate, you have the right to dispute it. qalitAI will investigate disputes and correct or delete inaccurate information as required by law.
- Consumer reporting agencies must correct or delete inaccurate, incomplete, or unverifiable information. Inaccurate, incomplete, or unverifiable information must be removed or corrected, usually within 30 days.
- The right to opt out of certain uses of your information. You have the right to opt out of the use of your financial behavioral profile for certain purposes, as described in Section 10.
A full summary of your FCRA rights is available at www.consumerfinance.gov/learnmore or by contacting us directly.
9.4 Permissible Purposes
qalitAI provides financial behavioral insights and profiles only to parties with a permissible purpose as defined under the FCRA, 15 U.S.C. § 1681b. This includes, but is not limited to, creditors, insurers, employers (where permitted), landlords (where permitted), and other parties with a legitimate need for the information in connection with a business transaction initiated by the consumer or business.
10. Authorization, Permissioned Data, and Opt-Out Rights
10.1 Express Authorization Required
qalitAI processes transaction data only when the individual or business to whom the data belongs has expressly authorized such processing. Authorization is obtained through the data aggregator's secure interface at the time the user initiates the process of generating financial behavioral insights. qalitAI does not process any data beyond the scope of the specific authorization granted.
10.2 Permissioned Data
All data processed by qalitAI is "permissioned data"—data that the user has specifically authorized qalitAI and its aggregator partners to access and process. The scope of the authorization is defined at the time of the user's consent and is limited to the categories of accounts and the time period specified in the authorization.
10.3 Opt-Out Rights
You have the right to opt out of the processing of your transaction data by qalitAI at any time. If you opt out, qalitAI will not process your transaction data for the purpose of generating financial behavioral insights and profiles.
To opt out, please contact us using the information provided in Section 21.
10.4 Scope of Analysis
qalitAI analyzes only the categories of accounts and the time period for which you have granted authorization. qalitAI does not access, analyze, or incorporate data from any account or time period not covered by your authorization.
11. Cookies, Trackers, and Online Activity
11.1 No Cookies or Trackers
Because qalitAI's relationship with users is limited to a discrete, transactional data processing event, qalitAI does not use cookies, web beacons, pixel tags, device fingerprinting, session tracking, or any other technology to track user activity online, whether during or after the data aggregation process.
11.2 No Association of Online Activity
qalitAI does not associate any user's online activities, browsing history, or digital footprint with the process of producing financial behavioral insights and profiles. The absence of cookies and trackers is a deliberate design choice intended to preserve user privacy and to ensure that the production of financial behavioral insights is based exclusively on authorized financial transaction data, not on inferences drawn from online behavior.
11.3 Third-Party Websites
This Policy applies only to qalitAI's services and does not govern the practices of any third-party websites, platforms, or services that may be linked to or from qalitAI's website or services. qalitAI is not responsible for the privacy practices of third parties and encourages users to review the privacy policies of any third-party services they use.
12. Data Retention and Deletion
12.1 Retention of Transaction Data
12.2 Retention of Derived Outputs
qalitAI retains the derived metrics, statistics, and financial behavioral insights and profiles associated with each processed data set, referenced by UUID, for the period necessary to fulfill the purposes described in this Policy and to comply with applicable legal obligations. The retention period for derived outputs may vary depending on the nature of the service provided and applicable legal requirements.
12.3 Your Right to Request Deletion
You have the right to request the deletion and removal of data associated with you from qalitAI's systems. To submit a deletion request, please contact us using the information provided in Section 21.
12.4 Deletion Process and Limitations
qalitAI's ability to fulfill a deletion request depends in part on the current status of the data aggregator's cryptographic salt management practices:
(a) Where the Data Aggregator Has Already Destroyed Its Salt: Our data aggregator partners periodically destroy the cryptographic salts used to anonymize transaction data. Once a salt has been destroyed, it is typically no longer possible for either the data aggregator or qalitAI to connect a UUID or derived profile to any specific individual or business. In this circumstance, qalitAI will make reasonable and good-faith efforts to identify and delete any data that may be connected to your deletion request. However, qalitAI cannot guarantee that it will be able to identify all data associated with you after a salt destruction event.
(b) Where the Data Aggregator Has Not Yet Destroyed Its Salt: If the data aggregator has not yet completed a salt destruction cycle since your data was processed, it may be possible, through the data aggregator's systems, to connect a UUID and associated derived profile to your identity. In this case, upon receipt of a verified deletion request, qalitAI will work with the data aggregator to identify the UUID(s) and associated derived data connected to your identity and will delete and remove all such data from qalitAI's systems to the extent technically feasible.
