Carta Privacy Policy
INTRODUCTION AND SCOPE
This Privacy Policy (the "Privacy Policy") is effective as of May 15, 2026 and describes how personal information is collected, used, disclosed, and otherwise processed in connection with the Services (as defined below). This Privacy Policy supersedes and replaces, in their entirety, any prior privacy notices or policies previously published by Carta or by Carta Law with respect to the Services.
For purposes of this Privacy Policy, the following terms have the meanings set forth below:
(a) "Carta," "we," "us," and "our" mean eShares, Inc. dba Carta, Inc., together with its related and affiliated companies and subsidiaries, including, without limitation, Avantia Law Limited t/a Carta Law ("Carta Law").
(b) "Carta Services" means the software products and services offered by Carta, together with the associated platforms, websites, and mobile applications through which such products and services are made available, including, without limitation, carta.com and the Carta mobile applications.
(c) "Carta Law Services" means the legal, compliance and related services offered by Carta Law, including, without limitation, contract preparation, review, and negotiation; anti-money laundering and know-your-customer ("AML/KYC") compliance services; and fund transfer support, together with the associated websites through which such services are made available, including, without limitation, avantialaw.com.
(d) "Services" means, collectively, the Carta Services and the Carta Law Services.
(e) "you" and "your" mean the individual to whom personal information processed under this Privacy Policy relates, including visitors to the Services, registered users of the Services, and other individuals whose personal information we collect or otherwise process in connection with the Services.
This Privacy Policy applies to all personal information processed by Carta and Carta Law in connection with the Services, regardless of the medium or format in which such personal information is collected, used, disclosed, or otherwise processed. Certain provisions of this Privacy Policy apply only to specified categories of individuals, jurisdictions, or product lines, as expressly indicated in the applicable Section. In particular, and without limitation: (a) Sections 10 through 13 (Financial Product End Users (US)) apply solely to end users of Carta's financial products and services that are subject to the Gramm-Leach-Bliley Act and do not apply to the Carta Law Services; (b) Section 14 (Additional Notice for U.S. Residents) provides supplemental disclosures applicable to residents of the United States and the enumerated U.S. states; and (c) Section 15 (Additional Notice for Users Outside the U.S.) provides supplemental disclosures applicable to individuals located outside of the United States.
Where Carta Law processes personal information solely on behalf of, and pursuant to the documented instructions of, a client of the Carta Law Services that determines the purposes and means of such processing, Carta Law acts as a data controller (or service provider, as applicable) and the privacy policy of the relevant client controller governs such processing. In all other cases, Carta and / or Carta Law each process personal information as a processor (or business, as applicable) in accordance with this Privacy Policy.
By accessing or using the Services, or by otherwise providing personal information to Carta or Carta Law, you acknowledge that you have read and understood this Privacy Policy. Capitalized terms used but not defined in a particular Section have the meanings ascribed to them elsewhere in this Privacy Policy. In the event of any conflict between the general provisions of this Privacy Policy and any Section addressing a specific jurisdiction, product line, or category of individuals, the more specific provision shall control with respect to its subject matter.
1. PERSONAL INFORMATION WE COLLECT
We collect personal information from and about users of the Services in a variety of ways, including information you provide to us directly, information we collect automatically when you access or use the Services, and information we receive from third parties. The categories of personal information we collect, and the sources from which we collect such information, are described in this Section 1.
1.1 Categories of Personal Information Collected. Depending on your relationship with Carta and the Services you use, we may collect the following categories of personal information:
1.1.1 Identifiers and Contact Information. We collect identifiers and contact information such as your full name, postal address, email address, telephone number, account username, online identifiers, internet protocol (IP) address, device identifiers, and similar identifiers.
1.1.2 Account and Profile Information. We collect information you provide when you create or maintain an account with us, including your login credentials, security questions and answers, profile photograph, biographical information, employer or affiliated entity, role or title, and preferences relating to your account and the Services.
1.1.3 Financial and Transactional Information. We collect financial information necessary to provide the Carta Services, including bank account information, payment card details, brokerage and custodial account information, tax identification numbers, equity holdings, transaction histories, and other information related to financial transactions effected through the Carta Services. Where applicable, we collect such information directly or through integrated third-party service providers (including, for example, Plaid Inc., whose collection and use of information is governed by the Plaid privacy policy available at https://plaid.com/legal, and Quiltt, Inc., whose collection and use of information is governed by the Quiltt privacy policy available at https://www.quiltt.io/policies/privacy-policy; where applicable, use of Quiltt-enabled functionality may also be subject to the Quiltt terms available at https://www.quiltt.io/policies/terms-and-conditions).
1.1.4 Commercial Information. We collect commercial information, including records of products or services purchased, obtained, or considered, and other purchasing or consuming histories or tendencies relating to your use of the Services.
1.1.5 Internet or Other Electronic Network Activity Information. We automatically collect information about your interaction with the Services, including browsing history, search history, pages viewed, links clicked, referring and exit pages, date and time stamps, and other information regarding your interaction with our websites, mobile applications, emails, and advertisements.
1.1.6 Geolocation, Device, and Inferences. We collect approximate geolocation data (such as that derived from IP address), device characteristics (such as operating system, browser type, and device model), and inferences drawn from the foregoing categories to create a profile reflecting your preferences, characteristics, behavior, and attitudes in connection with the Services.
1.2 Carta Law-Specific Personal Information Collection. In connection with the Carta Law Services, we collect the following additional categories of personal information:
1.2.1 Contact and Professional Information. We collect names, telephone numbers, email addresses, mailing addresses, job titles, contact preferences, and contact or authentication data from individuals who interact with the Services, including clients, client representatives, counterparties, and other parties to legal matters or transactions handled by Carta and/or Carta Law.
1.2.2 Sensitive Personal Information for AML/KYC Purposes. To the extent necessary to perform or assist with anti-money laundering (AML) and know-your-customer (KYC) checks on behalf of both itself and its clients in furtherance of their respective regulatory obligations, Carta may collect sensitive personal information, including social security numbers, passport numbers, driver's license numbers, taxpayer identification numbers, and other government-issued identifiers. Such sensitive personal information is processed only where necessary for the foregoing purposes and is collected with your consent or as otherwise permitted or required by applicable law to comply with legal and regulatory obligations, including applicable anti-money laundering regulations.
1.3 Sources of Personal Information. We collect personal information from the following sources:
(f) Directly from you, when you register for an account, complete forms, communicate with us, use the Services, or otherwise interact with us;
(g) Automatically, through cookies and similar tracking technologies deployed across the Services, as further described in Section 3 (Online Tracking Technologies);
(h) From your employer, the entity that has engaged Carta or Carta Law, or other authorized representatives acting on your behalf; and
(i) With respect to the Carta Services only, from third parties, including identity verification vendors, financial institutions, payment processors, public databases, data analytics providers, marketing partners, and other service providers and business partners that supplement, validate, or enrich the information we collect directly.
1.4 No Third-Party Collection for Carta Law Services. Notwithstanding Section 1.3, Carta Law does not collect personal information about you from third-party sources in connection with the Carta Law Services. All personal information processed in connection with the Carta Law Services is obtained either directly from you, from the client engaging Carta Law, or automatically through your interaction with the Carta Law Services websites (including avantialaw.com).
1.5 Consequences of Not Providing Personal Information. Where we request personal information that is necessary to provide the Services, your failure to provide such information may prevent us from establishing or maintaining your account, completing a requested transaction, performing AML/KYC or other regulatory checks, or otherwise providing the Services to you or to the client on whose behalf you are acting or on whose behalf we are requesting your personal information.
2. PERSONAL INFORMATION USE AND DISCLOSURE
We may use, process, and/or disclose the categories of personal information described above for the following purposes:
2.1. Operate, maintain, and improve the Services, such as supporting delivery of our services, assisting with service requests or other enquiries, monitoring for errors, remedying security or technical issues, analyzing website and application performance, responding to comments and questions, verifying permission access, and providing customer service.
