Privacy Policy

Effective Date: June 27, 2026 Last Updated: May 27, 2026 1. Introduction and Scope Addi, Inc. (“Addi,” “we,” “us,” or “our”), a Delaware corporation located in Kansas City, Missouri, provides this Privacy Policy to describe how we collect, use, disclose, and protect information when you use the Addi platform, website, and related services (collectively, the “Services”). This Privacy Policy applies to all users of the Services. Addi is an AI-powered platform that helps businesses create and launch professional audio, video, and other display advertisements. The platform builds brand profiles using publicly available data, generates on-brand ads, and connects to Advertising Platforms to manage, publish, and monitor advertising campaigns, and connects to Business Platforms to import transaction and customer data for ad personalization. Please read this Privacy Policy carefully. It describes our data practices in connection with the Services. Where the law requires your consent for a specific processing activity (such as use of non-essential cookies, certain marketing communications, or AI model improvement), we will request that consent separately. We do not sell your Personal Information for monetary consideration. Depending on how applicable U.S. state privacy laws define "sale," "share," or "targeted advertising," certain of our advertising and analytics activities may be treated as such. Where any such activity occurs, you may opt out as described in Section 10 ("Your Privacy Rights") and through the "Your Privacy Choices" link on our website. We share data with service providers who process it on our behalf to deliver the Services, as described in this Policy. 1.1 Data Controller and Processor Roles For purposes of applicable data protection laws, Addi’s role depends on the data and the activity: Controller / Business: Addi is the data controller (and “business” under U.S. state privacy laws) for information we collect directly from you,such as account data, billing data, usage and log data, and inquiries to us. Processor / Service Provider: When we process data on your behalf— including brand materials you provide, ad content we generate at your direction, audience data from your connected Advertising Platform accounts, or transaction and customer data from your connected Business Platform accounts, and Customer Lists you upload - Addi acts as a processor (under GDPR/UK GDPR) and as a service provider (under U.S. state privacy laws) on your instructions and pursuant to our Terms of Service and Data Processing Addendum where applicable. Independent Controller (limited): To the extent Addi operates its own Advertising Platform accounts to deliver campaigns on your behalf, Addi may be an independent controller in its relationship with the relevant Advertising Platform (e.g., Meta, Google, TikTok, Spotify, or others) for platform-level relationship data. See Section 5. 2. Information We Collect 2.1 Information You Provide Directly - Account Information: Name, email address, business name, phone number Purpose: Account creation, authentication, communication - Billing Information: Payment method details, billing address, transaction history Purpose: Invoicing (processed by third-party payment processor; not stored on our servers) - Brand Information: Business name, website, industry, logos, images, colors, brand voice, target audience descriptions, campaign goals, geography, competitors Purpose: Building brand profiles, generating advertisements - Ad Content and Inputs: Text, images, audio, video, scripts, prompts, creative briefs you submit Purpose: AI content generation, ad creation - Communications: Support tickets, feedback, survey responses Purpose: Customer support, service improvement 2.2 Information from Connected Advertising Platforms When you use the Services to run campaigns on Advertising Platforms (e.g., Spotify Ad Studio, TikTok Ads Manager, YouTube/Google Ads, Meta Ads Manager), we may collect or generate the following data in connection with delivering those campaigns: - Campaign Data: Campaign names, settings, budgets, schedules, ad creative assets, bid strategies. Purpose: Campaign management, optimization - Audience Data: Audience segment definitions, demographic information, interest categories, custom audience parameters. Purpose: Ad targeting, audience insights - Performance Analytics: Impressions, clicks, conversions, engagement rates, cost-per-action metrics, reach. Purpose: Performance reporting, optimization - Customer Lists: Hashed email addresses or phone numbers uploaded to ad platforms for custom audiences. Purpose: Audience targeting as directed by you - Account Metadata: Ad account IDs, account status, connected pages/profiles. Purpose: Service delivery, platform integration Important: We access Advertising Platform data solely to provide the Services on your behalf and as your data processor. We do not use your Advertising Platform data for our own marketing or advertising, to serve other customers, or to contact individuals in your audience segments. We do not sell your Advertising Platform data. 2.3 Information from Third-Party Data Sources To build and enrich your brand profile, Addi compiles publicly available and API-sourced information about your business from third-party data sources. The