Privacy Policy

MarketCrunch AI, Inc.

Effective Date: Nov 04, 2025

Notice to Data Subjects

This Privacy Policy governs the collection, use, disclosure, and retention of personal information by MarketCrunch AI, Inc. in connection with the provision of services through marketcrunch.ai and associated platforms. Material terms are as follows:

  • Information Collected: Identifiers (name, email address), account credentials, commercial transaction data, internet activity and usage logs, brokerage account metadata (upon voluntary linking via third-party integration), and derived inferences regarding platform usage.
  • Processing Activities: Service provisioning, authentication, alert generation, payment processing, analytics, security operations, and regulatory compliance. Personal information is not utilized for training proprietary machine learning models.
  • Third-Party Processors: Data is processed by service providers including, without limitation, Stripe, Inc. (payment processing), Plaid Inc. (brokerage integration), Google LLC (authentication and analytics), Amazon Web Services, Inc. and Google Cloud Platform (infrastructure), and market data vendors.
  • No Sale or Cross-Context Sharing: Personal information is not sold or shared for purposes of cross-context behavioral advertising as defined under applicable state privacy statutes.
  • Data Subject Rights: Individuals possess rights of access, rectification, erasure, portability, and objection as prescribed by applicable law, including the California Privacy Rights Act and the General Data Protection Regulation.
  • Security Measures: Reasonable technical and organizational safeguards are implemented; however, absolute security cannot be guaranteed.
  • International Data Transfers: Personal information is transferred to and processed in the United States pursuant to Standard Contractual Clauses and equivalent mechanisms.
  • Minors: Services are not directed to persons under eighteen (18) years of age. Information from individuals under thirteen (13) years is not knowingly collected.
  • Inquiries: Communications regarding this Policy or data subject requests should be directed to info@marketcrunch.ai or privacy@marketcrunch.ai.

The complete Policy follows below and should be read in its entirety.

Table of Contents

  • Overview & Scope
  • Personal Data We Collect
  • Sources of Personal Data
  • How We Use Personal Data
  • Legal Bases for Processing (EU/UK)
  • Disclosures & Categories of Recipients
  • AI, Profiling & Automated Processing
  • Cookies & Similar Technologies
  • Data Retention
  • Security
  • Your Rights & Choices
  • International Transfers
  • Children's Privacy
  • Third-Party Sites & Services
  • Changes to This Policy
  • Contact Us
  • Jurisdictional Addenda

1. Overview & Scope

1.1 Controller Identity. MarketCrunch AI, Inc. ("MarketCrunch AI," "Company," "we," "us," or "our"), a Delaware corporation, serves as the data controller with respect to the processing of personal information described herein. The Company provides artificial intelligence-driven financial research and educational services via its website located at marketcrunch.ai, together with related mobile applications, application programming interfaces, dashboards, algorithmic content feeds, alert systems, and third-party integrations (collectively, the "Service").

1.2 Scope of Application. This Privacy Policy (the "Policy") sets forth the Company's practices concerning the collection, use, disclosure, retention, and protection of personal information obtained in connection with the Service. This Policy applies globally to all users of the Service, subject to additional jurisdictional requirements as specified in Section 17.

1.3 Relationship to Terms of Service. This Policy is incorporated by reference into the Company's Terms of Service (available at https://marketcrunch.ai/terms) and constitutes an integral component thereof. Capitalized terms not otherwise defined herein shall have the meanings ascribed to them in the Terms of Service. By accessing or using the Service, users expressly consent to the collection and processing of personal information as described in this Policy and agree to be bound by both this Policy and the Terms of Service.

1.4 Supplementary Documentation. This Policy may be supplemented by additional notices, including cookie notices, data processing addenda for enterprise customers, or jurisdiction-specific disclosures, which shall be deemed incorporated herein by reference where applicable.


2. Personal Data We Collect

The Company collects and processes the following categories of personal information in connection with the operation of the Service:

2.1 Identifiers. Full name and electronic mail address obtained through third-party authentication services; Internet Protocol (IP) addresses collected automatically upon Service access; Device identifiers, including mobile device identification numbers, browser types, and operating system designations.

2.2 Authentication and Account Credentials. Google account information (name and email address) received via Firebase authentication protocols; Authentication tokens and session identifiers maintained by Firebase for account access management.

2.3 Commercial and Transactional Information. Subscription status, plan designation, billing history, and transaction metadata received from the Company's payment processor; Payment card information is collected and maintained exclusively by Stripe, Inc., the Company's third-party payment processor, and is not accessed or stored by the Company.

2.4 Internet and Network Activity Data. Service usage patterns, including without limitation: page views, feature utilization, session duration, user interactions, and search queries; System logs documenting user inputs submitted to the Service and corresponding outputs generated thereby; Device and browser characteristics, including browser type and version, operating system, screen resolution, and referring uniform resource locators (URLs); Cookies, web beacons, pixels, and similar tracking technologies as described in Section 8.

2.5 Financial Account Information (Voluntary Brokerage Linking). Brokerage account linking tokens and holdings metadata obtained via Plaid Inc. when users voluntarily elect to link external brokerage accounts; Holdings information includes, without limitation, security identifiers (ticker symbols), position quantities, and account type classifications; The Company does not receive, access, or store brokerage login credentials, which remain subject to Plaid's custody and the applicable broker-dealer's systems; The Company does not possess authority to execute, modify, or cancel securities transactions or transmit trading instructions.

2.6 Inferences and Derived Data. User preferences and configuration settings established within user accounts; Algorithmic inferences regarding user interests derived from feature usage patterns, securities viewed, and interaction history; Such inferences are employed solely to personalize Service delivery and do not constitute investment advice or recommendations.

2.7 Geolocation Information. Approximate geographic location inferred from IP address for purposes of analytics, security monitoring, and regulatory compliance; The Company does not collect precise geolocation data.

2.8 Communications. Electronic mail correspondence between users and the Company, including customer support inquiries, feedback submissions, and related communications; Email engagement metrics (e.g., delivery confirmations, open rates, link activations) collected through the Company's email service providers.

2.9 Exclusions. The Company does not collect the following categories of information:

  • User-Generated Content: Users do not upload documents, images, media files, or similar content to the Service.
  • Direct Credential Access: The Company does not receive or store financial institution login credentials, which are maintained exclusively by Plaid and applicable broker-dealers.
  • Sensitive Personal Data (as defined under California Consumer Privacy Act): The Company does not intentionally collect government-issued identification numbers, precise geolocation coordinates, racial or ethnic origin, religious beliefs, health information, sexual orientation data, union membership status, or genetic or biometric identifiers for identification purposes. Financial account access obtained via Plaid is limited to holdings metadata and is processed exclusively for alert generation purposes.