2.2. Deliver and facilitate the delivery of legal, compliance and related services to users of the Carta Law Services.
2.3. Deliver, facilitate the delivery of, sell, or market Carta Services to Carta and Carta Law users and Carta Law Services to Carta and Carta Law users.
2.4. Complete AML/KYC checks, where applicable, on behalf of our clients pursuant to their AML regulatory obligations using information gathered through the Carta or Carta Law Services.
2.5. Send information, such as confirmations, invoices and billing, technical notices, updates, security alerts, and administrative messages.
2.6. Communicate upcoming events and other news about products and services offered by us.
2.7. Communicate with and inform you about system updates and important Services-related notices, such as privacy and policy update notices or changes in our terms of service. These communications are administrative and you may not opt out of them.
2.8. Send marketing emails related to the Services, which you may opt out of using provided unsubscribe links or the opt-out mechanism in those communications.
2.9. Link or combine user information with other personal information, such as when we combine the information a company, fiduciary, or investment entity has provided about their stakeholders with the information entered by relevant stakeholders in their end user accounts to improve the user experience.
2.10. Protect against, investigate, and deter fraudulent, unauthorized, or illegal activity, such as validating your identity, preventing fraud on your account, and complying with AML/KYC rules and regulations.
2.11. Provide and deliver products and services to our business customers with respect to their employees or investors, such as when an employee exercises their employee stock options and we provide that information to their employer to facilitate the employer's compliance with tax laws or when an investor invests in a fund and we provide the investor’s submitted information to our fund customer to facilitate the fund customer’s compliance with applicable laws and regulations.
2.12. Facilitate online advertising, such as enabling third-party advertising companies and social media companies to use cookies, pixels, and similar technologies to collect information about your interaction over time across the Services, our communications and other online services, and use that information to serve online ads that they think will interest you.
2.13. Fulfill and manage your orders, payments, returns, and exchanges made through the Services.
2.14. Process your application for employment or engagement with Carta or Carta Law.
2.15. Save or protect an individual's vital interest, such as to prevent harm.
We may also disclose personal information:
2.16. To our business customers' equity administrators, authorized users, and other designated representatives who can access information that we hold about the equity information of their employees, investors, or other stakeholders.
2.17. With vendors, suppliers, and service providers to process information and support our business and services, such as providers of cloud hosting and storage services, analytics services, email delivery services, and customer support services.
2.18. With our lawyers, accountants, and other professional advisors in the course of the services they render to us.
2.19. To comply with laws, lawful requests, and legal or regulatory processes.
2.20. To protect the rights, safety, and property of Carta, Carta Law, our agents, users, customers, and others. This includes enforcing our agreements, policies, and terms of use, reporting on security breaches, or assisting with investigating and preventing fraud or security issues.
2.21. For instant verification of your bank account information with features you are utilizing on the Carta Services. We use Plaid Technologies, Inc. ("Plaid") and Quiltt, Inc. ("Quiltt") to gather customer data from financial institutions. By using these features, you grant us and Plaid or Quiltt the right, power, and authority to act on your behalf to access and transmit your personal and financial information from the relevant financial institution. You agree to your personal and financial information being transferred, stored, and processed by Plaid in accordance with the Plaid Privacy Policy or Quiltt in accordance with the Quiltt Privacy Policy.
2.22. We may share personal information with acquirers and other relevant participants in business transactions (or negotiations for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale, or other disposition of all or any portion of the business or assets of, or equity interests in, Carta or Carta Law (including in connection with bankruptcy or similar proceedings).
2.23. With our affiliates, in which case we will require those affiliates to honor this Privacy Policy. Affiliates include our parent company and any subsidiaries, joint venture partners, or other companies that we control or that are under common control with us, including companies with the Carta name, financial companies such as Vauban Capital GP LLC, and Carta Law.
2.24. We may create, use, and share aggregated or anonymized data for any lawful purpose, such as marketing, analytics, or research purposes permitted by law.
2.25. We do not sell, share, or otherwise disclose personal information obtained for text message program consent purposes (opt-in consent data) to any third parties for those third parties' own marketing purposes.
2.26. We may share other information with third parties in other ways not described in this Privacy Policy when we have consent (either from users or business customers) to do so.
3. ONLINE TRACKING TECHNOLOGIES
Carta and its service providers use cookies, pixels, web beacons, software development kits (SDKs), local storage, session replay tools, and other similar tracking technologies (collectively, "Tracking Technologies") in connection with the Services. The following provisions describe how Tracking Technologies are deployed across the Carta Services and the Carta Law Services and the choices available to you with respect to such technologies.
3.1 Cookies Generally. A "cookie" is a small text file that is placed on your device when you visit a website or use an online application. Cookies enable the operator of the site or application to recognize your device, store preferences, authenticate sessions, measure usage, and deliver content tailored to your interests. We use both first-party cookies (set by Carta or Carta Law) and third-party cookies (set by our service providers and partners). Cookies may be "session" cookies, which expire when you close your browser, or "persistent" cookies, which remain on your device until they expire or are deleted.
3.2 Categories of Tracking Technologies We Use. We deploy the following categories of Tracking Technologies across the Services: (a) Strictly Necessary Technologies, which are required to operate the Services, authenticate users, maintain session integrity, and provide security; (b) Performance and Analytics Technologies, which help us understand how users interact with the Services, measure traffic and usage patterns, and improve functionality; (c) Functional Technologies, which enable enhanced functionality and personalization, such as remembering your preferences and settings; and (d) Advertising and Targeting Technologies, which are used to deliver advertisements that may be relevant to you, to measure the effectiveness of advertising campaigns, and to limit the number of times you see a particular advertisement.
3.3 Pixels, Web Beacons, and SDKs. In addition to cookies, we and our service providers use pixels (also known as "web beacons" or "clear GIFs"), which are small graphic images embedded in web pages or emails that allow us to track whether a page has been viewed or an email has been opened. We also use SDKs in our mobile applications, which are pieces of code that enable third-party functionality, including analytics, crash reporting, and advertising attribution.
3.4 Analytics Providers. We use third-party analytics providers, including Google Analytics, to collect information about your use of the Services and to help us improve the Services. These providers use cookies and similar Tracking Technologies to collect information such as the pages you view, the features you use, the time spent on the Services, the referring URL, and information about your device, browser, and IP address. You can learn more about Google Analytics and opt out of Google Analytics tracking by installing the Google Analytics Opt-Out Browser Add-On available at https://tools.google.com/dlpage/gaoptout.
3.5 Interest-Based Advertising. We and our advertising partners use Tracking Technologies to deliver advertisements about Carta and the Services on third-party websites and applications and to measure the performance of those advertisements. This activity, sometimes referred to as "interest-based advertising" or "online behavioral advertising," may involve the collection of information about your online activities over time and across different websites, devices, and online services. Our advertising partners include, without limitation, Google, Meta Platforms, Inc. (Meta), and Microsoft Corporation (Microsoft).
3.6 Do Not Track and Global Privacy Control. Certain web browsers and devices transmit "Do Not Track" (DNT) signals to websites with which the browser communicates. Because no industry standard has been adopted regarding how DNT signals should be interpreted, the Services do not currently respond to DNT signals. The Services do, however, recognize and honor the Global Privacy Control (GPC) signal where required by applicable law, in the manner described in Section 14 below.
