Privacy Policy | Supernal AI

GLOBAL PRIVACY POLICY

(The "Privacy Policy")

INFINITY CONSTELLATION INC. D/B/A SUPERNAL

Last Reviewed: August 4, 2025

‍

Meet the Team

Thank you for visiting [https://www.getsupernal.ai/] and our other related digital platforms (the “Websites”). At Infinity Constellations Inc. (d/b/a Supernal), a U.S.-based AI agent service provider ("Company," "we," "us," or "our"), we take your privacy seriously. This Global Privacy Policy outlines how we handle your Personal Information when you interact with us through our Websites, our managed artificial intelligence services or any other of our services (the “Services”), or any public-facing activities.

By accessing or using our Websites or Services, you acknowledge that you have read and understood this Policy, and that you consent to the collection, use, and disclosure of your Personal Information as described herein.

By “Personal Information” we mean any information that can be used to identify a specific person, either on its own or when combined with other details. This includes obvious things like your name, email address, phone number, or home address, but also covers less obvious details like your IP address.

As part of our commitment to continuous improvement, we may update this Policy periodically. We will notify you of material changes by posting an update on our website, or, if available, by email.Continued use of our Services after any posted changes signifies your agreement to those changes.

‍

Regional Privacy Rights

Please refer to the sections below titled “Your Rights in the United Kingdom, Switzerland, EU and EEA,” and “Your Rights in California” for details on how to exercise your rights under certain region-specific applicable data protection laws.

‍

What This Policy Is About

This Global Privacy Policy ("Policy") explains how the Company collects, uses, discloses, process, stores, and protects Personal Information of individuals who interact with us, including but not limited to:

Visitors to our websites, users of our applications, widgets and AI services
Attendees at our events, webinars, or other business activities
Individuals who engage with us on social media or via our marketing channels
Individuals who interact with our services via partners or integrations
Persons who access our support, partner portals or contact us directly (e.g., for support or feedback)
Persons whose data we receive from trusted third parties or public sources

This Policy applies globally and strives to comply with applicable data protection and privacy laws, including but not limited to the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA"), and other national or regional data protection frameworks.

This Privacy Policy also describes your rights with respect to personal information, and how to exercise them.

‍

Exclusions from this Policy

This Policy does not apply where we process Personal Information solely on behalf of our business customers, acting as a data processor or service provider. For example, this may include circumstances where your employer has provided you access to one of our AI products, or you are interacting with an application or service that is powered by our AI technology in the background.

In all cases where a third-party like an employer or service provider provides us with your Personal Information, we process your Personal Information on the basis of our agreement with the corresponding third party providing us with your Personal Information. The corresponding third party is the controller of your Personal Information, and their privacy policy will apply. We encourage you to consult the privacy policy of the corresponding company with whom you have a direct business relationship for information about how your data is handled in those situations. If you have questions regarding their data handling practices or their sharing of information with us, please contact the relevant organization directly.

This Policy does not apply to our current or former employees, nor to any person who engages in a specific contractual relationship with us and agrees to a particular privacy policy that differs from the present Privacy Policy. If you are in such a case, please refer to your agreed and applicable policy.

‍

The Basics of this Policy

To help you understand the foundation of this Policy and how we handle Personal Information, here are some important highlights:

We operate primarily in a business-to-business (“B2B”) context. Accordingly, we may collect Personal Information related to employees, representatives, or agents of our enterprise customers, prospective clients, vendors, and business partners where such data is needed to support our business activities and relationships. In certain cases, applicable laws and regulations do not apply to Personal Information collected related B2B relationships.
Where appropriate and necessary, Personal Information may be shared across our corporate group entities to ensure efficient internal operations and service delivery.
We rely on third-party service providers located around the world to store, manage, and process Personal Information for business continuity and global operations.
We do not sell your Personal Information to any third parties.
We conduct direct B2B marketing, including email communications, invitations to webinars and events, newsletters, and educational resources regarding our solution.
We use Personal Information to support key areas of our global business operations, such as sales, customer service, finance, partner management, and compliance.
Personal Information collected for the purposes outlined in this Policy is retained only for as long as necessary to fulfill the purpose for which it was collected or to support our ongoing business needs, subject to applicable legal or regulatory retention requirements.