3. Sources of Personal Data

Personal information is obtained from the following sources:

3.1 Direct Collection from Data Subjects. Account Registration: Information provided during account creation via third-party authentication services; Service Interaction: Data generated through user engagement with Service features, including dashboards, prediction tools, calculators, and alert systems; Voluntary Integrations: Information obtained when users elect to link external brokerage accounts via Plaid; Communications: Information provided through direct correspondence with the Company.

3.2 Automatic Collection via User Devices. Usage data, system logs, IP addresses, and device characteristics collected automatically through cookies, software development kits (SDKs), and similar technologies.

3.3 Third-Party Service Providers. Google LLC / Firebase: Provides authenticated user identity data (name and email address) upon user-initiated login; Plaid Inc.: Provides brokerage account connection tokens and holdings metadata upon user authorization; Stripe, Inc.: Provides payment transaction confirmations and subscription status information; Google Analytics: Generates aggregated usage statistics and traffic analytics.

3.4 Public and Commercial Data Sources. Market Data Vendors (Alpaca Markets LLC, Polygon.io): The Company obtains publicly available securities market data to generate analytical outputs. Such data does not contain user personal information but informs algorithmic predictions and market insights.


4. How We Use Personal Data

The Company processes personal information for the following purposes:

4.1 Service Provisioning and Operations. Authentication of user accounts and management of login sessions; Generation and delivery of artificial intelligence-driven predictions, market signals, algorithmic content feeds, options analysis tools, and related Service features; Transmission of automated alerts and notifications concerning securities held in linked brokerage accounts (where applicable); Enablement of personalized dashboards and user experience customization based on usage patterns and preferences.

4.2 Payment Processing and Subscription Management. Processing of subscription payments via third-party payment processors; Administration of billing cycles, subscription renewals, cancellations, and invoicing; Detection and prevention of fraudulent payment activity.

4.3 Communications. Transmission of transactional communications, including account confirmations, billing notices, security alerts, and Service updates; Distribution of marketing and promotional communications (subject to user opt-out rights as described in Section 11); Response to customer support inquiries and user feedback.

4.4 Service Enhancement and Product Development. Analysis of usage patterns and user behavior to improve Service functionality, design, and performance; Personalization of content delivery and feature recommendations; Conduct of research, statistical analysis, and product testing; The Company does not utilize individual user personal information to train proprietary machine learning models. Aggregated, anonymized usage data may be employed for research and product development purposes.

4.5 Security, Fraud Prevention, and Compliance. Detection, investigation, and prevention of fraudulent activity, security breaches, and unauthorized access; Enforcement of the Terms of Service and other Company policies; Compliance with applicable legal and regulatory obligations, including responses to lawful governmental requests; Establishment, exercise, and defense of legal claims.

4.6 Business Operations and Administration. Maintenance and troubleshooting of systems infrastructure; Conduct of internal audits, quality assurance reviews, and risk management activities; Facilitation of potential corporate transactions, including mergers, acquisitions, and asset sales.


5. Legal Bases for Processing (EU/UK)

With respect to data subjects located in the European Union, United Kingdom, or European Economic Area, the Company processes personal information pursuant to the following legal bases under the General Data Protection Regulation (Regulation (EU) 2016/679) and the UK General Data Protection Regulation:

5.1 Performance of Contract (Article 6(1)(b) GDPR). Processing is necessary for the performance of the contractual relationship established under the Terms of Service, including: Provision of access to Service features and functionalities; Processing of subscription payments and account administration; Delivery of alerts and notifications; Provision of customer support services.

5.2 Legitimate Interests (Article 6(1)(f) GDPR). Processing is necessary for purposes of the legitimate interests pursued by the Company or third parties, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. Legitimate interests include: Service Improvement: Analytics, research, and product development to enhance Service quality and user experience; Security and Fraud Prevention: Protection of Company systems, user accounts, and business operations against fraudulent activity and security threats; Marketing Communications: Distribution of promotional content concerning Service features and offerings (subject to opt-out rights); Business Operations: Maintenance of technical infrastructure, enforcement of policies, and conduct of routine business administration.

The Company has assessed these legitimate interests against potential impacts on data subjects and has determined that processing does not override individual rights and freedoms.

5.3 Consent (Article 6(1)(a) GDPR). Processing is based on the data subject's explicit consent where required by applicable law, including: Deployment of non-essential cookies and analytics technologies (where consent requirements apply); Transmission of marketing communications (where consent is required rather than reliance on legitimate interests).

Consent may be withdrawn at any time without affecting the lawfulness of processing conducted prior to withdrawal.

5.4 Legal Obligation (Article 6(1)(c) GDPR). Processing is necessary for compliance with legal obligations to which the Company is subject, including: Response to lawful requests from governmental authorities and regulators; Satisfaction of tax, accounting, and financial reporting requirements; Compliance with data protection and privacy law obligations.


6. Disclosures & Categories of Recipients

The Company discloses personal information to the following categories of recipients:

6.1 Service Providers and Processors. The Company engages third-party service providers to perform functions on its behalf in connection with Service operations. Such providers act as data processors and are contractually obligated to process personal information solely in accordance with the Company's instructions and to implement appropriate technical and organizational security measures.

Service providers include:

  • Stripe, Inc.: Payment processing and subscription management services;
  • Plaid Inc.: Brokerage account linking and financial data aggregation services;
  • Google LLC (Firebase, Google Analytics): Authentication infrastructure, account management systems, and usage analytics;
  • Amazon Web Services, Inc. and Google Cloud Platform: Cloud hosting, data storage, and technical infrastructure services;
  • Email Service Providers: Transactional and marketing email delivery services [specific provider to be designated];
  • Market Data Vendors (Alpaca Markets LLC, Polygon.io): Provision of securities market data for algorithmic analysis and prediction generation.

6.2 Artificial Intelligence and Technology Infrastructure Providers. The Company utilizes artificial intelligence and machine learning infrastructure provided by third-party technology vendors, including DeepSeek and OpenAI, as components of the Company's technology stack. The Company does not transmit user personal information to OpenAI or DeepSeek. User data is processed exclusively on infrastructure hosted by Amazon Web Services, Inc. and Google Cloud Platform.

6.3 Legal and Regulatory Authorities. The Company may disclose personal information to governmental authorities, regulatory agencies, and law enforcement entities when required by applicable law or legal process, or when necessary to: Respond to lawful requests, subpoenas, court orders, or regulatory inquiries; Comply with statutory or regulatory obligations; Establish, exercise, or defend legal claims; Protect the rights, property, safety, or security of the Company, its users, or the public.

6.4 Corporate Transaction Counterparties. In the event of a merger, acquisition, consolidation, sale of assets, bankruptcy, or similar corporate transaction, personal information may be transferred to successor entities or acquiring parties, subject to continued application of this Policy or a successor policy providing substantially equivalent protections.

