Sometimes we obtain your personal data from other parties for general marketing purposes, such as companies that provide us with an overview of publicly available information on people that have submitted a job application. We will use this information in the same way as the information that you provided to us.

We only share your personal data with outside service providers that we use for storing and processing your data, for example:

Companies that provide support functionality.

• Companies that support our recruitment activities.
• Companies that support us in sending emails and other messages related to our marketing.
• Clients, affiliates, or partners such as plan sponsors, asset managers, insurers and recordkeepers that ask us to process your data in order to provide services to you (for example, for annuity election purposes)
• We require these companies to adequately safeguard your personal data and not use your data for any other purpose not authorized by us.

In the event that (part of) our business is sold to another company, transfer of ownership could include the transfer of your personal data to the buyer if the data directly relates to that (part of the) business.

We reserve the right to use and disclose personal data in the event we have reason to believe that the disclosure of this information is required to establish the identity of, to contact or to initiate legal proceedings against a person or persons who are suspected of infringing rights or property belonging to Micruity or to others who could be harmed by the user’s activities or of persons who could (deliberately or otherwise) transgress upon these rights and property.

Micruity also shall comply with any government or law enforcement entity investigation that provides proper law enforcement warrants and subpoenas.

We do not share, disclose, sell, rent or otherwise provide your information to third parties for marketing purposes or other business purposes.

We may use your information including Personal Data with our affiliates for purposes consistent with this Privacy Policy. Our suppliers and contractors may have access to your Personal Data to perform certain business-related functions such as providing email services and technology services to us.

Micruity is committed to maintaining an effective information security program in line with reasonable industry standards. Micruity uses administrative, functional, technical, and physical safeguards to protect:

• the security and confidentiality of information
  against any anticipated threats or hazards to the security or integrity of such information
• against unauthorized access to or use of information which could result in substantial harm or inconvenience to individuals.

Micruity uses industry-standard security measures such as SSH and TLS. We will continually review and update our security policies and controls as technology changes to ensure ongoing security. We have entered into confidentiality agreements with our suppliers, agents, representatives and employees (“Representatives”) and our Representatives are expected to maintain the confidentiality of such information. Micruity is not responsible for the data security practices of companies from whom it receives or to whom it sends Personal Data.

Please note that no transmission over the Internet can be 100% secure and thus, we cannot guarantee the security of Personal Data. Moreover, any unprotected electronic communication over the Internet is not secure or confidential, subject to possible interception or loss, and possible alteration. We are not responsible for and we shall not be liable for any damages in connection with any Personal Data contained in any unprotected email, text message or any other electronic message sent to us.

Any attempted or actual security breach shall be directed to Micruity’s Risk and Information Security Committee and legal counsel (if applicable), which are responsible for determining response procedures, depending on the severity and nature of the event and applicable laws and regulations.

Depending on where you live, you may have a legal right to receive notice of a security breach, involving your Personal Data, in writing. Should there be a security breach that affects End Users, the Customer or Subscriber shall be responsible for disseminating notice of such a security breach to those End Users.

We take all reasonably necessary steps to protect all information we hold from misuse, loss, unauthorized access, modification or disclosure. All information is kept secure, encrypted at rest and in transit where possible and protected using industry-standard measures. No method of transmission over the Internet or method of electronic storage (including via 3rd parties) is 100% secure; therefore, while we strive to use commercially acceptable means to protect your information, we cannot guarantee absolute security.

If you become aware of any vulnerability in our site or services, simply send us an email to support@micruity.com and we shall investigate the matter as soon as possible.

The Micruity website does not use cookies.

You have the right to request access to your personal data that we process. You also have the right to:

• Rectify incorrect personal data or erase it in certain circumstances.
• Restrict or object to the processing of your personal data.
• Receive your data so that you can use it elsewhere (data portability).

If we serve you through a third party, such as the recordkeeper of your retirement plan or an insurer that issues you an annuity certificate, please contact them directly to access, update/correct, restrict, or receive your data. You also have the right to withdraw your consent at any time, where our processing is based on your consent. Please be aware that a withdrawal of your consent does not affect the lawfulness of the processing of your data before the date on which you withdraw your consent.

Finally, you may have the right to lodge a complaint with a supervisory authority. If you do not know who your supervisory authority is, please contact us and we will tell you.

