Privacy Policy

1. Introduction

Streamlined Financial, Inc. ("Streamlined", "we", "us" or "our") provides a digital invoicing enablement solution for small businesses. This Privacy Policy describes our practices concerning the information we receive or collect when you visit our website located at www.streamlinedpayments.com ("Website") or access our online platform through the website of one of our partners (collectively, "Services"). Specifically, it describes the information we collect, how and for which purposes we may use such information, where we store it and for how long we retain the information, with whom we may share it, our use of tracking technologies and communications, our security practices, your choices and rights regarding such information, our policy concerning children, and how to contact us if you have any concerns regarding this Policy or your privacy.

Streamlined provides its Services primarily to businesses (our "Customers"). When we process information about you in our capacity as a controller (or "business" under applicable US state privacy laws) — for example, when you visit our Website, sign up for an account, or contact us — this Privacy Policy describes our practices. When our Customers use the Services to send invoices, accept payments, or otherwise process information about their own customers, vendors, employees, or contacts (each, a "Payor"), we generally act as a processor (or "service provider") on the Customer's behalf, and our handling of that Payor information is governed by our agreement (including any Data Processing Addendum) with the relevant Customer. If you are a Payor and have questions about how a particular business uses your information, please contact that business directly.

Please read this Privacy Policy and make sure that you fully understand and agree to it. If you do not agree to this Policy, please discontinue and avoid using our Services.

2. Information Collection

We collect the following main categories of information (and to the extent one or more of them may enable the identification of a specific person or is linked to such potentially identifying data, we will deem it "Personal Information"):

Information You Provide. You may provide us Personal Information such as your name, e-mail address, phone number, and hashed password when you use our Services, create a user account, or contact us. If you choose to send invoices via our Services, you may also provide us with your banking information and preferences, as well as information about any customers making payment.

Sensitive Personal Information. To facilitate payments and to verify identity, we may also collect information that is treated as "sensitive" under certain privacy laws, including financial account numbers (such as bank account and routing numbers), payment card information (handled by our payment processors and not stored by us in unencrypted form), and, where required, government identifiers used to comply with anti-money laundering and "know your customer" obligations. We use such information only as reasonably necessary to provide our Services and to comply with our legal obligations.

Information We Collect Automatically. When you visit, interact with or use our Services, we may collect certain technical data about you. We collect or generate such data either independently or with the help of third party services, including through the use of "cookies" and other tracking technologies (as further detailed in Section 6 below). Such data consists of sensor, location, connectivity, technical and aggregated usage data, such as your GPS/GNSS location data; home and work locations; IP addresses, wireless networks, cell towers and Wi-Fi access points; non-identifying data regarding a device, operating system, and browser; activity, communication, and performance logs; issues and bugs; and user activity on our Services. This data does not enable us to learn your true identity or contact details, and serves mostly to improve the overall performance of our Services, and to better understand how our users typically use our Services and how we could improve their user experience.

Information from Third Parties. We may receive information about you from third parties. For example, we may receive information about you from outside records of third parties, such as marketing-related or demographic information. We may supplement the information we collect about you through the Website and the Services with such information from third parties in order to enhance our ability to serve you, to tailor our content to you and/or to offer you opportunities to purchase products or services that we believe may be of interest to you. If we combine such data with information we collect through the Website or the Services, such information is subject to this Privacy Policy unless we have disclosed otherwise.

3. Information Use

We use your Personal Information as necessary for the performance of our Services; for complying with applicable law; and based on our legitimate interests in maintaining and improving our Services and offerings, understanding how our Services are used, optimizing our marketing, customer service and support operations, and protecting and securing our users, ourselves, and members of the general public.

Specifically, we use Personal Information for the following purposes:

• To facilitate, operate, and provide our Services;
• To authenticate the identity of our users, and to allow them to access and use our Services;
• To provide our users with assistance and support;
• To further develop, customize and improve the Services and your user experience, based on common or personal preferences, experiences, and difficulties;
• To contact our users with general or personalized service-related messages (such as password-retrieval); or with promotional messages (such as newsletters, special offers, new features etc.); and to facilitate, sponsor and offer certain events and promotions;
• To support and enhance our data security measures, including for the purposes of preventing and mitigating the risks of fraud, error, or any illegal or prohibited activity;
• To create aggregated statistical data, inferred non-personal data or anonymized or pseudonymized data (rendered non-personal), which we or our business partners may use to provide and improve our respective services;
• To enforce our Terms of Service and any other agreements between you and Streamlined; and
• To comply with any applicable laws and regulations

