Sonar's Privacy Policy

SardineAI Corp. together with its affiliates, including SonarAI LLC and SardineAI Payments, Inc. (collectively “Sardine,” “we,” “us,” or “our”) respects, and works hard to protect, your privacy. This Privacy Policy is designed to help those who are interacting with our websites or exploring our Services (“visitors”) or individuals who directly sign up for and access, or who use our products as part of a transaction flow (“transacting users”) (visitors and transacting users are referred to as “you”), understand how we collect, use, process, and disclose your Personal Information, and to help you understand and exercise your privacy rights when you access our websites and use our websites, product offerings or services (“Services”). For United States residents of states that provide additional rights, more information about the data we collect is available in our Notice at Collection and Supplemental Notice for Residents of Certain Other States.

1.  Scope

This Privacy Policy applies to Personal Information we process. “Personal Information” in this Policy means information about you, including your identity, and online behavior.  

This Privacy Policy does not apply to any Personal Information or other data we process on behalf of our enterprise customers (“Enterprise Data”). Our processing of Enterprise Data is governed by contracts we have in place with our enterprise customers, not this Privacy Policy and our enterprise customers’ respective privacy policies govern their collection and use of Personal Information. Any questions or requests relating to the privacy practices of any of our enterprise customers should be directed to the applicable customer. This Privacy Policy also does not apply to Sardine workers or job applicants. Details about how we process your Personal Information if you apply for a job at Sardine or work for us are covered in our Applicant and Worker Privacy Notice.

2.  Personal information we collect

The categories of Personal Information we collect depend on how you interact with us, our Services, and the requirements of applicable law. We endeavor to collect information only relevant for our business needs. We collect information that you provide to us, information we obtain automatically when you use our Services, and information from other sources such as third-party services and organizations, as described below. For residents of certain states, additional disclosures about the information we collect is available in our supplemental disclosure below.

A.  Personal Information You Provide to Us Directly

We may collect Personal Information that you provide to us directly when you interact with our Services.

• Account Creation. If you create an account to register or transact with us as a transacting user, we will collect Personal Information including your full legal name, date of birth, email address, phone number, government identifying information, and payment information. We may also require you to provide additional Personal Information as required by law or for compliance purposes, as a condition for continuing use of aspects of our Services, for example to confirm your identity and your purpose in using the Services.
• Transactions. We collect Personal Information and details associated with transacting users’ transactions, including payment information.
• Your Communications with Us. We may collect Personal Information, such as email address, phone number, or mailing address when you request information about our Services, register for email or other messages from us, contact customer service, request technical support, or otherwise communicate with us.
• Surveys and Questionnaires. We may contact you to participate in surveys, request that you complete a questionnaire or otherwise seek your input. If you decide to participate, we may collect Personal Information from you in connection with your feedback or other responses.
• Promotional Activities. We may sponsor or make promotional offers from time to time as part of our marketing and awareness-raising activities. If you elect to participate in such promotions, such as sweepstakes or contests, we may collect your Personal Information to administer the offer, event or activity. In some jurisdictions, we may be legally required to disclose Personal Information about winners of certain types of promotions.
• Interactive Features. We and others who use our Services may collect Personal Information if you elect to use any of our interactive features (e.g., messaging and chat features, commenting functionalities, forums, blogs, and social media pages). Any information you may elect to provide using any public sharing features of the Services will be considered “public,” unless otherwise required by applicable law, and is not subject to the provisions of this policy.
• Conferences, Trade Shows, and Other Events. We may collect Personal Information from individuals when we attend or host conferences, trade shows, and other events. 
• Business Development and Strategic Partnerships. We may collect Personal Information from individuals and third parties to assess and pursue potential business opportunities. 

B.  Personal Information Collected Automatically

We may collect Personal Information automatically when you use our Services.

