Asseta AI Inc. Privacy Policy

Last updated: May 14, 2026

1. Introduction

Asseta AI Inc. ("Asseta", "we", "us", or "our") provides a financial management software platform and related services to family offices, advisors, and their professionals. We respect the privacy of the people who visit our website, evaluate our Services, and use our platform as account holders. This Privacy Policy explains what personal information we collect, how we use it, with whom we share it, and the choices and rights you have.

This Privacy Policy applies to the website at www.asseta.ai (the "Site"), all related subdomains, and the Asseta platform and related services (collectively, the "Services"). By using the Services, you agree to the practices described in this Privacy Policy. If you do not agree, please do not use the Services.

2. Scope: Asseta as Controller versus Processor

Asseta acts in two different capacities depending on the data in question, and this Privacy Policy covers only one of them.

  • Asseta as Controller. This Privacy Policy applies when Asseta determines the purposes and means of processing personal data, including personal data of website visitors, prospects, demo requesters, marketing contacts, account administrators, employees, contractors, and candidates.
  • Asseta as Processor. When Asseta processes personal data on behalf of a customer (the "Customer Personal Data" defined in our Data Processing Addendum, or "DPA"), the customer is the controller. Customer Personal Data is governed by the DPA and by the customer's own privacy notices, not this Privacy Policy. This Privacy Policy does not modify the DPA.

If you are a data subject whose personal data is processed by Asseta on behalf of a customer (for example, an individual whose financial information is loaded into the Asseta platform by a family office), please direct any rights requests to the relevant customer. If you submit a request to Asseta and we are the processor for the relevant data, we will route your request to the customer and provide reasonable assistance, as described in our GDPR Request Handling Process.

3. Definitions

Capitalized terms used here have the meanings given in this Section. Other terms have the meanings given in the DPA and applicable law.

  • "Personal Information" and "Personal Data" mean information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, as those terms are defined under applicable Data Protection Laws including the EU and UK General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA"), and other US state consumer privacy laws.
  • "Sensitive Personal Information" means the sensitive categories defined under applicable law, including under CCPA Section 1798.140(ae) and Article 9 GDPR.
  • "Sell" and "Share" have the meanings given under CCPA and other US state laws. As described below, we do not sell Personal Information for money and we do not share Personal Information for cross context behavioral advertising as those terms are defined under CCPA.
  • "Site" means www.asseta.ai and our related subdomains.
  • "Services" means the Asseta platform and related services.

4. Categories of Personal Information We Collect

Over the past 12 months we have collected the following categories of Personal Information about visitors, prospects, account administrators, and other individuals interacting with the Services:

| Category | Examples | CCPA Statutory Category |
|---|---|---|
| Identifiers | Name, email address, telephone number, postal address, account username, IP address, device identifiers. | §1798.140(o)(1)(A) |
| Customer Records | Billing contact details, account administrator records, signed agreements. | §1798.140(o)(1)(B) |
| Commercial Information | Subscription, billing history, purchasing or service usage history. | §1798.140(o)(1)(D) |
| Internet or Network Activity | Browsing on our Site, interactions with our Services and emails, log data, referring URLs, cookie identifiers. | §1798.140(o)(1)(F) |
| Geolocation Data | General location inferred from IP address. We do not collect precise geolocation from end users. | §1798.140(o)(1)(G) |
| Professional Information | Employer, job title, professional role, business contact details. | §1798.140(o)(1)(I) |
| Inferences | Inferences drawn from the above to characterize preferences, interests, or behavior for product and marketing purposes. | §1798.140(o)(1)(K) |
| Audio and Visual | Recordings or transcripts of sales and support calls where you consent or where notice is provided at the start of the call. | §1798.140(o)(1)(E) |
| Sensitive Personal Information | Account credentials. We do not knowingly collect government identifiers, precise geolocation, racial or ethnic origin, religious beliefs, union membership, health, sex life, or sexual orientation through the Site. | §1798.140(ae) |

5. Sources of Personal Information

We collect Personal Information from the following sources:

  • Directly from you. When you visit the Site, request a demo, sign up for a newsletter, fill in a form, attend a webinar, communicate with us, or use the Services as an account administrator.
  • From your devices. Through cookies, log files, and similar technologies as described in Section 8 and in our Cookie Policy.
  • From your employer or organization. When the family office, firm, or other organization that subscribes to the Services adds you as an administrator or user.
  • From service providers and partners. From CRM and marketing tools, sales intelligence and enrichment providers, identity verification providers, and analytics providers.
  • From public sources. Public business directories, social networks where you have a public business profile, and similar public sources used for sales and recruiting.
  • From our sub-processors. From sub-processors that support delivery of the Services, as listed in our DPA Annex III and Sub-processor Inventory.

