Privacy Policy

Last updated: October 19, 2025

This Privacy Policy ("Privacy Policy") describes the manner in which Pipsy ("Pipsy", "we," "us", "our") and our web-based application (the "Site"), as well as all related websites, networks, applications, and other services (including SMS services) provided by us and on which a link to this Privacy Policy is displayed (collectively, together with the Site, our "Service") use and collect data from you as a user ("User," "you" or "your").

To use the App and Service that Pipsy and its subsidiaries and affiliates provide, you as a user ("User", "you", "your") of the App and Service must accept the Privacy Policy. If you do not consent to the terms of the Privacy Policy, please do not access or use the App or Service.

We have implemented this Privacy Policy because your privacy, and the privacy of other Users, is important to us. This Privacy Policy describes our policies and procedures regarding the collection, use and disclosure of information we receive from Users of the App and Service. The information we collect varies depending upon how you use the App and Service. This Privacy Policy applies only to information collected through the App and Service. We are not responsible for, and this Privacy Policy does not apply to the privacy practices of those other websites, mobile Apps, programs, or services. We encourage you to seek out and read the Privacy Policy of each resource that you visit.

As used in this policy, the terms "using" and "processing" information include using cookies on a computer, subjecting the information to statistical or other analysis and using or handling information in any way, including, but not limited to collecting, storing, evaluating, modifying, deleting, using, combining, disclosing and transferring information within our organization or among our affiliates.

Information Collection

In connection with your use of the App and Service, we may ask you for Personally Identifiable Information. Personally Identifiable Information may include, but is not limited to, any information that may be used, either alone or in combination with other information, to personally identify an individual. This includes, but is not limited to:

• A first and last name
• A personal profile
• Username, password
• Email address
• Mailing address
• Telephone number
• Birth date
• Billing and payment information
• Other contact information

We may also ask you for other information to learn a bit more about you and specific preferences related to your use of our services ("Non-Identifying Information"). Non-Identifying Information may also include Usage Information ("Usage Information"), which may include but is not limited to:

• User's IP address, UDID or other unique identifier ("Device Identifier"). A Device Identifier is a number that is automatically assigned to User's Device used to access the App, and Pipsy's computers identify User's Device by its Device Identifier.
• User's Device functionality (including browser, operating system, hardware, mobile network information), location, characteristics and other Device data including the time of day, among other information.
• The URL that referred User to the App.
• The areas within Pipsy's App that User visits and User's activities there, including remembering User, User's preferences and pages User requested and/or viewed.

This Privacy Policy describes the information practices for Pipsy, including what type of information is gathered and tracked, how the information is used, and with whom the information is shared.

AI, Machine Learning, and Automated Decision-Making

AI-Powered Features

Certain features within our Service use artificial intelligence (AI) and machine learning technologies to provide enhanced functionality, while other features operate using traditional software methods.

AI-Enhanced Services: The following features utilize AI and machine learning algorithms:

• Risk Scoring: AI algorithms analyze your data to generate risk assessment scores
• Personalized Recommendations: AI systems generate customized recommendations based on your data profile
• Intelligent Content Personalization: AI-driven systems determine personalized content and feature recommendations

Standard Service Features: Many features of our Service operate using traditional software methods and do not involve AI or machine learning processing. These include standard account management, basic data entry and storage, standard reporting features, and routine administrative functions.

Data Used for AI Processing

When you use AI-enhanced features, the following categories of information may be processed through our AI systems:

• Data you specifically provide for AI analysis
• Usage patterns and interaction data related to AI features
• Responses to AI-powered questionnaires and assessments
• Device data (where applicable and with your consent)
• User-generated content (as defined below)

Standard Automated Processing

We also use traditional rule-based automated systems (non-AI) for routine functions such as:

• Basic eligibility determinations based on predefined criteria
• Standard account verification and validation processes
• Routine billing and subscription management
• Basic user authentication and access control

Model Training and Improvement

We use aggregated, de-identified data from AI-enhanced features to train and improve our AI models, which helps us provide better service to all users. Individual user data is processed in accordance with this Privacy Policy and applicable data protection laws. This model improvement is essential to maintaining and enhancing the quality of our AI-powered features.

Third-Party AI Services

For AI-enhanced features only, we may use third-party AI and machine learning services (such as cloud-based AI platforms) to process your data. These providers are bound by strict data processing agreements and are prohibited from using your data for their own purposes. Data processed through standard Service features does not involve third-party AI services.