3.7 Managing Tracking Technologies; Opt-Out Mechanisms. You may manage your preferences with respect to Tracking Technologies through a number of mechanisms. Most web browsers allow you to control cookies through your browser settings, including by blocking, deleting, or being notified when cookies are set. Please note, however, that disabling certain cookies may impair the functionality of the Services. In addition, you may opt out of interest-based advertising delivered by participating advertising networks by visiting the following resources: (a) the Digital Advertising Alliance (DAA) at https://optout.aboutads.info; (b) the Network Advertising Initiative (NAI) at https://optout.networkadvertising.org; (c) the European Interactive Digital Advertising Alliance (EDAA) at https://www.youronlinechoices.eu; (d) Google Ads Settings at https://adssettings.google.com; (e) Meta advertising preferences at https://www.facebook.com/settings?tab=ads; and (f) Microsoft advertising opt-out at https://account.microsoft.com/privacy/ad-settings. For mobile devices, you may also limit interest-based advertising through your device settings (for example, "Limit Ad Tracking" on iOS or "Opt out of Ads Personalization" on Android). These opt-out mechanisms are device- and browser-specific, and you will need to renew your choices if you clear your cookies, use a different browser, or use a different device.
3.8 Carta Law Services Tracking Technologies. The Carta Law Services, including the website located at avantialaw.com, also use cookies and similar Tracking Technologies. In particular, the Carta Law Services use Google Analytics, including the Google Analytics Demographics and Interests Reporting and Remarketing features, which rely on first-party cookies (such as the Google Analytics cookie) and third-party cookies (such as the DoubleClick cookie) to collect information about visitors to the Carta Law Services, including age range, gender, and interest categories, and to enable Google to serve advertisements to such visitors on other sites across the internet. You may opt out of Google Analytics for Display Advertising and customize Google Display Network advertisements through Google Ads Settings at https://adssettings.google.com, and you may opt out of the Google Analytics Demographics and Interests Reporting and Remarketing features using the Google Analytics Opt-Out Browser Add-On referenced in Section 3.4 above. The opt-out mechanisms identified in Section 3.7 apply equally to Tracking Technologies deployed through the Carta Law Services.
4. SECURITY
4.1 Carta has implemented and maintains administrative, technical, organizational, and physical safeguards designed to protect the confidentiality, integrity, and availability of personal information processed in connection with the Services against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to such information. These safeguards are designed in accordance with applicable laws and generally accepted industry standards and are commensurate with the nature, scope, context, and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons.
4.2 Our security program includes, without limitation: (i) encryption of personal information in transit and, where appropriate, at rest; (ii) network security controls, including firewalls, intrusion detection and prevention systems, and continuous monitoring; (iii) access controls based on the principles of least privilege and need-to-know, including role-based access, multi-factor authentication, and periodic access reviews; (iv) secure software development practices, vulnerability management, and regular penetration testing; (v) logging, auditing, and monitoring of access to systems containing personal information; (vi) physical security controls at facilities where personal information is stored or processed; (vii) personnel security measures, including background checks where permitted by law and mandatory privacy and security training; (viii) written information security policies and standards that are regularly reviewed and updated; and (ix) an incident response program designed to identify, contain, investigate, and remediate security incidents in a timely manner.
4.3 We require our service providers, vendors, and other third parties that process personal information on our behalf to implement appropriate technical and organizational measures consistent with the protections described in this Section 4 and to be bound by contractual obligations of confidentiality and security.
4.4 Notwithstanding the safeguards described above, no method of transmission over the Internet or method of electronic storage is completely secure, and we cannot guarantee the absolute security of personal information. You are responsible for maintaining the confidentiality of any account credentials used to access the Services, including usernames, passwords, and authentication codes, and for promptly notifying us of any suspected or actual unauthorized use of your account or any other breach of security. You should use a strong, unique password for the Services, enable available authentication features (such as multi-factor authentication), and take reasonable steps to safeguard your devices and credentials.
4.5 In the event of a security incident affecting personal information, Carta will notify affected individuals, regulators, and other parties as and to the extent required by applicable law.
5. RETENTION
5.1. We retain personal information for as long as necessary to fulfill the purposes for which we collected it, including for the purposes of satisfying any legal, regulatory, accounting, or reporting requirements; to establish or defend legal claims; or for fraud prevention purposes. To determine the appropriate retention period for personal information, we may consider factors such as the amount, nature, and sensitivity of the personal information; the potential risk of harm from unauthorized use or disclosure of your personal information; the purposes for which we process your personal information and whether we can achieve those purposes through other means; and the applicable legal requirements. Our obligations may continue after we stop providing our services directly to you.
5.2. When we no longer require the personal information we have collected about you, we will either delete or anonymize it or, if this is not practicable (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. If we anonymize your personal information (so that it can no longer be associated with you), we may use this information indefinitely without further notice to you.
5.3. The following retention periods apply to personal information collected through the Carta Law Services. Where the retention periods below differ from the general principles described in Sections 5.1 and 5.2, the more specific period below governs for Carta Law Services data.
| Category | Examples | Retention Period |
|---|---|---|
| A. Identifiers | Real name, alias, postal address, telephone number, unique personal identifier, online identifier, IP address, email address, account name | 6 years |
| B. Personal records | Name, contact information, education, employment, employment history, financial information | 6 years |
| C. Protected classification characteristics | Gender, age, date of birth, race and ethnicity, national origin, marital status, and other demographic data | 6 years |
| D. Commercial information | Transaction information, purchase history, financial details, payment information | Duration of account |
| F. Internet or other similar network activity | Browsing history, search history, online behavior, interest data, interactions with our websites, applications, and systems | 2 years |
| I. Professional or employment-related information | Business contact details, job title, work history, professional qualifications | Up to 6 years after departure |
| L. Sensitive personal information | Social security numbers or other government identifiers collected for AML/KYC purposes | 6 years |
5.4. For personal information collected through the Carta Services, we apply the general retention principles described in Sections 5.1 and 5.2.
6. AGE LIMITATIONS
6.1 The Services are intended for use solely by individuals who are at least eighteen (18) years of age. Carta does not knowingly offer, market, or provide the Services to, and does not knowingly collect, solicit, or process personal information from, any individual under the age of 18. By accessing or using the Services, you represent and warrant that you are at least 18 years of age and that you have the legal capacity to enter into a binding agreement with Carta.
6.2 If you are under 18 years of age, you may not use, register for, or submit any personal information through the Services. Any individual who is under 18 and who has nevertheless provided personal information through the Services should immediately discontinue use of the Services, and a parent or legal guardian should contact Carta using the contact information set forth in Section 17 (Contact Information) so that the relevant information may be reviewed and, where appropriate, deleted.
6.3 If Carta becomes aware that it has collected personal information from an individual under the age of 18 without verification of appropriate legal authority, Carta will take commercially reasonable steps to delete such information from its records as promptly as practicable, subject to any retention obligations imposed by applicable law or as otherwise described in Section 5 (Retention).
7. YOUR PREFERENCES
7.1 Communications Preferences. We provide you with choices regarding the personal information you provide to us and how we communicate with you in connection with the Services. You may update your account information, communication preferences, and marketing subscriptions at any time by logging into your account, by following the unsubscribe instructions included in any marketing email we send, or by contacting us using the details set forth in Section 17 (Contact Information). Please note that, even if you opt out of receiving marketing or promotional communications, we may continue to send you transactional, administrative, security, fraud-prevention, and other service-related communications relating to your use of the Services, as such communications are necessary for the operation of your account and the provision of the Services.
7.2 Cookies and Online Tracking. You may exercise choices regarding cookies, pixels, and similar tracking technologies as described in Section 3 (Online Tracking Technologies), including by adjusting your browser settings, using the opt-out mechanisms made available by Google, Meta, and Microsoft, and by visiting the opt-out pages of the Digital Advertising Alliance (DAA) and the Network Advertising Initiative (NAI). Where required by applicable law, we will honor recognized opt-out preference signals (such as the Global Privacy Control) transmitted by your browser or device.
7.3 Privacy Rights Requests. To the extent you wish to exercise any rights afforded to you under applicable data protection laws (including, where applicable, the rights described in Sections 14 and 15), you may submit a request through the mechanisms identified in those Sections or by contacting us using the details in Section 17. We may need to verify your identity before responding to your request, and we will respond within the time periods required by applicable law.