‍

What We Collect, Keep, and Why

We collect different categories of Personal Information in a variety of contexts and for diverse purposes. These include data you voluntarily provide, data we automatically collect based on your use of our Websites and Services, and data we gather or receive to support and improve our Websites and Services.

Each data collection situation is described in detail, including the types of data collected, how the data is used, the lawful basis relied upon for such processing, and any third parties with whom the data may be shared.

For your convenience and transparency, see below a comprehensive table, outlining our standard data collection and process activities, including :

Situations in which data collection occurs.
The specific types of Personal Information collected in each situation.
The purposes for which this data is used.
The legal bases that justify such collection and use.
The categories of recipients with whom the data may be shared.

This framework ensures a detailed, lawful, and transparent approach to data collection, consistent with our obligations under global privacy regulations.

‍

Data Collection Activities	Data we Collect	How we Use it	Our Lawful Basis	How do we Share it?
If you browse any of our websites	IP address, browser type, device identifiers, language settings	To present the site correctly based on your device and locale	Legitimate interests	Web infrastructure and CDN providers
	Clickstream data, cookie identifiers, session logs	To monitor and analyze site usage for improvements	Consent (cookies); Legitimate interests	Analytics providers
	IP address, activity timestamps	To detect fraud or unauthorized access	Legitimate interests; Legal obligation	Security monitoring vendors
	Essential cookies (e.g., session identifiers, login tokens, CSRF tokens)	To enable secure login, maintain session continuity, and deliver core site functionality	Legitimate interests; Contractual necessity	Hosting and authentication service providers
	Non-essential cookies (e.g., analytics cookies, ad tracking cookies)	To perform audience measurement, track user behavior, and deliver personalized ads	Consent (required under applicable law)	Analytics providers, advertising partners
If you contact us	Support transcripts, screenshots, system logs	To resolve product or service issues	Contract; Legitimate interests	Support platforms, external technical escalation teams
If you engage with our events and resources (such as webinars)	Name, role, dietary restrictions, access needs	To plan logistics and accommodate participants	Consent	Event venues, catering services
	Event attendance logs, participation behavior	To follow up with additional content or surveys	Legitimate interests	Marketing platforms, CRM systems
If you create an account with us	Password hashes, email verification tokens	To verify identity and enable secure login	Contractual necessity	Authentication vendors
If you use any of our services or product	Prompt text, documents, files, chat messages	To provide responses and facilitate AI functionality	Contractual necessity	Processing infrastructure and AI service engines
	Prompts and outputs (where permitted by user)	To improve model performance via supervised training	Consent	Third-party Sub-processors
	Session metadata, feature usage logs, timestamps, error codes	To maintain performance, detect issues, and improve product features	Legitimate interests	Observability and analytics tools
If you access or use API services	API keys, account ID, usage volume, endpoint calls, error logs	To provide and maintain API functionality, ensure fair use, monitor for abuse	Contractual necessity; Legitimate interests	Backend infrastructure providers, monitoring services
If you are involved in legal inquiries, requests or enforcement matters	All records relevant to the subject request or investigation	To comply with court orders, subpoenas, and legal requirements	Legal obligation	Law enforcement, regulatory bodies, legal counsel
If you interact with third-party integrations, plug-ins or log in via federated identity	OAuth tokens, user ID from third-party platform, integration metadata	To allow access and functionality through third-party integrations	Consent; Contractual necessity	Third-party identity providers, plug-in vendors
If we collect data from enterprise customers	Employee identifiers, usage logs, content shared through enterprise accounts	To deliver services on behalf of enterprise customers and support integrations	Processor obligation under contract	Authorized sub-processors, IT integrators
If you subscribe to a newsletter or promotional communications	Email address, name, communication preferences	To send promotional messages, newsletters, and product announcements	Consent	Email marketing providers, CRM systems
If we send you service notifications or administrative communications	Email address, account ID, activity logs	To notify you about service status, updates, outages, and security alerts	Contractual necessity; Legal obligation	Infrastructure and email delivery vendors
If you are a business client's administrator or billing contact	Contact details, role, payment and invoicing records	To manage the commercial and billing relationship with the enterprise customer	Contractual necessity; Legitimate interests	Billing processors, finance systems
If you provide sensitive data (e.g. dietary, accessibility, biometric)	Health, biometric, dietary restrictions, accessibility requests	To accommodate your needs at events or during platform use	Explicit consent	Event organizers, hosting platforms with restricted access
If we build user profiles or perform automated personalization	Usage patterns, interactions, preferences, model outputs	To personalize experiences or optimize service behavior	Legitimate interests; Consent (if marketing involved)	Sub-processors
If you request a data export or portability request	All Personal Information held about you across systems	To comply with your right to data portability	Legal obligation	Data subject or authorized representative

‍

We may need to use any of your Personal Information to comply with legal requirements and exercise or defend legal claims.