6. Purposes of Processing and Legal Bases (EU and UK)

We process Personal Information for the purposes described below. For data subjects in the EEA, the UK, and Switzerland, we identify the legal basis under GDPR Article 6 for each purpose.

| Processing Activity | Legal Basis (GDPR Art. 6) | Notes |
|---|---|---|
| Provide and operate the Services to account holders | Contract (Art. 6(1)(b)) | Performance of the agreement between Asseta and the customer or user. |
| Respond to demo requests, sales inquiries, and support tickets | Pre-contract steps and legitimate interests (Art. 6(1)(b) and (f)) | Includes routing inquiries through our CRM and contact center. |
| Send marketing communications | Consent (Art. 6(1)(a)) or legitimate interests (Art. 6(1)(f)), depending on jurisdiction | Recipients may opt out at any time using the unsubscribe link or by contacting privacy@asseta.ai. |
| Improve and secure the Services | Legitimate interests (Art. 6(1)(f)) | Includes product analytics, abuse prevention, fraud detection, and security monitoring. |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) | Includes tax, accounting, anti money laundering, and record retention obligations. |
| Establish, exercise, or defend legal claims | Legitimate interests (Art. 6(1)(f)) or legal obligation (Art. 6(1)(c)) | Includes responding to lawful requests by public authorities. |
| Corporate transactions | Legitimate interests (Art. 6(1)(f)) | Mergers, acquisitions, financings, restructurings, and similar transactions. |

If we ever rely on "legitimate interests" as the legal basis, you can request a copy of our legitimate interests assessment by contacting privacy@asseta.ai.

7. AI Features and Automated Processing

The Services include features that use artificial intelligence ("AI"), including features that use large language models from third party AI sub-processors such as OpenAI and Anthropic. We are committed to operating these features responsibly and aligned to ISO/IEC 42001, our AI Governance and Risk Management Framework, and applicable Data Protection Laws.

  • AI sub-processors. We contract with AI sub-processors under data processing terms substantially equivalent to those we provide to customers. Where available, we configure AI sub-processors to a zero retention setting, meaning the provider does not retain prompts or completions beyond the time necessary to return a response.
  • No training on Customer Personal Data. We do not permit AI sub-processors to use Customer Personal Data to train their models, and we do not use Customer Personal Data to train our own models, unless a customer has expressly opted in to a separate written agreement.
  • Human oversight. AI features that drive decisions affecting individuals are subject to human review proportionate to the risk. We do not make decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on individuals through the Services. If we change this practice in the future, we will update this Privacy Policy and provide appropriate information and rights under GDPR Article 22.
  • Evaluation and monitoring. AI features are evaluated before launch and monitored in production for quality and safety. Material changes trigger reassessment.
  • Customer choice. Where Asseta offers AI features that customers can enable or disable, customers control whether those features are used in their environment, consistent with the Software Services Agreement and DPA.

For specific AI sub-processors, retention configurations, and evaluations, see our DPA Annex III, AI Inventory, and Data Protection Impact Assessments (DPIAs) for the Asseta Platform, Claude AI, and Granola, available to customers on request.

8. Cookies and Similar Technologies

We use cookies, web beacons, and similar technologies on the Site to operate, secure, and improve the Services, remember preferences, measure performance, and (with consent where required) deliver marketing. The categories include:

  • Strictly necessary. Required for the Site to function (for example, session management, security). These cannot be disabled in our consent banner.
  • Performance and analytics. Help us understand how the Site is used. We use Google Analytics; see policies.google.com/technologies/partner-sites and tools.google.com/dlpage/gaoptout/ for Google's information and opt out tools.
  • Functional. Remember preferences and choices.
  • Marketing. Used to measure and improve our marketing. Set only with your consent in jurisdictions that require it.