7.4 Carta Law Services Users. If your inquiry, preference change, or rights request relates specifically to the Carta Law Services, you may, as an alternative to the contact methods described above, contact Carta Law directly at dataprotection@avantialaw.com. Requests submitted to either Carta or Carta Law will be routed internally to the appropriate team for handling, and you are not required to submit duplicate requests to both entities.
7.5 Effect of Preferences. Exercising the preferences and choices described in this Section 7 may, in certain circumstances, limit our ability to provide you with all features or functionality of the Services, or may affect the manner in which the Services are made available to you. We will inform you of any such limitations at the time you exercise your preferences, where reasonably practicable.
8. EXTERNAL WEBSITES
8.1 The Services may contain links, references, or integrations to websites, applications, platforms, content, or other online resources that are operated, owned, or controlled by third parties (collectively, "External Websites"). Such links are provided solely for convenience and informational purposes, and the inclusion of any link to an External Website does not constitute an endorsement, sponsorship, recommendation, approval, or verification by Carta or Carta Law of the External Website or of any products, services, content, opinions, advertisements, or other materials made available through the External Website.
8.2 External Websites are not under the control of Carta or Carta Law, and neither Carta nor Carta Law is responsible for the availability, accuracy, legality, reliability, security, or content of any External Website, or for the privacy practices or data processing activities of the operators of such External Websites. Any access to or use of an External Website is undertaken at the user's own risk and is subject to the terms of use, privacy policies, and other policies established by the operator of such External Website.
8.3 This Privacy Policy applies only to personal information collected, used, disclosed, or otherwise processed by Carta or Carta Law in connection with the Services. This Privacy Policy does not apply to any personal information that users may provide to, or that may be collected by, any External Website, even where such External Website is accessed through a link, frame, embedded feature, or other reference appearing within the Services. Carta and Carta Law expressly disclaim any and all liability arising from or relating to a user's access to, use of, or disclosure of personal information to any External Website.
8.4 Users are strongly encouraged to review the privacy policies, cookie policies, and terms of service of each External Website prior to providing any personal information to, or otherwise interacting with, such External Website. Questions, complaints, or requests concerning the data practices of an External Website should be directed to the operator of that External Website.
9. THIRD-PARTY INTEGRATIONS AND SOCIAL FEATURES
9.1 Third-Party Integrations. The Services may offer integrations with, or otherwise connect to, products, applications, application programming interfaces (APIs), or services operated by third parties (each, a "Third-Party Integration"). When you elect to enable, link, or otherwise use a Third-Party Integration in connection with the Services, you authorize Carta to access, transmit, receive, and process personal information and other data between the Services and such Third-Party Integration as reasonably necessary to provide the requested functionality. The personal information that is shared with, or received from, a Third-Party Integration will depend on the nature of the integration and the permissions you grant.
9.2 Financial Account Connectivity (Plaid, Quiltt). Certain Carta Services permit you to connect a bank, brokerage, or other financial account through Plaid Inc. and/or Quiltt, Inc. When you use this functionality, you authorize Carta and Plaid or Quiltt to access, transmit, receive, store, and use your account information (including account numbers, balances, transaction history, and account holder information) in accordance with Plaid's privacy policy, available at https://plaid.com/legal/#consumers, or in accordance with Quiltt's privacy policy, available at https://quiltt.io/policies/privacy-policy. By using the Plaid integration, you grant Plaid the right, power, and authority to act on your behalf to access and transmit your personal and financial information from the relevant financial institution. You agree that your personal and financial information will be treated in accordance with Plaid's privacy policy.
9.3 Other Third-Party Service Providers and Integrations. The Services may also integrate with other third-party service providers, including identity verification providers, payment processors, electronic signature providers, communications platforms, calendar and email providers, cloud storage providers, single sign-on (SSO) providers, and analytics providers. Personal information disclosed to or received from such third parties through these integrations is governed by the applicable third party's privacy policy and terms of service, and we encourage you to review those documents before enabling any such integration.
9.4 Social Media Features. The Services may include social media features, such as the Facebook "Like" button, LinkedIn share button, X (formerly Twitter) share button, and other widgets or interactive mini-programs that run on the Services (collectively, "Social Media Features"). Social Media Features may collect your IP address, the page you are visiting on the Services, and may set a cookie to enable the Social Media Feature to function properly. Social Media Features are either hosted by a third party or hosted directly on the Services. Your interactions with Social Media Features are governed by the privacy policy of the company providing them.
9.5 Logging In Through Third-Party Accounts. If you choose to register for, or log in to, the Services using a third-party account (such as a Google, Microsoft, or LinkedIn account), or if you otherwise link your Services account with a third-party account, we may receive certain profile and account information about you from that third party, including your name, email address, profile picture, and other information that you have authorized the third party to share. The information we receive depends on the third party's privacy settings and your authorization. You may revoke the connection between your Services account and a third-party account at any time through your account settings or through the third party's settings.
9.6 No Endorsement; No Responsibility for Third Parties. The inclusion of a Third-Party Integration or Social Media Feature within the Services does not constitute an endorsement, sponsorship, or recommendation by Carta of the relevant third party, its products, or its privacy or security practices. Carta does not control, and is not responsible or liable for, the collection, use, disclosure, security, or other processing of personal information by any third party providing a Third-Party Integration or Social Media Feature. Any personal information you provide to, or that is collected by, such third parties is subject to the applicable third party's privacy policy and terms, and not this Privacy Policy.
10. FINANCIAL PRODUCT END USERS (US) — SCOPE AND APPLICABILITY
10.1 Scope of Sections 10 through 13. Sections 10 through 13 of this Privacy Policy (collectively, the "Financial Product Provisions") apply solely to end users of Carta's financial products and services that are subject to the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801 et seq., and its implementing regulations, including Regulation P, 12 C.F.R. Part 1016 (collectively, "GLBA"). The Financial Product Provisions govern the collection, use, disclosure, and protection of nonpublic personal information (as defined under GLBA) obtained by Carta in connection with the offering or provision of financial products or services to consumers, including, without limitation, equity management, compensation, venture capital, liquidity, and related financial offerings provided as part of the Carta Services.
10.2 Relationship to the Remainder of this Privacy Policy. The Financial Product Provisions supplement, and do not replace or limit, the other provisions of this Privacy Policy. To the extent of any conflict between the Financial Product Provisions and any other provision of this Privacy Policy with respect to nonpublic personal information governed by GLBA, the Financial Product Provisions shall control as to such information. All other personal information collected, used, or disclosed by Carta in connection with the Carta Services remains subject to the generally applicable provisions of this Privacy Policy.
10.3 Non-Applicability to Carta Law Services. The Financial Product Provisions do not apply to the Carta Law Services or to any personal information collected, used, or disclosed by Carta Law in connection with the provision of legal and compliance services, including contract preparation, review, and negotiation; anti-money laundering and know-your-customer ("AML/KYC") compliance; and fund transfer support. Carta Law is not a "financial institution" within the meaning of GLBA with respect to the Carta Law Services, and the Carta Law Services are not "financial products or services" subject to GLBA. Personal information processed by Carta Law in connection with the Carta Law Services is governed by the other applicable provisions of this Privacy Policy and by applicable laws and professional rules of conduct, including, where applicable, rules governing attorney-client confidentiality and the attorney-client privilege.
10.4 Mixed-Use Information. Where an individual interacts with both the Carta Services and the Carta Law Services, only that portion of the individual's personal information that is collected, used, or disclosed in connection with Carta's financial products or services subject to GLBA shall be treated as nonpublic personal information for purposes of the Financial Product Provisions. The remaining personal information shall be governed by the other applicable provisions of this Privacy Policy.
10.5 Defined Terms. Capitalized terms used but not otherwise defined in the Financial Product Provisions shall have the meanings ascribed to them elsewhere in this Privacy Policy or, where applicable, under GLBA.
