Privacy Policy

1. Introduction

Metadata, Inc. and affiliated companies collect and process information as described in this policy. The company is committed to protecting privacy. This Privacy Policy details how personal information is collected, used, and shared when interacting through the website, email, and other online/offline channels.

The policy does not cover how Metadata processes Customer Data within products and services, which is governed by customer agreements and data processing addendums.

The company maintains a "Do Not Sell or Share My Personal Information / Opt Out of Targeted Advertising" link in the website footer and honors recognized UOOM signals where required by law.

This Privacy Policy applies to:

• The website www.metadata.io and related digital properties
• The Metadata Platform for personal information used for company purposes
• Development of data augmentation and intelligence services
• Social media, marketing activities, and live events

Exclusions: The policy does not apply to information processed on behalf of business customers or third-party data sources that don't constitute personal information under applicable law.

Services are designed for businesses and representatives, not individuals for personal use.

2. Personal Information We Collect

Information You Provide

• Contact data: First and last name, salutation, email, addresses, title, company name, phone number
• Professional information: Work history, location, residence details, age, social network profiles
• Account data: Username, password, biographical details, preferences, profile information
• Communications: Exchanges via Services, social media, phone, video platforms, and recordings
• Transactional data: Order information, transaction history. Full payment card numbers, CVV codes, and bank credentials are not collected; payment processors handle this directly
• Marketing data: Communication preferences and engagement details
• Payment information: Information needed for transactions
• Promotional information: Details from competitions, promotions, surveys, and sweepstakes
• Other data: Information not specifically listed, used as described

Third-Party Sources

Personal information may be obtained from:

• Public sources: Government agencies, public records, social media, publicly available sources
• Private sources: Business customers, data providers, information services, social media platforms, third-party integrations
• Marketing partners: Joint marketing partners, event co-sponsors

Automatic Data Collection

The company, service providers, and business partners automatically log:

• Device data: Operating system, manufacturer, model, browser, resolution, RAM, CPU usage, device type, IP address, unique identifiers, language settings, mobile carrier, network information, general location
• Online activity data: Pages viewed, time spent, previous websites, navigation paths, access times, email engagement
• Location data: City, state, country

Sensitive Personal Information

The company does not collect, infer, or solicit sensitive personal data as defined under U.S. state privacy laws (precise geolocation, biometric identifiers, health information, genetic data, union membership, financial account credentials). If this changes, the policy will be updated.

3. How We Use Your Personal Information

Service Delivery

Personal information is used to:

• Provide, operate, and improve Services and business
• Enhance Offerings for business customers to target advertising
• Establish and maintain business customer profiles
• Enable security features, remembering devices
• Communicate about Services, announcements, updates, security alerts, support messages
• Understand needs and interests, personalize experiences and communications
• Provide support and respond to requests, questions, feedback

Research and Development

Personal information is used for analyzing and improving Services and business through analytics, understanding user activity, and improving page performance.

Marketing and Advertising

• Direct marketing: Marketing communications may be sent to business customers and prospects. Opt-out options are available
• Interest-based advertising: Cookies and similar technologies collect interaction information to serve relevant online ads. Companies share user information to facilitate interest-based advertising on other platforms
• Targeted Advertising: Limited identifiers and online activity data support "targeted advertising" as defined by U.S. state laws. Opt-out options are available
• Profiling and automated decision-making: The company does not use profiling for decisions producing legal or significant effects. If this changes, required disclosures will be provided

Compliance and Protection

Personal information is used to:

• Comply with applicable laws, lawful requests, and legal process
• Protect rights, privacy, safety, property of the company, users, and others
• Audit internal processes for compliance
• Enforce terms and conditions
• Prevent, identify, investigate, and deter fraudulent, harmful, unauthorized, unethical, or illegal activity

With Consent

The company may ask for consent to collect, use, or share personal information when required by law.

To Create Anonymous, Aggregated, or De-identified Data

The company creates anonymous, aggregated, or de-identified data from personal information, which may be used and shared with third parties for lawful business purposes including analyzing and improving Services, developing new services, and promoting the business.