12.5 Verification of Deletion Requests
To protect user privacy and prevent unauthorized deletion of data, qalitAI may require you to provide sufficient information to verify your identity and your connection to the data subject to the deletion request. The information you provide for verification purposes will be used solely for the purpose of processing your deletion request and will not be used for any other purpose.
12.6 Legal Retention Obligations
Notwithstanding the above, qalitAI may be required to retain certain information for periods specified by applicable law, regulation, or legal process, including obligations arising under the FCRA, GLBA, and applicable state laws. In such cases, qalitAI will retain only the minimum information required to satisfy its legal obligations and will delete such information promptly upon the expiration of the applicable retention period.
13. Data Sharing and Disclosure
13.1 No Sale of Data
qalitAI does not sell, rent, lease, or otherwise transfer user data or derived profiles to any third party for commercial purposes. For purposes of applicable state privacy laws, including the CCPA, qalitAI does not "sell" or "share" personal information as those terms are defined in such laws.
13.2 Sharing of Financial Behavioral Insights and Profiles
qalitAI may share the financial behavioral insights and profiles it produces with the following parties, subject to applicable law and the user's authorization:
- Parties with a Permissible Purpose under the FCRA: qalitAI may provide financial behavioral insights and profiles to creditors, lenders, insurers, landlords, employers, and other parties with a permissible purpose as defined under the FCRA, 15 U.S.C. § 1681b, in connection with a transaction initiated or authorized by the individual or business.
- The Individual or Business: qalitAI will share profile results and determinations with the individual or business to whom the profile pertains upon request, as described in Section 9.2.
13.3 Data Aggregators
The only other party with access to the anonymized transaction data used by qalitAI is the data aggregator that collected and anonymized the data prior to making it available to qalitAI. qalitAI does not share transaction data with any other third party, and, as described in Section 4.1, transaction data is not retained by qalitAI after processing.
13.4 Legal Disclosures
qalitAI may disclose information as required by applicable law, regulation, or legal process, including in response to a valid subpoena, court order, or governmental request. qalitAI will, where permitted by law, provide notice to affected users prior to making such disclosures. It is understood that qalitAI is generally not able to associate data with users. Where possible, however, notice will be provided as stated above.
13.5 Business Transfers
In the event of a merger, acquisition, sale of assets, or other business transaction involving qalitAI, user data and derived profiles may be transferred to the acquiring entity, subject to the same protections described in this Policy. Though it is not typically possible to associate data with users, qalitAI will either (1) provide notice to users, or (2) provide public notice on qalitAI's website prior to any such transfer and will require the acquiring entity to honor the commitments made in this Policy.
13.6 Aggregated and Anonymized Data
qalitAI may share aggregated, anonymized statistical data and derived metrics that do not identify any individual or business for purposes such as research, industry reporting, product development, and service improvement. Such aggregated data does not constitute "personal information" under applicable privacy laws.
14. Security
14.1 Security Measures
qalitAI employs industry-standard technical, administrative, and physical security measures designed to protect the confidentiality, integrity, and availability of the data it processes and retains. These measures include, but are not limited to:
- Encryption of data in transit using industry-standard protocols (e.g., TLS 1.2 or higher);
- Encryption of data at rest for all retained derived outputs;
- Access controls and authentication requirements for qalitAI personnel and systems;
- Regular security assessments, penetration testing, and vulnerability management;
- Incident response and breach notification procedures;
- Employee training on data privacy and security practices.
14.2 Minimization as a Security Measure
qalitAI's practice of processing transaction data exclusively in-memory and immediately flushing such data upon completion of processing is itself a significant security measure. By not retaining raw transaction data, qalitAI eliminates the risk of a data breach involving transaction data.
14.3 Breach Notification
In the event of a security incident that results in the unauthorized access, use, or disclosure of user data, qalitAI will comply with all applicable breach notification requirements under federal and state law, including the requirements of the GLBA, FCRA, and applicable state data breach notification statutes. qalitAI will notify affected users and relevant regulatory authorities in accordance with applicable legal requirements.
14.4 No Guarantee
While qalitAI takes data security seriously and employs reasonable measures to protect user data, no security system is impenetrable. qalitAI cannot guarantee the absolute security of information processed or retained in connection with its services.