11. FINANCIAL PRODUCT END USERS IN THE UNITED STATES: PERSONAL INFORMATION COLLECTION
11.1. We collect your personal information, for example, when you or your employer, fiduciary, or investment entity open an account, provide data required under Carta's KYC policies, provide employment information, manage your end user account, accept your shares, exercise your options, provide fund transactional data, or deploy or exit an investment.
11.2. We also collect your personal information from others, such as vendors, affiliates, or other companies.
12. FINANCIAL PRODUCT END USERS IN THE UNITED STATES: PERSONAL INFORMATION SHARING
12.1. We may need to share customers' personal information to run our everyday business. In the following chart, we list the reasons financial companies can share their customers' personal information; the reasons Carta chooses to share; and whether you can limit this sharing.
Reasons we can share your personal information | Does Carta share? | Can you limit this sharing? |
For our everyday business purposes, such as to process your transactions, maintain your account(s), respond to court orders and legal investigations, or report to credit bureaus | Yes | No |
For our marketing purposes, to offer our products and services to you | Yes | Yes |
For joint marketing with other financial companies | No | We don't share |
For our affiliates' everyday business purposes, information about your transactions and experiences | Yes | No |
For our affiliates' everyday business purposes, information about your creditworthiness | No | We don't share |
For our affiliates to market to you | Yes | Yes |
For nonaffiliates to market to you | No | We don't share |
12.2. Affiliates are companies related by common ownership or control. They can be financial and nonfinancial companies. Our affiliates include companies with the Carta name, financial companies such as Vauban Capital GP LLC, and Carta Law.
12.3. Nonaffiliates are companies not related by common ownership or control. We do not share with nonaffiliates so they can market to you.
13. FINANCIAL PRODUCT END USERS IN THE UNITED STATES: PRIVACY RIGHTS
13.1. You can limit the sharing of your personal information as described in the chart above. Financial product end users in the United States have the right to limit: sharing for affiliates' everyday business purposes (information about your creditworthiness); affiliates from using your information to market to you; and sharing for nonaffiliates to market to you. State laws and individual companies may give you additional rights to limit sharing, as described in this Privacy Policy.
13.2. To limit our sharing of your personal information collected through the Carta Services, you may submit requests to exercise your privacy rights at https://preferences.carta.com/privacy or email privacy@carta.com.
14. ADDITIONAL NOTICE FOR U.S. RESIDENTS
This Section 14 supplements the information contained elsewhere in this Privacy Policy and applies to residents of the United States whose personal information we collect through the Services. To the extent any provision of this Section 14 conflicts with any other provision of this Privacy Policy with respect to a U.S. resident, this Section 14 controls. The rights, disclosures, and obligations described in this Section 14 apply as and to the extent required by applicable state consumer privacy law.
14.1. Sales and Sharing for Targeted Advertising. Under applicable state privacy laws, a sale of personal information does not always involve the exchange of money. Selling can also refer to disclosures of personal information to third parties who may use the information for their own purposes, such as cookie vendors. We do not sell personal information for monetary consideration, but we share personal information with third parties for cross-context behavioral advertising and targeted advertising (collectively, "Targeted Advertising"). This includes personal information collected through both the Carta Services and the Carta Law Services.
In this context, we sell and share for Targeted Advertising the following categories of personal information: Identifiers, Personal Records, Internet or Other Electronic Network Activity, Geolocation Data, and Inferences. We have shared personal information for Targeted Advertising with third parties, including our vendors and other third parties for marketing and advertising services that we utilize on our Sites.
We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.
14.2. Personal Information Collection, Use, and Disclosure.
We may collect the personal information described in the "Personal Information We Collect" section from offline sources as well. In addition, we also collect the following categories of personal information from online and offline sources:
14.2.1. Personal records (including personal information described in Cal. Civ. Code § 1798.80(e)), such as name, signature, social security number, address, telephone number, passport number, driver's license or state identification card number, employment, bank account number, credit card number, debit card number, or other financial information.
14.2.2. Audio, electronic, visual, or similar information, such as recordings from video calls.
14.2.3. Inferences used to create a profile reflecting someone's preferences, characteristics, and behavior.
We use and disclose the above categories of personal information as described in the "Personal Information Use and Disclosure" section above.
The following table shows the categories of personal information we have collected in the past twelve (12) months across the Carta Services and the Carta Law Services. Because the Services differ in nature, not all categories are collected through both.
Category | Examples | Collected via Carta Services | Collected via Carta Law Services |
A. Identifiers | Real name, alias, postal address, telephone number, unique personal identifier, online identifier, IP address, email address, account name | Yes | Yes |
B. Personal records (Cal. Civ. Code § 1798.80(e)) | Name, contact information, education, employment, employment history, financial information | Yes | Yes |
C. Protected classification characteristics | Gender, age, date of birth, race and ethnicity, national origin, marital status | Yes | Yes |
D. Commercial information | Transaction information, purchase history, financial details, payment information | Yes | No |
E. Biometric information | Fingerprints and voiceprints | No | No |
F. Internet or other similar network activity | Browsing history, search history, online behavior, interest data, interactions with websites and applications | Yes | Yes |
G. Geolocation data | Device location inferred from IP address | Yes | Yes |
H. Audio, electronic, sensory, or similar information | Images, audio, video, or call recordings created in connection with our business activities | Yes | Yes |
I. Professional or employment-related information | Occupation, compensation, title, hire and termination date, company, work history, professional qualifications | Yes | Yes |
J. Education information | Student records and directory information | No | No |
K. Inferences drawn from collected personal information | Inferences reflecting preferences, characteristics, and behavior | No | No |
L. Sensitive personal information | Social security numbers or other government identifiers | Yes | Yes |
We will use and retain the collected personal information as needed to provide the Services. For retention periods applicable to personal information collected through the Carta Law Services, see Section 5.3. For retention periods applicable to personal information collected through the Carta Services, see Sections 5.1 and 5.2.
14.3. Consumer Rights.
Depending on your state of residence, you may have the following rights related to your personal information:
14.3.1. Right to know, confirm, and access: You may have the right to know the categories of personal information we have collected about you, confirm that we process your personal information, know details about the personal information we process and who we disclose personal information to, and access your personal information.
14.3.2. Right to portability: You may have the right to request a copy of your personal information in a portable format.
14.3.3. Right to correct: You may request that we correct personal information that we maintain about you if you believe such personal information is inaccurate.
14.3.4. Right to request deletion: You may have the right to request that we delete your personal information.
14.3.5. Right to opt out of sales and sharing for Targeted Advertising: You may have the right to opt out of the sale of your personal information or the sharing of your personal information for Targeted Advertising, as described above. To opt out of sales and sharing for Targeted Advertising on the Carta Services, please visit our cookie preference manager by clicking the "Do not share or sell my personal information (cookie preferences)" link in the Carta website footer. To opt out of sales and sharing for Targeted Advertising on the Carta Law Sites, please visit our cookie preference manager by clicking the equivalent link in the website footer or by emailing dataprotection@avantialaw.com.
14.3.6. Right to opt out of profiling: We do not profile in furtherance of decisions that produce legal or similarly significant effects. If a decision that produces legal or similarly significant effects is made solely by automated means, we will inform you, explain the main factors, and offer a simple way to request human review.
14.3.7. Right to non-discrimination: We will not discriminate against you for choosing to exercise any of your privacy rights.
Depending upon the state where you live, you may also have the following rights:
14.3.8. Right to access the categories of personal data being processed (as permitted by applicable law, including Minnesota's privacy law).
14.3.9. Right to obtain a list of the categories of third parties to which we have disclosed personal data (as permitted by applicable law, including the privacy laws of California, Delaware, and Maryland).
14.3.10. Right to obtain a list of specific third parties to which we have disclosed personal data (as permitted by applicable law, including the privacy laws of Minnesota and Oregon).
