If you are located in the European Economic Area, U.K., or Switzerland, you may have rights under the General Data Protection Regulation (the “GDPR”). Under the GDPR, Gravy is required to provide individuals with certain information about the processing of their “Personal Data” and rights available to them with respect to such Personal Data.

This Privacy Notice applies to personal data Gravy collects as part of our Data Services, and through our Website. For a general description of the services provided by Gravy, the type of data we collect, how we share such data, and secure it, please refer to our general Privacy Policy (the “Privacy Policy”). Any capitalized terms used herein and not defined shall have the meaning set forth in such Privacy Policy.

The GDPR defines “Personal Data” as any data that identifies or can identify a particular unique user or device, including, name, address, mobile device identifiers, precise location data*, IP, cookie identifiers, and biometric data, among others.

* For clarity, “precise location data” does not mean “real-time” data. Instead, it is information that describes the precise geographic location of a device derived through any technology that is capable of determining with reasonable specificity the actual physical location of a device.

The GDPR grants you a number of rights with respect to your Personal Data that controllers, such as Gravy, may hold about you. Each of your rights is outlined in more detail below:

• Right to Access. This enables you to receive a copy of Personal Data we hold about you and to check that we are lawfully processing it.
• Right to Correct. This enables you to have any incomplete or inaccurate information we hold about you corrected.
• Right to Object. You have a right to object to the processing of your Personal Data. This right exists where we are collecting your Personal Data because we have a legitimate interest in that data (like preventing fraud) and there is something about your particular situation, which makes you want to object to processing on this ground. You also have a right to object where we are processing your Personal Data for direct marketing purposes.
• Right to Erasure. This enables you to ask us to delete or remove Personal Data where there is no good reason for us to continue to process it. You also have a right to ask us to delete or remove your Personal Data where you have exercised your right to object to processing and we have not overriding legitimate ground to retain it.
• Restrict Processing. This right enables you to ask us to suspend the processing of Personal Data about you, for example, if you want us to establish its accuracy.
• Request Transfer. We will provide to you, or a third party you have chosen, your Personal Data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent, or performance of a contract with you, for use of that personal Data.
• Withdraw consent. Where we rely on consent to process your Personal Data, you may choose to withdraw this consent. Please refer to the Privacy Choices section of our Privacy Policy for more information on your opt-out options. You may directly request to be removed from any data we provide through our Data Services by following the instructions on the Opt Out Section of the Privacy Policy. If we receive such opt-out request either directly or through a third-party partner, we will cease processing your Personal Data for our Data Services within 30 days or less.
• Lodge a Complaint. You have the right to file a complaint with the relevant data protection supervisory authority.

For more details on the rights you have in respect of your personal data, please refer to the European Commission (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en)

In order to exercise any of the rights described above, please contact us at gravyanalytics@datarep.com.

We may need to request specific information from you to help us confirm your identity and assist us in responding to your request. This is a security measure to ensure that Personal Data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. We will only use the information you provide to us when exercising your rights above to verify your identity or authority to make the request.

We will deliver our written response by mail or electronically, at your option. We will not charge you a fee for access to your personal information (or to exercise any of your other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, excessive, or manifestly unfounded, or we may refuse to comply with your request in these circumstances.

Should you have a complaint, please contact us as soon as possible. If you feel that your complaint has not been adequately resolved, please note that the GDPR gives you the right to contact your local data protection supervisory authority.

In respect of each of the purposes for which we use your Personal Data, the GDPR requires us to ensure that we have a legally justified reason, or “legal basis” for that use. Most commonly, our legal basis for processing your Personal Data will be:

• For the provision of our Data Services, we require your consent to use your Personal Data for the purposes we have specifically described in our Privacy Policy. We rely on app providers and our third-party data suppliers to obtain consent from you. We contractually require our third-party data suppliers to comply with all applicable laws and to only provide us with data which they have the rights to transfer to us for our specific uses.
• In some cases, we rely on legitimate interest as our legal basis for processing your Personal Data. When we use Personal Data to maintain the security of our services, such as to detect fraud or to ensure that bugs are detected and fixed, to protect our system and information from unauthorized persons, and to comply with law, we rely on our legitimate interest. In determining our legitimate interest, we consider and balance any potential impact on you and your rights before we process your Personal Data to make sure that our interests do not override the impact on you.
• In certain circumstances, we process your Personal Data as necessary to perform a contract we are about to enter into or have entered into with you, or to communicate with our customers with respect to our services (“Contractual Necessity”).
• In some cases, we will process your Personal Data where we need to comply with an EEA, U.K., or Swiss legal or regulatory obligation (“Compliance with Law”).