categories of sources, data collected, and purposes are described below. - Business directories and review platforms: Business name, address, hours, categories, ratings, review excerpts. Purpose: Brand profile enrichment and verification - Brand and visual identity providers: Logos, color palettes, fonts, social media links. Purpose: Brand visual identity profiling - Social media and web data providers: Publicly available posts, engagement metrics, brand sentiment, business reviews. Purpose: Brand perception and market intelligence for ad relevance - Company and firmographic data providers: Industry classification, employee count estimates, company profile information. Purpose: Business profile enrichment - Mapping and location services: Business name and address identification. Purpose: Brand identification and verification This information pertains to businesses, not individuals, and is used solely to build and refine brand profiles for ad creation. A list of our current third-party data source providers is available upon request by contacting [email protected]. Addi does not guarantee the accuracy, completeness, or timeliness of third-party data. You may review and edit your brand profile at any time within the Services. 2.4 Information Collected Automatically - Usage Data: Features used, actions taken, pages viewed, session duration, ad creation history. Purpose: Product improvement, analytics - Device and Technical Data: Device type, operating system, browser type/version, screen resolution. Purpose: Service optimization, troubleshooting - Log Data: IP addresses, access times, referring URLs, error logs, timestamps. Purpose: Security, fraud prevention, diagnostics - Inferences: Brand sentiment, target audience characteristics, brand positioning. Purpose: Brand profiling, ad recommendations 2.5 Cookies and Similar Technologies We use cookies and similar technologies for the following purposes: - Essential: Authentication, security, core service functionality. Cannot be disabled. Lifespan: Session or up to 1 year - Analytics: Understanding how users interact with the Services (e.g., PostHog, configured in cookieless mode – no cookie is set). Lifespan: None - Preference: Remembering your settings and preferences. Lifespan: Up to 1 year - Marketing: Measuring effectiveness of Addi’s own advertising campaigns and tracking ad performance. Lifespan: Up to 1 year We do not serve third-party advertisements within the Services. For users in the EEA and UK: Analytics, preference, and marketing cookies are placed only after you provide consent through our cookie consent manager. You may withdraw consent at any time. Do Not Track: We do not currently respond to Do Not Track browser signals, as there is no accepted industry standard for doing so. 2.6 Information from Connected Business Platforms When you connect Business Platform accounts (e.g., Square point-of-sale) to Services, we may collect: - Transaction Data: Order records, transaction amounts, payment timestamps, order line items. Purpose: Business insights, ad content personalization - Product and Catalog Data: Product names, categories, pricing, inventory status. Purpose: Ad content generation, campaign targeting - Customer Metrics: Customer counts, visit frequency, aggregate purchasing patterns. Purpose: Audience insights, ad performance context - Customer Profile Data: Individual customer identifiers provided by your connected Business Platform, including name, email address, and phone number. Purpose: Audience segmentation, ad targeting insights, and ad content personalization - Account Metadata: Merchant ID, location IDs, connected account status. Purpose: Service delivery, platform integration Important: We access Business Platform data solely to provide the Services on your behalf and as your data processor. We do not use your Business Platform data for our own marketing, to serve other customers, or to build independent profiles on your customers. We do not use your customers'' Personal Information (such as name, email address, or phone number) to contact them directly, and we do not make your customers’ individual data available to other Addi merchants. We do not make your raw Business Platform data available to other merchants, and we do not combine raw Business Platform data across merchants. We may use de-identified, aggregated data derived from merchant activity to generate platform-wide insights. We do not sell your Business Platform data. 2.7 Biometric / Audio-Video Audio and video content you upload to the Services is processed solely as advertising creative input for generating ad Outputs. Addi does not use uploaded audio or video to identify any individual and does not knowingly create biometric identifiers (such as voiceprints or faceprints) or biometric information from uploaded content. Voice and Likeness Features. Certain features (such as voice cloning or AI voice synthesis) transmit audio to third-party service providers to generate Outputs. If your uploaded content includes a real person''s voice, image, or likeness, you represent and warrant that you have obtained all rights, releases, and consents required by applicable law (including any consents required under applicable biometric privacy laws including the Illinois Biometric Information Privacy Act, Texas CUBI, and Washington''s biometric law, and other applicable state biometric laws, and any applicable publicity, recording, or AI synthetic-media laws). You are responsible for retaining records of those consents. 