• Automatic Collection of Personal Information. We may collect certain information automatically when you use our Services, such as your Internet protocol (IP) address, user settings, MAC address, cookie identifiers, mobile carrier, mobile advertising and other unique identifiers, browser or device information, location information (including approximate location derived from IP address), domain server, and Internet service provider. For transacting users using our Services we may also automatically collect information regarding your use of the Services, such as pages that you visit before, during and after using our Services, information about the links you click, the types of content you interact with, the frequency and duration of your activities, such as how you type on a keyboard, move a mouse, tap a touch screen or otherwise interacts with a device, and other information about how you use our Services.
• Cookie Policy (and Other Technologies). We, as well as third parties that provide content, advertising, or other functionality on our Services, may use cookies, pixel tags, and other technologies (collectively, “Technologies”) to automatically collect information through your use of our Services. 
• Cookies. Cookies are small text files placed in device browsers that store preferences and facilitate and enhance your experience.
• Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded in our Services that collects information about engagement on our Services. The use of a pixel tag allows us to record, for example, that a user has visited a particular web page or clicked on a particular advertisement. We may also include web beacons in e-mails to understand whether messages have been opened, acted on, or forwarded.

Our uses of these Technologies fall into the following general categories: 

• Strictly Necessary. This includes Technologies that allow you access to our Services, applications, and tools that are required to identify irregular website behavior, prevent fraudulent activity, improve security, or allow you to make use of our Services;
• Performance-Related. We may use Technologies to assess the performance of our Services, including as part of our analytic practices to help us understand how individuals use our Services (see Analytics below);
• Functionality-Related. We may use Technologies that allow us to offer you enhanced functionality when accessing or using our Services. This may include identifying you when you sign into our Services or keeping track of your specified preferences, interests, or past items viewed;
• Analytics. We may use Technologies and other third-party tools to process analytics information on our Services. These Technologies allow us to better understand how our digital Services are used and to continually improve and personalize our Services. For example, one of our analytics partners includes FullStory (Session Replay Analytics). We use FullStory’s session replay analytics services, including for fraud prevention. This allows us to record and replay an individual’s interaction with the Services in certain cases. For more information about how FullStory uses your Personal Information, please visit FullStory’s Privacy Policy. To learn more about how to opt out of FullStory’s use of your information, please click here.
• Social Media Platforms. Our Services may contain social media buttons, such as      X and LinkedIn, which might include widgets such as the “share this” button or other interactive mini programs. These features may collect Personal Information such as your IP address and which page you are visiting on our Services and may set a cookie to enable the feature to function properly. Your interactions with these platforms are governed by the privacy policy of the company providing it.
• Biometric Information. We may collect your biometrics, including facial imagery, to verify your identity as a transacting user when using certain of our Services, and for fraud prevention purposes. In such cases, we use third-party technology from our service providers to collect information about you, including biometric information, a selfie and government identification (collectively “Biometric Information”). This Privacy Policy as well our service providers’ privacy policies will apply to the collection, use and sharing of your Biometric Information, should you elect to provide it to us as a transacting user of the Services. 
  

C.  Personal Information Collected from Other Sources

Third-Party Services and Sources. We may obtain Personal Information about you from other sources, including through third-party services and organizations.  For example, if you are a visitor accessing our Services through a third-party application, such as an app store, a third-party login service, or a social networking site, we may collect Personal Information about you from that third-party application that you have made available via your privacy settings. If you are a transacting user, we may also obtain Personal Information from third-parties that you may use to connect and disclose your financial information with our Services. For example, you may elect to authorize Plaid, Inc. to disclose certain banking information with our Services, in which case both the Plaid Privacy Policy, and this Privacy Policy, would apply. 

3. How we use your personal information

We use your Personal Information for a variety of business purposes, including to provide our Services, for administrative purposes, and to market our products and Services, as described below.

A.  Provide Our Services

We use your information to provide you with our Services, such as:

• Fulfill our contract with you if you are a transacting user;
• Managing your information and transacting user account;
• Providing access to certain areas, functionalities, and features of our Services;
• Answering requests for customer or technical support; 
• Communicating with you about your transacting user account, transactions, and activities on our Services, including providing you with information about policy changes;
• Processing your financial information and other payment methods when transacting with the Services as a transacting user;
• Processing applications if you apply for a job we post; and
• Allowing you to register for events.