6.5 Consent-Based Disclosures. The Company may disclose personal information to additional third parties when the data subject provides explicit consent or directs such disclosure.

6.6 Absence of Sale or Cross-Context Sharing. The Company does not sell personal information, as that term is defined under the California Consumer Privacy Act (Cal. Civ. Code § 1798.140(ad)), the California Privacy Rights Act, or similar state privacy statutes. Specifically, the Company does not disclose personal information to third parties in exchange for monetary or other valuable consideration.

The Company does not share personal information for purposes of cross-context behavioral advertising, as that term is defined under applicable state privacy laws (Cal. Civ. Code § 1798.140(ah)).

In the event the Company's data practices change such that personal information is sold or shared for cross-context behavioral advertising purposes, the Company will update this Policy and implement required opt-out mechanisms in accordance with applicable law.


7. AI, Profiling & Automated Processing

7.1 Artificial Intelligence Systems. The Company deploys proprietary machine learning models and algorithms to generate the following outputs: Predictive analytics concerning equity securities price movements (next-day and next-week forecasts); Confidence scoring and historical hit rate metrics derived from backtested model performance; Algorithmic content classification and sentiment analysis applied to market news and events; Options contract gain and loss projections based on user-specified parameters and Company-generated price targets; Automated alerts concerning securities positions held in user-linked brokerage accounts (where applicable).

7.2 Characterization of Outputs. All outputs generated by the Service constitute impersonal, general-purpose research and educational content. Such outputs are not customized to individual user financial circumstances, risk tolerance profiles, investment objectives, or suitability parameters. The Company does not provide investment advice, and Service outputs do not constitute recommendations, endorsements, or suitability determinations within the meaning of applicable securities laws and regulations.

Users are expressly advised that Service outputs should not be relied upon as the sole or primary basis for investment decisions. As stated in the Terms of Service, users bear sole responsibility for all investment decisions and are advised to consult qualified legal, tax, and financial advisers prior to making investment determinations.

7.3 Automated Decision-Making. The Company does not engage in solely automated decision-making that produces legal effects concerning data subjects or similarly significantly affects them, as contemplated by Article 22 of the General Data Protection Regulation. Specifically: Service outputs are informational and educational in nature; The Company does not execute securities transactions or exercise discretionary investment management authority; The Company does not make creditworthiness determinations, eligibility assessments for services, or other decisions that impose binding legal consequences; All investment decisions remain under the exclusive control and responsibility of individual users.

7.4 Training Data Policies. The Company does not train its proprietary machine learning models on individual user personal information. While the Company maintains system logs of user inputs and algorithmic outputs for purposes of Service operation, security monitoring, and quality assurance, such data is not utilized to train models on individual user behavior patterns.

The Company may employ aggregated, anonymized usage statistics for purposes of research, analytics, and product development in a manner that does not permit re-identification of individual users.

7.5 Transparency and Disclosure. The Company provides general information concerning algorithmic methodologies, model limitations, and performance disclaimers within the Terms of Service and on the Service interface. Such disclosures include, without limitation: Explanations that backtested performance metrics are hypothetical and subject to inherent limitations; Warnings that past performance does not constitute evidence of future results; Disclaimers concerning the speculative nature of predictive analytics and the inherent uncertainty of financial markets.

7.6 User Control Mechanisms. Users maintain control over the following aspects of Service usage: Election to utilize or disregard algorithmic predictions and outputs; Voluntary decision to link external brokerage accounts; Configuration of alert preferences or complete disablement of alert functionality; Cancellation of subscriptions and termination of account access.

7.7 Rights Under EU/UK Data Protection Law. Data subjects located in the European Union or United Kingdom possess the following rights in connection with automated processing: Right to obtain information concerning the logic, significance, and envisaged consequences of automated processing (Article 13(2)(f) and Article 14(2)(g) GDPR); Right to object to processing based on legitimate interests, including profiling (Article 21 GDPR); Right to object to direct marketing, including profiling for such purposes (Article 21(2)-(3) GDPR); Right not to be subject to solely automated decision-making producing legal or similarly significant effects (Article 22 GDPR), though as noted above, the Company does not engage in such decision-making.

Data subjects may exercise these rights as described in Section 11.


8. Cookies & Similar Technologies

8.1 Definition and Scope. Cookies are small text files stored on user devices when accessing websites. Similar technologies include web beacons (also known as pixel tags or clear GIFs), local storage objects, software development kits (SDKs), and other tracking technologies that enable collection of usage data and device information.

8.2 Categories of Cookies Deployed. The Company and its service providers deploy the following categories of cookies:

Strictly Necessary Cookies. Essential cookies required for core Service functionality, including: Session authentication and account access management; Security features and fraud prevention mechanisms; Load balancing and technical infrastructure operations.

Strictly necessary cookies cannot be disabled without materially impairing Service functionality.

Analytics and Performance Cookies. Cookies that collect information concerning Service usage patterns, including: Google Analytics cookies that track page views, session duration, user flows, and feature utilization; Performance monitoring tools that assess Service responsiveness and identify technical issues.

Data collected via analytics cookies is used to improve Service quality and user experience.

Functional Cookies. Cookies that enable enhanced functionality and personalization, including: Storage of user preferences and configuration settings; Customization of dashboard layouts and feature displays; Recognition of returning users to streamline access.

Marketing and Advertising Cookies. Cookies that support marketing communications and campaign measurement (if applicable), including: Tracking of marketing email engagement and click-through rates; Attribution of user acquisition to marketing channels; Personalization of promotional content.

8.3 Google Analytics. The Company employs Google Analytics, a web analytics service provided by Google LLC, to collect and analyze usage data. Google Analytics deploys cookies to track user sessions, page views, and interactions. Google's processing of Analytics data is governed by Google's Privacy Policy (available at https://policies.google.com/privacy).

Opt-Out Mechanisms: Users may control Google Analytics tracking through: Browser cookie management settings; Installation of the Google Analytics Opt-Out Browser Add-On (available at https://tools.google.com/dlpage/gaoptout), which prevents transmission of usage data to Google Analytics.

8.4 User Control and Opt-Out Rights. Users may exercise control over cookies through the following mechanisms:

Browser-Based Controls: Modern web browsers provide settings to: Block all cookies (note: blocking essential cookies will prevent Service access); Delete existing cookies stored on user devices; Configure browser notifications upon cookie placement; Implement "Do Not Track" preferences (see Section 8.5 below).

Specific instructions for cookie management are typically available in browser help documentation or settings menus.