Your Rights Regarding Automated Decisions

For AI-Powered Decisions: For AI-powered automated decisions that produce legal effects or similarly significant effects on you, you have specific rights. A "significant effect" could include, but is not limited to, a decision that affects your eligibility for certain services, or a change in your service access. You have the right to:

• Request human review of any AI-generated decision
• Obtain information about the logic, significance, and consequences of the AI processing
• Object to AI-based automated processing and request manual processing
• Receive an explanation of how AI decisions are made
• Contest AI decisions and request reconsideration

For Standard Automated Processing: For standard automated processing, you may request human review where the decision significantly affects your access to our Service.

Consent for AI Processing: By using our AI-enhanced features, you consent to the automated processing described above. Standard automated processing is necessary for basic Service operation and cannot be opted out of while maintaining an active account.

Tracking Technologies and Information Use

Tracking Technologies

Pipsy may use various methods and technologies to store or collect Usage Information ("Tracking Technologies"). Tracking Technologies may set, change, alter or modify settings or configurations on User's Device. The Tracking Technologies that may be used include, but are not limited to the following and any subsequent technology and methods later developed which perform a similar function:

• Cookies: A cookie is a data file placed on a Device when it is used to visit the App. A Flash cookie (or locally shared object) is a data file placed on a Device via the Adobe Flash plug-in that may be built-in to or downloaded by User to User's Device. HTML5 cookies can be programmed through HTML5 local storage. Unlike Flash cookies, HTML5 cookies do not require a plug-in. Regular cookies may generally be disabled or removed by tools that are available as part of most commercial browsers, and in some but not all instances can be blocked in the future by selecting certain settings. Each browser a User uses will need to be set separately and different browsers offer different functionality and options in this regard. Also, these tools may not be effective with regard to Flash cookies or HTML5 cookies. Please be aware that if User disables or removes cookies, Flash cookies, or HTML5 cookies on User's Device, some parts of Pipsy's App and/or Service may not function properly, and that when a User revisits Pipsy's App and/or Service, a User's ability to limit cookies is subject to a User's browser settings and limitations.
• Web Beacons: Small graphic images or other web programming code called "web beacons" (also known as "1x1 GIFs" or "clear GIFs") may be included in pages and messages of our App or Service. Web beacons may be invisible to User, but any electronic image or other web programming code inserted into a page or e-mail can act as a web beacon. Web beacons or similar technologies may be used for a number of purposes, including, without limitation, to count visitors to the App and Service, to monitor how users navigate the App and Service, to count how many emails that were sent were actually opened or to count how many particular articles or links were actually viewed.
• Embedded Scripts: An embedded script is programming code that is designed to collect information about User's interactions with the App and Service, such as the links User clicks on. The code may be temporarily downloaded onto User's Device from Pipsy's web server, App, or a third-party service provider, and is active only while User is connected to the App or Service, and is deactivated or deleted thereafter.
• ETag, or entity tag: A feature of the cache in browsers. It is an opaque identifier assigned by a web server to a specific version of a resource found at a URL. If the resource content at that URL ever changes, a new and different ETag is assigned. Used in this manner ETags are a form of Device Identifier. ETag tracking may generate unique tracking values even where the consumer blocks HTTP, Flash, and/or HTML5 cookies.

Pipsy may use Tracking Technologies for a variety of purposes, including, but not limited to:

• Strictly Necessary: Pipsy may use cookies or other Tracking Technologies that Pipsy considers strictly necessary to allow User to use and access Pipsy's App and Service, including cookies required for system administration, to prevent fraudulent activity, or to improve security.
• Performance Related: Pipsy may use cookies or other Tracking Technologies that are useful in order to assess the performance of the App and Service, including as part of Pipsy's analytic practices or otherwise to improve the content, products or services offered through the App and Service.
• Functionality Related: Pipsy may use cookies or other Tracking Technologies that are required to offer the User enhanced functionality when accessing the App, including identifying the User when the User signs in to Pipsy's App or keeping track of the User's specified preferences, including in terms of the presentation of content on Pipsy's App.

Pipsy obtains the User's consent to Pipsy's information storage or collection Tracking Technologies by providing the User with transparent information in Pipsy's Privacy Policy and providing the User with the opportunity to make a choice to disable cookies as set forth above. Please note that Pipsy is not required to obtain the User's consent to the information collection Tracking Technologies identified above that is strictly necessary. The User has the right to object to other use of information storage or collection technologies.

There may be other Tracking Technologies now and later devised and used by Pipsy in connection with the App and Service. Further, third parties may use Tracking Technologies with Pipsy's website and App. Pipsy does not control those Tracking Technologies and Pipsy is not responsible for them. However, the User consents to potentially encountering third party Tracking Technologies in connection with the use of Pipsy's App and Service and accepts that Pipsy's statements under this Privacy Policy do not apply to the Tracking Technologies or practices of such third parties. The User should check the third-party websites to confirm how the User's information is collected and used.