B.  Administrative Purposes

We use your information for various administrative purposes, such as:

• Pursuing our legitimate interests such as direct marketing, research and development (including marketing research), network and information security, and fraud prevention;
• Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity;
• Measuring interest and engagement in our Services; 
• Improving, upgrading, or enhancing our Services; 
• Developing new products and services;
• Ensuring internal quality control and safety;
• Authenticating and verifying individual identities, including requests to exercise your rights under this Privacy Policy;
• Debugging to identify and repair errors with our Services;
• Auditing relating to interactions, transactions, and other compliance activities;
• Sharing Personal Information with third parties as needed to provide the Services;
• Enforcing our agreements and policies; and
• Carrying out activities that are required to comply with our legal obligations.

C.  Marketing and Advertising our Products and Services

We may use Personal Information to tailor and provide you with content and advertisements. We may provide you with these materials as permitted by applicable law. If you have any questions about our marketing practices or if you would like to opt out of the use of your Personal Information for marketing purposes, please see Your Privacy Choices and Rights or  Contact Us at any time.

D.  With Your Consent

We may use Personal Information for other purposes that are clearly disclosed to you at the time you provide Personal Information or with your consent.

E.  Other Purposes

We also use your Personal Information for other legitimate business purposes, as requested by you, for legal compliance, loss-prevention, anti-fraud purposes or as otherwise permitted by applicable law. For example, we may use Personal Information to create de-identified and/or aggregated information to improve the accuracy and security of our Services and to contribute to protecting the security of the broader payments ecosystem. Note however, if we create or receive de-identified information, we will not attempt to reidentify such information, except as may be required to comply with applicable law. 

4.  How we may disclose your personal information

We disclose your Personal Information to third parties for a variety of business purposes, including to provide our Services, at your request or with your permission, to protect us or others, or in the event of a major business transaction such as a merger, sale, or asset transfer, as described below. 

A.  Disclosures to Provide our Services

The categories of third parties with whom we may disclose your Personal Information are described below. To the extent we provide Personal Information to our affiliates or service providers, we do so to enable them to process such Personal Information based on our instructions and in compliance with this Privacy Policy and any other appropriate confidentiality and security measures. With respect to onward transfers under the Data Privacy Framework, the Data Privacy Framework requires that Sardine remain liable for onward transfers of Personal Information in a manner inconsistent with the Data Privacy Framework Principles as outlined in our Data Privacy Framework Statement.

• Service Providers. We work with third-party service providers and vendors that assist us with the provision of our Services. This includes service providers and vendors that provide us with IT support, hosting, payment processing, settlement services, fraud detection, identity verification providers, and related services. When we disclose information with third-party service providers in this capacity, we require them to use your information on our behalf in accordance with our instructions and terms and only process your personal information as necessary to provide the Services to you pursuant to the terms of a binding contract between them and Sardine. We may disclose your information with payment processing companies to process and settle payments transacting users initiate when using our Services. If you are a transacting user, we will also disclose your Personal Information with our identity verification partners to prevent fraud by confirming your identity by comparing information you provide us to public records and third-party databases. In some cases, our service providers may process biometric data that can be used in connection with the provision of fraud prevention and identity verification services. In those cases, transacting users will also need to agree to our service providers’ privacy policies to access the Services.
• Business Partners. We may disclose your Personal Information with business partners to provide you with a product or service you have requested. We may also disclose your Personal Information with business partners with whom we jointly offer products or services.
• Affiliates. We may disclose your Personal Information with our company affiliates for our administrative and business purposes, IT management, or for them to provide services to you or support and supplement the Services we provide.
• Professional Advisors, Industry Partners, Governmental Authorities and Regulators. In order to provide our Services, we may also disclose your information with our advisors, regulators, tax and other governmental authorities, governmental agencies, law enforcement agencies and industry partners to respond to applicable law or regulations, court orders, legal process or government requests; comply with our reporting and information sharing obligations with industry partners and regulatory authorities; detect, investigate, prevent, or address fraud and other illegal activity or security and technical issues; and protect the rights, property, and safety of you, Sardine or others, including to prevent imminent harm or injury to others.

