Privacy Policy

1.1 What This Policy Covers

This Privacy Policy applies to our website, www.firmfirst.com (the "Website"), regardless of how you access it. This Privacy Policy also applies when you, or another party, uses our client intake automation, identity verification, screening, and other similar information services (collectively, the "Services"). Our Services may involve certain personal information, whether processed online or offline. "Personal information" means any information that identifies you, such as your first and last name, home or business address, email address, and phone number.

1.2 Whom This Policy Covers

The information we collect depends on the type of relationship you have with us. We intend to collect personal information only from those with the following relationships with us:

• "Verification Subjects," which are individuals or entities on whom FirmFirst received information in connection with your or a Customer's use of the Website or Services. Verification Subjects may include prospective clients of our Customers whose information is submitted through intake forms, verification workflows, or other data collection mechanisms operated by our Customers. Verification Subject data is collected at the direction of, and on behalf of, our Customers. Our Customers are responsible for providing appropriate notice to Verification Subjects regarding the collection and processing of their information through the Services and for obtaining any required consents.
• "Customers," which are businesses or individuals with whom we have a customer or subscriber agreement allowing for use of the Services.
• "Site Visitors," are individuals, Verification Subjects, or Customers accessing our Website.

Our Services are designed exclusively for client intake automation, identity verification, and screening in connection with prospective client engagements. The Services are not intended for, and shall not be used for, employment screening, background checks, or any purpose other than evaluating prospective client relationships.

2.1 Information You Provide Us

We may collect information you voluntarily provide when you:

• Register for an account or subscribe to our Services
• Request a demo or contact us for support
• Complete forms on our Website
• Correspond with us via email, phone, or other means
• Participate in surveys, promotions, or other interactive features

This information may include:

• Contact information (name, email address, phone number, mailing address)
• Professional information (firm or business name, practice areas or industry, job title, professional license information where applicable)
• Account credentials (username, password)
• Billing and payment information (credit card number, billing address)
• Any other information you choose to provide

2.2 Information Collected from Verification Subjects

When our Customers use our Services to verify the identity of their clients or prospective clients, we may collect information from or about Verification Subjects. This information may be submitted directly by the Verification Subject (e.g., through an intake form or verification workflow) or provided by the Customer on the Verification Subject's behalf (e.g., through manual data entry in the FirmFirst platform). This information may include:

• Full legal name, date of birth, and contact information
• Government-issued identification documents (driver's license, passport, state ID)
• Document images and extracted data (ID photos, document numbers, expiration dates)
• Biometric information (facial geometry from selfies and ID photos for identity matching)
• Social Security Number or other government identifiers (when required for verification)
• Address and residence history
• Email address and phone number for verification purposes
• Any additional information required by our Customers for their compliance obligations

2.3 Information Collected Automatically

When you access our Website or Services, we may automatically collect certain information, including:

• Device information (device type, operating system, unique device identifiers)
• Browser information (browser type, language preferences)
• IP address and approximate geographic location
• Usage data (pages visited, time spent, click patterns, referring URLs)
• Log data (access times, error logs, diagnostic data)
• Information collected through cookies, pixel tags, and similar technologies

2.4 Information from Third-Party Sources

We may obtain information about Verification Subjects from third-party sources to provide our verification Services, including: public records databases, government registries, consumer reporting agencies, identity verification providers, fraud prevention databases, and other commercially available data sources. We use this information to, among other things, attempt to verify identity, detect potential fraud, and fulfill our contractual obligations to our business Customers.

We may use the information we collect for the following purposes:

3.1 To Provide and Improve Our Services

• Process identity verifications and deliver verification results to our Customers
• Detect and prevent suspected fraud, identity theft, and other security threats
• Create, maintain, and securely manage your account
• Process transactions and send related information
• Provide customer support and respond to inquiries
• Improve, personalize, and develop our Services
• Generate anonymized, aggregated data for analytics and service improvement

3.2 To Communicate with You; Advertising and Marketing

• Send service-related notices, updates, and administrative messages
• Respond to your comments, questions, and requests
• Send marketing communications (where permitted and with your consent, where required)
• Provide information about products, services, and events