Various third parties are developing or have developed signals or other mechanisms for the expression of consumer choice regarding the collection of information about an individual consumer's online activities over time and across third-party websites or online services (e.g., browser do not track signals). Currently, Pipsy does not monitor or take any action with respect to these signals or other mechanisms.

Pipsy may collect and process Personally Identifiable Information and Non-Identifying Information when a User registers for or uses the App and Service, interacts with the App and Service, or otherwise contacts Pipsy. This Privacy Policy also applies to User's use of interactive features or downloads that: (i) Pipsy owns or controls; (ii) are available through the App or Service; or (iii) interact with the App or Service.

Information Use

Pipsy uses Non-Identifying Information for purposes such as measuring the number of visitors to sections of our App, making the App more useful, and delivering targeted content and personalized recommendations. We use Information to analyze trends, administer the App, track a User's movement, and gather demographic information for aggregate, non-personally identifiable use. Such information is used to monitor and analyze use of the App and Service and for the App and Service's technical administration, to increase our App and Service functionality and user-friendliness, and to better tailor it to our Users' needs. For example, some of this information is collected so that when you visit the App again, it will recognize you and provide content relevant to you. We also use this information to verify that visitors to the App and Service meet the criteria required to process their requests.

We do not treat Usage Information as Personally Identifiable Information or use it in association with other Personally Identifiable Information, though we may aggregate, analyze and evaluate such information for the same purposes as stated above regarding other Non-Identifying Information. We may share aggregated information that does not include Personally Identifiable Information and we may otherwise disclose Non-Identifying Information and Log Data with third parties for analysis, demographic profiling and other purposes. Any aggregated information shared in these contexts will not contain your Personally Identifiable Information. We will not sell User information to any third party for use in marketing or other targeted correspondence.

Your Rights and Choices

Changing or Deleting Your Information

All registered Users may review, update, correct or delete the Personally Identifiable Information provided to us by contacting us. If you completely delete all such information, then your account may become deactivated. If you would like us to delete your account in our system, please contact us at info@pipsy.io with a request that we delete your Personally Identifiable Information from our database. We will use commercially reasonable efforts to honor your request within 30 days of verification.

AI Data Deletion: When you request data deletion, we will also remove your personal data from active AI processing systems. However, aggregated, de-identified data that cannot be traced back to you may remain in our AI models and systems for service improvement purposes.

AI Processing Choices

You have specific choices regarding AI processing of your data:

• You may opt-out of AI processing for enhanced personalization and marketing features. However, certain core Service features require AI processing to function properly. We will clearly indicate which features require AI and provide alternative options where feasible.
• You can request human review of any AI-generated recommendations.

To exercise these choices, visit your account settings or contact us at info@pipsy.io.

Additional Considerations

User-Generated Content and Public Information

"User Content" is any content, materials or information (including without limitation, any text, information, graphics, messages, photos, images, works of authorship of any kind, and any lifestyle related information), data, questions, comments, suggestions or other content, including Personally Identifiable Information that you upload, send, email, display, perform, distribute, post or otherwise transmit to us, at our request or on your own, on, or through the App or Service, whether in connection with your use of the App or Service or through the use of any third party websites or third party services or otherwise, and whether publicly posted or privately transmitted.

User Content and AI Processing: User Content may be processed through our AI systems to provide personalized recommendations and insights. Pipsy or others may store, display, reproduce, publish, distribute or otherwise use User Content online or offline in any media or format (currently existing or hereafter developed) and may or may not attribute it to the User, provided such use complies with applicable privacy laws. Pipsy may also publish Non-Personally Identifiable Information that is part of User's User Content, and Pipsy may use the content, or any portion of the content, for improving our AI services, marketing, and promotional activities.

Please keep in mind that certain features on our App and Service including messaging, chats, calls, and commenting on articles or posts, give you an opportunity to interact with us and others. A User's profile page may be, by default, set up to display information such as the User's display name, images, location (city/state/country), groups that the User has joined and optional information added by the User. Pipsy may offer Users the ability to manage their public profile and use profile preference settings, the functionality and features of which are subject to change. Pipsy recommends that the User does not post information or content as part of the User's profile that the User is not prepared to make public, and that the User visits his or her profile frequently to confirm that the settings reflect the User's then current preferences.