B.  Disclosures to Protect Ourselves or Others

We may access, preserve, and disclose any information we store associated with you to external parties if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our, or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.

C.  Disclosure in the Event of Merger, Sale, or Other Asset Transfers

If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, your information may be sold or transferred as part of such a transaction, as permitted by law and/or contract.

5.  Your privacy choices and rights

Your Privacy Choices. The privacy choices you may have about your Personal Information are determined by applicable law and are described below.

• Email Communications. If you receive an unwanted email from us, you can use the unsubscribe link found at the bottom of the email to opt out of receiving future emails. Note that you will continue to receive transaction-related emails regarding products or Services you have requested. We may also send you certain non-promotional communications regarding us and our Services, and you will not be able to opt out of those communications (e.g., communications regarding our Services or updates to our Terms of Service or this Privacy Policy). 
• “Do Not Track”/ “Global Privacy Control.”  Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. Additionally, some browsers or plug-ins offer a “Global Privacy Control” (“GPC”), which you can learn more about at https://globalprivacycontrol.org/. Please note that we do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers. However, if we detect a GPC signal from your device, we will interpret it as a request to stop or limit the sale or sharing of Personal Information for certain purposes, depending on the circumstances and law applicable to your jurisdiction.
• Cookies. You may stop or restrict the placement of Technologies on your device or remove them by adjusting your preferences as your browser or device permits. However, if you adjust your preferences, our Services may not work properly. Please note that cookie-based opt-outs are not effective on mobile applications.

Your Privacy Rights. Depending on where you live, you may be entitled to exercise certain privacy rights related to your Personal Information. If you would like to exercise any privacy rights granted to you under applicable law, please Contact Us at any time. We will process such requests in accordance with applicable laws and will not discriminate against you for any exercising privacy rights to which you are legally entitled. Please note, to protect your privacy, we will take steps to reasonably verify your identity before fulfilling your request. These steps may involve asking you to provide information to allow us to reasonably verify you are the person about whom we collected Personal Information (or an authorized representative), or to answer questions regarding your account and use of our Services.

• Right to Access and Portability of Personal Information about you, including: (i) confirming whether we are processing your Personal Information, and (ii) obtaining access to, or a copy of Personal Information we may hold about you. 
• Right to Request Correction of your Personal Information where it is inaccurate, incomplete, or outdated. In some cases, we may provide self-service tools that enable you to update your Personal Information directly.
• Right to Request Deletion of your Personal Information when processing is based on your consent or when processing is unnecessary, excessive, or noncompliant, subject to applicable law.
• Right to Request Restriction of or Object to our processing of your Personal Information where the processing of your Personal Information is based on our legitimate interest or for direct marketing purposes including (i) the right to opt-out of the sharing of Personal Information, (ii) object to or restrict our use of or your sensitive Personal Information, including the right to opt-out of the sharing of sensitive Personal Information, and (iii) opt out of the processing of your Personal Information for purposes of (a) targeted advertising, and (b) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
• Right to Withdraw your Consent to our processing of your Personal Information. Please note that your withdrawal will only take effect for future processing and will not affect the lawfulness of processing before the withdrawal. If you refrain from providing Personal Information or withdraw your consent to processing, you may not be able to use aspects of the Services.
• Right to Work with an Authorized Agent. Only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your Personal Information. To authorize an agent, provide written authorization signed by you and your designated agent and Contact Us as set forth below for additional instructions.
• Right to File a Complaint. If your Personal Information is subject to the certain data protection laws, you have the right to lodge a complaint with the competent supervisory authority or attorney general if you believe our processing of your Personal Information violates applicable law.      