3. How We Use Your Information 3.1 Service Delivery and Operations - Providing, operating, and maintaining the Services, including AI-powered ad generation, brand profiling, and Advertising Platform integrations - Processing your payments - Authenticating your account and managing access via WorkOS - Providing customer support and responding to inquiries 3.2 AI Content Generation - Processing your Inputs (prompts, brand data, creative briefs) through AI foundation models to generate advertising content (“Outputs”) - We submit your Inputs to third-party AI model providers solely for the purpose of generating Outputs - We do not use your Content to train our own proprietary AI models without your express opt-in consent. However, third-party AI model providers we utilize may process data through their own platforms subject to their own privacy policies and terms of service, which may permit model training. We use commercially reasonable efforts to disclose which providers are utilized upon request. 3.3 Product Improvement - Analyzing usage patterns to improve the Services and develop new features - Generating aggregated, de-identified analytics and benchmarks 3.4 Security and Compliance - Detecting, preventing, and addressing fraud, abuse, security incidents, and technical issues - Enforcing our Terms of Service - Complying with legal obligations, including responding to lawful requests from public authorities 3.5 Communications - Sending transactional communications (e.g., billing notices, security alerts) - Sending product updates, feature announcements, and marketing communications. You may opt out at any time. 4. How We Share Your Information We do not sell your Personal Information. We share information only in the following circumstances: 4.1 Service Providers and Sub-Processors - Cloud infrastructure: All data (encrypted at rest and in transit) - Authentication and access management: Account credentials, authentication tokens - Payment Processing: Billing information only - Business platform integrations: Transaction records, product and catalog data, and individual customer profile data (including name, email address, and phone number) from connected Business Platform accounts, processed on your behalf to generate ad targeting insights and content personalization - AI model providers: Input content submitted for generation purposes, including ad scripts, brand context, and generation parameters - AI observability and evaluation: Prompts, model outputs, and generation metadata used to monitor AI quality, latency, reliability and compliance with our Terms of Service - Brand and business data sources: Business identifiers such as name, address, URL - Company and firmographic data providers: Business name, industry classification, employee estimates, and company profile information for brand enrichment - Product analytics: De-identified usage data - Email and communications: Email addresses and message content for transactional communications (e.g., account invitations, billing notices) - Bot protection and security: IP addresses and browser signals for automated abuse prevention - Cookie consent management: Cookie preference selections, consent status, and consent identifiers - Application monitoring: De-identified application performance metrics and request traces A list of our current sub-processors is available upon request by contacting [email protected]. 4.2 Advertising Platforms When you use the Services to create and publish advertisements, we transmit ad content and campaign configurations to your connected Advertising Platforms on your behalf and at your direction. This includes ad creative assets, targeting parameters, budgets, and schedules. 4.3 Legal Requirements and Safety We may disclose your information if required by law or in good faith belief that disclosure is necessary to: (a) comply with a legal obligation, court order, or lawful request by public authorities; (b) protect and defend the rights or property of Addi; (c) prevent fraud or address security or technical issues; (d) protect the personal safety of users or the public. 4.4 Aggregated and De-Identified Data We may derive aggregated, de-identified insights from usage, performance, and Business Platform data across our merchant base to improve the Services and deliver platform-wide intelligence features. These aggregates are used to generate industry benchmarks, identify effective advertising patterns. No individual merchant’s raw data, business identity, customer records, or transaction details are disclosed to other merchants or third parties through these features. We do not use raw Business Platform data — including transaction records, customer profile data, or individual campaign performance — to generate cross-merchant insights without first de-identifying and aggregating that data in a manner that cannot reasonably be re-identified. For further detail on Addi''s ownership of aggregated analytics, see Section 10.1 of our Terms of Service. 