To ensure the data we hold is up-to-date we may periodically ask you to confirm this information or we may supplement this information with additional data we collect from other sources.

We may aggregate and anonymise Personal Information such that it is no longer Personal Information for the purposes of enhancing our services and business practices.

‍

Lawfulness of our Data Processing

Where we process your personal information, we do so in accordance with applicable privacy laws. The most common legal bases we rely on are:

Consent: You have provided your express consent to process your Personal Information for the purposes set out in this Global Privacy Policy during the capture of your personal information.
Legitimate Interests: The processing is done pursuant to our legitimate interests of conducting our business, in accordance with applicable law and in consideration of your rights. Personal Information.
Performance of a contract: We must process your Personal Information in order to be able to provide you or the organisation you represent with one of our products or services.

While we primarily rely on the legal bases outlined above, there may be limited circumstances in which other legal grounds apply to the Processing of your Personal Information. These may include:

Vital Interests: Where the Processing of your Personal Information is necessary to protect your life or the physical safety of another individual.
Legal Obligation: Where we are required to Process your Personal Information in order to comply with applicable laws or regulatory requirements.

‍

Our Third-Party Websites

Our websites and applications may contain links to websites or platforms operated by third parties. We do not control, and are not responsible for, the privacy practices, content, or security of such third-party websites. The presence of a link to a third-party site does not imply endorsement by us. We strongly encourage you to review the privacy policies and data protection practices of any third-party platform or website before providing your Personal Information to them.

‍

Our Use of Cookies

We use cookies and similar technologies to provide functionality, enhance your browsing experience, deliver personalized content and advertisements, and analyze usage patterns. Our websites and applications deploy cookies that are essential for their technical operation, as well as non-essential cookies for analytics, marketing, and customization.

Where required by applicable law—such as the GDPR, UK GDPR, and Quebec’s Law 25—we obtain your prior consent before placing any non-essential cookies on your device. This ensures that only strictly necessary cookies are active by default unless and until you consent otherwise.

We honor browser-based “Do Not Track” signals and Global Privacy Control settings where legally required. You have the right to manage your cookie preferences and withdraw consent at any time by accessing our cookie management platform, which is available via the “Cookie Settings” link located in the footer of our website.

Through this platform, you can:

View detailed information about each category of cookies (essential, analytics, functional, marketing);
Enable or disable non-essential cookies based on your preferences;
Review a list of third-party vendors that may place cookies via our site;
Access and update your consent history;
Revoke consent for previously accepted cookie categories.

Your preferences will be stored using a browser cookie, so please note that if you delete your cookies or use a different browser or device, you will need to set your preferences again.

‍

What do we Share with Third Parties

When we share your personal information, we do so in accordance with applicable data protection laws. This includes implementing appropriate safeguards such as transferring data only to jurisdictions with adequate protection, using standard contractual clauses approved by regulatory authorities, or binding intercompany agreements.

‍

Sharing Within our Corporate Group:

As a global organization, we may share Personal Information among our affiliated entities, subsidiaries, and global offices. All such transfers are governed by intercompany agreements aligned with international data transfer standards (see the section below on “Where Is Your Personal Information Stored?”).

‍

Sharing With Reseller and Business Partners:

We may work with resellers, distributors, or strategic partners to deliver our services. If needed to fulfill obligations, we may share Personal Information with these partners, especially when they assist in customer support, onboarding, or provisioning of services.

‍

Sharing With our Vendors and Service Providers:

We may rely on trusted third-party vendors and services providers to support our operations and help us in our duties towards you. When doing so, such vendors and service providers may access your Personal Information in the following situations:

Marketing and Business Development: to deliver our marketing and business development campaigns we may share data with digital marketing providers, social media companies with whom we have a business account and advertising companies, market research partners, webinar hosts, venues, event organisers and registration providers, and other trusted vendors who assist in the performance of our marketing campaigns.