6.  Security of your information

We take steps to ensure that your information is treated securely and in accordance with this Privacy Policy. Unfortunately, no system is 100% secure, and we cannot ensure or warrant the security of any information you provide to us. To the fullest extent permitted by applicable law, we do not accept liability for unauthorized access, use, disclosure, or loss of Personal Information.  By using our Services or providing Personal Information to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of our Services. If we learn of a security system’s breach, we may attempt to notify you electronically by posting a notice on our Services, by mail, or by sending an email to you.

7.  Retention of personal information

We store the Personal Information we collect as described in this Privacy Policy for as long as you use our Services, or as necessary to fulfill the purpose(s) for which it was collected, provide our Services, resolve disputes, establish legal defenses, conduct audits, pursue legitimate business purposes, enforce our agreements, and comply with applicable laws, or based upon other criteria, including, but not limited to, the sensitivity and volume of such data.  Additionally, we endeavor to retain all such Personal Information in accordance with legal requirements.

8.  International data transfers

All information processed by us may be transferred, processed, and stored anywhere in the world, including, but not limited to, the United States or other countries, which may have data protection laws that are different from the laws where you live. We endeavor to safeguard your information consistent with the requirements of applicable laws.

If we transfer Personal Information which originates in the European Economic Area, Switzerland, and/or the United Kingdom to a country that has not been found to provide an adequate level of protection under applicable data protection laws, we use various safeguards. For transfers to the United States, we will rely on the Data Privacy Frameworks, described below. For transfers to other countries that have not been deemed to have “adequate” privacy laws by the exporting countries, one of the safeguards we may use to support such transfer is the EU Standard Contractual Clauses, as supplemented by country-specific annexes, as applicable.      

9.  Data privacy framework

SardineAI Corp., SonarAI LLC and SardineAI Payments Inc. comply with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce.  Sardine has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles”) regarding the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.  Sardine has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles) regarding the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.  If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern.  To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.  Please also review Sardine’s Statement on its adherence to the Data Privacy Framework. 

If you are in the European Economic Area, the United Kingdom, or Switzerland you may seek confirmation regarding whether Sardine is processing Personal Information about you, request access to Personal Information, and ask that we correct, amend or delete your Personal Information where it is inaccurate or has been processed in violation of the Data Privacy Framework Principles. Where otherwise permitted by applicable law, you may use any of the methods set out in this Privacy Policy to request access to, receive (port), object to processing (including in some cases automated decision making and/or profiling), restrict processing, seek rectification, or request erasure of Personal Information held about you by Sardine. 

Although Sardine  makes good faith efforts to provide Individuals with access to their Personal Information, there may be circumstances in which Sardine  is unable to provide access, including but not limited to: where the information contains legal privilege, would compromise others’ privacy or other legitimate rights, where the burden or expense of providing access would be disproportionate to the risks to the Individual’s privacy in the case in question or where it is commercially proprietary. If Sardine determines that access should be restricted in any instance, we will provide you with an explanation of why that determination has been made and a contact point for any further inquiries. 

Notwithstanding anything herein to the contrary, Sardine remains subject to the investigatory and enforcement powers of the Federal Trade Commission (“FTC”), or any other U.S. authorized statutory body.

10.  Children's information

Our Services are not directed to persons under 18, and we do not knowingly collect Personal Information from children under the age of 13.   If you are a parent or guardian and believe your child has provided us with their Personal Information, please Contact Us. We will delete any Personal Information we may have inadvertently collected from your child unless we have a legal obligation to keep it.

11.  Changes to our privacy policy

We may revise this Privacy Policy from time to time at our sole discretion. If there are any material changes to this Privacy Policy, we will notify you as required by applicable law. You understand and agree that you will be deemed to have accepted the updated Privacy Policy if you continue to use our Services after the new Privacy Policy takes effect.