4.5 Business Transfers In the event of a business transfer described in Section 19.5 of our Terms of Service, your information may be transferred to the acquiring entity. Any such transfer will be subject to the same protections described in this Policy. 5. Advertising Platform Data This section provides additional detail about how we handle data from your connected Advertising Platform accounts. 5.1 Data Processor Role Where Addi operates its own Advertising Platform accounts to deliver campaigns on your behalf, Addi may be an independent data controller (and "business" under U.S. state privacy laws) in its relationship with the relevant Advertising Platform (such as Meta, Google, TikTok, or Spotify) for platform-level relationship and account data, and acts as a processor / service provider with respect to the brand assets, creative inputs, audiences, and campaign instructions you provide. Where you connect and operate your own Advertising Platform accounts, Addi acts as a processor / service provider for the data we access through those connections. In all cases, we process Advertising Platform data subject to each platform''s terms and data use policies and solely to deliver the Services to you. 5.2 Limitations on Use We do not use your Advertising Platform data to: - Serve other customers or build advertising profiles for our own purposes - Train AI models - Contact individuals in your audience segments or Customer Lists - Combine your Advertising Platform data with data from other Addi customers 5.3 Platform Compliance We comply with the data use policies of each integrated Advertising Platform, including Meta, Google, TikTok, and Spotify, with respect to data received through their respective APIs and integrations. 5.4 Data Deletion Upon your request, upon disconnecting an Advertising Platform account, or upon receiving an authenticated deletion request from a connected Advertising Platform, we will delete the associated Advertising Platform data from our active systems within 30 days, except as required to comply with legal obligations or our data retention policy. 5.5 Customer Lists If you upload, connect, or otherwise make available Customer Lists (e.g., email lists for custom audience targeting), you represent and warrant that: (a) you have provided all required notices and obtained all consents and other legal bases necessary to share that data with Addi and the relevant Advertising Platforms for the intended targeting purposes; (b) you have honored all opt-outs of sale, sharing, and targeted advertising and any do-not-sell, do-not-share, do-not-track, or universal opt-out signals received from those individuals; (c) the lists do not include data from individuals known by you to be under 18 (or under 16 in the EEA/UK) or other categories prohibited by applicable Advertising Platform policies; and (d) you do not include sensitive Personal Information except as expressly permitted by law and platform policy. Addi processes Customer Lists solely to facilitate audience targeting at your direction. 6. Business Platform Data This section provides additional detail about how we handle data from your connected Business Platform accounts (e.g., point-of-sale systems). 6.1 Data Processor Role When processing Business Platform data (transaction data, product and catalog data, customer metrics, and customer profile data), Addi acts as a data processor on your behalf. We process this data solely in accordance with your instructions and as necessary to provide the Services. 6.2 Limitations on Use - We do not use your Business Platform data to: - Serve other merchants with your raw Business Platform data or disclose your business identity in connection with any cross-merchant analytics - Train AI models - Contact your customers or individuals reflected in transaction data - Combine your Business Platform data with data from other Addi customers (except in de-identified, aggregated form as described in Section 4.4) 6.3 Data Deletion Upon your request, or upon disconnecting a Business Platform account, we will delete the associated Business Platform data from our active systems within 30 days, except as required to comply with legal obligations or our data retention policy. 7. AI and Automated Processing 7.1 AI Content Generation The Services use artificial intelligence, including third-party foundation models, to generate advertising content based on your Inputs. When you submit Inputs, they are processed by our AI systems (and, where necessary, transmitted to third-party AI model providers) to produce Outputs. We also use third-party AI observability tooling to trace and monitor AI generation requests; such tooling may receive Input and Output content for the purpose of performance monitoring and debugging. All Output generated through the Services is embedded with C2PA Content Credentials — cryptographically signed provenance metadata identifying Addi as the generator, the AI model used, and the generation timestamp. These credentials are applied to every Output unconditionally and cannot be disabled. For further detail on AI transparency features, see Section 8.2 and 8.6 of our Terms of Service. 