4. Data Retention

Personal information is retained only as long as reasonably necessary to achieve described purposes, including meeting legal, accounting, and reporting obligations, establishing or defending legal claims, and preventing fraud.

Retention criteria by category:

• Contact and account data: Duration of business relationship plus 3 years for record keeping and legal compliance
• Transactional and payment metadata: 7 years to meet tax, audit, and accounting requirements
• Marketing and online activity data: Up to 24 months from collection, unless opt-out occurs or law requires shorter period
• Security and log data: 12-24 months depending on system requirements and threat monitoring

When data is no longer needed, it is deleted, deidentified, or segregated from active processing. Periods may be adjusted to comply with applicable law or defend legal claims.

5. How We Share Your Personal Information

Affiliates

Corporate parent, subsidiaries, and affiliates for purposes consistent with the policy.

Service Providers

Third parties providing services including hosting, information technology, customer support, email delivery, marketing, consumer research, and website analytics.

Payment Processors

Payment card information is collected and processed directly by payment processors.

Business Customers

The company may enhance or supplement data received from business customers with data from other sources and provide enhanced data back. Business customers may combine shared personal information with their own data and process it for their purposes, including marketing and advertising. This policy does not apply to business customers' processing. Questions about their information processing should be directed to the relevant business customer.

Advertising Partners

• Information about business customers and prospects may be provided to third-party advertising companies for internet-based advertising
• Third-party advertising companies work with the company to enable business customers to target advertising
• Limited identifiers and online activity data are disclosed to advertising partners for targeted advertising and measurement. Opt-out options are available

Business and Marketing Partners

Third parties co-sponsoring events or promotions, jointly offering products or services, or whose products or services may be of interest.

Linked Third-Party Services

If users log into Services with or link accounts to social media, customer relationship management, or other third-party services, personal information may be shared. The third party's use is governed by its privacy policy and account settings.

Professional Advisors

Lawyers, auditors, bankers, and insurers where necessary for professional services.

Authorities and Others

Law enforcement, government authorities, and private parties believed necessary for compliance and protection purposes.

Business Transferees

Acquirers and participants in business transactions (or negotiations/due diligence) involving corporate divestiture, merger, consolidation, acquisition, reorganization, sale, or other disposition of business assets or equity interests, including bankruptcy proceedings.

With Consent

Personal information may be shared with third parties where users have consented.

6. Your Choices

Access or Update Information

Registered account holders may review and update account information by logging in.

Opt-out of Marketing Communications

Users may opt-out of marketing emails by following opt-out instructions at the email bottom or contacting the company. Service-related and non-marketing emails may continue. Users may opt-out of marketing or advertising calls during calls or by contacting the company.

Cookies

Information about cookies, tracking technologies, and choices (including interest-based advertising) is available in the Cookies Policy. Choices in the Cookies banner and UOOM signals are honored where required.

Universal Opt-Out Mechanisms (UOOM)

Browser or device-based opt-out signals such as Global Privacy Control (GPC) are honored for targeted advertising and sales/sharing of personal information where required by law. If logged in, signals apply to accounts where feasible; if not logged in, signals apply to specific browsers and devices.

Declining to Provide Information

The company needs certain personal information to provide Services. If required information is not provided, Services may not be available.

Linked Third-Party Platforms

Users may limit information the company receives by adjusting settings in third-party platform accounts. Revoking access does not apply to information already received.

Delete Content or Close Account

Users can delete certain content through accounts. Account closure requests should be sent to support@metadata.io.

7. Other Sites and Services

Services may contain links to third-party websites, applications, and online services. Content may be integrated into non-associated web pages. These links and integrations are not endorsements or representations of affiliation. The company does not control third-party sites and is not responsible for their actions. Users are encouraged to read privacy policies of other sites and services used.

8. Security

The company employs technical, organizational, and physical safeguards to protect personal information. However, security risk is inherent in internet and information technologies, and the company cannot guarantee security.

9. International Data Transfer

The company is headquartered in the United States and may use service providers in other countries. Personal information may be transferred to locations where privacy laws may be less protective.