14.3.11. Right to obtain a list of third parties to which we have sold personal data (as permitted by applicable law, including Connecticut's privacy law).
14.3.12. Right to review, understand, question, and, depending on where you live, correct how personal data has been profiled (as permitted by applicable law, including the privacy laws of Connecticut and Minnesota).
14.3.13. Right to limit use and disclosure of sensitive personal data (as permitted by applicable law, including California's privacy law).
14.3.14. Right to opt out of the collection of sensitive data and personal data collected through the operation of a voice or facial recognition feature (as permitted by applicable law, including Florida's privacy law).
14.3.15. To exercise your privacy rights with respect to the Carta Services, you may submit requests at https://preferences.carta.com/privacy, via email to privacy@carta.com, or toll-free at +1-855-921-2859. To exercise your privacy rights with respect to the Carta Law Services, you may email dataprotection@avantialaw.com.
14.3.16. We may need to verify your identity to process certain requests and we reserve the right to confirm your state residency. You may designate an authorized agent to make a request on your behalf; however, you may still need to verify your identity directly with us before your request can be processed. We may deny a request from an authorized agent that does not submit proof that they have been validly authorized to act on your behalf in accordance with applicable laws.
14.3.17. In certain circumstances, you may also appeal for reconsideration of your request. For the Carta Services, you may appeal using our webform at https://preferences.carta.com/privacy or our toll-free phone number. For the Carta Law Services, you may appeal by emailing dataprotection@avantialaw.com. We will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision. If your appeal is denied, you may submit a complaint to your state attorney general.
14.4. Additional California Disclosures and Rights.
Unless otherwise noted, the information in this Privacy Policy that describes how and why we collect and use your personal information also describes how we have collected and used your personal information in the preceding twelve (12) months.
14.4.1. Right to limit the use of sensitive personal information: We do not use or disclose sensitive personal information for purposes to which the right to limit use and disclosure applies under California law. For this reason, this right is not applicable.
14.4.2. California's Shine the Light Law: California Civil Code § 1798.83 permits California residents who have an established business relationship with us to request certain information regarding our disclosure of personal information to third parties for those third parties' direct marketing purposes. To make such a request, please contact us using the information set forth in Section 17. In your request, please state that you are a California resident and provide a current California mailing address for our response.
You may exercise your right to opt out of the sale or sharing of your personal information, and the processing of your personal information for purposes of targeted advertising, by following the instructions in Section 7 (Your Preferences) and Section 3 (Online Tracking Technologies), by adjusting the cookie preferences available through our cookie consent management tool, or by transmitting an opt-out preference signal (including the Global Privacy Control) through a compatible browser or browser extension. You may also exercise opt-out rights through the industry mechanisms identified in Section 3, including the Digital Advertising Alliance (https://optout.aboutads.info), the Network Advertising Initiative (https://optout.networkadvertising.org), and the platform-specific opt-outs offered by Google (https://adssettings.google.com), Meta (https://www.facebook.com/settings?tab=ads), and Microsoft (https://account.microsoft.com/privacy/ad-settings).
14.2 Categories of Personal Information Collected, Sources, Purposes, Disclosures, and Retention. The following table summarizes, for purposes of the CCPA and analogous U.S. state privacy laws, the categories of personal information we have collected from U.S. residents in the preceding twelve (12) months, the categories of sources from which the information was collected, the business or commercial purposes for which the information was collected, the categories of third parties to whom the information was disclosed for a business purpose, and the applicable retention periods. The categories below correspond to those enumerated in California Civil Code § 1798.140.
14.2.1 Category A — Identifiers (e.g., real name, alias, postal address, unique personal identifier, online identifier, IP address, email address, account name, government-issued identifiers other than those listed under Category L). Sources: directly from you, your employer or issuer, automatically through your use of the Services, and (for Carta Services only) from third parties such as service providers, business partners, and publicly available sources. Purposes: as described in Section 2. Disclosures: to service providers, professional advisors, affiliates, and as otherwise described in Section 2. Retention: for Carta Services, as described in Section 5; for Carta Law Services, six (6) years.
14.2.2 Category B — Personal records described in California Civil Code § 1798.80(e) (e.g., name, signature, address, telephone number, employment, financial information). Sources, Purposes, and Disclosures: as described above for Category A. Retention: for Carta Services, as described in Section 5; for Carta Law Services, six (6) years.
14.2.3 Category C — Protected classifications under California or federal law (e.g., age, citizenship, marital status, where collected for compliance, employment, or beneficiary purposes). Sources: directly from you or your employer. Purposes: compliance with legal obligations, employment processing, and AML/KYC. Disclosures: to service providers, regulators, and affiliates. Retention: for Carta Services, as described in Section 5; for Carta Law Services, six (6) years.
14.2.4 Category D — Commercial information (e.g., records of products or services purchased, obtained, or considered, and other purchasing or consuming histories or tendencies). Sources: directly from you and through your use of the Services. Purposes: order fulfillment, account management, and the purposes described in Section 2. Disclosures: to service providers, payment processors, and affiliates. Retention: for Carta Services, as described in Section 5; for Carta Law Services, the duration of the account.
14.2.5 Category E — Biometric information. We do not collect Category E information.
14.2.6 Category F — Internet or other electronic network activity information (e.g., browsing history, search history, and information regarding interaction with the Services). Sources: automatically through your use of the Services. Purposes: as described in Sections 2 and 3. Disclosures: to service providers, analytics providers, and advertising partners (subject to Section 14.1). Retention: for Carta Services, as described in Section 5; for Carta Law Services, two (2) years.
14.2.7 Category G — Geolocation data (general, non-precise). Sources: automatically through your use of the Services. Purposes: as described in Sections 2 and 3. Disclosures: to service providers and affiliates. Retention: as described in Section 5.
14.2.8 Category H — Audio, electronic, visual, or similar information (e.g., recordings of customer support calls, where permitted). Sources: directly from you. Purposes: training, quality assurance, and as described in Section 2. Disclosures: to service providers and affiliates. Retention: as described in Section 5.
14.2.9 Category I — Professional or employment-related information (e.g., job title, employer, work history, and information related to employment applications). Sources: directly from you, your employer, and third-party sources such as background-check providers. Purposes: account administration, employment processing, and the purposes described in Section 2. Disclosures: to service providers, affiliates, and prospective or current employers as applicable. Retention: for Carta Services, as described in Section 5; for Carta Law Services, up to six (6) years following the individual's departure or the conclusion of the engagement.
14.2.10 Category J — Education information that is not publicly available personally identifiable information as defined under the federal Family Educational Rights and Privacy Act. Sources: directly from you. Purposes: as described in Section 2. Disclosures: to service providers and affiliates. Retention: as described in Section 5.
14.2.11 Category K — Inferences drawn from any of the above to create a profile reflecting preferences, characteristics, behavior, or aptitudes. Sources: derived internally from other categories of information. Purposes: as described in Section 2. Disclosures: to service providers and affiliates. Retention: as described in Section 5.
14.2.12 Category L — Sensitive personal information (e.g., social security number, driver's license, state identification card, or passport number; account log-in or financial account information in combination with required access credentials; precise geolocation; and information processed for AML/KYC purposes). Sources: directly from you and from your employer or issuer. Purposes: identity verification, AML/KYC compliance, fraud prevention, account security, and as otherwise permitted or required by law or with your consent. Disclosures: to service providers, regulators, clients and affiliates as required to perform the foregoing purposes. Retention: for Carta Services, as described in Section 5; for Carta Law Services, six (6) years. We do not use or disclose sensitive personal information for purposes other than those permitted under California Civil Code § 1798.121 and analogous provisions of other U.S. state privacy laws.