Micruity has appointed a Risk and Information Security Committee that is responsible for matters relating to privacy and data protection. This Risk and Information Security Committee can be reached at the following address. Reach out to us with any questions you may have about the processing of your personal data by us, or to exercise the above rights, at:

Micruity Inc.
Attn: Risk and Information Security Committee
1401 21st ST, STE R
Sacramento, CA 95811

Email at: support@micruity.com

This section is provided for purposes related to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CPRA") and applies solely to the personal information and aspects of the Micruity business that are subject to the CPRA. As used in this section, "personal information" means information that meets the definition of "personal information" as set forth in the CPRA and is not otherwise excluded from the scope of the CPRA.

Depending on your relationship with Micruity and other factors, Micruity may have no obligation to honor a particular CPRA request, because of the nature of the personal information that Micruity collects or maintains. If you participate in a workplace retirement plan, services through a recordkeeper, asset manager, plan sponsor, or employer, CPRA requests should be directed to the recordkeeper, asset manager, plan sponsor, or employer.

Your rights under the CPRA

The CPRA gives certain rights to California residents and imposes certain obligations on those businesses that are subject to the CPRA. As required by the CPRA, set forth below is a description of certain rights that California residents generally have under the CPRA. As used below, a "consumer" means a resident of the State of California and a "covered business" means a business that is subject to the CPRA.

Right to Know/Right to Access.

A consumer has the right to request that a covered business that collects a consumer's personal information disclose to that consumer the categories and specific pieces of information the business has collected. A consumer also has the right to request that a covered business that collects a consumer's personal information disclose to that consumer the following:

1. The categories of personal information it has collected about that consumer
2. The categories of sources from which the personal information is collected
3. The business or commercial purpose for collecting, selling or sharing (if applicable) personal information
4. The categories of third parties to whom the covered business discloses personal information
5. The specific pieces of personal information that the covered business has collected about that consumer

These disclosures are not required to include any information about activity that occurred prior to January 1, 2022. Please also note that a covered business is not required to honor more than 2 of these requests from the same consumer during any 12-month period.

Right to Delete. A consumer has the right to request that a covered business delete any personal information that the business has collected from the consumer, subject to certain exceptions.

Right to Correct. A consumer has the right to request that a covered business correct inaccurate personal information that a business maintains about a consumer.
Right to Opt-Out of Sale/Sharing. If a covered business sells or shares personal information, a consumer has the right to opt-out of the sale or sharing of their personal information by the business.

Right to Limit Use and Disclosure of Sensitive Personal Information. If a covered business uses or discloses sensitive personal information for reasons other than those set forth in the CPRA, a consumer has the right to limit the use or disclosure of sensitive personal information by the business.

Non-Discrimination. A consumer has the right not to receive discriminatory treatment by the covered business for the exercise of privacy rights conferred by the CPRA.

Categories of personal information we may collect about you

In general, if you are a customer of ours or you otherwise interact with us, we collect various types of personal information about you. The amount and types of personal information we collect will vary depending on the nature of your relationship and your interactions with us, and on the products and services that we provide to you. The categories of personal information that we may collect about you are:

• Personal identifiers, such as your name, postal address, email address, online identifier, internet protocol address, account name, or other similar identifiers
  Information covered by California's records-destruction law (California Civil Code §1798.80), such as your signature, telephone number, and financial account information
• Commercial information, including products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies
• Characteristics of protected classifications under California or federal law
• Internet or other electronic network activity information, including, but not limited to, browsing history and search history while using our digital offerings, and other information regarding your interactions with our digital offerings or our advertisements
• Geolocation data
• Audio, electronic, visual, and similar data, such as call recordings
• Professional or employment-related information, such as job title and business contact information
• Education information
• Inferences drawn from any of the information listed above to create a profile about you, such as a profile that reflects your preferences, characteristics, behavior, and attitudes
• Sensitive personal information such as social security number, or account log-in, password or credentials allowing access to your account(s) or to our digital offerings

The retention periods for data elements within each category listed above vary depending on the nature of the data element and the purposes for which it is collected and used. Our retention period for the data elements within each category is set based on the following criteria: (1) the length of time that the data is needed for the purposes for which it was created or collected, (2) the length of time the data is needed for other operational or record retention purposes, (3) the length of time the data is needed in connection with our legal, compliance and regulatory requirements, for legal defense purposes and to comply with legal holds, (4) how the data is stored, (5) whether the data is needed for security purposes and fraud prevention, and (6) whether the data is needed to ensure the continuity of our products and services.