Mobile Device Controls: Users accessing the Service via mobile applications may control tracking through device-level settings: iOS: Settings → Privacy & Security → Tracking; Android: Settings → Google → Ads → Opt out of Ads Personalization

8.5 Do Not Track and Global Privacy Control Signals. Certain browsers and devices transmit "Do Not Track" (DNT) signals to websites. As of the Effective Date, there exists no uniform industry standard for recognizing or responding to DNT signals. The Company's systems do not currently respond to DNT signals.

Should the Company elect to implement support for Global Privacy Control (GPC) signals or similar universal opt-out mechanisms in the future, this Policy will be updated accordingly.

8.6 Mobile Application Tracking Technologies. When the Service is accessed via mobile applications, the Company may utilize software development kits (SDKs) and similar technologies to collect device identifiers, usage data, and analytics. Users may control such tracking through device-level privacy settings as described in Section 8.4.


9. Data Retention

9.1 Retention Principles. The Company retains personal information for the duration necessary to: Fulfill the purposes for which the information was collected as described in Section 4; Satisfy legal, regulatory, tax, accounting, and audit obligations; Establish, exercise, or defend legal claims and resolve disputes; Enforce the Terms of Service and other Company agreements; Protect against fraudulent activity, security threats, and abuse.

9.2 Standard Retention Periods. The following retention periods apply to categories of personal information:

Account and Identification Data: Retained for the duration of active account status and for a reasonable period following account closure (typically thirty (30) to ninety (90) days) to accommodate potential reactivation and satisfy regulatory obligations. Account data deletion is executed only upon explicit data subject request (see Section 11 for deletion request procedures).

Usage Logs and Analytics Data: Retained for twelve (12) to twenty-four (24) months following collection for purposes of analytics, security monitoring, debugging, and Service improvement, after which data is aggregated, anonymized, or permanently deleted.

Brokerage Integration Data: Holdings metadata obtained via Plaid is retained for the duration of active brokerage integration. Upon user revocation of Plaid access, the Company ceases receiving updated holdings information and retains existing data only as necessary for legal compliance or dispute resolution.

Payment and Transaction Data: Transaction metadata and billing records are retained for up to seven (7) years following the transaction date to satisfy tax reporting obligations, financial audit requirements, and applicable recordkeeping statutes.

Marketing Communications Data: Contact information for marketing purposes is retained until the data subject opts out of marketing communications, at which point the information is suppressed to honor the opt-out preference but may be retained in suppression lists to prevent inadvertent re-solicitation.

9.3 Deletion and Anonymization. Upon expiration of applicable retention periods, the Company will: Permanently delete personal information using industry-standard deletion methods; or Anonymize personal information such that it can no longer be attributed to an identified or identifiable individual.

9.4 Backup and Archive Systems. Personal information may temporarily persist in backup systems and disaster recovery archives following deletion from active systems. Backup data is subject to periodic deletion or overwriting in accordance with the Company's data lifecycle management policies.

9.5 Deletion Requests. Data subjects may submit requests for deletion of personal information as described in Section 11. The Company will comply with such requests except where retention is required or permitted by applicable law, including for purposes of legal compliance, fraud prevention, security, or the establishment, exercise, or defense of legal claims.


10. Security

10.1 Technical and Organizational Measures. The Company implements reasonable technical and organizational measures designed to protect personal information against unauthorized access, unlawful processing, accidental loss, destruction, or damage. Security measures include, without limitation: Encryption: Personal information is encrypted during transmission using Transport Layer Security (TLS) / Secure Sockets Layer (SSL) protocols and encrypted at rest where technically feasible; Access Controls: Access to personal information is restricted to authorized personnel on a need-to-know basis and is subject to authentication requirements; Account Security: User accounts are protected via third-party authentication services (Google Firebase) with password security controls; Security Monitoring: The Company maintains security monitoring systems to detect anomalous activity, attempted intrusions, and security incidents; Vendor Security Requirements: Third-party service providers are contractually required to implement appropriate technical and organizational security measures.

10.2 Limitations and Disclaimers. Notwithstanding the security measures described above, the Company cannot and does not guarantee absolute security of personal information. No method of electronic transmission, internet-based communication, or digital storage is entirely secure. Unauthorized access, hardware or software failures, human error, and other factors may compromise the security of personal information.

The Company expressly disclaims all warranties, express or implied, concerning the security of personal information, to the maximum extent permitted by applicable law.

10.3 Data Breach Notification Obligations. In the event of a confirmed data breach that compromises the security, confidentiality, or integrity of personal information, the Company will provide notification to affected data subjects and relevant supervisory authorities as required by applicable law, including: The General Data Protection Regulation (Articles 33–34); The California Consumer Privacy Act (Cal. Civ. Code § 1798.82); Other applicable state breach notification statutes; Industry-specific regulations (where applicable).

Notifications will be provided without undue delay upon confirmation of the breach and will include information concerning the nature of the breach, categories of data affected, potential consequences, and remedial measures.

10.4 Data Subject Responsibilities. Data subjects bear responsibility for: Maintaining the confidentiality of account credentials and authentication tokens; Enabling multi-factor authentication where available; Utilizing secure internet connections and avoiding public or unsecured networks when accessing the Service; Promptly logging out of accounts when using shared or public devices; Immediately notifying the Company of any known or suspected unauthorized access to accounts or personal information.


11. Your Rights & Choices

11.1 Universal Rights. Irrespective of geographic location, all users possess the following rights:

Opt-Out of Marketing Communications: Data subjects may opt out of receiving marketing and promotional electronic mail communications by activating the "Unsubscribe" link included in the footer of each marketing email. Opt-out requests will be processed within ten (10) business days. Note that transactional communications (including account notifications, billing statements, security alerts, and service updates) are not subject to opt-out and will continue to be transmitted as necessary for Service operations.

Revocation of Brokerage Account Integration: Data subjects who have linked external brokerage accounts via Plaid may revoke access authorization at any time through account settings or by contacting Plaid directly. Upon revocation, the Company will cease receiving updated holdings information, and automated alerts will be discontinued. Previously received holdings data may be retained as described in Section 9.

Account Deletion: Data subjects may request deletion of user accounts and associated personal information by submitting a request to info@marketcrunch.ai or privacy@marketcrunch.ai. Account deletion results in permanent loss of access to Service features and account data.

11.2 Rights Under United States State Privacy Laws. Residents of California, Virginia, Colorado, Connecticut, Utah, and other U.S. states with comprehensive privacy legislation possess the following rights:

Right to Know / Right of Access: Data subjects may request disclosure of: Categories of personal information collected by the Company; Specific pieces of personal information maintained in Company records; Categories of sources from which personal information is obtained; Business or commercial purposes for which personal information is collected or disclosed; Categories of third parties to whom personal information is disclosed or sold; Categories of personal information disclosed to each category of recipient.