4. How We Share Your Information in Connection with the Services

1. Payors and Payees. In connection with the Streamlined Services, we may share some of your Personal Information with the business with which you are transacting in order to effect your transaction.
2. Streamlined Partners. If you access our online platform through the website of one of Streamlined's partners, then we may share your Personal Information with that partner.
3. Streamlined Service Providers. We may engage selected third party companies and individuals to perform services complementary to our own (e.g. hosting and server co-location services, data analytics services, marketing and advertising services, data and cyber security services, fraud detection and prevention services, payment processing services, e-mail and SMS distribution and monitoring services, and our business, legal and financial advisors) (collectively,"Service Providers"). These Service Providers may have access to your Personal Information, depending on each of their specific roles and purposes in facilitating and enhancing our Services, and may only use it for such purposes.
4. Subsidiaries and Affiliated Companies. We may share Personal Information internally within our family of companies, for the purposes described in this Policy.
5. Business Transfers. Should Streamlined or any of its affiliates undergo any change in control, including by means of merger, acquisition, or purchase of substantially all of its assets, your Personal Information may be shared with the parties involved in such event. If we believe that such change in control might materially affect your Personal Information then stored with us, we will notify you of this event and the choices you may have via e-mail or prominent notice on our Services.
6. Legal Compliance. We may disclose or allow government and law enforcement officials access to certain Personal Information, in response to a subpoena, search warrant, or court order (or similar requirement), or in compliance with applicable laws and regulations. Such disclosure or access may occur if we have a good faith belief that we are legally compelled to do so, or that disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud, or other wrongdoing.
7. Protecting Rights and Safety. We may share your Personal Information with others if we believe in good faith that this will help protect the rights, property, or personal safety of Streamlined, any of our users, or any members of the general public.
8. With Your Permission. Streamlined may share your Personal Information pursuant to your explicit consent.

5. Location, Retention, and Protection of Information

1. Your Personal Information may be maintained, processed, and stored by Streamlined and our authorized affiliates and Service Providers in the United States of America, as necessary for the proper delivery of our Services, or as may be required by law. Streamlined, its affiliates, and Service Providers are each committed to protect Personal Information in accordance with this Policy and industry standards.
2. We retain Personal Information for as long as needed to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. Typical retention periods are as follows: (i) account information is retained for the life of the account, plus up to seven (7) years thereafter to comply with tax, accounting, audit, and anti-money laundering obligations; (ii) invoice and transaction records are retained for up to seven (7) years following the transaction; (iii) marketing preferences and suppression lists are retained indefinitely so that we can honor your opt-out choices; (iv) server logs, security telemetry, and similar operational data are typically retained for up to twenty-four (24) months; and (v) backup copies are retained until the relevant backup is overwritten in our normal backup rotation. If we are required to maintain a record of any information, you may not be able to delete such information until the applicable retention period has expired. Please be aware that your Personal Information may be stored on backup tapes and locations, third-party servers, and other repositories that may not be erasable, and residual information may be retained. We are under no obligation to store such information indefinitely and disclaim any liability arising out of, or related to, the destruction of such information.
3. We maintain administrative, technical, and physical safeguards that are designed to protect the privacy and security of your Personal Information. For example, all information you provide is accessible only to designated staff. In addition, all information is protected by SSL/TLS encryption when it is exchanged between your web browser and the Website or via the Services. We note, however, that the transmission of information via the internet is not completely secure. Although we do our best to protect your Personal Information, we cannot guarantee the security of information transmitted to our Website or via the Services. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Website. In addition, where you have chosen a password for access to certain parts of our Website, you are responsible for keeping this password confidential.
4. Where Your Information Is Processed. Our Services are intended for businesses based in the United States, and Personal Information is primarily processed and stored in the United States. To the extent any of our Service Providers process Personal Information outside the United States in connection with providing the Services, by using the Services you acknowledge and consent to the transfer of your Personal Information to those jurisdictions and to its handling in accordance with this Privacy Policy and applicable law.
5. Breach Notification. If we become aware of a security incident that compromises your Personal Information, we will notify you and applicable regulators as and when required by law, and in any event without undue delay.

6. Cookies and Tracking Technologies

We use the following categories of cookies and similar technologies on the Website and the Services:

• Strictly necessary cookies, which are required for the Website and Services to function (for example, to authenticate you and remember your session);
• Functional cookies, which remember choices you make to provide a more personalized experience;
• Analytics and performance cookies, which help us understand how the Website and Services are used so that we can improve them; and
• Marketing cookies, which we and our advertising partners may use to deliver advertising that is more relevant to you.

Where required by applicable law, we will obtain your consent before placing non-essential cookies. You can manage your cookie preferences through any cookie banner we make available, or through your browser settings. If you choose to disable certain cookies, some parts of the Website or the Services may not function properly.