15. Your Rights and Choices
15.1 General Rights
Subject to applicable law and the limitations described in this Policy, you have the following rights with respect to your data:
- Right to Access: You have the right to request information about the financial behavioral insights and profile that qalitAI has produced in connection with your authorized data.
- Right to Correction: You have the right to request the correction of inaccurate or incomplete information in your profile.
- Right to Deletion: You have the right to request the deletion of your profile and associated data, subject to the limitations described in Section 12.
- Right to Opt Out: You have the right to opt out of the processing of your transaction data, as described in Section 10.3.
- Right to Know: You have the right to know what categories of data qalitAI processes and the purposes for which it is processed.
- Right to Non-Discrimination: qalitAI will not discriminate against you for exercising your privacy rights.
15.2 How to Exercise Your Rights
To exercise any of the rights described in this Section, please contact qalitAI using the information provided in Section 21. We will respond to your request in accordance with applicable law and within the timeframes required by such law.
15.3 Authorized Agents
You may designate an authorized agent to submit requests on your behalf. qalitAI may require verification of the agent's authority and your identity before processing requests submitted by authorized agents.
16. State-Specific Privacy Rights
16.1 California Residents — CCPA and CPRA
If you are a California resident, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA"), provides you with specific rights regarding your personal information.
As described throughout this Policy, qalitAI is designed to avoid the collection of personal information as defined under the CCPA/CPRA. To the extent that any information processed or retained by qalitAI constitutes "personal information" under the CCPA/CPRA, the following categories may apply: Commercial information (derived financial behavioral metrics and profile outputs, referenced by UUID).
Your CCPA/CPRA rights include:
- Right to Know: You have the right to request information about the categories and specific pieces of personal information qalitAI has collected about you, the sources of that information, the purposes for collection, and the categories of third parties with whom it is shared.
- Right to Delete: You have the right to request deletion of personal information qalitAI has collected about you, subject to certain exceptions and the limitations described in Section 12.
- Right to Correct: You have the right to request correction of inaccurate personal information.
- Right to Opt Out of Sale or Sharing: qalitAI does not sell or share personal information as defined under the CCPA/CPRA. You therefore need not submit an opt-out request, but you may contact us if you have concerns.
- Right to Limit Use of Sensitive Personal Information: qalitAI does not collect sensitive personal information as defined under the CPRA.
- Right to Non-Discrimination: qalitAI will not discriminate against you for exercising your CCPA/CPRA rights.
To submit a CCPA/CPRA request, please contact us using the information in Section 21. We will respond to verified requests within 45 days, with an extension of up to an additional 45 days where reasonably necessary.
Shine the Light Law (California Civil Code § 1798.83): California residents may request information about qalitAI's disclosure of personal information to third parties for direct marketing purposes. qalitAI does not disclose personal information to third parties for direct marketing purposes.
16.2 Vermont Residents
Vermont's data broker law, 9 V.S.A. § 2430 et seq., imposes certain requirements on data brokers that collect and sell personal information about Vermont residents. To the extent qalitAI's activities are subject to Vermont's data broker law, qalitAI complies with the registration, disclosure, and opt-out requirements of that law. Vermont residents may contact us using the information in Section 21 to exercise their rights under Vermont law.
16.3 Nevada Residents
Nevada Revised Statutes Chapter 603A provides Nevada residents with the right to opt out of the sale of covered information. qalitAI does not sell covered information as defined under Nevada law. Nevada residents may contact us at privacy@qalitai.com to submit an opt-out request or to ask questions about our data practices.
16.4 Virginia Residents — CDPA
Virginia residents have rights under the Virginia Consumer Data Protection Act, Va. Code Ann. § 59.1-575 et seq. ("CDPA"), including the right to access, correct, delete, and obtain a copy of personal data, and the right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. Virginia residents may submit requests by contacting us using the information in Section 21. We will respond within 45 days, with an extension of up to an additional 45 days where reasonably necessary.
16.5 Colorado Residents — CPA
Colorado residents have rights under the Colorado Privacy Act, C.R.S. § 6-1-1301 et seq. ("CPA"), including the right to access, correct, delete, and obtain a copy of personal data, and the right to opt out of the processing of personal data for targeted advertising, sale, or profiling for decisions with legal or significant effects. Colorado residents may submit requests by contacting us using the information in Section 21.