7.2 Third-Party AI Providers Certain AI features of the Services rely on third-party foundation model providers for text generation, web research, and voice synthesis. When you use these features, your Inputs may be transmitted to those providers for the purpose of generating Outputs. Addi does not control the practices of such providers, and their processing of data may be subject to their own terms, privacy policies, and data handling practices. A current list of AI model providers is available upon request by contacting [email protected]. 7.3 AI Model Improvement By default, Addi does not use your Content (Inputs, Outputs, Advertising Platform data, or Business Platform data) to train or improve our AI models. Addi does not sell your Personal Information, and does not use your Personal Information to train our models. Third-party AI model providers and observability tools we utilize may process your Inputs through their own platforms subject to their own terms, which may permit model training on user data. A current list of AI model providers is available upon request by contacting [email protected]. 7.4 Automated Decision-Making The Services use automated processing to generate ad content and provide recommendations (e.g., ad format suggestions, creative approaches based on your industry and audience). These automated processes assist you but do not make final decisions without your review and approval. You maintain full control over what content is created and published. 7.5 Human Review Addi may use human reviewers to examine content for: safety and trust investigations, quality assurance, legal compliance, and customer support. 8. Data Retention We retain your information only for as long as necessary to fulfill the purposes described in this Policy, or as required by law: - Account Information: Duration of account + 30 days after deletion - Billing and Transaction Records: 7 years (tax and legal compliance) - Brand Information and Ad Content (Inputs/Outputs): Duration of account + 90 days (exportable during this period). - Advertising Platform Data: Duration of platform connection + 30 days after disconnection - Business Platform Data: Duration of platform connection + 30 days after disconnection. - Usage and Log Data: 30 Days from collection - Cached Data (brand profiles, session data): 24 hours (automatically cleared) - Customer Support Records: Account duration + 90 days - Flagged Content (violations): Up to 1 year for investigation - Cookie Data: See cookie-specific durations in Section 2.5 - Aggregated / De-Identified Data: Retained indefinitely (cannot identify you) - Consent Audit Trail (IP address, browser/device information at time of consent acceptance): Duration of account + 7 years When you accept our Terms of Service or Privacy Policy, we record your IP address, browser/device information (User-Agent), document version accepted, and timestamp as a legal compliance audit trail. These records are retained for the duration of your account plus 7 years. You may request deletion of your data at any time through account settings or by contacting [email protected]. We will process deletion requests within 30 days, except where retention is required by law. 9. Data Security We implement industry-standard technical and organizational measures to protect your information, including: - Encryption: AES-256 encryption at rest; TLS 1.2+ encryption in transit for all data - Authentication: Secure authentication via WorkOS with support for multi-factor authentication (MFA) - Access Controls: Role-based access controls limiting employee access to personal data on a need-to-know basis - Infrastructure: Hosted on DigitalOcean with commercially reasonable security practices - Monitoring: Security monitoring, intrusion detection, and automated alerting - Vendor Security: Security assessments and data processing agreements with all sub-processors - Compliance: Addi’s security practices are designed to align with SOC 2 Type II requirements. - Breach Notification: Documented incident response procedures with commitment to notify without undue delay and in accordance with applicable law. No method of transmission or storage is 100% secure. While we use commercially reasonable measures to protect your information, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials. To report security vulnerabilities: Contact [email protected]. 10. Your Privacy Rights 10.1 Rights for All Users Regardless of your location, you may: - Access your Personal Information through your account settings or by contacting us - Correct inaccurate or incomplete account information through your account settings - Delete your account and associated data by contacting [email protected] - Export your data in a machine-readable format - Opt out of marketing communications via the unsubscribe link in any marketing email - Opt out of having your aggregated data used for AI model improvement - Manage cookies through our cookie preference center or your browser settings To exercise these rights, contact [email protected] or use the privacy controls in your account settings. We will not discriminate against you for exercising your rights. 