Right to Delete: Data subjects may request deletion of personal information collected or maintained by the Company, subject to exceptions permitting retention where necessary for: Completion of transactions for which the information was collected; Detection and prevention of security incidents, fraud, or illegal activity; Debugging to identify and repair errors; Exercise of free speech or other legal rights; Compliance with legal obligations; Internal uses reasonably aligned with data subject expectations; Otherwise permitted under applicable law.

Right to Correct: Data subjects may request correction of inaccurate personal information maintained by the Company. Upon receipt of a verified correction request, the Company will use commercially reasonable efforts to correct the information.

Right to Data Portability: Data subjects may request a copy of personal information in a portable, machine-readable format to the extent technically feasible. The Company will provide responsive data in commonly used formats such as CSV, JSON, or PDF.

Right to Opt Out of Sale or Sharing: The Company does not sell or share personal information as those terms are defined under the California Consumer Privacy Act (Cal. Civ. Code § 1798.140(ad), (ah)) or equivalent state statutes. In the event Company practices change such that personal information is sold or shared for cross-context behavioral advertising purposes, the Company will provide conspicuous opt-out mechanisms as required by law.

Right to Limit Use of Sensitive Personal Information: The Company does not use or disclose sensitive personal information (as defined under Cal. Civ. Code § 1798.140(ae)) for purposes beyond those specified in Cal. Civ. Code § 1798.121(a). Financial account information obtained via Plaid is used exclusively for alert generation and fraud prevention and is not used for unrelated purposes that would trigger limitation rights.

Right to Non-Discrimination: The Company will not discriminate against data subjects for exercising privacy rights by: Denying goods or services; Charging different prices or imposing different rates; Providing different levels or quality of service; Suggesting that the data subject will receive different pricing or service quality.

The Company may offer financial incentives or differential pricing programs where permitted by law, provided such programs comply with applicable legal requirements and are offered on an opt-in basis with advance notice.

Authorized Agents (California): California residents may designate authorized agents to submit privacy requests on their behalf. To process requests submitted by authorized agents, the Company requires: Written authorization signed by the data subject specifically authorizing the agent to act on the data subject's behalf; or A valid power of attorney executed pursuant to California Probate Code sections 4000–4465.

The Company reserves the right to verify both the identity of the data subject and the authority of the authorized agent prior to processing requests.

11.3 Rights Under the General Data Protection Regulation (EU/UK). Data subjects located in the European Union, United Kingdom, or European Economic Area possess the following rights pursuant to the General Data Protection Regulation (Regulation (EU) 2016/679) and the UK General Data Protection Regulation:

Right of Access (Article 15 GDPR): Data subjects may obtain confirmation as to whether personal information is being processed and, where applicable, access to such personal information together with supplementary information concerning: Purposes of processing; Categories of personal information; Recipients or categories of recipients; Retention periods or criteria for determining retention; Rights to rectification, erasure, restriction, or objection; Right to lodge a complaint with a supervisory authority; Source of information (where not collected from the data subject); Existence of automated decision-making, including profiling.

Right to Rectification (Article 16 GDPR): Data subjects may request correction of inaccurate personal information and completion of incomplete personal information through provision of supplementary statements.

Right to Erasure / "Right to be Forgotten" (Article 17 GDPR): Data subjects may request deletion of personal information where one of the following grounds applies: Personal information is no longer necessary in relation to the purposes for which it was collected; The data subject withdraws consent upon which processing is based (where consent is the legal basis), and no other legal ground exists; The data subject objects to processing pursuant to Article 21 GDPR, and no overriding legitimate grounds exist; Personal information has been unlawfully processed; Erasure is required for compliance with a legal obligation under EU or Member State law; Personal information was collected in relation to the offer of information society services to children.

The Company may refuse erasure requests where processing is necessary for: Exercise of the right of freedom of expression and information; Compliance with legal obligations or performance of tasks in the public interest; Establishment, exercise, or defense of legal claims; Other grounds specified in Article 17(3) GDPR.

Right to Restriction of Processing (Article 18 GDPR): Data subjects may request restriction of processing where: The data subject contests the accuracy of personal information (restriction applies for the period necessary to verify accuracy); Processing is unlawful, but the data subject opposes erasure and requests restriction instead; The Company no longer requires the personal information, but the data subject requires it for legal claims; The data subject has objected to processing pursuant to Article 21(1) GDPR, pending verification of whether legitimate grounds of the controller override those of the data subject.

Right to Data Portability (Article 20 GDPR): Data subjects may receive personal information provided to the Company in a structured, commonly used, machine-readable format and may request transmission of such information directly to another controller where technically feasible, subject to the following conditions: Processing is based on consent or contract performance; Processing is carried out by automated means.

Right to Object (Article 21 GDPR):

Objection Based on Legitimate Interests: Data subjects may object at any time to processing of personal information based on Article 6(1)(f) GDPR (legitimate interests), including profiling based on those provisions. The Company shall cease processing unless it can demonstrate compelling legitimate grounds that override the interests, rights, and freedoms of the data subject, or processing is necessary for establishment, exercise, or defense of legal claims.

Objection to Direct Marketing: Data subjects possess an absolute right to object at any time to processing of personal information for direct marketing purposes, including profiling related to direct marketing. Upon receipt of an objection, the Company shall cease processing for such purposes.

Objection to Processing for Scientific/Historical Research or Statistical Purposes: Data subjects may object to processing for scientific or historical research or statistical purposes pursuant to Article 89(1) GDPR, unless processing is necessary for performance of a task carried out for reasons of public interest.

Right to Withdraw Consent (Article 7(3) GDPR): Where processing is based on consent pursuant to Article 6(1)(a) or Article 9(2)(a) GDPR, data subjects may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal.

Right Not to Be Subject to Automated Decision-Making (Article 22 GDPR): Data subjects possess the right not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects or similarly significantly affect the data subject. As stated in Section 7, the Company does not engage in solely automated decision-making that produces legal or similarly significant effects.

Right to Lodge a Complaint (Article 77 GDPR): Data subjects possess the right to lodge a complaint with a supervisory authority (data protection authority) in the Member State of their habitual residence, place of work, or place of the alleged infringement. Contact information for supervisory authorities is provided in Section 12.4.

11.4 Exercise of Rights: Procedures and Timelines.

Submission of Requests: To exercise any of the rights enumerated above, data subjects should submit requests to: Email: info@marketcrunch.ai or privacy@marketcrunch.ai; Subject Line: "Privacy Rights Request," "Data Subject Request," "GDPR Request," or "CCPA Request"

Required Information: Requests must include the following information to enable verification and processing: Full name and email address associated with the user account (where applicable); Description of the specific right to be exercised (e.g., access, deletion, correction, portability); Sufficient information to permit identity verification (e.g., account details, recent transactions, or other authenticating information); Any additional supporting documentation relevant to the request.