For information on transfers from the European Economic Area, United Kingdom, and Switzerland, see the European Notice in Section 14.

10. Children

Services are not intended for anyone under 18 years of age. Parents or guardians believing the company collected information from children in violation of law should contact the company. If the company learns it collected information from children without required parental consent, it will comply with legal requirements to delete the information.

The company does not sell personal information or process information for targeted advertising for individuals known to be under 16 years of age.

11. Changes to This Privacy Policy

The company reserves the right to modify this Privacy Policy. Material changes will be notified by updating the date and posting on Services or other appropriate means. Modified policies become effective upon posting. Use of Services after modification indicates acceptance. For rights-impacting changes, prominent notice will be provided.

12. How to Contact Us

• Email: privacy@metadata.io
• Mail: Metadata, Inc., 2261 Market Street, Suite 10977, San Francisco, CA 94114
• Phone: 650-753-7077 | Toll-Free (US): 1-888-905-8193
• Appeals of Denied Requests: privacy@metadata.io (subject: "Privacy Appeal")

13. State Privacy Rights Notice

This section applies to residents of U.S. states with comprehensive privacy laws: California, Colorado, Connecticut, Oregon, Texas, Utah, Virginia, Florida, Montana, Delaware, New Hampshire, New Jersey, Iowa, Tennessee, Minnesota, and Maryland.

Your Privacy Rights

Covered Individual Residents may exercise the following rights regarding collected personal information, subject to limitations, identity verification, and the company's right to retain information for legal compliance:

Information

Residents can request information about collection and use during the past 12 months:

• Categories of personal information collected
• Categories of collection sources
• Business or commercial collection/sale purposes
• Categories of third parties receiving personal information
• Categories sold or disclosed for business purposes
• Categories of third parties to whom information was sold or disclosed

Access

Residents can request a copy of collected personal information.

Correction

Residents can request correction of inaccurate personal information.

Deletion

Residents can request deletion of collected personal information.

Opt-out

• Targeted advertising: Residents can opt-out of processing for targeted advertising purposes
• Other sales: Residents can opt-out of personal information sales

Opt-in

Services are intended for users 18 and older. The company does not intentionally collect or sell personal information for individuals aged 13-15.

Nondiscrimination

Residents may exercise rights without discrimination.

Sensitive Information

The company does not collect or seek sensitive personal information as defined by applicable laws, including social security numbers, drivers' licenses, financial account or credit card numbers (except as provided by business customers for payment processing), precise geolocation, racial and ethnic characteristics, religious and philosophical beliefs, union membership, message contents, mental or physical health condition or diagnosis, sex life or sexual orientation, genetic and biometric data, or personal data from known children.

Appeals

Declined requests may be appealed by emailing privacy@metadata.io with "Privacy Appeal" in the subject line and describing the appeal reason. The company responds within 45 days or as required by law. Denied appeals may be addressed to state attorneys general.

Exercising Rights

Requests for information/know, access, correction, or deletion can be submitted at https://privacy.metadata.io/, calling 650-753-7077 | Toll-Free (US): 1-888-905-8193, or emailing privacy@metadata.io.

Notice of Right to Opt-Out

Data sharing may be classified as "sale" or "sharing" under applicable laws. Opt-out requests can be submitted at https://privacy.metadata.io/ or via email: privacy@metadata.io.

Verification and Authorized Agents

Sufficient detail is required for request processing. Identity verification may require government identification, declarations under penalty of perjury, or other information. Residency confirmation is reserved.

Authorized agents may request on behalf of residents upon verification of agent identity and receipt of valid power of attorney. Without power of attorney, agents must provide written and signed permission, information to verify resident identity, and confirmation of permission to submit requests.

Financial Incentives

Financial incentives as permitted by applicable laws may be offered, resulting in different prices, rates, levels, or service quality. Terms are provided separately at offering.

Deidentified Data Commitments

The company may create and use deidentified data. Reasonable measures prevent reidentification, with public commitments not to attempt reidentification and requirements for recipients to comply.

14. European Notice

This section applies to individuals in the United Kingdom, Switzerland, and the European Economic Area.