14.3 Sources of Personal Information. We collect personal information from the sources described in Section 1, including: (a) directly from you when you create an account, use the Services, communicate with us, or apply for employment; (b) automatically through your use of the Services, as described in Section 3; (c) from your employer, the issuer of securities you hold, fund administrators, clients (in the case of Carta Law Services), and other authorized parties; and (d) for Carta Services only, from third parties including service providers, business partners, identity verification and background-check providers, advertising and analytics partners, and publicly available sources. Carta Law does not collect personal information from third-party sources.
14.4 Business and Commercial Purposes. We collect, use, and disclose personal information for the business and commercial purposes described in Section 2 of this Privacy Policy, including to deliver and facilitate legal, compliance and related services, to complete AML/KYC checks on behalf of both ourselves and clients pursuant to their respective regulatory obligations, to fulfill and manage client orders and payments, to process applications for employment, and to protect the vital interests of an individual.
14.5 Disclosures of Personal Information. In the preceding twelve (12) months, we have disclosed each of the categories of personal information identified in Section 14.2 (other than Category E, which we do not collect) for one or more business purposes to the following categories of recipients: our affiliates (as defined in Section 12.2, including companies with the Carta name, financial companies such as Vauban Capital GP LLC, and Carta Law); our service providers and processors (including hosting, analytics, payment processing, identity verification, and customer support providers); professional advisors (including auditors, attorneys, and accountants); regulators, law enforcement, and other governmental authorities where required or permitted by law; counterparties to corporate transactions; and, subject to Section 14.1, advertising and analytics partners. We do not knowingly disclose the personal information of consumers under the age of 16 for purposes of sale, sharing, or targeted advertising.
14.6 Your Rights. Subject to verification of your identity and the exceptions, thresholds, and limitations set forth in applicable law, you have the following rights with respect to your personal information:
14.6.1 Right to Know / Right of Access. The right to request that we disclose to you the categories and specific pieces of personal information we have collected about you, the categories of sources from which the personal information was collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom we have disclosed personal information, and the categories of personal information sold or shared and the categories of third parties to whom each category was sold or shared.
14.6.2 Right to Data Portability. The right to obtain a copy of your personal information in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the personal information to another entity without hindrance.
14.6.3 Right to Correct. The right to request that we correct inaccurate personal information that we maintain about you, taking into account the nature of the personal information and the purposes of the processing.
14.6.4 Right to Delete. The right to request that we delete personal information we have collected from you, subject to certain exceptions, including where the information is necessary to complete a transaction, detect security incidents, comply with a legal obligation, or for other purposes permitted by applicable law.
14.6.5 Right to Opt Out of Sale or Sharing. The right to opt out of the sale or sharing of your personal information, as described in Section 14.1.
14.6.6 Right to Opt Out of Targeted Advertising. The right to opt out of the processing of your personal information for purposes of targeted advertising (also referred to as cross-context behavioral advertising), as described in Section 14.1.
14.6.7 Right to Opt Out of Profiling. The right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning you, where applicable. We do not currently engage in profiling that produces such effects.
14.6.8 Right to Limit Use of Sensitive Personal Information. The right to limit our use and disclosure of your sensitive personal information to those uses that are necessary to perform the Services or as otherwise permitted by California Civil Code § 1798.121 and analogous provisions of other state laws.
14.6.9 Right to Non-Discrimination. The right not to receive discriminatory treatment for the exercise of any of the rights described in this Section 14.6.
14.6.10 Right to Appeal. In states that provide such a right, the right to appeal a decision we make with respect to a request to exercise the foregoing rights.
14.7 How to Exercise Your Rights. You may submit a request to exercise any of the rights described in this Section 14 by contacting us using the information set forth in Section 17 (Contact Information). Users of Carta Services may submit requests to privacy@carta.com, and users of Carta Law Services may submit requests to dataprotection@avantialaw.com. We will acknowledge receipt of your request and respond within the time period required by applicable law. We may need to verify your identity before processing your request, and we will request only the information necessary to do so. If we deny your request in whole or in part, you may, where applicable, appeal our decision by replying to our response or by contacting us at the addresses provided in Section 17, and we will respond to your appeal within the time period required by applicable law.
14.8 Authorized Agents. You may designate an authorized agent to submit a request on your behalf. We may require the authorized agent to provide proof of your written authorization and may require you to verify your identity directly with us before we process the request, except as otherwise required by applicable law.
14.9 Notice of Financial Incentives. We do not offer financial incentives or price or service differences in exchange for the collection, sale, sharing, or retention of personal information.
14.10 Retention. We retain personal information collected from U.S. residents for the periods described in Section 5 and, for Carta Law Services, the additional retention periods set forth in Section 14.2 above.
15. ADDITIONAL NOTICE FOR USERS OUTSIDE THE US
This Section 15 applies to individuals who access or use the Services from jurisdictions outside the United States, including the European Economic Area ("EEA"), the United Kingdom ("UK"), Switzerland, and Canada. To the extent of any conflict between this Section 15 and other provisions of this Privacy Policy, this Section 15 controls with respect to such individuals.
15.1 International Transfers. Carta is headquartered in the United States, and the Services are operated, in whole or in part, from the United States. Personal information that we collect from you may be transferred to, stored in, and processed in the United States and other jurisdictions in which Carta or its service providers maintain operations. By using the Services or otherwise providing personal information to us, you acknowledge that your personal information may be transferred to and processed in jurisdictions whose data protection laws may differ from those of your country of residence.
15.2 Legal Bases for Processing (EEA, UK, and Switzerland). Where the EU General Data Protection Regulation ("GDPR"), the UK GDPR, or the Swiss Federal Act on Data Protection applies, we process personal information on one or more of the following legal bases: (a) your consent; (b) the performance of a contract to which you are a party or to take steps at your request prior to entering into a contract; (c) compliance with a legal or regulatory obligation to which we or our clients are subject; (d) the protection of your vital interests or those of another natural person; or (e) the legitimate interests pursued by us or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms. Where we rely on consent, you have the right to withdraw your consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
15.3 Your Rights (EEA, UK, and Switzerland). Subject to applicable law and any applicable exemptions, you may have the right to: (a) request access to and a copy of your personal information; (b) request rectification of inaccurate or incomplete personal information; (c) request erasure of your personal information; (d) request restriction of, or object to, our processing of your personal information; (e) request data portability; (f) withdraw your consent where processing is based on consent; and (g) lodge a complaint with your local data protection supervisory authority. To exercise these rights, please contact us using the details set forth in Section 17.
15.4 Cross-Border Transfer Mechanisms. Where we transfer personal information from the EEA, the UK, or Switzerland to a country that has not been deemed by the European Commission, the UK Government, or the Swiss Federal Data Protection and Information Commissioner (as applicable) to provide an adequate level of data protection, we implement appropriate safeguards, such as the European Commission's Standard Contractual Clauses, the UK International Data Transfer Agreement or Addendum, and supplementary measures where required. Copies of the relevant safeguards may be obtained by contacting us using the details set forth in Section 17.
15.5 Retention (EEA, UK, and Switzerland). We retain personal information for no longer than is necessary for the purposes for which it was collected, as further described in Section 5, unless a longer retention period is required or permitted by applicable law.
15.6 Automated Decision-Making. We do not use personal information for automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you, except as may be required to comply with applicable law (including AML/KYC obligations performed in connection with Carta Law Services) or as otherwise disclosed to you at the time of collection.
15.7 Canada. If you are located in Canada, we process your personal information in accordance with the Personal Information Protection and Electronic Documents Act ("PIPEDA") and applicable provincial privacy legislation. We rely on your express or implied consent to collect, use, and disclose your personal information for the purposes identified at or before the time of collection, unless an exception applies under applicable law.
15.7.1 Express Consent. We obtain your express consent (whether orally, in writing, or electronically) where required by law, including in connection with the collection, use, or disclosure of sensitive personal information.
15.7.2 Implied Consent. We may rely on your implied consent where the purpose of collection, use, or disclosure would be considered obvious or reasonable in the circumstances and you voluntarily provide the personal information for that purpose.