Changing profile preference setting options may not result in immediate changes to the settings, which are subject to Pipsy's operations and maintenance schedules. Users should carefully consider the use of such settings to improve information display options and to ensure the settings are properly set and functioning in the manner desired. Notwithstanding the availability of profile preference settings, User should be aware that these settings are for convenience only, do not employ complex data security protection and may not be error free. Further, other users that have access may repost or otherwise make public User's information or content. Accordingly, discretion and good judgment should be exercised when posting information or content as part of User's profile.

Any information you submit, including your name, location and email address, Personally Identifying Information, Non-Identifying Information, and User Content may be publicly available to others. Others may have access to this information and may have the ability to share it with third parties. Please think carefully before deciding what information you share, and be aware that public postings (including group messaging with other Users) are not confidential, that Pipsy does not control who will have access to the information that User chooses to make public, and that Pipsy cannot ensure that parties who have access to such publicly available information will respect User's privacy or keep it secure. Pipsy is not responsible for the privacy or security of any information that User makes publicly available on the App or Service, including what others do with information User shares with them on the App and Service. When a User chooses to post information that will be publicly disclosed, he or she is responsible for ensuring that such information conforms to all local data protection laws. In addition, Pipsy is not responsible for the accuracy, use or misuse of any User Content that a User may receive from third parties or other Users through the App or Service.

Supplemental Information

We may also supplement the information we collect with information from other sources to assist us in evaluating and improving our App and Service, to determine your preferences so that we can tailor our App and Service to your needs. In addition, to the extent that Pipsy collects and processes Personally Identifiable Information, Non-Identifying Information, and/or supplemental information, Pipsy reserves the right to use such information for the following specific purposes:

• To contact a User regarding new Service features, insights, or articles Pipsy thinks will be of interest to the User.
• To send User updates on topics Pipsy thinks will be of interest to the User.
• To contact a User with regard to User's use of the App or Service and, in Pipsy's discretion, changes to the App or Service and/or the service policies.
• To conduct internal research and analytics to improve our services and AI capabilities.
• For purposes disclosed at the time User provide User's information or as otherwise set forth in this Privacy Policy.
• To provide a User with information or services or process transactions that User has requested or agreed to receive.
• To enable a User to participate in a variety of the Service features.
• To enhance and/or develop features for the App and Service, including AI model improvements.
• To process a User's account registration, including verifying the User's information is active and valid.
• To identify a User as the author of any comments that the User sends to Pipsy to be posted on the App or Service, or in relation to the App and/or Service.
• To ensure that content on the App and Service is presented in the most effective manner for a User and the User's computer or mobile device.
• To provide third parties with aggregate, de-identified information about our user base and usage patterns for research purposes.
• To enable us to process and fulfill a User's subscription and/or other requests.

Other Considerations

Service Providers

We may employ third party vendors and individuals to facilitate the improvement or management of our App or Service (e.g., web analytics, cloud hosting, AI/ML processing) or to assist us in analyzing how our App and Service are used. These third parties may include:

• Cloud infrastructure providers (AWS, Google Cloud, Microsoft Azure)
• AI and machine learning service providers
• Analytics and data processing services
• Customer support platforms

These third parties may have access to your Personally Identifiable Information only to perform these tasks on our behalf and are obligated by contractual agreements not to disclose or use it for any other purpose. All third-party AI processors are bound by data processing addenda that comply with applicable privacy regulations and prohibit the use of your data for training their own AI models.

Cross-Border Data Processing: Some of our AI service providers may process your data outside your country of residence. When we transfer data internationally, we ensure adequate protection through mechanisms such as Standard Contractual Clauses (SCCs), adequacy decisions, or other approved transfer mechanisms.

Compliance with Laws and Law Enforcement

Pipsy cooperates with government and law enforcement officials and private parties to enforce and comply with the law. We will disclose any information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate to respond to claims and legal process (including but not limited to subpoenas), to protect the property and rights of Pipsy or a third party, to protect the safety of the public or any person, or to prevent or stop activity we may consider to be, or to pose a risk of being, illegal, unethical or legally actionable activity.

Business Transfers

Pipsy may sell, transfer or otherwise share some or all of its assets, including your Personally Identifiable Information, in connection with a merger, acquisition, reorganization or sale of assets or in the event of bankruptcy. In such cases, we will provide notice and ensure that any acquiring party agrees to protect your data in accordance with this Privacy Policy.

International Transfer

Your information may be transferred to — and maintained on — computers located outside of your state, province, country or other governmental jurisdiction where the privacy laws may not be as protective as those in your jurisdiction. If you are located outside the United States and choose to provide information to us, Pipsy transfers Personally Identifiable Information to the United States and processes it there. Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer. When transferring data from the EU, we use appropriate safeguards such as Standard Contractual Clauses (SCCs) to ensure the data is adequately protected.