16.6 Connecticut Residents — CTDPA
Connecticut residents have rights under the Connecticut Data Privacy Act, Conn. Gen. Stat. § 42-515 et seq. ("CTDPA"), including the right to access, correct, delete, and obtain a copy of personal data, and the right to opt out of targeted advertising, sale of personal data, or profiling for decisions with legal or significant effects. Connecticut residents may submit requests by contacting us using the information in Section 21.
16.7 Texas Residents — TDPSA
Texas residents have rights under the Texas Data Privacy and Security Act ("TDPSA"), including rights of access, correction, deletion, portability, and the right to opt out of targeted advertising, sale of personal data, and profiling for consequential decisions. Texas residents may submit requests by contacting us using the information in Section 21.
16.8 Other State Privacy Laws
qalitAI monitors the enactment and implementation of state privacy laws across all U.S. jurisdictions and is committed to complying with applicable privacy laws in every state in which it operates. If you are a resident of a state with a comprehensive privacy law not specifically addressed in this Policy, you may still have rights with respect to your personal information under applicable law. Please contact us using the information in Section 21 to inquire about your rights.
17.International Users and GDPR Compliance
17.1 International Operations
As of the date of this document, qalitAI's services are directed at users in the United States. However, to the extent that qalitAI processes data relating to individuals located in the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland, the following provisions apply.
17.2 General Data Protection Regulation (GDPR)
For individuals located in the EEA, the processing of personal data is governed by the General Data Protection Regulation (EU) 2016/679 ("GDPR"). qalitAI is committed to complying with the GDPR to the extent applicable to its operations.
Legal Basis for Processing:
- Consent: Where you have expressly authorized qalitAI to process your financial data, as described in Section 10.
- Legitimate Interests: Where processing is necessary for qalitAI's legitimate interests in providing financial behavioral insights and profiles, provided that such interests are not overridden by your interests or fundamental rights and freedoms.
- Legal Obligation: Where processing is necessary to comply with applicable law.
Your GDPR Rights:
- Right of Access (Article 15): You have the right to obtain confirmation of whether qalitAI processes your personal data and, if so, to access that data and receive information about how it is processed.
- Right to Rectification (Article 16): You have the right to request the correction of inaccurate personal data.
- Right to Erasure ("Right to Be Forgotten") (Article 17): You have the right to request the deletion of your personal data, subject to the limitations described in Section 12 and applicable legal exceptions.
- Right to Restriction of Processing (Article 18): You have the right to request that qalitAI restrict the processing of your personal data in certain circumstances.
- Right to Data Portability (Article 20): You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit that data to another controller.
- Right to Object (Article 21): You have the right to object to the processing of your personal data based on qalitAI's legitimate interests.
- Rights Related to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similarly significant effects. Where qalitAI's financial behavioral profiles are used in connection with such decisions, you have the right to request human review.
Data Transfers: To the extent that qalitAI transfers personal data from the EEA to the United States, qalitAI will implement appropriate safeguards as required by GDPR Chapter V, including Standard Contractual Clauses approved by the European Commission.
Data Protection Officer: qalitAI has designated a Data Protection Officer ("DPO") to oversee compliance with applicable data protection laws. The DPO may be contacted at privacy@qalitai.com.
Supervisory Authority: If you are located in the EEA and have concerns about qalitAI's data practices that are not resolved to your satisfaction, you have the right to lodge a complaint with the supervisory authority in your country of residence.
17.3 United Kingdom
To the extent that qalitAI processes personal data of UK residents, qalitAI complies with the UK GDPR and the Data Protection Act 2018. UK residents have rights equivalent to those described in Section 17.2 and may contact the UK Information Commissioner's Office ("ICO") with concerns.
18.Federal Regulatory Compliance (GLBA, FCRA, and Related Laws)
18.1 Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq. ("GLBA"), requires financial institutions to explain their information-sharing practices and to protect sensitive consumer financial information. To the extent qalitAI qualifies as a "financial institution" under the GLBA, qalitAI complies with the GLBA's privacy and safeguards requirements, including the Federal Trade Commission's ("FTC") Safeguards Rule, 16 C.F.R. Part 314.
Under the GLBA, qalitAI is required to provide you with notice of its privacy practices. This Policy serves as qalitAI's GLBA privacy notice. qalitAI does not share nonpublic personal information ("NPI") with nonaffiliated third parties for marketing purposes, and qalitAI does not engage in practices that would require it to offer a GLBA opt-out beyond what is described in this Policy.