Sales, Finance, Business Operations and Delivering Services: we use (a) third-party sales tools to track pipeline activity and order information, (b) finance and invoicing tools to assist in managing orders, customer billing and fulfillment, (c) legal and compliance tools to assist in our contracting and compliance activities including credit checks, (d) consultants, contractors and other specialists to provide professional services, and (e) other vendors which support our business operation.

Further vendors: We use trusted vendors to provide goods and services which support our business operations

We engage third-party vendors and service providers under legally binding agreements that govern their access to and processing of Personal Information. These agreements require such third parties to implement appropriate safeguards and adhere to our instructions regarding the protection and use of Personal Information.

Where applicable, these arrangements may include compliance with recognized international data transfer frameworks, such as the Data Privacy Framework (DPF), including any relevant extensions or equivalents.

We remain responsible and accountable under applicable data protection laws for the actions of our third-party agents who process Personal Information on our behalf, except where we can demonstrate that we are not responsible for the event giving rise to the non-compliance.

We use service providers and sub-processors to help us deliver our Services. We strive to ensure that all sub-processors adhere to data protection obligations consistent with this policy. We maintain and publish an up-to-date list of sub-processors, accessible at: https://www.getsupernal.ai/legal/subprocessors

‍

Sharing your Personal Information for Legal Reasons

We may also use and disclose personal information, as we believe to be necessary, appropriate, or required for Legal and Regulatory compliance.

That situation includes the following disclosures :

To comply with legal obligations, regulatory inquiries, court orders, or subpoenas;
In response to lawful requests by public authorities, including to meet national security or law enforcement requirements;
To enforce our terms and agreements;
To protect our rights, property, operations, or safety, or those of others;
In the context of mergers, acquisitions, or corporate restructuring;
To pursue legal remedies or mitigate damages.

Our group, including our related entities may at times be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements and shall do so in compliance with applicable laws and regulations.

‍

How we Secure Personal Information

We implement robust technical and organizational measures to safeguard Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These security measures are tailored to the nature, scope, context, and purposes of the data processing, as well as the risks posed to individuals.

Specifically, we apply industry-standard security practices where relevant. For example, we may leverage measures such as encryption at rest and in transit, strict access controls and authentication protocols, continuous monitoring, vulnerability management, and regular audits.

All personnel with access to Personal Information are trained in privacy and security best practices and are bound by confidentiality obligations.

If you suspect or become aware of any security vulnerabilities, incidents, or unauthorized access involving your Personal Information or our systems, please notify us immediately by contacting us at Legal@getsupernal.ai. We take such notifications seriously and will respond promptly in accordance with our incident response protocols.

‍

Where we Store Personal Information

We operate from the United States, and the majority of the Personal Information we collect is processed and stored within infrastructure located in the United States . In accordance with the global nature of our business, we may transfer your Personal Information to our affiliated companies, trusted partners, and service providers located in countries outside of your own jurisdiction, including outside the United States, European Economic Area (EEA), Asia-Pacific (APAC) region, Brazil, and other territories.

These transfers are made for the purposes described in this Global Privacy Policy, including to provide our services, improve functionality, and support global operations. The primary jurisdictions to which we transfer data include the USA and countries within the EEA, where business needs or technical infrastructure require such processing. Prior to initiating such transfers, we conduct appropriate assessments when required by applicable law to evaluate potential risks and ensure adequate protection measures are in place.

To protect your Personal Information in cross-border transfers, we implement one or more legally recognized safeguards, such as:

Transferring to jurisdictions formally recognized by relevant authorities (e.g., UK, EU, EEA) as providing an adequate level of data protection;
Executing Standard Contractual Clauses (SCCs) approved by data protection authorities, when appropriate;
Relying on other applicable legal mechanisms, such as binding corporate rules, certifications, or contractual commitments.

All intra-group transfers are governed by binding intercompany agreements reflecting internationally recognized privacy standards, ensuring your Personal Information remains protected regardless of where it is processed.

‍

How we Retain and Delete Data

We retain Personal Information for as long as necessary to fulfill the purposes for which it was collected, as outlined in this Global Privacy Policy, and in accordance with applicable data protection laws and regulatory obligations.

‍

To decide how long we keep your personal information, our retention practices are guided by :

The duration of your relationship with us, including the provision of services and active use of accounts – For example, for as long as you have an account with us or keep using the services.
Legal obligations that require retention of certain information for regulatory or compliance purposes – For example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them.
The necessity of retaining data to resolve disputes, enforce agreements, or manage legal claims.