Where required by law (including in the EEA, UK, and certain US states), we use a consent management mechanism to obtain and record your cookie preferences. You can change your preferences at any time through the cookie settings link in the Site footer. For more detail, see our Cookie Policy.

9. How We Share Personal Information

We share Personal Information only as described below.

  • Service providers and sub-processors. We share Personal Information with vendors that perform services on our behalf under written contracts that restrict their use of the information. Our sub-processors that process Customer Personal Data are listed in DPA Annex III. Categories of providers include cloud hosting (Amazon Web Services), AI providers (OpenAI, Anthropic), identity and authentication providers, financial data providers (such as Plaid), productivity and collaboration tools (Google Workspace), CRM and marketing platforms, analytics, support and communications tools, and professional services firms (such as auditors and counsel).
  • Affiliates. We may share Personal Information with current or future Asseta affiliates for the purposes described in this Privacy Policy.
  • Compliance with law and protection of rights. We may disclose Personal Information when we believe in good faith that disclosure is required by law, regulation, legal process, or government request, or where necessary to protect the rights, property, or safety of Asseta, our customers, our users, or others, or to detect or prevent fraud or security incidents.
  • Corporate transactions. In connection with a merger, financing, acquisition, divestiture, restructuring, dissolution, or similar transaction, including in bankruptcy or similar proceedings, we may transfer Personal Information to the relevant counterparty under appropriate confidentiality.
  • With your consent or at your direction. We share Personal Information in additional ways with your consent or where you direct.

We do not sell Personal Information for money. We do not share Personal Information for cross context behavioral advertising as defined under CCPA. We do not use or disclose Sensitive Personal Information for purposes that require a right to limit under CCPA Section 1798.121.

We may share, without restriction, aggregated or de identified information that does not identify any individual.

10. International Data Transfers

Asseta is headquartered in the United States and operates production infrastructure in Amazon Web Services in us-east-2 (primary) with disaster recovery in us-west-2 and eu-central-1. Our sub-processors may operate in the United States and other countries.

Where we transfer Personal Information from the EEA, UK, or Switzerland to a country that is not the subject of an adequacy decision, we rely on appropriate safeguards, including the European Commission's Standard Contractual Clauses ("SCCs") and, for transfers from the UK, the UK International Data Transfer Addendum, supplemented by additional safeguards where required following our transfer impact assessments. A copy of the relevant transfer mechanism can be requested at privacy@asseta.ai.

11. Data Retention

We retain Personal Information for as long as necessary to fulfill the purposes for which we collected it, including to provide the Services, comply with legal obligations (including tax, audit, and accounting), resolve disputes, and enforce our agreements. Specific retention periods include:

| Data Category | Retention Period |
|---|---|
| Account and customer records | For the duration of the customer relationship plus up to 7 years thereafter for legal, tax, and audit purposes. |
| Marketing leads and prospect records | Up to 36 months from the last meaningful engagement, or until you opt out, whichever is earlier. |
| Support communications | Up to 5 years from case closure. |
| Site analytics and cookie identifiers | As described in our Cookie Policy, typically from session length up to 24 months. |
| Security and audit logs | At least 12 months and up to 7 years, depending on system and audit requirements. |
| Recordings of sales and support calls | Up to 24 months from the call date, unless retained longer for a specific legal or audit reason. |
| Backups | Encrypted backups are retained on a defined rotation; deleted personal data is removed from production immediately and from backups within the backup retention cycle. |

When we no longer need Personal Information, we delete it or de identify it, consistent with our Data Deletion Policy and Process.

12. Data Security

We maintain a documented information security program aligned to SOC 2 (Trust Services Criteria, 2017), ISO/IEC 42001, and the practices required under GDPR Article 32. The program includes administrative, technical, and physical safeguards designed to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

  • Encryption. Personal Information is encrypted in transit using TLS 1.2 or higher and at rest using AES 256 or equivalent.
  • Access controls. Access is granted on a least privilege basis, with multi factor authentication and quarterly access reviews.
  • Monitoring and testing. We perform continuous logging and monitoring and at least annual penetration testing by an independent third party. Our most recent web application penetration test was conducted in April 2026.
  • Incident response. We maintain a documented Incident Response Plan that includes notification timelines consistent with GDPR Article 33 and our DPA Section 9.