Session Trackers. In operating the Website and the Services, we may use cookies and similar session tracking technologies ("Session Trackers"). Session Trackers help provide additional functionality to the Website, customize users' experiences with the Website and help us analyze Website usage more accurately for research and product development purposes. We (including third parties that we work with) may place session trackers on your device for security purposes, to facilitate navigation of the Website or the Services, and to personalize your experience while using our Website or the Services. If you would prefer not to accept Session Trackers when using the Website or the Services, please follow the instructions provided by your website or mobile browser (usually located within the "Help", "Tools" or "Edit" facility) to modify your Session Tracker settings. Please note that if you disable Session Trackers, you may not be able to access certain parts of our Website or Services and other parts of our Website or Services may not work properly. As a result, we recommend that you leave Session Trackers turned on when accessing the Website or the Services because they allow you to take advantage of some of the Website and Services' features.

Web Beacons. In addition to Session Trackers, we may use web beacons (also known as "clear GIFs"), which are transparent graphic images placed on a web page or in an email and indicate that a page or email has been viewed or tell your browser to get content from another server. We use web beacons to measure traffic to or from, or use of, our online forms, tools or content items and related browsing behavior and to improve your experience when using the Website or the Services. We may also use customized links or other similar technologies to track hyperlinks that you click and associate that information with your Information in order to provide you with more focused communications.

7. Managing Your Preferences

1. We want to communicate with you in the most effective manner, whether by sending you relevant marketing materials or by operating an intuitive and informative website. At the same time, we appreciate that your preferences regarding marketing, promotions, and online privacy will continue to evolve. This section provides you with information on how you can fine-tune your preference settings.
2. We may use your Personal Information to provide you with marketing or other promotional communications via mail or email. If, at any time, you would like to stop receiving these promotional e-mails, you may follow the opt-out instructions contained in any such e-mail or by contacting us as set out below. Please note that by opting out, you may prohibit Streamlined from informing you of offerings that may be of interest to you. It may take up to five (5) business days for us to process opt-out requests.
3. In addition, we may use your Personal Information to send you push notifications from time-to-time in order to update you about any events or promotions that we may be running. If you no longer wish to receive these types of communications, you may turn them off on your device.

8. Accessing, Updating, and Correcting Your Information

1. Updating Your Information. If you are a registered user of the Services, you may update and correct your information and delete inaccuracies through your account. Specifically, you can review and edit specific types of information at any time by logging in to the Website or the Services and making changes.
2. Correcting Information from Third Parties. Streamlined may receive from its customers Personal Information about third parties (notably, payees) and may have no direct relationship with the individuals to whom that information relates. An individual who is not a Streamlined registered user who seeks to access, correct, amend, or delete data provided to us by our customers should direct those requests to the customer as they will have access to that information through their own account. If requested to remove data, we will respond within the timeframes required by applicable law.

9. Social Media

You may also find additional information regarding the Services on our social media sites such as Facebook, LinkedIn, or X (formerly Twitter). Please keep in mind that any information you share through such social media sites is visible to all participants on these social media sites and you should never post any sensitive information (such as account numbers) to such social media sites. Please carefully review the terms of use and privacy policies of these social media sites as they may be different from our own policies.

10. Other Websites and Businesses

This Privacy Policy covers the privacy practices of Streamlined only. This Privacy Policy does not apply to the practices of third party websites, services, or applications, including third parties with which we partner. These third party services are governed by their own privacy policies. Streamlined is not responsible for the privacy policies and practices of these third parties.

11. Do Not Track and Global Privacy Control

Some browsers offer a "Do Not Track" ("DNT") signal. Because no consistent industry standard for DNT has been adopted, we do not currently respond to DNT browser signals. However, we recognize and honor opt-out preference signals such as the Global Privacy Control ("GPC") where required by applicable law (including, where applicable, in California, Colorado, and Connecticut). When we detect a GPC signal from your browser, we treat it as a valid request to opt out of the "sale" or "sharing" of Personal Information associated with that browser and device, to the extent we engage in any such sale or sharing.

12. Children Under 13 Years of Age

Our Services are not directed to children under 13 years of age, and we do not knowingly collect information from children under 13. If we become aware that a child under 13 has provided us with Personal Information, we will prohibit and block such use and will make all efforts to promptly delete any Personal Data stored with us with regard to such child.

13. Your California Privacy Rights

This section applies to California residents and supplements the rest of this Privacy Policy. It describes how we handle Personal Information under the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the "CCPA").