3.3 For Legal and Compliance Purposes

• Comply with applicable laws, regulations, procedures, subpoenas, governmental requests, and legal processes, or other legal or regulatory requirements
• Respond to lawful requests from public and government authorities
• Enforce our Terms of Service and other agreements

3.4 Maintaining Security

• Protect our rights, privacy, safety, or property, and that of our Customers and others
• Investigate and prevent suspected fraud, unauthorized access, and other illegal activities

We process your personal data based on the following legal grounds:

• Contractual Necessity: Processing necessary to perform our contract with you or our business Customers.
• Legitimate Interests: Processing necessary for our legitimate interests, such as fraud prevention, security, and service improvement, where those interests are not overridden by your rights.
• Legal Obligation: Processing necessary to comply with applicable laws and regulations.
• Consent: Where required, we rely on your consent for certain processing activities, such as marketing communications or the collection of biometric data.

When we collect your personal information within the scope of European data protection laws, we do so:

• where necessary to provide the Services, fulfil a transaction, or otherwise perform a contract with you or at your request prior to entering into a contract;
• where necessary for our compliance with applicable law or other legal obligation;
• where necessary for the performance of a task carried out in the public interest;
• where applicable, with your consent; and/or
• as necessary to operate our business, protect the security of our systems, customers and users, detect or prevent fraud, enable our customers to comply with legal obligations, or fulfil our other legitimate interests as described in the "Information We Collect," "How We Use Your Information" and "How We Share Your Information" clauses, except where our interests are overridden by your privacy rights.

Where we rely on your consent to process personal information, you have the right to withdraw your consent at any time, and where we rely on legitimate interests, you may have the right to object to our processing.

We may share your information in the following circumstances:

5.1 With Our Business Customers

To provide our Services, when we verify the identity of a Verification Subject, we may share verification results and related information with the business Customer who requested the verification. This may include verification status, risk scores, supporting data, and other personal information. Our Customers are responsible for their own use of this information in accordance with their privacy policies.

5.2 With Service Providers

We may share information with third-party service providers who perform services on our behalf, including, without limitation: identity verification providers, fraud prevention services, cloud hosting providers, payment processors, analytics providers, and customer support tools. These providers are required under their agreements with us to protect your information and use it only for the purposes for which it was disclosed.

5.3 With Third-Party Data Sources

To verify identity, we may share limited personal information (such as name, date of birth, and government ID numbers) with third-party databases and verification services to confirm the accuracy of information provided.

5.4 For Legal and Safety Purposes

We may disclose information, including, without limitation, with our attorneys or other consultants, when we believe it is necessary to: comply with applicable law or legal processes, including court orders, warrants, or other legal requirements; respond to requests from public and government authorities; protect the rights, privacy, safety, or property of FirmFirst, our Customers, or others; enforce our agreements and policies; or investigate potential violations.

5.5 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of company assets, your information may be transferred or shared as part of that transaction. We will provide notice if your information becomes subject to a different privacy policy.

5.6 With Your Consent

We may share your information for other purposes with your consent or at your direction.

5.7 Emergencies

We may share personal information to address threats to a person or property, violations of this Privacy Policy, or actual or threatened illegal activities.

5.8 Affiliates

We may share personal information within FirmFirst's parent entities, subsidiaries, and other affiliates. This includes any new affiliates that might be added to FirmFirst's corporate family after the "Last Updated" date.

5.9 Permitted or Required by Law

We may disclose your personal information if applicable law permits or requires the disclosure.

Our identity verification Services may involve the collection and processing of biometric information, specifically facial geometry extracted from photographs (self-photographs and government ID photos) for the purpose of verifying that the person presenting an ID is the same person depicted on the ID document.

6.1 Collection and Use

We collect biometric information only for identity verification purposes when a Verification Subject directly submits a self-photograph and/or government ID through our Services. Biometric data must be submitted by the Verification Subject personally — Customers may not upload biometric data (photographs, government IDs used for facial matching) on a Verification Subject's behalf. We use facial recognition technology to compare the facial geometry from these images to determine if they match.

6.2 Consent

Before collecting biometric information, we inform Verification Subjects of such collection and obtain their consent at the point of submission. Because biometric data must be submitted directly by the Verification Subject through our Services, consent is obtained from the Verification Subject at the time of submission. By submitting a self-photograph or government ID for verification, the Verification Subject consents to the collection and processing of their biometric information as described in this Privacy Policy.