While we take protection of Personal Information seriously, no system is perfectly secure. Where we provide credentials, you are responsible for keeping them confidential and for the activity that occurs under your account.

13. Your Privacy Rights

Subject to applicable law and verification of your identity, you may have the following rights. Where rights overlap, we will apply the most protective interpretation in the requester's jurisdiction.

13.1 EEA, United Kingdom, and Switzerland (GDPR)

If you are in the EEA, the UK, or Switzerland, you have the following rights under GDPR and equivalent law:

  • Access (Art. 15). Confirmation of whether we process your Personal Data, a copy of that data, and supplementary information.
  • Rectification (Art. 16). Correction of inaccurate or incomplete Personal Data.
  • Erasure (Art. 17). Deletion of your Personal Data in defined circumstances.
  • Restriction (Art. 18). Restriction of processing in defined circumstances.
  • Notification (Art. 19). Where we rectify, erase, or restrict processing, we will notify recipients to whom your Personal Data was disclosed where required.
  • Portability (Art. 20). Receipt of your Personal Data in a structured, commonly used, machine readable format where processing is based on consent or contract and carried out by automated means.
  • Object (Art. 21). Objection to processing based on legitimate interests or public interest, including objection to direct marketing.
  • Automated decision making (Art. 22). The right not to be subject to a decision based solely on automated processing, including profiling, that produces legal or similarly significant effects.
  • Withdraw consent (Art. 7(3)). Withdrawal of consent at any time for processing based on consent, without affecting prior lawful processing.
  • Lodge a complaint (Art. 77). The right to lodge a complaint with a supervisory authority. Our lead supervisory authority for the EU is the Irish Data Protection Commission (www.dataprotection.ie). UK residents may complain to the Information Commissioner's Office (www.ico.org.uk). You may also complain in the EEA member state where you live or where the issue arose.

To exercise these rights, see Section 14. For details on how we process requests, see our GDPR Request Handling Process.

13.2 California (CCPA, as amended by CPRA)

If you are a California resident, you have the following rights:

  • Right to Know. Request disclosure of the categories and specific pieces of Personal Information we collected, the sources, the business or commercial purposes, and the categories of recipients.
  • Right to Delete. Request deletion of Personal Information we collected from you, subject to legal exceptions.
  • Right to Correct. Request correction of inaccurate Personal Information.
  • Right to Opt Out of Sale or Sharing. As stated above, we do not sell Personal Information for money and do not share Personal Information for cross context behavioral advertising. You may submit a request anyway, and we will honor it.
  • Right to Limit Use of Sensitive Personal Information. We do not use or disclose Sensitive Personal Information for purposes other than those permitted under CCPA Section 1798.121, so the right to limit does not currently apply.
  • Right to Non Discrimination. We will not discriminate against you for exercising your rights.

Authorized agents may submit requests on your behalf with proof of authorization.

13.3 Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Iowa, Tennessee, Indiana, Maryland, Minnesota, Rhode Island, and Kentucky

If you are a resident of one of these states, you have rights that may include:

  • Confirm processing and access. Confirm whether we process your Personal Information and access it.
  • Correct. Request correction of inaccurate Personal Information.
  • Delete. Request deletion of Personal Information.
  • Portability. Request a portable copy of your Personal Information.
  • Opt out. Opt out of targeted advertising, sale of Personal Information, and profiling in furtherance of decisions that produce legal or similarly significant effects.
  • Appeal. If we decline your request, you may appeal as described in Section 14.3.

Specific rights vary by state. We honor the broadest right available to you under your state of residence and applicable federal law.

13.4 Other Jurisdictions

Where another Data Protection Law applies to you, including Brazil (LGPD), Canada (PIPEDA and provincial laws), Australia (Privacy Act), Singapore (PDPA), or others, we will honor the substantive rights available to you under that law using the request process below.

14. How to Exercise Your Rights

14.1 Where to Submit a Request

You can submit a privacy rights request through any of the following channels:

  • Email: privacy@asseta.ai (preferred for privacy requests).
  • Support: support@asseta.ai.
  • Postal mail: Privacy Team, Asseta AI Inc., at the registered office published on the Site.

Account administrators may also use the in product tools available in their account.