Identity Verification: To protect the security and confidentiality of personal information, the Company will verify the identity of requestors prior to fulfilling requests. Verification methods may include: Confirmation of email address or account credentials; Response to security questions or authentication challenges; Provision of government-issued identification or other documentation where identity cannot be confirmed through existing account records.

The Company may request additional information where necessary to verify identity or clarify the scope of requests.

Response Timelines: The Company will respond to verified requests within the timeframes prescribed by applicable law:

  • GDPR (EU/UK): Thirty (30) days from receipt of the request, extendable by an additional sixty (60) days where requests are complex or numerous. Extensions will be communicated to the data subject within thirty (30) days of the original request, together with reasons for the delay.
  • California Consumer Privacy Act / California Privacy Rights Act: Forty-five (45) days from receipt of a verifiable request, extendable by an additional forty-five (45) days where reasonably necessary. Notice of extension will be provided within the initial forty-five (45) day period.
  • Virginia Consumer Data Protection Act / Colorado Privacy Act / Connecticut Data Privacy Act: Forty-five (45) days from receipt of the request, extendable by an additional forty-five (45) days where reasonably necessary, with notice provided to the consumer.
  • General Inquiries: Seven (7) to fourteen (14) business days for non-statutory inquiries.

Fees: The Company does not charge fees for processing requests unless: The request is manifestly unfounded, excessive, or repetitive; or The data subject requests multiple copies of the same information beyond the first copy.

Where a fee is applicable, the Company will provide advance notice of the fee amount and the basis for the charge. The data subject may withdraw the request to avoid the fee.

Denial of Requests: If the Company denies a request in whole or in part, the denial notice will include: Reasons for denial, with reference to the applicable legal basis or exception; Rights of appeal or complaint (where applicable); Information concerning how to exercise such rights.

Appeals Process (U.S. State Laws): For residents of states providing appeal rights (Virginia, Colorado, Connecticut, and others), data subjects may appeal denials by: Submitting an appeal request to privacy@marketcrunch.ai within a reasonable time following receipt of the denial (typically thirty (30) to sixty (60) days); Including in the appeal submission: the original request reference number, grounds for appeal, and any additional supporting information.

The Company will respond to appeals within the timeframes required by applicable state law (typically forty-five (45) to sixty (60) days) and will provide information concerning the right to contact the state attorney general or relevant enforcement authority if the appeal is denied.


12. International Transfers

12.1 Transfer to the United States. The Company is domiciled in the United States of America, and personal information collected through the Service is transferred to, stored, and processed on servers located within the United States, operated by Amazon Web Services, Inc. and Google Cloud Platform. The United States has not been determined by the European Commission to provide an adequate level of data protection under Article 45 of the General Data Protection Regulation.

12.2 Legal Mechanisms for International Transfers. For data subjects located in the European Union, United Kingdom, or European Economic Area, the Company relies on the following transfer mechanisms to ensure adequate safeguards for international data transfers:

Standard Contractual Clauses (EU): The Company has implemented the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) with its sub-processors and service providers located outside the European Economic Area. The Standard Contractual Clauses impose contractual obligations on data importers to implement appropriate technical and organizational measures and provide enforceable data subject rights.

International Data Transfer Agreement / Addendum (UK): For transfers from the United Kingdom, the Company implements the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as approved by the UK Information Commissioner's Office.

Supplementary Measures: In addition to Standard Contractual Clauses and the UK IDTA, the Company implements supplementary technical and organizational measures to protect personal information during and following transfer, including: Encryption of data in transit and at rest; Logical and physical access controls restricting access to authorized personnel; Contractual obligations imposed on sub-processors requiring compliance with data protection standards; Regular security audits and assessments.

12.3 Requests for Transfer Documentation. Data subjects may request copies of the safeguards implemented for international data transfers by submitting requests to info@marketcrunch.ai or privacy@marketcrunch.ai. The Company may redact commercially sensitive information from documentation provided in response to such requests.

12.4 Supervisory Authorities and Complaints. Data subjects located in the European Union or United Kingdom who have concerns regarding international data transfers or other aspects of personal data processing may lodge complaints with supervisory authorities:

European Union: Contact information for supervisory authorities in EU Member States is available through the European Data Protection Board at: https://edpb.europa.eu/about-edpb/board/members_en

United Kingdom: Information Commissioner's Office (ICO)

Website: https://ico.org.uk
Email: casework@ico.org.uk
Telephone: +44 303 123 1113
Postal Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom


13. Children's Privacy

13.1 Services Not Directed to Minors. The Service is not directed to, intended for use by, or designed to attract individuals under eighteen (18) years of age. Consistent with the Terms of Service, access to and use of the Service is restricted to individuals who have attained the age of majority (eighteen (18) years or older in most jurisdictions). The Company does not knowingly or intentionally solicit, collect, or maintain personal information from persons under eighteen (18) years of age.

13.2 Compliance with Children's Online Privacy Protection Act. The Company does not knowingly collect personal information from children under thirteen (13) years of age in violation of the Children's Online Privacy Protection Act (15 U.S.C. §§ 6501–6506) or equivalent jurisdictional requirements. In compliance with Article 8 of the General Data Protection Regulation, the Company does not knowingly process personal information of children under sixteen (16) years of age located in the European Union without verifiable parental or guardian consent.

13.3 Parental Notification and Deletion Rights. If a parent or legal guardian becomes aware that a child under the applicable age threshold has provided personal information to the Company without parental consent, the parent or guardian should immediately contact the Company at info@marketcrunch.ai or privacy@marketcrunch.ai. Upon verification of the claim, the Company will undertake commercially reasonable efforts to: Verify the identity of the parent or guardian; Confirm that personal information of a minor has been collected; Permanently delete such personal information from Company systems as soon as reasonably practicable, except where retention is required by law.

13.4 Age Verification Limitations. The Company relies on users to provide accurate information concerning age during account registration. The Company does not independently verify the ages of users. Should the Company implement additional age verification or age-gating mechanisms in the future, this Policy will be updated to reflect such measures.


14. Third-Party Sites & Services

14.1 Hyperlinks to External Resources. The Service may contain hyperlinks to third-party websites, applications, platforms, and online services (including, without limitation, broker-dealer websites, financial institution portals, educational resources, and news sources). The Company does not control, endorse, or assume responsibility for the privacy practices, content, or operations of third-party sites and services. Access to and use of third-party sites is at the user's sole risk and subject to the terms and privacy policies of such third parties.

14.2 Third-Party Service Provider Policies. The Service integrates with and relies upon third-party service providers as described in Section 6. Such providers operate under their own terms of service and privacy policies, which govern their collection, use, and disclosure of personal information. The Company encourages data subjects to review the privacy policies of all third-party service providers.