6.3 Disclosure

We do not sell, lease, trade, or otherwise profit from biometric information. We may share biometric information with our service providers who assist with identity verification, subject to contractual protections. We may also disclose biometric information when required by law or to protect the rights and safety of others.

6.4 Retention and Destruction

We retain biometric information only as long as necessary to fulfill the purpose for which it was collected. Biometric information will be permanently destroyed when: (a) the initial purpose for collection has been satisfied; or (b) within three (3) years of the Verification Subject's last interaction with us, whichever occurs first — unless a longer retention period is required by law or requested by our business Customer for their compliance obligations.

We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, contractual, or reporting requirements. The retention period may vary depending on the context of the processing and our legal obligations.

In general:

• Account information: Retained for the duration of your account and for a reasonable period thereafter for legal and business purposes.
• Verification data: Retained in accordance with our Customers' instructions and applicable legal requirements, typically for 5–7 years for compliance purposes.
• Biometric data: Retained for no longer than 3 years from last interaction, or as specified in Section 6.4.
• Usage and analytics data: Retained for up to 2 years in identifiable form, then anonymized or deleted.

Once the applicable retention period expires, we securely delete, deidentify, aggregate, or anonymize your personal information. If we deidentify personal information, we will keep it deidentified and will not try to reidentify it unless permitted or required to do so under applicable law.

We implement appropriate technical and organizational security measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS) and at rest
• Access controls and authentication requirements
• Regular security assessments and penetration testing
• Employee training on data protection and security
• Incident response procedures
• Vendor security assessments

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your personal information, we cannot guarantee its absolute security.

What rights you have regarding your personal information depends on where you live and how you interact with us. However, in general:

9.1 Verification Subject Rights

If you are a Verification Subject whose information was collected through our Services — whether you submitted it directly or it was provided by one of our Customers on your behalf — you may exercise your privacy rights by contacting us directly at privacy@firmfirst.com. You do not need to have visited our Website or entered into an agreement with us to submit a rights request. Upon receiving a verifiable request, we will respond in accordance with applicable law.

9.2 Account Information

You may update, correct, or delete your account information at any time by logging into your account or contacting us. Keeping such information up to date is solely the responsibility of the user. Note that we may retain certain information as required by law or for legitimate business purposes.

9.3 Marketing Communications

You may opt out of receiving marketing emails by clicking the "unsubscribe" link in any marketing email or by contacting us. Even if you opt out of marketing communications, we may still send you service-related communications.

9.4 Cookies and Tracking Technologies

Most web browsers are set to accept cookies by default. You can usually modify your browser settings to remove or reject cookies. Please note that removing or rejecting cookies may affect the functionality of our Website.

9.5 Do Not Track

Some browsers have a "Do Not Track" feature that signals to websites that you do not want your online activity tracked. Our Website does not currently respond to Do Not Track signals.

If you live in the European Union (EU), European Economic Area (EEA), UK, Canada, California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia or certain other countries, territories, or states, you might have additional rights concerning your personal information. For those in the EU, EEA, California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia, please read our US AND EU CONSUMER PRIVACY POLICY ADDENDUM for more information.

10.1 California Residents

If you are a California resident, you have certain rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), including the right to:

• Know what personal information we collect, use, and disclose
• Request deletion of your personal information
• Opt out of the sale or sharing of your personal information
• Limit the use of sensitive personal information
• Non-discrimination for exercising your privacy rights

We do not sell personal information as defined by the CCPA/CPRA. We do not share personal information for cross-context behavioral advertising.

10.2 Other U.S. State Privacy Rights

Residents of Colorado, Connecticut, Virginia, Utah, and other states with comprehensive privacy laws may have similar rights. Please contact us to exercise your rights under applicable state law.

We are based in the United States and process information in the United States. If you are located outside the United States, please be aware that information you provide to us or that we collect may be transferred to, processed, and stored in the United States, which may have different data protection laws than your country of residence. For more information, please read our US AND EU CONSUMER PRIVACY POLICY ADDENDUM. When we transfer personal data from the EEA, UK, or Switzerland to the United States or other countries, we use appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission or other legally recognized transfer mechanisms.