14.2 Identity Verification and Authorized Agents

To protect you, we will verify your identity before responding. The level of verification is proportionate to the sensitivity of the data and the request. We may request additional information from you to verify your identity under GDPR Article 12(6) or applicable US state law.

You may use an authorized agent to submit a request on your behalf. We may require proof of the agent's authorization (for example, a signed permission or a power of attorney) and may verify your identity directly.

14.3 Response Timelines and Appeals

  • GDPR. We will respond within one calendar month of receipt and may extend by up to two further months where requests are complex or numerous, with reasons provided.
  • CCPA and other US states. We will acknowledge requests within 10 business days where required and respond within 45 days, extendable once by another 45 days with notice.
  • Appeals. If we deny your request and you reside in a state that provides an appeals right (currently Colorado, Connecticut, Virginia, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Iowa, Tennessee, Indiana, Maryland, Minnesota, Rhode Island, and Kentucky, among others), you may appeal by replying to our response within 60 days. We will respond to appeals within the time required by the applicable law, generally 60 days. If we deny the appeal, we will inform you how to contact the relevant state attorney general.

14.4 Fees and Refusals

We do not charge a fee for the first response to a request unless it is manifestly unfounded or excessive, in particular because of its repetitive character. Where we refuse a request, we will provide our reasoning and the rights available to you, including the right to lodge a complaint with a supervisory authority and to seek a judicial remedy.

15. Children's Privacy

The Services are intended for business use by adults. We do not direct the Services to children, and we do not knowingly collect Personal Information from children under the ages set out below.

  • Under 13 (US, COPPA). We do not knowingly collect Personal Information from children under 13. If we learn that we have collected Personal Information from a child under 13 without verified parental consent, we will delete it promptly.
  • Under 16 (EEA, UK, and certain US state laws). We do not knowingly process Personal Information of individuals under 16 for purposes that require parental consent under applicable law.

If you believe we have inadvertently collected Personal Information from a minor, please contact us at privacy@asseta.ai and we will take appropriate steps.

16. Sensitive Personal Information

We do not seek to collect Sensitive Personal Information about Site visitors and prospects, beyond account credentials needed to authenticate users. Customers may upload information classified as sensitive into the Asseta platform as part of their use of the Services; that data is Customer Personal Data and is processed under the DPA, not this Privacy Policy. We do not use or disclose Sensitive Personal Information for purposes that require a right to limit use under CCPA Section 1798.121 or analogous US state law.

17. Global Privacy Control and Do Not Track

Where required by applicable law, we honor browser based opt out preference signals, including the Global Privacy Control ("GPC"), as an opt out of sale and sharing under CCPA and similar US state laws. Because we do not currently sell or share Personal Information for cross context behavioral advertising, the practical effect of GPC on Asseta is to reinforce our existing practice. We do not currently respond to Do Not Track signals because no industry standard governs them.

18. Third Party Sites, Plug Ins, and Services

The Services may contain links to or embeds from third party sites and services, including social media plug ins and integrations with services such as Plaid and Google. Their privacy practices are governed by their own privacy policies. We are not responsible for the content or privacy practices of third party sites or services.

19. EU and UK Representatives

Where required by GDPR Article 27, Asseta has designated representatives for data subjects and supervisory authorities to contact about matters related to GDPR or UK GDPR processing. Representative information will be posted in this section once appointed. In the interim, EU and UK residents may contact us directly at privacy@asseta.ai.

20. Lead Supervisory Authority

Our lead supervisory authority for cross border processing in the EU is the Irish Data Protection Commission. In the UK, the supervisory authority is the Information Commissioner's Office (ICO). EEA residents may also contact the supervisory authority in their member state of residence.

21. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we do, we will revise the version number and Effective Date at the top, post the updated policy on the Site, and, where the changes are material, notify you by email to the address associated with your account or through a notice on the Site. You are responsible for keeping your contact information current and for periodically reviewing this Privacy Policy.

22. Contact Information

If you have questions or concerns about this Privacy Policy or our privacy practices, contact us:

If you are not satisfied with our response, you have the right to lodge a complaint with a supervisory authority in your jurisdiction as described in Sections 13 and 20.


Effective Date: May 14, 2026 · Version 2.0 · Supersedes May 22, 2025