International Data Subject Rights

If you are a resident of the European Union, you have the right to:

• Access and Rectification: You can request access to the personal data we hold about you and ask for it to be corrected if it is inaccurate or incomplete.
• Erasure (Right to be Forgotten): You have the right to request the deletion of your personal data under certain circumstances.
• Restriction of Processing: You can ask us to restrict the processing of your personal data in specific situations, such as when you contest its accuracy.
• Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit that data to another controller where technically feasible.
• Right to Object: You can object to the processing of your personal data for direct marketing or on grounds relating to your particular situation, including automated decision-making and profiling.
• Right to Lodge a Complaint: You have the right to lodge a complaint with a data protection supervisory authority in your habitual residence, place of work, or place of the alleged infringement if you believe your rights under the GDPR have been violated.

AI-Specific Rights: In addition to the above, you have specific rights related to our AI processing:

• Right to explanation of AI decisions that significantly affect you
• Right to human oversight of automated decision-making
• Right to opt-out of AI profiling for marketing purposes
• Right to correction of AI-generated insights about you

To exercise any of these rights, contact us at info@pipsy.io. We will respond within the timeframes required by applicable law (typically 30 days).

Security

Pipsy uses commercially reasonable administrative, technical, personnel and physical measures to safeguard Personally Identifiable Information in our possession against loss, theft and unauthorized use, disclosure or modification. Our security measures include:

• Encryption of data in transit and at rest
• Regular security assessments and penetration testing
• Access controls and employee training on data protection
• Secure AI model deployment and data processing environments
• Regular monitoring for unauthorized access or data breaches

However, we cannot assure that your Personally Identifiable Information or Non-Identifying Information will never be disclosed in a manner that is inconsistent with this Privacy Policy. We are not responsible for the privacy practices of third parties or for how they may use information they receive from you or from us in accordance with their own policies. Pipsy will make any legally required disclosures of any breach of the security, confidentiality, or integrity of your unencrypted electronically stored "personal data" (as defined in applicable state statutes on security breach notification) or as required by contract, to you via email or conspicuous posting on the App within 72 hours of discovery and without unreasonable delay, insofar as consistent with (i) the legitimate needs of law enforcement or (ii) any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Data Retention

General Retention Periods:

• Account data: Retained while your account is active and for 7 years after account closure
• Usage and analytics data: Retained for 3 years for service improvement purposes
• AI training data: De-identified data may be retained indefinitely for model improvement
• Marketing communications data: Retained until you unsubscribe or for 2 years, whichever is sooner

Legal and Regulatory Requirements: We may retain data longer when required by law, regulation, or for legitimate business purposes such as resolving disputes or enforcing agreements. Data subject to legal holds will be retained until such holds are lifted.

Deletion Process: Upon expiration of retention periods or upon your request for deletion (where applicable), we will securely delete your data from our active systems. Some data may persist in backup systems for up to 90 days following deletion from active systems.

Links to Other Websites

Our App may contain links to other websites. The fact that we link to a website is not an endorsement, authorization or representation of our affiliation with that third party, nor is it an endorsement of their privacy or information security policies or practices. We do not exercise control over third party websites. These other websites may place their own cookies or other files on your computer, collect data or solicit Personally Identifiable Information from you. Other websites follow different rules regarding the use or disclosure of the Personally Identifiable Information you submit to them. We encourage you to read the privacy policies or statements of the other websites you visit.

Children's Privacy

The App and Service are not directed to persons under 18. If a parent or guardian becomes aware that his or her child has provided us with Personally Identifiable Information without their consent, he or she should contact us at info@pipsy.io. If we become aware that a child has provided us with Personally Identifiable Information, we will delete such information from our files within 30 days.

Modification of the Privacy Policy

We reserve the right, at our discretion, to change this Privacy Policy at any time, which change shall become effective upon posting by the Pipsy on the App, via the Service, or sending you an email or other notification. Material changes to how we process your data, particularly changes related to AI processing or data sharing, will be communicated with 30 days advance notice. You will be deemed to have agreed to Additional Terms (as defined in the Terms & Conditions) by your decision to continue accessing the App or Service following the date in which such Additional Terms become effective.

This Privacy Policy may be updated from time to time. You are advised to consult this policy regularly for any changes. Unless otherwise defined in this Privacy Policy, terms used in this Privacy Policy have the same meanings as in our Terms & Conditions. If you choose to visit the App, your visit and any dispute over privacy is subject to this Privacy Policy and the App's Terms & Conditions, including limitations on damages, jurisdiction of disputes and application of the law of the State of Texas.