10.2 California Residents — CCPA/CPRA If you are a California resident, you have the following additional rights: - Right to Know: Request disclosure of what Personal Information we collect, use, and share - Right to Delete: Request deletion of your Personal Information - Right to Correct: Request correction of inaccurate Personal Information - Right to Opt-Out: Opt out of the “sale” or “sharing” of Personal Information (we do not sell your data) - Right to Limit: Limit use of sensitive Personal Information - Right to Non-Discrimination: Not be discriminated against for exercising your rights Under CPRA, certain categories of Personal Information are classified as "sensitive personal information" (SPI) and are subject to additional rights and restrictions. The following describes Addi''s collection and use of SPI: Categories of Personal Information Collected (Prior 12 Months) CCPA Category Collected? Sold? Shared for Behavioral Ads? - A. Identifiers (name, email, IP address) | Collected? Yes | Sold? No | Shared for Behavioral Ads? No - B. Personal info per Cal. Civ. Code §1798.80(e) | Collected? Yes | Sold? No | Shared for Behavioral Ads? No - C. Protected classification characteristics | Collected? No | Sold? No | Shared for Behavioral Ads? No - D. Commercial information (transactions, subscriptions) | Collected? Yes | Sold? No | Shared for Behavioral Ads? No - E. Biometric information | Collected? No | Sold? No | Shared for Behavioral Ads? No - F. Internet or network activity (usage data) | Collected? Yes | Sold? No | Shared for Behavioral Ads? No - G. Geolocation data (IP-derived approximate; precise coordinates for business location and campaign targeting area) | Collected? Yes | Sold? No | Shared for Behavioral Ads? No - H. Sensory data (audio/video you upload) | Collected? Yes | Sold? No | Shared for Behavioral Ads? No - I. Professional information (job title, business) | Collected? Yes | Sold? No | Shared for Behavioral Ads? No - J. Education information | Collected? No | Sold? No | Shared for Behavioral Ads? No - K. Inferences drawn from above | Collected? Yes | Sold? No | Shared for Behavioral Ads? No Sensitive Personal Information: The categories of sensitive Personal Information (as defined under Cal. Civ. Code § 1798.140(ae)) that Addi collects are: (1) account log-in credentials, used solely for authentication; and (2) precise geolocation data in the form of business location coordinates and campaign targeting area coordinates, used solely to provide the Services. We do not collect biometric identifiers, financial account information, health data, or other sensitive Personal Information categories. We do not use or disclose sensitive Personal Information for purposes beyond those necessary to provide the Services, and we do not sell or share it. You have the right to limit our use of your sensitive Personal Information by contacting [email protected]. Authorized Agents: Authorized agents may submit requests on your behalf with (a) signed written authorization from the consumer, or (b) a valid power of attorney. We may contact the consumer directly to verify the request. To exercise your rights: Contact [email protected] or call 1-866-879-2334. We will verify your identity and respond within 45 days (extendable by an additional 45 days with notice). 10.3 EEA, UK, and Switzerland — GDPR If you are located in the European Economic Area, United Kingdom, or Switzerland, the following applies: Legal Bases for Processing - Account creation and service delivery: Performance of contract (Art. 6(1)(b)) - Activity: Payment processing: Performance of contract (Art. 6(1)(b)) - AI content generation: Performance of contract (Art. 6(1)(b)) - Security and fraud prevention: Legitimate interests (Art. 6(1)(f)) - Usage analytics and product improvement: Legitimate interests (Art. 6(1)(f)) - Marketing communications: Consent (Art. 6(1)(a)) - AI model improvement (opt-in): Consent (Art. 6(1)(a)) - Legal compliance: Legal obligation (Art. 6(1)(c)) Note on processor-role data flows: The table above covers processing activities where Addi acts as a data controller. For data processed on behalf of merchants — including Advertising Platform data (campaign data, audience data, performance analytics), Business Platform data (transaction records, customer profile data), and Customer Lists — Addi acts as a data processor under GDPR Art. 28. In these cases, the merchant is the controller and is responsible for determining and documenting the applicable lawful basis. Addi processes such data solely in accordance with the merchant''s instructions and the terms of the applicable agreement. See §§5.1 and 6.1 for further detail. Your GDPR Rights - Right of Access (Art. 15): Request a copy of your personal data - Right to Rectification (Art. 16): Correct inaccurate personal data - Right to Erasure (Art. 17): Request deletion (“right to be forgotten”) - Right to Restriction (Art. 18): Request restriction of processing - Right to Data Portability (Art. 20): Receive data in a structured, machine-readable format - Right to Object (Art. 21): Object to processing based on legitimate interests - Withdraw Consent: At any time, without affecting lawfulness of prior processing - Lodge a Complaint: File a complaint with your local supervisory authority To exercise your rights: Contact [email protected]. We will respond within 30 days. Right to Object (detail): To exercise the right to object to processing based on legitimate interests, contact [email protected] describing the specific processing activity and grounds for objection. We will cease the relevant processing unless we demonstrate compelling legitimate grounds that override your interests. Data Controller Addi, Inc., 117 W. 20th Street, Suite 202, Kansas City, MO 64108 Data Protection Contact: [email protected] EU Representative: If the nature and volume of our processing of EU personal data requires appointment of an EU representative under GDPR Article 27, we will appoint one and update this section. For EU data subject inquiries, contact [email protected]. 