Our Website and Services may contain links to third-party websites, applications, or services. This Privacy Policy does not apply to those third-party services. We encourage you to review the privacy policies of any third-party services you access. FirmFirst is not responsible for unaffiliated sites' privacy or data security practices or policies.

Where regulated by CCPA and other applicable law, we do not direct our Services to, or knowingly collect or solicit personal information from, children under 18. Consequently, FirmFirst does not have actual knowledge that it sells or shares such children's personal information. If you are a child under the age of 18, please do not share any of your personal information with us.

We may update this Privacy Policy from time to time. If we make any changes, we will notify you by posting the updated Privacy Policy on our Website with a new "Last Updated" date, and, where required by law, we will provide additional notice (such as via email); provided, however, that if we make any material changes to this Privacy Policy that expand our rights to use or share your personal information, we will provide a prominent notice of such changes and the effective date of the changes before making them. For example, we might include a notice on the Website or email you about the material change. We encourage you to review this Privacy Policy periodically to stay informed of any current or pending changes.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at: privacy@firmfirst.com

---

This US and EU Privacy Policy Addendum (this "Addendum") supplements our Privacy Policy and, except as otherwise noted herein, or as otherwise provided under applicable law, applies solely to (i) California, Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah and Virginia consumers under applicable state laws (including, as applicable, the California Consumer Privacy Act ("CCPA"), Colorado Privacy Act, Connecticut Data Privacy Act, Delaware Personal Data Privacy Act, Indiana Consumer Data Protection Act, Iowa Consumer Data Protection Act, Kentucky Consumer Data Protection Act, Maryland Online Data Privacy Act, Minnesota Consumer Data Privacy Act, Montana Consumer Data Privacy Act, Nebraska Data Privacy Act, New Hampshire Data Privacy Act, New Jersey Data Privacy Act, Oregon Consumer Privacy Act, Rhode Island Data Transparency and Privacy Protection Act, Tennessee Information Privacy Act, Texas Data Privacy and Security Act, Utah Consumer Privacy Act and Virginia Consumer Data Protection Act, and their respective implementing regulations), and (ii) individuals in the European Economic Area under the EU General Data Protection Regulation, as applicable. Please read this Addendum carefully as it contains important information on who we are and our information practices, meaning how and why we collect, use, disclose, sell, share, store, and retain your personal information. It also explains your rights in relation to your personal information and how to contact us or supervisory authorities in the event you have a complaint or request.

Under applicable laws, we collect, use, and are responsible for certain personal information about you. For example, when we offer goods and services to individuals in the European Economic Area (EEA), we are subject to the EU General Data Protection Regulation (EU GDPR), which applies across the entire European Union. For California consumers, we are subject to the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA). We are responsible as a "controller" of that personal information for the purposes of the GDPR. We are responsible for your personal information as a "business" under the CCPA/CPRA.

It would be helpful to start by explaining some key terms used in this Addendum:

Term	Definition
FirmFirst, we, us, our	"FirmFirst.com", and our group companies
Our representative	[Name and contact details — to be designated]
Our Data Protection Officer	[To be appointed prior to onboarding EU-based customers. Contact privacy@firmfirst.com in the interim.]
Personal information	Any information relating to an identified or identifiable individual
Special category personal information	Personal information revealing racial or ethnic origin, political opinions, religious beliefs, philosophical beliefs, or trade union membership; genetic and biometric data; and data concerning health, sex life or sexual orientation.
Sensitive Personal Information	Personal information revealing a consumer's social security number, driver's license and passport numbers, account numbers and credentials, precise geolocation, racial or ethnic origin, religious beliefs, or union membership, personal information concerning a consumer's health, sex life, or sexual orientation, contents of a consumer's mail, email and text messages where the business is not the intended recipient, genetic data, biometric information, or citizenship and immigration status.
Biometric Information	An individual's physiological, biological, or behavioral characteristics, including information about an individual's deoxyribonucleic acid (DNA), that is used or is intended to be used singly or with each other or with other identifying data, to establish individual identity. Biometric information includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

We may collect and use the following personal information, including sensitive personal information, that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household:

Categories of Personal Information	Specific Types of Personal Information Collected
Identifiers (e.g., real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, social security number, driver's license number, passport number, or other similar identifiers)	Full legal name, email address, phone number, mailing address, IP address, account username, unique device identifiers, driver's license number, passport number, state ID number, Social Security Number (when required for identity verification)
Information that identifies, relates to, describes, or is capable of being associated with a particular individual (e.g., name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver's license or state ID number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information)	Name, address, telephone number, passport number, driver's license or state ID number, date of birth, address and residence history, billing address, credit card number (for payment processing only)
Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account	Account username and password, credit card number with billing address (processed by third-party payment processor; not stored by FirmFirst)
Characteristics of protected classifications under California or federal law	Not intentionally collected. May be incidentally present in government-issued identification documents submitted for verification purposes.
Commercial information (e.g., records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies)	Subscription plan and tier, payment and transaction history, feature usage history, inquiry volume
Biometric information	Facial geometry extracted from self-photographs and government ID photos for identity verification matching
Internet or other electronic network activity information (e.g., browsing history, search history, and information regarding a consumer's interaction with an internet website, application, or advertisement)	Pages visited, time spent on pages, click patterns, referring URLs, browser type and version, search queries within the platform
Geolocation data	Approximate geographic location derived from IP address. No precise GPS geolocation is collected.
Audio, electronic, visual, thermal, olfactory, or similar information	Government-issued ID document images (photos of driver's license, passport, state ID), self-photographs submitted for identity verification
Professional or employment-related information	Firm or business name, practice areas or industry, job title, professional license information (where applicable)
Education information (defined as information that is not publicly available personally identifiable information as defined in FERPA)	Not collected
Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes	Risk scores, identity verification status, fraud signal assessments, practice area fit indicators, inquiry quality signals derived from email validation, phone validation, device fingerprinting, and data enrichment
Racial or ethnic origin, religious or philosophical beliefs, union membership, or citizenship or immigration status	Not intentionally collected. Citizenship or immigration status may be incidentally present in government-issued identification documents submitted for verification purposes.
Contents of a consumer's mail, email, and text messages unless the business is the intended recipient of the communication	Not collected. FirmFirst sends transactional emails and SMS notifications but does not access or store the contents of a consumer's private communications.
Genetic data	Not collected
Processing of biometric information to uniquely identify a consumer	Facial geometry comparison between self-photograph and government ID photo to verify that the person presenting an ID is the same person depicted on the ID document
Health information	Not collected
Sex life or sexual orientation	Not collected

If you do not provide personal information required to provide FirmFirst products and/or services to you, it may delay or prevent us from providing such products or services to you.

We collect personal information from you and from other categories of sources such as:

• You, directly in person, by telephone, text, email and/or via our website
• Private and publicly available third-party sources
• Our Customers, including law firms and their staff who submit prospect information through the FirmFirst platform
• Data and data analytics providers
• Government entities and public records databases
• Identity verification and fraud prevention service providers
• Operating systems and platforms
• Publicly accessible sources (e.g., property records)
• Cookies on our website
• Our IT and security systems, including automated monitoring of our websites and other technical systems

We only use your personal information if we have a proper reason for doing so, for example:

• To comply with our legal and regulatory obligations
• For the performance of our contract with you or to take steps at your request before entering into a contract
• For our legitimate interests or those of a third party, or
• Where you have given consent

A legitimate interest is when we have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.

The table below explains what we use (process) your personal information (including, if applicable, sensitive personal information, but subject to your consent where required by applicable law) for and our reasons for doing so:

What we use your personal information for	Our reasons
To provide products and/or services to our Customers	For the performance of our contracts with you or our other Customers, including, for example, to (i) process or fulfill a request or other transactions submitted to us, or (ii) perform identity verification
To prevent and detect fraud against you, our Customers, or us	For our legitimate interests or those of a third party, i.e., to minimize fraud that could be damaging for us and for you
Conducting checks to identify our Customers and verify their identity	To comply with our legal and regulatory obligations
Screening for financial and other sanctions or embargoes	To comply with our legal and regulatory obligations
Other processing necessary to comply with professional, legal, and regulatory obligations that apply to our business	To comply with our legal and regulatory obligations
Gathering and providing information required by or relating to audits, inquiries, or investigations by regulatory bodies	To comply with our legal and regulatory obligations
Ensuring business policies are adhered to, e.g., policies covering security and internet use	For our legitimate interests or those of a third party, i.e., to make sure we are following our own internal procedures so we can deliver the best service to you
Operational reasons, such as improving efficiency, training, and quality control	For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service for our Customers
Ensuring the confidentiality of commercially sensitive information	For our legitimate interests or those of a third party, i.e., to protect trade secrets and other commercially valuable information. To comply with our legal and regulatory obligations
Statistical analysis to help us manage our business, e.g., in relation to our financial performance, customer base, product range or other efficiency measures	For our legitimate interests or those of a third party, i.e., to be as efficient as we can so we can deliver the best service to our Customers
Preventing unauthorized access and modifications to systems	For our legitimate interests or those of a third party, i.e., to prevent and detect criminal activity that could be damaging for us, our Customers, and/or for you. To comply with our legal and regulatory obligations
Updating and enhancing customer records	For the performance of our contract with our Customers or you or to take steps at your request before entering into a contract. To comply with our legal and regulatory obligations. For our legitimate interests or those of a third party, e.g., making sure that we can keep in touch with our Customers about existing orders and new products
Statutory returns	To comply with our legal and regulatory obligations
Marketing our services to existing and former Customers, third parties who have previously expressed an interest in our services, and third parties with whom we have had no previous dealings	For our legitimate interests or those of a third party, i.e., to promote our business to existing and former Customers

For EEA Data Subjects: The above table does not apply to special category personal information, which we will only process with your explicit consent.

We may use your personal information to send you updates (by email, text message, telephone, or post) about our products and services, including exclusive offers, promotions or new products and services.

We have a legitimate interest in processing your personal information for promotional purposes (see above "How and why we use your personal information"). This means we do not usually need your consent to send you promotional communications. However, where consent is needed, we will ask for this consent separately and clearly.

We will always treat your personal information with the utmost respect and never sell or share it with other organizations outside the FirmFirst group for marketing purposes.

You have the right to opt-out of receiving promotional communications at any time by:

• Contacting us at [contact details for marketing opt-out]
• Using the "unsubscribe" link in emails or "STOP" number in texts, or
• Updating your marketing preferences [on our website / in your account]

We may ask you to confirm or update your marketing preferences if you instruct us to provide further products or services in the future, or if there are changes in the law, regulation, or the structure of our business.

We routinely share personal information with:

• Service providers we use to help deliver our products and services to you, such as identity verification providers, fraud prevention services, cloud hosting providers, payment processors, analytics providers, and customer support tools
• Other third parties we use to help us run our business, such as marketing agencies or website hosts
• Third parties approved by you
• Our Customers

We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you. We may also share personal information with external auditors, e.g., in relation to the audit of our accounts.

We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.

We may also need to share some personal information with other parties, such as potential buyers of some or all of our business or during a restructuring. Where appropriate, we will attempt to anonymize information, but this may not always be possible. The recipient of the information will be bound by applicable confidentiality obligations.

We do not sell personal information and have no plans to do so. We have not sold or shared any personal information in the preceding 12 months. We may disclose personal information to third-party service providers solely as necessary to perform our Services (e.g., identity verification, fraud prevention, cloud hosting, payment processing). Such disclosures are made under contractual obligations that restrict providers from using the information for any purpose other than providing the specified services.

In the preceding 12 months, we have disclosed the following categories of personal information for a business purpose:

• Identifiers (e.g., real name, postal address, email address, IP address, account name)
• Information that identifies, relates to, describes, or is capable of being associated with a particular individual (e.g., name, address, telephone number)
• Biometric information (facial geometry for identity verification)
• Internet or other electronic network activity information (e.g., browsing history, usage data)
• Geolocation data (approximate location derived from IP address)
• Professional or employment-related information (firm name, practice areas)
• Inferences drawn from the above to create a profile (e.g., risk scores, verification status)

We retain your personal information for as long as necessary to provide our services, including to fulfill the transactions you have requested, or for other essential purposes such as complying with our legal obligations, maintaining business and financial records, carrying out our legitimate interests, including meeting our contractual obligations, resolving disputes, maintaining security, detecting and preventing fraud and abuse, and enforcing our agreements. The criteria used to determine retention periods includes the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements, and industry standards.