Third-party policies include, without limitation:

  • Stripe, Inc.: https://stripe.com/privacy
  • Plaid Inc.: https://plaid.com/legal/#end-user-privacy-policy
  • Google LLC (Firebase, Analytics): https://policies.google.com/privacy
  • Amazon Web Services, Inc.: https://aws.amazon.com/privacy/
  • Google Cloud Platform: https://cloud.google.com/terms/cloud-privacy-notice
  • Alpaca Markets LLC: https://alpaca.markets/docs/disclosures/privacy-policy/
  • Polygon.io: https://polygon.io/privacy

14.3 Brokerage Accounts and Financial Institutions. When data subjects elect to link external brokerage accounts via Plaid, they become subject to Plaid's End User Privacy Policy and the terms of service and privacy policies of their respective broker-dealers or financial institutions. The Company is not responsible for: Data collection, use, disclosure, or security practices of Plaid or broker-dealers; Availability, accuracy, or reliability of data transmitted through Plaid's infrastructure; Actions, omissions, or policies of broker-dealers or financial institutions; Disruptions, errors, or failures in data aggregation or transmission; Investment decisions, trade executions, or account management conducted through broker-dealer platforms.

Data subjects should direct inquiries concerning Plaid's or broker-dealers' data practices to those entities directly.

14.4 Market Data Providers. Securities market data incorporated into the Service is obtained from third-party vendors, including Alpaca Markets LLC and Polygon.io. Such data is subject to the vendors' terms and conditions. The Company does not warrant the accuracy, completeness, timeliness, or reliability of third-party market data and is not responsible for errors, omissions, delays, or inaccuracies in such data.

14.5 No Endorsement. The presence of hyperlinks to third-party sites or references to third-party service providers does not constitute an endorsement, recommendation, or warranty by the Company concerning such third parties or their services, products, or content.


15. Changes to This Policy

15.1 Right to Modify. The Company reserves the right to modify, amend, supplement, or replace this Privacy Policy at any time in its sole discretion to reflect changes in business practices, legal or regulatory requirements, technological developments, or other operational considerations.

15.2 Notice and Publication of Changes. Upon adoption of material modifications to this Policy, the Company will:

  • Update the "Effective Date" displayed at the beginning of this Policy;
  • Publish the revised Policy on the Service at the URL where this Policy is maintained;
  • Provide notice of material changes through one or more of the following methods:
      • Prominent notice on the Service homepage or login page;
      • Electronic mail notification to the address associated with user accounts;
      • In-Service notifications or alerts;
      • Other commercially reasonable means calculated to provide actual notice.

The Company may, in its discretion, provide a summary of material changes or a redlined version showing modifications to the prior version.

15.3 Continued Use Constitutes Acceptance. Continued access to or use of the Service following publication of a revised Privacy Policy constitutes acceptance of and agreement to be bound by the revised Policy. Data subjects who do not agree to the revised Policy must discontinue use of the Service and may request deletion of their accounts and personal information as provided in Section 11.

15.4 Material Changes Requiring Consent. For certain material changes that expand the purposes for which personal information is processed, introduce new categories of recipients, or otherwise materially diminish data subject rights or protections, the Company may seek affirmative consent from data subjects where required by applicable law, including: Article 6(1)(a) GDPR (consent as legal basis for new processing purposes); Cal. Civ. Code § 1798.100(b) (notice at or before collection for new categories or purposes); Other jurisdiction-specific requirements.

15.5 Version Control and Access to Prior Versions. The Company maintains a version history of this Privacy Policy. Prior versions may be made available upon request by contacting info@marketcrunch.ai, subject to the Company's document retention policies.


16. Contact Us

16.1 General Inquiries. Inquiries concerning this Privacy Policy, the Company's data processing practices, or related matters should be directed to:

MarketCrunch AI, Inc.
Electronic Mail:
info@marketcrunch.ai (general inquiries)
privacy@marketcrunch.ai (privacy-specific inquiries and data subject requests)
Postal Address:
490 Post St. STE 500 #2010, San Francisco CA 94102

16.2 Data Subject Rights Requests. Requests to exercise data subject rights described in Section 11 should be submitted via electronic mail to: privacy@marketcrunch.ai or info@marketcrunch.ai

Recommended Subject Lines: "Data Subject Request" or "Privacy Rights Request" (general requests); "GDPR Request" (EU/UK data subject requests); "CCPA Request" or "California Privacy Request" (California resident requests); "Access Request," "Deletion Request," "Correction Request," or "Portability Request" (specific right being exercised)

16.3 Complaints and Concerns. Data subjects with complaints or concerns regarding the Company's compliance with this Privacy Policy or applicable data protection laws should contact privacy@marketcrunch.ai with the subject line "Privacy Complaint" or "Compliance Concern."

16.4 Response Commitments. The Company commits to responding to all substantive inquiries and requests within the timelines specified in Section 11.4 or, for general inquiries not subject to statutory timelines, within seven (7) to fourteen (14) business days.

16.5 European Union and United Kingdom Representatives. If and when the Company appoints a representative in the European Union pursuant to Article 27 GDPR or in the United Kingdom pursuant to UK GDPR Article 27, contact information for such representative(s) will be published in this section.

16.6 Data Protection Officer. In the event the Company appoints a Data Protection Officer (DPO) as required under Article 37 GDPR or elects to designate a DPO voluntarily, contact information will be provided here.


17. Jurisdictional Addenda

17.1 European Union and United Kingdom Addendum. This addendum applies to data subjects located in the European Union, United Kingdom, or European Economic Area and supplements the foregoing provisions of this Privacy Policy.

A. Controller Identification. MarketCrunch AI, Inc., a Delaware corporation with principal place of business in the United States, serves as the data controller for purposes of the General Data Protection Regulation (Regulation (EU) 2016/679) and the UK General Data Protection Regulation.

B. Legal Bases for Processing (Summary). The Company processes personal information pursuant to the following legal bases under Article 6 GDPR:

Processing Activity: Service provisioning, account authentication, subscription management, alert delivery - Legal Basis: Performance of contract - GDPR Article: Article 6(1)(b)

Processing Activity: Analytics, service improvement, security operations, fraud prevention - Legal Basis: Legitimate interests - GDPR Article: Article 6(1)(f)

Processing Activity: Marketing communications (where consent required), non-essential cookies - Legal Basis: Consent - GDPR Article: Article 6(1)(a)

Processing Activity: Compliance with legal obligations, regulatory reporting - Legal Basis: Legal obligation - GDPR Article: Article 6(1)(c)

C. Legitimate Interests Assessment. Where processing is based on legitimate interests pursuant to Article 6(1)(f) GDPR, the Company has conducted balancing tests and determined that its legitimate interests in conducting such processing are not overridden by the interests, rights, or freedoms of data subjects. Legitimate interests pursued include: Enhancement of Service quality, functionality, and user experience through analytics and product development; Protection of Company systems, infrastructure, and users against security threats, fraud, and abuse; Efficient operation of business processes and technical infrastructure; Marketing of Service features and offerings to existing customers.