Our retention periods vary by data category, based on the type of information we process. In order to provide a general idea of our data retention practices, we reproduce our main guidelines below.

Account and contact data: retained for the duration of the relationship and up to 7 years post-termination for compliance and legal recordkeeping.
Marketing and analytics data: retained for up to 24 months unless consent is withdrawn earlier.
AI service inputs/outputs: retained only when legally justified, and anonymized or deidentified where applicable, for training and improvement purposes.

We apply secure deletion and de-identification procedures when data is no longer needed. You may contact us to request additional information about retention practices specific to your Personal Information.

‍

Contact Us

If you have a question, complaint or any feedback about how your Personal Information is processed or this Global Privacy Policy, please contact us here legal@getsupernal.ai . To help us efficiently process your request, we utilize a third-party privacy management platform.

Where required by law, our entities have appointed Data Protection Officers (DPOs). Please refer to the jurisdiction-specific section of this Global Privacy Policy for DPO contact information relevant to your region.

‍

Complaints

If we are unable to resolve your concern to your satisfaction, you have the right to lodge a complaint with the competent regulatory authority in your jurisdiction.

‍

Your Rights in the United Kingdom, Switzerland, EU and EEA

If you are in United Kingdom (“UK“), Switzerland, the European Union (“EU“) or European Economic Area (“EEA“), you may have the following rights under applicable data protection laws:

Right of Access: You may request confirmation of whether we are Processing your Personal Information and, where applicable, receive a copy of that information.
Right to Rectification: You may request correction of inaccurate or incomplete Personal Information.
Right to Erasure: You may request the deletion of your Personal Information in certain circumstances, subject to legal exceptions.
Right to Restrict Processing: You may ask us to limit the Processing of your Personal Information in specific situations.
Right to Data Portability: Where legally applicable, you may request to receive Personal Information you provided to us in a structured, commonly used, machine-readable format and to have it transferred to another controller.
Right to Object: In some cases, you may object to the Processing of your Personal Information, including where it is based on our legitimate interests or used for direct marketing purposes.
Right to Withdraw Consent: Where Processing is based on your consent, you may withdraw it at any time. All marketing emails include an unsubscribe option and a link to manage preferences.
Rights in Relation to Automated Decision-Making: If we use automated decision-making that has legal or similar significant effects on you, you may have the right to request human review and to challenge the decision.

We apply these rights consistently, regardless of your location, where required by applicable law.

‍

How to exercise your rights Under European and Swiss Privacy Laws

As stated above, to exercise any of your rights, please contact us here legal@getsupernal.ai.

We will typically be able to respond within one month. If your request is complex, we may need longer and will inform you accordingly.

We may need to verify your identity and ask for more information before processing your request. We may use a trusted third-party vendor to collect the information in the contact us form.

If you have a complaint which has not been resolved to your satisfaction or its specifically appointed country representatives, please refer the section “How to Contact Us” or the country-specific sections that follow.

Your Rights in California

If you are in California, the following section on your rights in Personal Information also applies.

If you are a California resident, please review this section below as it is applicable to your Personal Information (“California Personal Information“). Unless otherwise expressly stated, all terms in this California Global Privacy Policy have the same meaning as defined in our Global Privacy Policy or as otherwise defined in the CCPA.

‍

Your Rights Under Brazil Privacy Laws

This section supplements the information contained in our Global Privacy Policy and applies solely to individual residents of California. This California Global Privacy Policy provides additional information about how we collect, use, disclose and otherwise process Personal Information of consumers, either offline or online, within the scope of the California Consumer Privacy Act (“CCPA”), as amended by the California Consumer Rights Act (“CPRA) (collectively, “California Privacy Law”).