18.2 Fair Credit Reporting Act (FCRA)
As described in Section 9, qalitAI operates as a Consumer Reporting Agency under the FCRA, 15 U.S.C. § 1681 et seq. qalitAI complies with all FCRA requirements applicable to CRAs, including requirements related to:
- The accuracy and integrity of consumer report information;
- Permissible purposes for the disclosure of consumer reports;
- Consumer rights to access, dispute, and correct information in consumer reports;
- Adverse action notice requirements;
- Identity theft protections;
- Disposal of consumer report information.
18.3 Equal Credit Opportunity Act (ECOA) and Fair Housing Act (FHA)
qalitAI is committed to compliance with the Equal Credit Opportunity Act, 15 U.S.C. § 1691 et seq. ("ECOA"), and the Fair Housing Act, 42 U.S.C. § 3601 et seq. ("FHA"), which prohibit discrimination in credit and housing transactions on the basis of race, color, religion, national origin, sex, marital status, age, familial status, disability, and other protected characteristics. qalitAI's design principles, including the exclusion of protected characteristic data from its analytical processes, are intended to support compliance with ECOA, FHA, and analogous state fair lending and fair housing laws.
18.4 Consumer Financial Protection Bureau (CFPB)
qalitAI is subject to the supervisory and enforcement authority of the Consumer Financial Protection Bureau ("CFPB") with respect to certain aspects of its operations. qalitAI cooperates with CFPB examinations and inquiries and maintains compliance with CFPB regulations and guidance applicable to its activities.
18.5 Federal Trade Commission Act (FTC Act)
qalitAI is subject to the jurisdiction of the Federal Trade Commission ("FTC") with respect to unfair or deceptive acts or practices. qalitAI is committed to truthful, transparent, and non-deceptive communications about its data practices and the nature of its services.
19.Children's Privacy
qalitAI's services are not directed to individuals under the age of 18, and qalitAI does not knowingly collect or process data relating to individuals under the age of 18. If qalitAI becomes aware that it has received data relating to an individual under the age of 18, it will take prompt steps to delete such data. If you believe that qalitAI may have received data relating to a minor, please contact us using the information provided in Section 21.
20.Changes to This Privacy Policy
qalitAI reserves the right to update or modify this Privacy Policy at any time. When we make material changes to this Policy, we will notify you by posting the updated Policy on our website and updating the "Last Updated" date at the top of this Policy. Where required by applicable law, we will provide additional notice of material changes, such as by email or in-product notification.
Your continued use of qalitAI's services after the effective date of any updated Policy constitutes your acceptance of the updated Policy. If you do not agree with the updated Policy, you should discontinue your use of qalitAI's services and contact us to exercise your rights as described herein.
We encourage you to review this Policy periodically to stay informed about our data practices.
21.Contact Us
If you have questions, concerns, or requests related to this Privacy Policy or qalitAI's data practices, or if you wish to exercise any of the rights described in this Policy, please contact us using the following information:
Mapleton, UT 84664
We will respond to all inquiries and requests in accordance with applicable law and within the timeframes required by such law.
A.Appendix A: Summary of Key Privacy Commitments
For ease of reference, the following is a summary of qalitAI's core privacy commitments:
| Commitment | Description |
|---|---|
| No PII | qalitAI does not receive, store, or process Personally Identifiable Information |
| No Transaction Data Storage | Transaction data is processed in-memory and flushed immediately after processing |
| No Credentials | qalitAI never sees, handles, or stores user login credentials or MFA information |
| No Credit Scores | qalitAI does not use credit history or credit scores in its analysis |
| No Protected Characteristics | qalitAI does not receive or use data related to race, gender, age, religion, or other protected characteristics |
| UUID-Based Tracking | Users are tracked only by randomly assigned UUIDs not traceable to any individual |
| Pre-Anonymized Data | All data is anonymized by the data aggregator before reaching qalitAI |
| No Cookies or Trackers | qalitAI does not use cookies, web beacons, or any online tracking technology |
| No Data Sale | qalitAI does not sell or share user data for commercial purposes |
| Consumer Rights | qalitAI honors all applicable data access, correction, deletion, and opt-out rights |
| CRA Transparency | As a CRA, qalitAI shares profile results with individuals and businesses upon request |
| OAuth Authentication | Data aggregators use OAuth for secure, credential-free account access |
| Anti-Bias Design | qalitAI's analytical methodology is designed to eliminate bias and support fair lending compliance |