Categories of sources from which personal information is collected

In addition to the sources described in the section above entitled "How and why we obtain and use personal information", depending on the nature of your relationship and your interactions with us, and on the products and services that we provide to you, we may obtain personal information from the following sources:

• You or your representative, such as when using our products, services or digital offerings, when interacting with us or any of our service providers regarding our products, services or digital offerings or when otherwise communicating with us
• Providers of publicly available information
• Another person or other persons (typically people who know you) who provide referral information about you to us or who use the capabilities we offer on certain of our websites and applications to forward an article or other information to you
• Third parties that provide products and services to you through your relationship with us
• Third parties that perform services for us or on our behalf
• Other third-party sources, including government sources, data brokers and social networks

Why we collect personal information

Please see the section above entitled "How and why we obtain and use personal information" for a description of some of the business or commercial purposes for which we collect personal information, including sensitive personal information. In addition to those purposes described above, below are additional business or commercial purposes for which we collect personal information:

• To maintain the accuracy and integrity of our records
• For marketing and communication purposes
• For reporting and analytical purposes
• For training and quality-control measures
• To verify your identity
• To protect against malicious, fraudulent, or illegal activity
• For business analysis, planning, and reporting
• For effectiveness measurements

Categories of personal information disclosed for business purposes

Like most businesses, we disclose personal information, including in some cases certain sensitive personal information, to third parties for our business purposes. Depending on the nature of your relationship and your interactions with us, and on the products and services that we provide to you, we disclose to third parties for business purposes the personal information that is encompassed by one or more of the categories described in the "Categories of personal information we may collect about you" section above, with the categories of third parties listed in the section above entitled "How we share information about you with third parties".

Selling/sharing of personal information

We DO NOT sell your personal information for payment or for any other compensation. The ways in which we share your personal information with third parties on certain of our Websites will not, under the CPRA, be considered to be a “sale” of personal information or “sharing” of personal information for “cross-context behavioral advertising” (as those terms are used in the CPRA).

CPRA Exemptions

Please note that certain types of personal information collected or maintained by a covered business are exempt from the CPRA. For example, a covered business has limited obligations, or in some cases, no obligations, under the CPRA with regard to the following types of personal information:

• Personal information collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act (Public Law 106-102) and implementing regulations, or pursuant to the California Financial Information Privacy Act (Division 1.4 [commencing with Section 4050] of the California Financial Code)

In addition, some businesses are not subject to the CPRA, such as:

• A business that does not do business in the State of California
• A business that is not organized or operated for the profit of financial benefit of its shareholders or other owners
• A business that does not determine the purposes and means of the processing of consumers' personal information
• A business that has annual gross revenue of $25,000,000 or less

Furthermore, under the CPRA, there are a number of situations where a covered business under the CPRA may refuse to honor a CPRA request to delete a consumer's personal information and is allowed to continue to maintain the personal information.

Some examples include situations where retention of the personal information is reasonably necessary to:

• Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer or reasonably anticipated within the context of the covered business’s ongoing business relationship with the consumer, or otherwise perform a contract between Micruity and the consumer
• Help to ensure security and integrity to the extent the use of the personal information is reasonably necessary and proportionate for those purposes
• Debugging to identify and repair errors that impair existing intended functionality
• Exercise free speech, ensure the right of another consumer to exercise that consumer's right of free speech, or exercise another right provided by law
• To enable solely internal uses that are reasonably aligned with consumer expectations based on the consumer's relationship with the business and compatible with the context in which the consumer provided the information
• Comply with a legal obligation

Please note that the description of the CPRA set forth in this privacy policy is a summary of only certain aspects of the CPRA and is not and should not be considered a complete description of the CPRA. In addition to what is described above, the CPRA includes other exemptions that apply to particular types of personal information and particular businesses, as well as additional situations where a covered business is not required to honor a consumer’s request to delete the consumer's personal information.

Submitting a CPRA Request

If you wish to submit a CPRA request to Micruity, you may email support@micruity.com. Before submitting your request, please ensure you have reviewed all the CPRA exemptions, including those described above under the section above entitled "CPRA Exemptions".

You should generally expect to receive a response within 45 days of the date we receive your request. However, in some instances, we may require an additional 45 days to process your request in which case we will notify you and explain why the extension is necessary.

We will need to verify your identity before we can process your request. Through the request process, we will make you aware of any information that you will need to provide to us to process your request. You may have to confirm that you are a California resident and verify your identity or the identities of those authorized to submit requests on your behalf. Additionally, the information you provide will be used to help verify your identity.

This policy is effective as of 1 October 2023 and may be updated from time to time. The latest version can be found at micruity.com.