15.7.3 Exceptions. In limited circumstances, we may collect, use, or disclose your personal information without your knowledge or consent where permitted or required by applicable law, including where:
15.7.3.1 the collection, use, or disclosure is clearly in your interests and consent cannot be obtained in a timely way;
15.7.3.2 obtaining consent would compromise the availability or accuracy of the personal information and the collection is reasonable for purposes related to investigating a breach of an agreement or a contravention of the laws of Canada or a province;
15.7.3.3 the personal information is produced by you in the course of your employment, business, or profession and the collection, use, or disclosure is consistent with the purposes for which it was produced;
15.7.3.4 the disclosure is made to a lawyer representing Carta or Carta Law;
15.7.3.5 the disclosure is required to comply with a subpoena, warrant, court order, or rules of court relating to the production of records;
15.7.3.6 the disclosure is made to a government institution that has identified its lawful authority to obtain the personal information;
15.7.3.7 the disclosure is necessary to respond to an emergency that threatens the life, health, or security of an individual;
15.7.3.8 the personal information is publicly available and specified by regulation; or
15.7.3.9 the collection, use, or disclosure is otherwise required or authorized by law.
You may withdraw your consent at any time, subject to legal or contractual restrictions and reasonable notice, by contacting us using the details set forth in Section 17. Withdrawal of consent may affect our ability to provide the Services to you.
15.8 Controller and Processor Roles. With respect to Carta Services, Carta is the processor (or equivalent) of personal information processed in connection with the Services it provides directly to you. With respect to Carta Law Services, Carta Law may act as a data controller in certain circumstances (for example, with respect to its own website visitors, prospective clients, and personnel) and, in other circumstances, may act as a data processor or service provider on behalf of its clients, who are the data controllers of the personal information processed in connection with certain compliance and related services provided to those clients. Where Carta Law acts as a processor on behalf of a client controller, the privacy policy and instructions of that client govern the processing of the relevant personal information, and individuals should direct privacy inquiries and requests to exercise data subject rights to that client in the first instance. Carta Law will reasonably cooperate with its client controllers to facilitate responses to such requests as required by applicable law and the relevant data processing agreement.
15.9 EU and UK Representatives. Pursuant to Article 27 of the GDPR and Article 27 of the UK GDPR, we have appointed the following representatives:
15.9.1 EU Representative: DataRep. You may contact DataRep regarding matters relating to the processing of personal information of individuals located in the EEA by submitting a request at datarep.com/data-request.
15.9.2 UK Representative: Hannah Thompson, contactable at dataprotection@avantialaw.com, regarding matters relating to the processing of personal information of individuals located in the United Kingdom.
15.10 EU-U.S., UK Extension, and Swiss-U.S. Data Privacy Framework. Carta complies with the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework ("Swiss-U.S. DPF") (collectively, the "DPF") as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the EEA, the UK (and Gibraltar), and Switzerland, respectively, to the United States. Carta (as eShares, Inc.) has certified to the U.S. Department of Commerce that it adheres to the DPF Principles with respect to such personal information. If there is any conflict between the terms in this Privacy Policy and the DPF Principles, the DPF Principles shall govern. To learn more about the DPF program, and to view our certification, please visit www.dataprivacyframework.gov.
The following Carta subsidiaries and affiliated entities are covered by our DPF certification and also adhere to the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF: Carta Valuations LLC, Carta Investor Services, Inc., Carta Financial Technologies, LLC, Carta US Syndicate Administrator LLC, Vauban Platform LP, Vauban Capital GP LLC, Carta Tax Operations, LLC, Vauban Advisers LLC.
In compliance with the DPF Principles, Carta commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EEA, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal information received in reliance on the DPF should first contact us using the details set forth in Section 17. Carta has further committed to cooperate with the panel established by the EU data protection authorities (DPAs), the UK Information Commissioner's Office (ICO) and the Gibraltar Regulatory Authority (GRA), and the Swiss Federal Data Protection and Information Commissioner (FDPIC), as applicable, with regard to unresolved DPF complaints. Under certain conditions, individuals may invoke binding arbitration before the DPF Panel. Carta is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
16. CHANGES TO THIS PRIVACY POLICY
16.1 We may amend, modify, supplement, or otherwise update this Privacy Policy from time to time in our sole discretion to reflect changes in our business operations, the Services, applicable law, regulatory guidance, industry practice, or for any other reason. Any such changes will become effective upon posting of the revised Privacy Policy to carta.com, avantialaw.com, or such other location at which this Privacy Policy is then made available, unless a later effective date is specified in the revised version.
16.2 When we make material changes to this Privacy Policy, we will provide notice to users in a manner reasonably designed to bring the changes to their attention, which may include, without limitation: (i) updating the "Effective Date" or "Last Updated" date appearing at the top of this Privacy Policy; (ii) posting a prominent notice on the home page or login page of carta.com, avantialaw.com, or the applicable Carta mobile application; (iii) sending an email notification to the email address associated with the user's account; or (iv) providing in-product notification through the Services. The form and timing of notice will be determined by us in light of the nature of the change and applicable legal requirements.
16.3 Where required by applicable law, we will obtain your consent to material changes to this Privacy Policy before such changes apply to you. In all other cases, your continued access to or use of the Services following the effective date of the revised Privacy Policy constitutes your acknowledgment of the revised Privacy Policy and, to the extent permitted by law, your agreement to be bound by its terms. If you do not agree to the revised Privacy Policy, you must discontinue your access to and use of the Services.
16.4 We encourage you to review this Privacy Policy periodically to remain informed about how Carta and Carta Law collect, use, disclose, and protect your personal information in connection with the Services. Prior versions of this Privacy Policy will be made available upon request through the contact channels identified in Section 17 (Contact Information).
17. CONTACT INFORMATION
If you have any questions, comments, or concerns regarding this Privacy Policy or our privacy practices, or if you wish to exercise any rights described in this Privacy Policy, you may contact us using the information set forth below. Inquiries relating to Carta Services should be directed to Carta, and inquiries relating to Carta Law Services should be directed to Carta Law. Where appropriate, please specify the Service to which your inquiry relates so that we may route your request to the correct team.
17.1 Carta. For matters relating to Carta Services, you may contact Carta's Data Protection Officer at:
● Email: privacy@carta.com
● Postal Address: Data Protection Officer, eShares, Inc. dba Carta, Inc., 333 Bush Street, Floor 23, Suite 2300, San Francisco, CA 94104, United States
17.2 Carta Law. For matters relating to Carta Law Services, including requests submitted by users of avantialaw.com, you may contact Carta Law at:
● Email: dataprotection@avantialaw.com
● Postal Address: Avantia Law Limited t/a Carta Law, 305-308 Metal Box Factory, 30 Great Guildford Street, London SE1 0HS, United Kingdom
17.3 EU Representative. In accordance with Article 27 of the EU General Data Protection Regulation (Regulation (EU) 2016/679), we have appointed DataRep as our representative in the European Union for data protection matters. Individuals located in the European Economic Area may contact DataRep with respect to the processing of their personal information by submitting a request through the online form available at https://www.datarep.com/data-request, or by writing to DataRep at any of its offices listed at https://www.datarep.com.
17.4 UK Representative. In accordance with Article 27 of the UK General Data Protection Regulation, we have appointed Hannah Thompson as our representative in the United Kingdom for data protection matters related to Carta Law. Individuals located in the United Kingdom may contact our UK Representative at dataprotection@avantialaw.com. Please mark your correspondence to the attention of "Hannah Thompson, UK Representative."
17.5 Response to Inquiries. We will endeavor to respond to all legitimate inquiries within the timeframes required by applicable law. We may need to verify your identity, or the identity of any authorized agent acting on your behalf, before responding to certain requests, and we may decline requests as permitted by applicable law.
Versions:
Privacy Policy Version 4 (current)
Privacy Policy Version 3
Privacy Policy Version 2
Privacy Policy Version 1