Personal Information

References to "personal information" are equivalent to "personal data" under European data protection legislation, including the GDPR (General Data Protection Regulation 2016/679) and the EU GDPR as it forms part of UK law. Personal data is information about an individual who is either directly identified or identifiable. It does not include anonymous data where identity has been permanently removed.

Controller

Metadata, Inc. is the controller of personal information covered by this policy for European data protection legislation purposes.

GDPR Representatives

For EEA or UK users:

EU Representative: VeraSafe Ireland Ltd.
Inquiries: https://verasafe.com/public-resources/contact-data-protection-representative or +420 228 881 031

UK Representative: VeraSafe UK Ltd.
Inquiries: https://verasafe.com/public-resources/contact-data-protection-representative or +420 228 881 031

Legal Bases for Processing

European data protection legislation requires a "legal basis" for personal information use. Legal bases are:

• Contractual Necessity: Where performance of a contract entered into or about to be entered is needed
• Legitimate Interests: Where necessary for legitimate interests and user interests and fundamental rights do not override those interests
• Compliance with Law: Where needed to comply with legal or regulatory obligations
• Consent: Where specific consent to processing for a purpose is obtained

Use for New Purposes

Personal information may be used for reasons not described where permitted by law and compatible with collection purposes. Notification and legal basis explanation will be provided for unrelated purposes.

Retention

Personal information is retained as long as necessary to fulfill collection purposes, including satisfying legal, accounting, and reporting requirements, establishing or defending legal claims, or compliance and protection purposes.

Appropriate retention periods are determined by considering:

• Amount, nature, and sensitivity of personal information
• Potential harm risk from unauthorized use or disclosure
• Processing purposes and achievement through other means
• Applicable legal requirements

When no longer needed, personal information is deleted or anonymized. If impossible (backup archives), it is securely stored and isolated from active processing until deletion becomes possible. Anonymized information (no longer associated with users) may be used indefinitely without further notice.

Sensitive Personal Information

Users are asked not to provide sensitive personal information (social security numbers, racial or ethnic origin information, political opinions, religion or beliefs, health, biometrics or genetic characteristics, criminal background, or trade union membership) through Services or otherwise.

If sensitive personal information is provided, users must consent to processing and use in accordance with the policy. Non-consent requires not submitting such information through Services.

Your Rights

European data protection laws grant certain rights. European users may request:

• Access: Information about personal information processing and access to personal information
• Correct: Update or correct inaccuracies
• Delete: Delete personal information
• Transfer: Machine-readable copy transfer to the user or third party of their choice
• Restrict: Restrict processing
• Object: Object to reliance on legitimate interests affecting rights
• Opt-out: Stop direct marketing communications. Service-related and non-marketing emails may continue
• Consent Withdrawal: Withdraw consent where relied upon for processing

Requests may be submitted to privacy@metadata.io or the postal address in Section 12. Specific identity information may be requested. Applicable law may require or permit request decline. Declined requests explain reasons, subject to legal restrictions. Complaints about personal information use or response to requests may be submitted to company contacts or the data protection regulator in the user's jurisdiction. Data protection regulators are found at: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

Cross-Border Data Transfer

Personal information may be shared with third parties outside Europe. Such sharing involves transfer outside Europe.

The company ensures people receiving personal information hold it subject to European data protection legislation standards. When transferring personal information outside Europe, at least one of the following mechanisms is implemented:

Transfers to Adequacy Decision Territories: Personal information may be transferred to countries or territories whose laws have been deemed providing adequate personal data protection by the European Commission or UK Government.

Transfers to Non-Adequacy Decision Territories: Personal information may be transferred to countries or territories whose laws have NOT been deemed providing adequate protection (no adequacy decision exists, for example regarding the United States). In such cases:

• Specific approved safeguards designed to give personal information European-level protection may be used, such as requiring recipients to enter Standard Contractual Clauses; or
• Limited circumstances may allow reliance on exceptions or derogations permitting transfer despite lacking adequacy decisions or appropriate safeguards, such as explicit consent to transfer.

Contact the company using Section 12 details for further information on transfer mechanisms used when transferring personal information out of Europe.