Categories of Personal Information We Collect. In the past twelve (12) months, we have collected the following categories of Personal Information, as those categories are defined under the CCPA: identifiers (such as name, email address, IP address, and account credentials); customer records (such as contact and billing information); commercial information (such as records of transactions and services purchased); financial information (such as bank account information used to process payments); internet or other electronic network activity information (such as device, browsing, and usage data); geolocation data (approximate location derived from IP address); professional or employment-related information (such as job title and employer); and inferences drawn from the above. We collect these categories from you directly, from our Customers and partners, from cookies and similar technologies, and from third-party data sources, as further described in Section 2.

Sensitive Personal Information. We collect financial account information (and, where required, government identifiers) that may qualify as "sensitive personal information" under the CCPA. We use such information only as reasonably necessary to provide the Services you have requested and to comply with our legal obligations, and not for purposes that would require us to offer a "right to limit" the use of sensitive personal information under the CCPA.

Purposes for Which We Use Personal Information. We use the categories above for the business and commercial purposes described in Section 3 of this Privacy Policy.

Categories of Recipients. We disclose the categories of Personal Information described above to the categories of recipients described in Section 4 of this Privacy Policy (including Service Providers, Streamlined Partners, payors and payees, our affiliates, and parties involved in a business transfer or legal process).

"Sale" and "Sharing" of Personal Information. We do not "sell" Personal Information for monetary consideration. We may, however, allow certain third-party advertising and analytics partners to collect Personal Information through cookies and similar technologies on our Website, which may be considered a "sale" or "sharing" of Personal Information for cross-context behavioral advertising purposes under the CCPA. You may opt out of these activities at any time by using any "Do Not Sell or Share My Personal Information" link we make available on our Website, by enabling the Global Privacy Control in your browser, or by emailing us at privacy@streamlinedpayments.com. We do not knowingly sell or share the Personal Information of consumers under sixteen (16) years of age.

Your CCPA Rights. If you are a California resident, you have the right to:

• request that we disclose the categories and specific pieces of Personal Information we have collected, used, disclosed, and sold or shared about you;
• request that we correct inaccurate Personal Information we maintain about you;
• request that we delete Personal Information we have collected from you, subject to certain exceptions;
• opt out of the sale or sharing of your Personal Information;
• limit the use and disclosure of sensitive personal information, where applicable; and
• not be discriminated against for exercising any of these rights.

How to Exercise Your Rights. You may submit a request by emailing us at privacy@streamlinedpayments.com. We will verify your request by matching the information you provide with the information we maintain about you, and may ask for additional information to verify your identity. You may also designate an authorized agent to make a request on your behalf, in which case we will require written authorization and, in some cases, verification of your identity. We will respond to verifiable requests within the timeframes required by applicable law.

"Shine the Light". California's "Shine the Light" law also entitles California residents to request, once per year, a list of the categories of Personal Information that we have disclosed to third parties for those third parties' direct marketing purposes during the preceding calendar year, and the names and addresses of those third parties. To make a request, please email privacy@streamlinedpayments.com and specify that you want a "Your Streamlined California Privacy Rights Notice". Please allow thirty (30) days for a response.

14. Other US State Privacy Rights

Residents of certain other US states (including Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Iowa, Delaware, and others) may have rights under their state privacy laws similar to those described above for California. Depending on your state of residence, these may include the right to confirm whether we process your Personal Information; to access, correct, or delete your Personal Information; to obtain a portable copy of your Personal Information; to opt out of targeted advertising, the sale of Personal Information, and certain forms of profiling; and to appeal a denial of your rights request. To exercise any of these rights, please contact us at privacy@streamlinedpayments.com. We will respond within the timeframes required by applicable law. If we deny your request, you may appeal our decision by replying to our response; if we deny your appeal, you may contact your state's Attorney General.

15. Geographic Scope

The Services are intended for use by businesses based in the United States and by their customers, vendors, and contacts in connection with such businesses' transactions. We do not target the Services to, or actively market to, individuals located in the European Economic Area, the United Kingdom, or Switzerland, and we make no representations that the Services are appropriate or available for use in those regions. If you choose to access the Services from outside the United States, you do so on your own initiative and are responsible for compliance with local laws.

16. Contact Us

If you have questions or concerns regarding this Privacy Policy, please contact us by email at privacy@streamlinedpayments.com.

17. Changes to This Privacy Policy

Please read this Privacy Policy carefully. Streamlined will occasionally update this Privacy Policy. When we do, we will also revise the "last updated" date at the top of this page. Any changes to our Privacy Policy will become effective upon our posting of the revised Privacy Policy on the Website. Use of the Website following such changes constitutes your acceptance of the revised Privacy Policy then in effect. To the extent Streamlined makes any material change to this Privacy Policy, it will provide you with notice via email, on the Website, or through the Services prior to the change becoming effective.