10.4 Other U.S. State Privacy Rights Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Indiana, Kentucky, Rhode Island, Maryland, Minnesota, Nebraska, Delaware, Iowa, New Hampshire, New Jersey, Tennessee, and other states with comprehensive privacy laws may have similar rights to access, delete, correct, and port Personal Information, and to opt out of targeted advertising and profiling. Universal Opt-Out Signals: We honor universal opt-out preference signals, including Global Privacy Control (GPC), as required by applicable state laws including the California Consumer Privacy Act, Colorado Privacy Act, Connecticut Data Privacy Act, Texas Data Privacy and Security Act, Montana Consumer Data Privacy Act, and Oregon Consumer Privacy Act. When we detect a recognized universal opt-out signal, we will treat it as a valid request to opt out of the sale or sharing of Personal Information and targeted advertising for that browser or device. To exercise your rights: Contact [email protected] or call 1-866-879-2334. Appeals Process: If we decline your request, you have the right to appeal. Send appeals to [email protected] with “Privacy Rights Appeal” in the subject line. We will respond within 60 days. 11. International Data Transfers Addi is based in the United States, and your information is processed and stored in the United States. If you access the Services from outside the United States, your information will be transferred to, stored, and processed in the United States. For EEA/UK/Swiss users, we rely on the following mechanisms for lawful international data transfers: - EU-U.S. Data Privacy Framework, UK Extension, and Swiss-U.S. Data Privacy Framework: Addi is not currently certified under the Data Privacy Framework. We will update this Policy if we become certified. - Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our data processing agreements with sub-processors Data Processing Addendum: Customers who process personal data subject to GDPR or other applicable data protection laws may request a Data Processing Addendum (DPA) by contacting [email protected]. The DPA incorporates Standard Contractual Clauses (Module Two: Controller to Processor) and UK IDTA where applicable. 12. Children’s Privacy The Services are designed for business users and are not directed at children. You must be at least 18 years old to use the Services, as set forth in our Terms of Service. We do not knowingly collect Personal Information from anyone under 18, and specifically comply with COPPA with respect to children under 13, and apply equivalent protections under EEA and UK law for children under 16. We do not knowingly permit customers to use the Services to upload, target, or build custom audiences from Personal Information about children, and we do not knowingly process children''s Personal Information for ad targeting, delivery, or campaign management. If we learn that we have collected Personal Information from a person under 18, we will take reasonable steps to delete that information promptly. If you believe a child has provided us with Personal Information, please contact [email protected]. Advertising Directed at Children: Addi does not collect, process, or use Personal Information from children in connection with ad targeting, delivery, or campaign management. If you use the Services to create advertisements directed at children or for products and services intended for children, you may not use the Services to collect, target, or process the Personal Information of children, and you are solely responsible for compliance with the Children''s Online Privacy Protection Act (COPPA), applicable Advertising Platform policies regarding ads to minors, and all other applicable child protection laws. See Section 8 of our Terms of Service for additional obligations regarding advertising compliance, including the requirement to review all AI-generated content before publication. 13. Third-Party Links The Services may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any information. 14. Changes to This Privacy Policy We may update this Privacy Policy from time to time. We will provide at least 30 days’ notice of material changes by posting the updated Policy on our website. When material changes take effect, you will be prompted to review and accept the updated Policy before continuing to use the Services. The “Last Updated” date at the top indicates when it was last revised and the "Effective Date" indicates when it takes effect. Your continued use of the Services after the effective date constitutes acceptance. 15. Contact Us If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: Addi, Inc. 117 W. 20th Street, Suite 202 Kansas City, MO 64108 Privacy and data rights requests: [email protected] Security issues: [email protected] Legal inquiries: [email protected] Phone: 1-866-879-2334 CCPA response timeline: 45 days (with possible 45-day extension) GDPR response timeline: 30 days