California Personal Information: Depending on your online and offline interactions with us, we may collect and process the different categories of California Personal Information including Identifiers, Professional or employment-related information, Internet or other electronic network activity information, Audio, electronic, visual or similar information, and Inferences drawn from the information collected.
Sensitive California Personal Information: Certain California Personal Information that we collect about you may be considered sensitive Personal Information within the meaning of California Privacy Law. We only use and disclose sensitive Personal Information as necessary in connection with the performance of services and the provision of goods, compliance with federal, state, or local laws, and as otherwise permitted by California Privacy Law.‍
Sources of California Personal Information: We generally source the categories of California Personal Information identified above directly from you – for instance, when you provide information as part of a business transaction or otherwise – or from third parties, such as business partners and analytics providers. We do not knowingly share the California Personal Information of individuals under 16 years of age, in a manner that constitutes a “sale” under California law.
‍Purposes of our use of California Personal Information: Our uses of California Personal Information is fully detailed above in this General Privacy Policy. For sake of clarity, all purpose of use entails business purposes, including to ensure our Services (as defined above) are presented to you in the most effective way on your device, diagnose problems with our server or administer our websites, analyse user traffic to understand how people use our Services, measure use of our websites and to improve the content of our websites and our services, reply to your form submissions, events, feedback, and enquiries, administer your access to our websites, online services, applications and mobile apps, improve our services, ensure our premises remain safe and secure, or for compliance, quality, training and other purposes.‍
Disclosure of California Personal Information: We may disclose the categories of California Personal Information described above for the business purposes described above to our group entities, to our resellers, distributors, and business support partners, or to Law enforcement officials, when required by law. We may disclose Identifiers and Internet or other electronic network activity information for the commercial purposes described above to third party services providers.‍
Retention of California Personal Information: We retain your California Personal Information for as long as needed or permitted in light of the purpose(s) for which it was obtained. To direct our retention of information, we consider the length of time we have a relationship with you and provide services to you or our customer (for example, for as long as you have an account with us or keep using the services); our legal obligations related to retention of California Personal Information(for example, certain laws require us to keep records of your transactions for a certain period of time before we can delete them); or our needs to retain information in case of a dispute or investigation, including to bring, defend and manage any litigation.

‍

Subject to certain exceptions and limits, if you are a California resident, you may also have the following rights :

Request Information on California Personal Information: For certain categories of California Personal Information, you may seek more information about public and private entities with which we shared your personal information, for their own direct marketing purposes in the previous calendar year and the names and addresses of those third parties.
Obtain Confirmation and Access to California Personal Information: You may request to know and access the specific pieces of California Personal Information we have collected about you, disclosed for a business purpose or sold to third parties (if any). In each case, you may ask the specific categories of the related California Personal Information, their source categories and the categories of recipients to whom this information was disclosed or sold and the business or commercial purposes for collecting or, if applicable, selling such California Personal Information about you.
Erasure/Deletion California Personal Information: You may have the right to ask us to erase the California Personal Information we have collected from you, although this right applies in certain circumstances, and we may be permitted to retain your Personal Information notwithstanding your request if an exception under data protection laws applies.
Consent to sell California Personal Information: You may direct us not to sell or share California Personal Information we have collected about you, now or in the future. If you are under the age of 16, you have the right to opt in, or to have a parent or guardian opt in on your behalf, to such sales.
Correct Inaccurate California Personal Information: You may have the right to correct incomplete California Personal Information that has been collected about you.
Restrict our Use of Sensitive California Personal Information: You may have the right to limit, at any time to the processing of your Sensitive Personal Information (as the term is defined under California Privacy Law), we have collected from you or maintain about you to only what is necessary to provide our services.
Discriminatory treatment: You have the right not to receive discriminatory treatment for the exercise of the privacy rights conferred by the California Privacy Law.
Sell or Share of California Personal Information: As a California resident, you may also have the right to opt-out of the selling or sharing of your California Personal Information, as such terms are defined under California Privacy Law, if applicable. We will not discriminate against you by offering you different pricing or products, or by providing you with a different level or quality of products, based solely upon this request.
Authorized Agents: To the extent that you elect to designate an authorized agent to make a request on your behalf, they must provide appropriate documentation including written signed permission from you, proof of your identity, and verification of their identity; or a valid, designated power of attorney as defined under the California Probate Code.

If the exercise of the rights described above limits our ability to process your California Personal Information(such as in the case of a deletion request), we may no longer be able to provide you our products or services or engage with you in the same manner.

‍

How to exercise your rights Under California Privacy Laws

When submitting your request, please include the specific nature of your request, referencing “Your California Privacy Rights,” as well as your first and last name, email address, and zip code or mailing address.

As stated above, to exercise any of your rights, please contact us here legal@getsupernal.ai].

Alternatively, you may contact our California-specific contacts as detailed under the section “How to Contact Us” or the state-specific sections that follow. We will typically be able to respond within one month. In some circumstances, for example if your request is complex, we may need longer. We will inform you if this is the case.