12.  Contact us

Sardine is the controller of the Personal Information we process under this Privacy Policy. If you have any questions about our privacy practices or this Privacy Policy, or to exercise your rights as detailed in this Privacy Policy, please contact us at:

SardineAI Corp.
382 NE 191^st St, #58243
Miami, Florida
33179-3899
dataprotection@sardine.ai

13. Notice at collection and supplemental notice for California and residents of certain U.S. States

This Supplemental Policy is for residents of states that have adopted comprehensive privacy legislation and others that may come into effect from time to time, including, but not limited to, California, Connecticut, Colorado, Utah and Virginia (collectively, “Applicable State Laws”).

The following table describes the categories of personal information Sardine has collected and whether Sardine disclosed that personal information for a business purpose (e.g., to a service provider).

As more fully described in the section titled      Personal Information We Collect, the sources from which we collect Personal Information include directly from you when you interact with us, automatically from you when you use our sites and services (for example through cookies and other online technologies), from third parties (for example, if you access our services through a third-party application, such as an app store, a third-party login service, or a social networking site, we may collect Personal Information about you from that third-party application that you have made available via your privacy settings), and through referrals from others. The business purposes for which we collect Personal Information are described in more detail in the section titled, How We Use Your Personal Information and include:

• To provide our Services to you;
• For our Administrative purposes;
• With your consent, and
• To comply with law.
  

Our full Privacy Policy can be accessed here.

"Sales" and “Sharing” of Personal Information under the CCPA

For purposes of CCPA, we do not “sell” Personal Information, nor do we have actual knowledge of any “sale” of Personal Information of persons under 18 years of age as the term “sell” is commonly understood. However, we may “share” Personal Information for cross-contextual behavioral advertising. 

California Shine the Light. The California “Shine the Light” law permits users who are California residents to request and obtain from us once a year, free of charge, a list of the third parties to whom we have disclosed their Personal Information (if any) for their direct marketing purposes in the prior calendar year, as well as the type of Personal Information disclosed to those parties. Sardine does not disclose Personal Information to third parties for their direct marketing purposes.

14. U.S. Consumer privacy notice

‍

15. Important privacy choices for consumers

You have the right to control whether we share some of your personal information. Please read the following information carefully before you make your choices below.

SardineAI Corp. (“Sardine”, “we”, or “us”) provides this California Customer Privacy Notice to you as required by the California Financial Information Privacy Act, to the extent you are a California resident to whom we provide a financial product or service.  

Your Rights

You have the right to restrict the sharing of personal and financial information with our affiliates (companies we own or control) and outside companies with whom we do business, as described below. Nothing in this form prohibits Sardine from sharing information necessary for us to follow the law, as permitted by applicable law, or to service your accounts with us.

Your Choices

Restrict Information Sharing With Companies We Own or Control (Affiliates):  Unless you send us an email to dataprotection@sardine.ai and tell us “NO, Sardine may not share personal and financial information about me with Sardine’s affiliated companies” or otherwise say “No”, we may share personal and financial information about you with our affiliated companies. See below for details.

□  NO, please do not share my personal and financial information with your affiliated companies.

Restrict Information Sharing With Other Companies We Do Business With To Provide Financial Products And Services:  Unless you send us an email to dataprotection@sardine.ai and tell us “NO, Sardine may not share personal and financial information about me with outside companies Sardine contracts with to provide financial products and services” or otherwise say “No”, we may share your personal and financial information with outside companies with whom we contract to provide financial products and services to you. See below for details.

□  NO, please do not share my personal and financial information with outside companies you contract with to provide financial products and services.

Time Sensitive Reply

You may exercise your privacy choice(s) at any time.  To exercise your privacy choice(s) please email us with your name, email and your choices as offered above. Please note we may need to contact you via a secure channel to confirm your account number before proceeding. Your choice(s) will remain unless you notify us otherwise.  If we do not hear you, we may share some of your information with affiliated companies and other companies with whom we have contracts to provides products and services. You may also mail this form to us using the address set forth in Section 12 of our Privacy Policy.