You have the right under the California Consumer Privacy Act of 2018 (CCPA), as amended by the California Privacy Rights Act of 2020 (CPRA), and certain other privacy and data protection laws, as applicable, to exercise free of charge:

Disclosure of Personal Information We Collect About You. You have the right to know, and request disclosure of: the categories of personal information we have collected about you, including sensitive personal information; the categories of sources from which the personal information is collected; our business or commercial purpose for collecting, selling, or sharing personal information; the categories of third parties to whom we disclose personal information, if any; and the specific pieces of personal information we have collected about you.

Please note that we are not required to: retain any personal information about you that was collected for a single one-time transaction if, in the ordinary course of business, that information about you is not retained; reidentify or otherwise link any data that, in the ordinary course of business, is not maintained in a manner that would be considered personal information; or provide the personal information to you more than twice in a 12-month period.

Disclosure of Personal Information Sold, Shared, or Disclosed for a Business Purpose. In connection with any personal information we may sell, share, or disclose to a third party for a business purpose, you have the right to know: the categories of personal information about you that we sold or shared and the categories of third parties to whom the personal information was sold or shared; and the categories of personal information that we disclosed about you for a business purpose and the categories of persons to whom the personal information was disclosed for a business purpose.

You have the right to opt-out of the sale of your personal information or sharing of your personal information for the purpose of targeted behavioral advertising. If you exercise your right to opt-out of the sale or sharing of your personal information, we will refrain from selling or sharing your personal information, unless you subsequently provide express authorization for the sale or sharing of your personal information.

To opt-out of the sale or sharing of your personal information, visit our homepage and click on the Do Not Sell or Share My Personal Information link here: [URL].

Right to Limit Use of Sensitive Personal Information. You have the right to limit the use and disclosure of your sensitive personal information to the use which is necessary to: perform the services or provide the goods reasonably expected by an average consumer who requests those goods or services; perform certain services on our behalf including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing analytic services, providing storage, or providing similar services; help to ensure security and integrity; undertake activities to verify or maintain the quality or safety of a service or device; and as authorized by further regulations.

You have a right to know if your sensitive personal information may be used, or disclosed to a service provider or contractor, for additional, specified purposes.

To limit the use of your sensitive personal information, visit our homepage and click on the "Limit the Use of My Sensitive Personal Information" link here: [URL].

Right to Deletion. Subject to certain exceptions, on receipt of a verifiable request from you, we will: delete your personal information from our records; direct any service providers or contractors to delete your personal information from their records; and direct third parties to whom the business has sold or shared your personal information to delete your personal information unless this proves impossible or involves disproportionate effort.

Please note that we may not delete your personal information if it is reasonably necessary to: complete the transaction for which the personal information was collected, fulfill the terms of a written warranty or product recall, provide a good or service requested by you, or otherwise perform a contract between you and us; help to ensure security and integrity; debug to identify and repair errors; exercise free speech or ensure the right of another consumer to exercise their right of free speech; comply with the California Electronic Communications Privacy Act; engage in public or peer-reviewed scientific, historical, or statistical research in the public interest; enable solely internal uses that are reasonably aligned with your expectations based on your relationship with us; comply with an existing legal obligation; or otherwise use your personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.

Right of Correction. If we maintain inaccurate personal information about you, you have the right to request us to correct that inaccurate personal information. Upon receipt of a verifiable request from you, we will use commercially reasonable efforts to correct the inaccurate personal information.

Protection Against Retaliation. You have the right to not be retaliated against by us because you exercised any of your rights under the CCPA/CPRA. This means we cannot, among other things: deny goods or services to you; charge different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; provide a different level or quality of goods or services to you; or suggest that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

Please note that we may charge a different price or rate or provide a different level or quality of goods and/or services to you, if that difference is reasonably related to the value provided to our business by your personal information.