Gravy may share your Personal Data with third parties who are located in jurisdictions outside the EEA, U.K., or Switzerland. These jurisdictions have privacy laws that the European Commission considers are less protective of Personal Data than the privacy laws in your own country.

When we transfer Personal Data outside of the EEA, U.K., or Switzerland, or to countries the EU has deemed as having inadequate protections, we take steps to make sure that appropriate safeguards are in place to protect your Personal Data, including, but not limited to, making such transfers in accordance with the European Commission approved Standard Contractual Clauses. In these Standard Contractual Clauses, we make commitments with respect to the privacy and security of such Personal Data. For more information on the Standard Contractual Clauses, please visit the following link: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en. Additionally, we take care to ensure that we and our representatives act in a manner that is consistent with our Privacy Policy and this Privacy Notice.

Gravy and its subsidiary and covered entity including Venntel, Inc., and Unacast, Inc., complies with the EU-US Data Privacy Framework Principles (“DPF”), U.K. and Swiss-US Privacy Shield Framework, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF as set forth by the U.S. Department of Commerce and the European Commission, UK Government, and Swiss Federal Administration regarding the collection, use, and retention of Personal Data transferred from the EEA, U.K., or Switzerland to the United States. We have certified to the Department of Commerce that we adhere to the Data Privacy Framework PrinciplesPrivacy Shield Principles. If there is any conflict between the terms in our Privacy Policy, this Privacy Notice, and the Data Privacy Framework PrinciplesPrivacy Shield Principles, the Data Privacy Framework PrinciplesPrivacy Shield Principles shall take precedence. To learn more about the Data Privacy Framework program Privacy Shield program, the Data Privacy Framework Principles, and to view our certification, please visit https://www.dataprivacyframework.gov.

As described in the Data Privacy Framework Principles, Gravy is accountable for Personal Data that it receives and subsequently transfers to third parties to the extent such third parties who process Personal Data on our behalf do so in a manner that does not comply with the Data Privacy Framework Principles, unless we prove that we are not responsible for the event giving rise to the damage. We are not, however, liable for the data handling practices of our third-party partners and customers unless they are acting on our behalf.

In compliance with the Data Privacy Framework Principles, Gravy commits to resolve complaints about our collection or use of your Personal Data. EEA, U.K. or Swiss individuals with inquiries or complaints regarding this Privacy Notice should first contact us at:

Gravy Analytics

44679 Endicott Dr., Suite 300

Ashburn, VA 20147

(703) 840-8850

privacy@gravyanalytics.com

Gravy has further committed to refer unresolved Data Privacy Framework complaints to The International Centre for Dispute Resolution-American Arbitration Association (ICDR-AAA), an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not resolved your complaint, please contact or visit https://www.icdr.org/dpf for more information or to file a complaint. The services of AAA are provided at no cost to you.

As further explained in the Data Privacy Framework Principles, binding arbitration before a Data Privacy Framework Panel will also be made available to you in order to address residual complaints not resolved by any other means. Gravy is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Please contact us with any questions or comments about this EEA, U.K. & Switzerland Privacy Notice or our practices at:

• General Privacy Email/DPO Contact: privacy@gravyanalytics.com
• General Contact Address:

Gravy Analytics, Inc.

44679 Endicott Drive, Suite 300

Office 349

Ashburn, VA 20147

(703) 840-8850

privacy@gravyanalytics.com

• EU Data Protection Representative:

DataRep has locations in each of the 27 EU countries, the UK, and Norway & Iceland in the European Economic Area (EEA). If you want to raise a question to Gravy Analytics related to the GDPR or the exercise of your rights in respect of your personal data, you may do so by:

• Sending an email to DataRep at gravyanalytics@datarep.com,
• Contacting DataRep via their online webform at: https://www.datarep.com/datarequest or
• Mailing your inquiry to DataRep at the most convenient of the addresses set forth under DataRep Addresses.

PLEASE NOTE: when mailing inquiries, it is ESSENTIAL that you mark your letters for “DataRep”, and not “Gravy Analytics, Inc.” or your inquiry may not reach DataRep. Please refer clearly to Gravy Analytics, Inc. in your correspondence. Please do not contact DataRep for any general inquiries regarding Gravy’s services.