Data subjects may request information concerning specific legitimate interests assessments by contacting privacy@marketcrunch.ai.

D. International Data Transfers. As described in Section 12, personal information is transferred from the European Economic Area and United Kingdom to the United States. The Company implements Standard Contractual Clauses (EU) and the International Data Transfer Agreement / Addendum (UK) as appropriate safeguards for such transfers.

E. Data Retention. Retention periods for categories of personal information are specified in Section 9. Personal information is retained only for the duration necessary to fulfill processing purposes or satisfy legal obligations.

F. Automated Decision-Making and Profiling. As detailed in Section 7, the Company does not engage in solely automated decision-making that produces legal effects or similarly significantly affects data subjects within the meaning of Article 22 GDPR. Service outputs constitute informational content only and do not impose binding consequences.

G. Data Subject Rights (Summary). Data subjects possess the rights enumerated in Section 11.3, including rights of access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. Rights may be exercised as described in Section 11.4.

H. Right to Lodge Complaints. Data subjects may lodge complaints concerning the Company's data processing practices with supervisory authorities. Contact information for the European Data Protection Board and UK Information Commissioner's Office is provided in Section 12.4.

I. Data Protection Officer and EU/UK Representative. If appointed, contact information for the Company's Data Protection Officer and EU/UK representatives will be provided in Section 16.

17.2 California Addendum (CCPA / CPRA). This addendum applies to California residents and supplements the information provided in this Privacy Policy pursuant to the California Consumer Privacy Act (Cal. Civ. Code §§ 1798.100–1798.199) as amended by the California Privacy Rights Act.

A. Notice at Collection. At or before the point of collection, the Company provides notice to California consumers concerning: Categories of personal information to be collected (Section 2); Purposes for which personal information will be used (Section 4); Whether personal information is sold or shared (Section 6.6: No); Retention periods or criteria (Section 9); Consumer rights (Section 11.2).

B. Categories of Personal Information Collected. The following table summarizes categories of personal information collected during the twelve (12) months preceding the Effective Date of this Policy:

| CCPA Category | Examples | Collected | Business Purpose | Disclosed to Third Parties |
|---|---|---|---|---|
| Identifiers | Name, email address, IP address, device identifiers | Yes | Service operation, authentication, communications | Service providers (Google, Firebase, AWS, GCP, email providers) |
| Financial Information | Payment transaction metadata (via Stripe); brokerage holdings metadata (via Plaid) | Yes | Payment processing; alert generation | Service providers (Stripe, Plaid) |
| Commercial Information | Subscription status, billing history, purchase records | Yes | Subscription management, billing | Service providers (Stripe) |
| Internet/Network Activity | Usage data, logs, cookies, browsing behavior | Yes | Analytics, service improvement, security | Service providers (Google Analytics, AWS, GCP) |
| Geolocation Data | Approximate location derived from IP address | Yes | Analytics, compliance, security | Service providers (AWS, GCP) |
| Inferences | Usage preferences, interests derived from activity | Yes | Personalization, service improvement | Service providers (AWS, GCP) |
| Sensitive Personal Information | Financial account information (holdings metadata for alert purposes only) | Yes (limited) | Alert generation, fraud prevention | Service providers (Plaid, AWS, GCP) |

C. Sources of Personal Information. Personal information is obtained from the sources described in Section 3, including: Directly from consumers; Automatically from consumer devices; Third-party service providers (Google, Plaid, Stripe); Public and commercial data sources (market data vendors).

D. Purposes for Collection and Use. Personal information is collected and used for the business and commercial purposes described in Section 4, including service provisioning, payment processing, communications, analytics, security, and compliance.

E. Categories of Third Parties to Whom Personal Information is Disclosed. Personal information is disclosed to the categories of service providers and processors identified in Section 6.1, including payment processors, authentication providers, cloud infrastructure providers, email service providers, and market data vendors.

F. Sale and Sharing of Personal Information. The Company does not sell personal information as "sale" is defined in Cal. Civ. Code § 1798.140(ad). The Company has not sold personal information during the twelve (12) months preceding the Effective Date.

The Company does not share personal information for cross-context behavioral advertising as "sharing" is defined in Cal. Civ. Code § 1798.140(ah). The Company has not shared personal information for such purposes during the twelve (12) months preceding the Effective Date.

In the event the Company's practices change, the Company will update this Policy and implement required "Do Not Sell or Share My Personal Information" mechanisms.

G. Sensitive Personal Information. The Company's use and disclosure of sensitive personal information (financial account information obtained via Plaid) is limited to purposes specified in Cal. Civ. Code § 1798.121(a), specifically: Performing services reasonably expected by consumers (alert generation); Detecting security incidents and preventing fraud.

The Company does not use or disclose sensitive personal information for purposes that would trigger the right to limit pursuant to Cal. Civ. Code § 1798.121(b).

H. Retention. Retention periods for categories of personal information are set forth in Section 9. The Company retains personal information only for the duration necessary to fulfill disclosed purposes or satisfy legal obligations.

I. Consumer Rights. California residents possess the rights described in Section 11.2, including: Right to know (access) categories and specific pieces of personal information; Right to delete personal information; Right to correct inaccurate personal information; Right to data portability; Right to opt out of sale or sharing (not applicable, as the Company does not sell or share); Right to limit use of sensitive personal information (not applicable, as sensitive information is used only for permitted purposes); Right to non-discrimination for exercise of privacy rights.

J. Authorized Agents. California residents may designate authorized agents to submit requests as described in Section 11.2.

K. Verification Procedures. The Company verifies consumer identity prior to fulfilling requests using the procedures described in Section 11.4.

L. Contact for California Privacy Rights. California residents should submit privacy requests to privacy@marketcrunch.ai or info@marketcrunch.ai as described in Section 16.

M. Shine the Light Law. California Civil Code § 1798.83 permits California residents to request information concerning disclosure of personal information to third parties for direct marketing purposes. Because the Company does not disclose personal information to third parties for their own direct marketing purposes, this provision does not apply.

17.3 Other United States Jurisdictions. Residents of Virginia, Colorado, Connecticut, Utah, and other U.S. states that have enacted comprehensive privacy legislation possess rights substantially similar to those described in Section 11.2, subject to jurisdiction-specific variations. Such rights typically include access, deletion, correction, portability, and opt-out rights. Residents of such states may exercise rights by contacting privacy@marketcrunch.ai using the procedures described in Section 11.4.

Where applicable state law provides for appeals of denials of consumer requests, residents may appeal as described in Section 11.4.


Last Updated: Nov 04, 2025