We may need to ask for additional information to verify your request and action your request. This helps us to protect Personal Information against fraudulent requests. If you do not provide sufficient information initially and do not respond to our request for additional information, we may be unable to action your request. We may ask you to complete our standard form in order to ensure your request is processed in accordance with applicable privacy laws. We may use a trusted third-party vendor to collect the information in the contact us form.

We may apply any exceptions or other conditions available under law when responding to correction, deletion, or other requests.

‍

Our Local Californian Data Protection Officers

If you are a California resident and have any questions about this California Consumer Protection Act Global Privacy Policy addendum you can also contact our state-specific contacts:

‍

Compliance with the Data Privacy Framework (DPF) Principles

Our Company complies with the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework ("Swiss-U.S. DPF"), as set forth by the U.S. Department of Commerce.

We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. DPF Principles with regard to the processing of Personal Information received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. We have also certified that we adhere to the Swiss-U.S. DPF Principles with regard to the processing of Personal Information received from Switzerland in reliance on the Swiss-U.S. DPF. We refer to the EU-U.S. DPF Principles, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF Principles collectively as the "DPF Principles."

If there is any conflict between the terms in this Global Privacy Policy and the DPF Principles of this Section, the applicable DPF Principles shall govern.

To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/. The U.S. Federal Trade Commission has jurisdiction over our compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

For sake of clarity, we confirm that we comply with the following.

‍

Commitment to comply with the DPF Principles

We adhere to the DPF Principles with regard to Personal Information received from the EU, United Kingdom (and Gibraltar), and/or Switzerland.

‍

Types of Personal Information collected

The types of Personal Information collected are those identified in the "What information do we collect and hold, and what do we use this for?" section of this Global Privacy Policy.

‍

Purpose for which Personal Information is collected

The purposes for which we collect and process Personal Information are described in the same section of the Global Privacy Policy.

‍

Type and identity of third parties to which we disclose Personal Information

We use third-party service providers to provide business support services. The types and identity of third parties to whom we disclose Personal Information are described in the “Who might we share your Personal Information with?” section of this Global Privacy Policy. We remain responsible under the DPF Principles if third-party agents that we engage to process Personal Information on our behalf do so in a manner inconsistent with the DPF Principles unless we prove we are not responsible for the event giving rise to the non-compliance.

‍

How to exercise your individual rights (access, correction, deletion)

Where we have collected Personal Information about you which is transferred to the United States for processing under the DPF Principles, you have the right to request access to your Personal Information, request a correction, or request deletion of your Personal Information by completing our contact form or emailing us at legal@getsupernal.ai.

We cannot action certain requests, such as access, deletion, or limitation of use requests, where we are not the controller of the Personal Information because we have been appointed as a “processor” or “service provider” to a data controller based in the EU, UK, or Switzerland. You should make such requests directly to that data controller. If you make the request directly to us, we may assist in redirecting you to the appropriate data controller.

‍

Your choices for limiting the use and disclosure of Personal Information

Where we wish to use Personal Information collected under this Global Privacy Policy for a new or different purpose which is materially different from the purpose for which it was originally collected, we will provide you with an opportunity to agree to or opt out of that new or different purpose.

In addition to the rights described in response to item 6 above, you may at any time request that we cease using your Personal Information by completing our contact form or emailing us at legal@getsupernal.ai]. We will respond within 45 days.

‍

Complaints

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, we commit to resolve DPF Principles-related complaints about our collection and use of your personal information. Individuals from the EU, UK, and Switzerland with inquiries or complaints regarding our handling of Personal Information received in reliance on the DPF should first contact us using our contact form or email legal@getsupernal.ai. We will respond within 45 days.

We are also committed to cost-free independent resolution where you cannot resolve a dispute directly with us. We will inform you about those options in further detail if we are unable to amicably resolve a dispute. We commit to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner’s Office (ICO), and the Swiss Federal Data Protection and Information Commissioner (FDPIC) regarding unresolved complaints.

As further explained in the DPF Principles, binding arbitration is available to address residual complaints not resolved by other means in accordance with Annex I of the DPF Principles.

‍

Disclosure of Personal Information for lawful requests by public authorities

We may be required to disclose Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements, in compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

‍

Oversight

The U.S. Federal Trade Commission has jurisdiction over our compliance with the DPF.