1. About This Policy

This Privacy Policy describes how Vertalo, Inc. ("Vertalo," "we," "us," or "our") collects, uses, and shares information about individuals who access or use our platform, website, and related services. Vertalo is headquartered at 1515 East Cesar Chavez St, Austin, TX 78702.

By accessing or using Vertalo's platform, you agree to the collection and use of your information as described in this policy. If you do not agree, please discontinue use of our services.

2. Information We Collect

We collect information you provide directly and information generated through your use of the platform:

• Identity & Contact: Full name, email address, company or organization name, job title, and phone number.
• Account Credentials: Usernames, passwords (hashed), and multi-factor authentication data.
• Compliance & Verification Data: Government-issued identification, accredited investor documentation, AML/KYC information, and other data required by applicable securities regulations.
• Transaction & Issuance Records: Cap table data, securities ownership records, transfer history, and blockchain address associations.
• Usage Data: Log files, IP addresses, browser type, device information, pages visited, timestamps, and feature interactions.
• Communications: Messages, support requests, and correspondence submitted through the platform.

3. How We Use Your Information

We use collected information for the following purposes:

• Platform Operation: Provisioning accounts, processing transactions, maintaining cap tables, and delivering core Transfer Agent services.
• Regulatory Compliance: Fulfilling obligations as an SEC-registered Transfer Agent, including recordkeeping under Rule 17Ad-7 and related regulations.
• Identity Verification & AML/KYC: Verifying investor identity and eligibility in accordance with applicable securities laws.
• Security: Detecting fraud, unauthorized access, and other threats to platform integrity.
• Communications: Sending transactional notices, account updates, compliance alerts, and (with your consent) marketing communications.
• Product Improvement: Analyzing aggregated usage data to improve platform features and performance.

4. How We Share Your Information

Vertalo does not sell your personal information. We share information only in the following circumstances:

• Regulatory Authorities: We may disclose information to the SEC, FINRA, or other regulatory bodies as required by law or in response to a valid legal process.
• Service Providers: We engage vetted third-party vendors (cloud infrastructure, identity verification, custody) under strict data processing agreements and non-disclosure obligations.
• Business Clients: Issuers using our Transfer Agent services may access their own investor records as permitted by the terms of our engagement.
• Legal Process: We may disclose information in response to subpoenas, court orders, or other legal obligations.
• Corporate Transactions: In connection with a merger, acquisition, or sale of assets, your information may be transferred to the successor entity, subject to equivalent privacy protections.

We never sell, rent, or trade your personal information to third parties for commercial purposes.

5. Data Retention

We retain personal information for as long as necessary to provide services, comply with legal obligations, and resolve disputes. As an SEC-registered Transfer Agent, Vertalo is subject to mandatory recordkeeping rules under the Securities Exchange Act of 1934 and SEC regulations that may require us to retain certain records beyond standard retention periods — in some cases, for six years or longer.

When data is no longer required for regulatory or operational purposes, it is securely deleted or anonymized.

6. Security Measures

We implement industry-standard technical and organizational safeguards, including encryption at rest and in transit, hardware security module (HSM) key management, multi-factor authentication, role-based access controls, and continuous monitoring. See our Security Protocols page for full details.

7. Your Rights — GDPR & CCPA

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal data we hold about you.
• Correction: Request correction of inaccurate or incomplete data.
• Deletion: Request deletion of your data, subject to our legal retention obligations.
• Portability: Receive your data in a structured, machine-readable format.
• Opt-Out: California residents may opt out of the sale of personal information (note: we do not sell personal data).
• Object / Restrict: Object to or request restriction of certain processing activities.

Requests are subject to identity verification. We will respond within the timeframes required by applicable law. Note that certain regulatory recordkeeping obligations may limit our ability to fully honor deletion requests.

8. Cookies & Tracking

We use cookies and similar technologies for session management, security, and analytics. You may configure your browser to refuse cookies; however, some platform features may not function correctly without them. We do not use tracking technologies for cross-site behavioral advertising.

9. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a prominent notice on our platform. Continued use of the platform after changes become effective constitutes acceptance of the revised policy.