Name:

Account or Policy Number(s):                      [to be filled in by consumer]

Signature:

LAST UPDATED: JUNE 11, 2024

Data privacy framework principles: Policy Statement ("STATEMENT")

Purpose

SardineAI Corp., SonarAI LLC and SardineAI Payments, Inc. (collectively, “Sardine”) comply with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”) and the UK Extension to the EU-U.S. DPF and Swiss-U.S. Data Privacy Framework (collectively, “Data Privacy Framework”) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personally-identifying information (“Personal Information”) transferred from the European Union, United Kingdom and Switzerland to the United States. Sardine has certified to the Department of Commerce that it adheres to the Data Privacy Framework Principles regarding the processing of Personal Information received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework Principles (collectively, the “Data Privacy Framework Principles”). If there is any conflict between the terms of our online privacy policy and the Data Privacy Framework Principles, the Data Privacy Framework Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov.

Definitions

The following capitalized terms are used throughout this document and are defined as follows:

• “Agent” or collectively, “Agents” means any third party that processes Personal Information pursuant to the instructions of, and solely for, Sardine or to which Sardine discloses Personal Information for use on its behalf.
• “Citizen” or collectively, “Citizens” means a lawful citizen or citizens of the EEA, the UK and Switzerland and includes Customers and Users.
• “EEA” means the European Economic Area.
• “Sardine” or the “Company” collectively refers to Sardine, as it is incorporated in any state or territory of the United States.
• “Personal information” includes the term “personal data” and means any information or set of information about an identified or identifiable Citizen, including, but not limited to: (a) first name or initial and last name; (b) home or other physical address; (c) telephone number; (d) email address or online identifier associated with the Citizen; (e) Social Security number or other similar identifier; (f) employment, financial or health information; or (g) any other information relating to a Citizen that is combined with any of the above. The term “Personal Information” does not include anonymized information or information that is reported in the aggregate (provided that such aggregated information is not identifiable to a natural person).
• “Data Privacy Framework Principles” collectively means the following seven (7) privacy principles as described in the Data Privacy Framework: (1) Notice, (2) Choice, (3) Accountability for Onward Transfer, (4) Security, (5) Data Integrity and Purpose Limitation, (6) Access, and (7) Recourse, Enforcement and Liability as agreed to by the U.S. Department of Commerce and the European Commission.
• “Process” or “Processing” of Personal Information means any operation or set of operations which is performed upon Personal Information, whether by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
• “Sensitive Personal Information” means Personal Information that reveals race, ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, genetic data, biometric data where Processed to uniquely identify a person, any information that concerns medical or health conditions, social security measures or sex life, or information relating to the commission of a criminal offense.
• “Statement” means this Data Privacy Framework Statement.
  

Capitalized terms not defined above have the definitions set forth in the respective paragraphs of this Statement.