Right	Description
Right to Be Informed	The right to know or be notified about the collection and use of your personal information
Right to Access	The right to be provided with a copy of your personal information (the right of access)
Right to Rectification	The right to require us to correct any mistakes in your personal information
Right to be Forgotten	The right to require us to delete your personal information — in certain situations
Right to Restriction of Processing	The right to require us to restrict processing of your personal information — in certain circumstances, e.g., if you contest the accuracy of the data
Right to Data Portability	The right to receive the personal information you provided to us, in a structured, commonly used, and machine-readable format and/or transmit that data to a third party — in certain situations
Right to Object	The right to object: at any time to your personal information being processed for direct marketing (including profiling); in certain other situations to our continued processing of your personal information, e.g., processing carried out for our legitimate interests
Right Not to be Subject to Automated Individual Decision-Making	The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you or similarly significantly affects you

For further information on each of those rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner's Office (ICO) on individual rights under the EU General Data Protection Regulation.

If you are a Minnesota or Oregon resident, you may also request that we disclose to you (i) the categories of Personal Information we process about you and (ii) the third parties to which we have disclosed your Personal Information. If you are a Delaware or Maryland resident, you may also request that we disclose to you the categories of third parties to whom we disclosed your Personal Information.

In general, you may request to know whether we process your personal information and to access such personal information. You may request to correct inaccuracies in your personal information. You may request to receive a copy of your personal information, including specific pieces of personal information, including, where applicable, to obtain a copy of your personal information in a portable, readily usable format. You may request that we delete your personal information, subject to certain exceptions and our contractual rights or rights under applicable law. You may request to "opt-out" of your personal information being sold to certain third parties, as defined by applicable law. This right may be exercised by contacting us pursuant to Section A14 below.

Our use of tracking technologies through some of our websites may be considered a sale or sharing of your personal information for cross-context behavioral advertising or targeted advertising under certain U.S. consumer privacy laws. You may request to opt-out of such tracking technologies by sending an opt-out preference signal supported by your device or browser. Your use of an opt-out preference signal will apply only to your device or browser and not to other personal information that is not linked to your device or browser.

We will not retaliate against you because you exercise any of your rights under applicable law. We do not offer financial incentives or price or service differences to consumers in exchange for the retention or sale of a consumer's personal information.

If you would like to exercise any of your rights as described in this Privacy Policy, you can contact us at privacy@firmfirst.com. You may also write to us at [contact information].

Please note that you may only make a CCPA/CPRA-related data access or data portability disclosure request twice within a 12-month period.

If you choose to contact us directly, you will need to provide us with: enough information to identify you (e.g., your full name, address and customer or matter reference number); proof of your identity and address (e.g., a copy of your driving license or passport and a recent utility or credit card bill); and a description of what right you want to exercise and the information to which your request relates.

We are not obligated to make a data access or data portability disclosure if we cannot verify that the person making the request is the person about whom we collected information or is someone authorized to act on such person's behalf. Any personal information we collect from you to verify your identity in connection with your request will be used solely for the purposes of verification.

Information may be held at our offices and those of our group companies, third-party agencies, service providers, representatives and agents as described above (see above: "Who We Share Your Personal Information With"). Some of these third parties may be based outside the EEA. For more information, including on how we safeguard your personal information when this occurs, see below: "Transferring Your Personal Information Out of the EEA."

To deliver services to you, it is sometimes necessary for us to share your personal information outside the EEA, e.g.: with our offices outside the EEA; with your and our service providers located outside the EEA; if you are based outside the EEA; or where there is an international dimension to the services we are providing to you.

These transfers are subject to special rules under European and UK data protection law. If you would like further information, please contact us (see "How To Contact Us" below).

We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorized way. We limit access to your personal information to those who have a genuine business need to access it. Those processing your information will do so only in an authorized manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

We hope that we can resolve any query or concern you raise about our use of your information. The GDPR also gives you the right to lodge a complaint with a supervisory authority, in the EEA state where you work, normally live, or where any alleged infringement of data protection laws occurred. A full list of EEA supervisory authorities and their contact information is available from the European Data Protection Board at https://edpb.europa.eu/about-edpb/about-edpb/members_en.

We may change this Addendum from time to time. Any changes will be posted on this page with an updated revision date.

Please contact us by email at privacy@firmfirst.com if you have any questions about this Addendum or the information we hold about you.