Data privacy framework principles

1. Notice: In the event that Sardine collects Personal Information from a Citizen, Sardine will furnish a notice to the Citizen that describes: (i) the types of Personal Information that it collects about such Citizens; (ii) the purposes for which it collects such information; (iii) the types of third parties to which it discloses such information, and the purposes for which it does so; and (iv) how to contact Sardine with any inquiries or complaints, including any relevant establishment in the EEA, United Kingdom and/or Switzerland that can respond to such inquiries or complaints. Notice will be provided in clear and conspicuous language at the time of collection, or as soon as reasonably practicable thereafter. In any event, notice will be provided before Sardine discloses the Personal Information or uses such information for a purpose other than that for which the Personal Information was originally collected or Processed.‍
2. Choice: If Personal Information is to be used for a new purpose that is materially different from the purpose(s) for which the Personal Information was originally collected or subsequently authorized, or transferred to a non-Agent third party, Citizens will be provided, where practical and appropriate, with an opportunity to decline to have their Personal Information so used or transferred. If the Personal Information used for a purpose other than that for which it was originally collected or subsequently authorized or transferred to the control of a non-Agent third party is Sensitive Personal Information, the Citizen’s affirmative express consent will be obtained prior to the use or transfer of the Sensitive Personal Information or as otherwise permitted in accordance with the Data Privacy Framework Principles.‍
3. Accountability for Onward Transfer: Sardine will endeavor to only transfer Personal Information to an Agent where such Agent has given assurances that it provides at least the same level of privacy protection as is required by the Data Privacy Framework Principles and this Statement and will notify Sardine if it makes a determination it can no longer meet this obligation. Where Sardine has knowledge that an Agent is using or sharing Personal Information in a way that is contrary to the Data Privacy Framework Principles and/or this Statement, Sardine will take reasonable steps to prevent or stop such Processing. With respect to onward transfers to   Agents, the Data Privacy Framework requires that, to the extent it is responsible for the event, Sardine shall remain liable should its Agents Process Personal Information in a manner inconsistent with the Data Privacy Framework Principles.‍
4. Security: Sardine takes reasonable and appropriate administrative, technical and physical precautions designed to protect Personal Information from loss, misuse and unauthorized access, disclosure, alteration and destruction, regardless of whether such Personal Information is in electronic or tangible, hard copy form.‍
5. Data Integrity and Purpose Limitation: Sardine endeavors to limit the collection, usage, and retention of Personal Information to that which is relevant for the intended purposes of Processing, and takes reasonable steps designed to ensure that all Personal Information is reliable for its intended use, accurate, complete and current. Sardine trains its personnel and uses technical and other organizational measures to keep Personal Information reliable, accurate, complete and current.‍
6. Access: Citizens may seek confirmation regarding whether Sardine is Processing Personal Information about them, request access to their Personal Information and ask that the Company correct, amend or delete that information, where it is inaccurate or has been Processed in violation of the Data Privacy Framework Principles. Although Sardine makes good faith efforts to provide Citizens with access to their Personal Information, Sardine reserves the right to limit or deny such access where the burden or expense of providing access would be disproportionate to the risks to the Citizen’s privacy, where the rights of Citizens other than the subject Citizen would be violated, where the information is commercially proprietary or where doing so is otherwise consistent with the Data Privacy Framework  Principles. If Sardine determines that access should be restricted in any instance, we will provide you with an explanation of why that determination has been made and a contact point for any further inquiries.‍
7. Recourse, Enforcement and Liability: Sardine has implemented mechanisms to verify its ongoing compliance with the Data Privacy Framework Principles and this Statement. Any party that violates the Privacy Principles and/or this Statement will be subject to disciplinary procedures in accordance with Sardine’s disciplinary procedures. In the event of a dispute, Citizens can seek resolution of their questions or complaints regarding use and disclosure of their Personal Information in accordance with the Data Privacy Framework Principles contained in this Statement. If you feel that Sardine is not abiding by the terms of this Statement or is not in compliance with the Data Privacy Framework Principles, please contact Sardine at the contact information provided below. In addition, Sardine has agreed to cooperate with JAMS Data Privacy Framework Dispute Resolution Program with respect to complaints related Customer and User Personal Information. For more information and to submit a complaint to JAMS, visit JAMS ADR link.  Such independent dispute resolution mechanisms are available to Citizens free of charge. If any request remains unresolved, Citizens may have a right to invoke binding arbitration under the Data Privacy Framework. The FTC has jurisdiction over Sardine’s compliance with the Data Privacy Framework.
   

Limitation on scope of data privacy framework principles

Adherence to these Data Privacy Framework Principles may be limited (i) to the extent required or allowed by applicable law, rule or regulation; (ii) to the extent necessary to respond to lawful requests by public authorities, including to meet national security, law enforcement, legal or governmental requirements; and/or (iii) to protect the health or safety of a Citizen.

Contact information

If you have questions regarding this Statement or any of Sardine’s privacy practices, please contact us by email at dataprotection@sardine.ai.

Changes to this statement

This Statement may be amended from time to time in a manner that is consistent with the requirements of the Data Privacy Framework Principles. When this Statement is updated, the “Last Updated” date at the top of this document shall be amended accordingly. Any material changes to this Statement will be posted on Sardine’s website at www.sardine.ai/privacy-policy.