Data Rights Policy
Last Revised: MARCH 14, 2026
01. Introduction & Commitment
ShouldEye Trust Systems LLC ("ShouldEye", "we", "our", "us") is committed to protecting the privacy and data rights of every individual who uses our platform. We believe that transparency, user control, and regulatory compliance are foundational to trust — the very thing our platform is built to measure.
This Data Rights Policy explains the rights you have over your personal data when you use ShouldEye.com and our related services ("Services"), how to exercise those rights, and the legal frameworks we comply with. This policy supplements our Privacy Policy and Terms of Use.
We comply with all applicable data protection laws, including but not limited to:
General Data Protection Regulation (GDPR) — EU Regulation 2016/679
UK Data Protection Act 2018 and the UK GDPR
California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA)
Virginia Consumer Data Protection Act (VCDPA)
Colorado Privacy Act (CPA)
Connecticut Data Privacy Act (CTDPA)
Australian Privacy Act 1988 and Australian Privacy Principles (APPs)
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
Brazil's Lei Geral de Proteção de Dados (LGPD)
Where local law provides stronger protections than those described here, the local law prevails.
02. Your Data Rights
Depending on your jurisdiction, you may have some or all of the following rights with respect to your personal data. We honor these rights for all users regardless of location, except where a specific right is legally inapplicable.
Right of Access (Right to Know): You have the right to request confirmation of whether we process your personal data, and to obtain a copy of the specific personal data we hold about you. This includes the categories of data collected, the purposes of processing, the categories of third parties with whom data is shared, and the retention period.
Right to Rectification (Right to Correct): You have the right to request correction of inaccurate personal data, or completion of incomplete personal data we hold about you.
Right to Erasure (Right to Delete / Right to Be Forgotten): You have the right to request deletion of your personal data. We will comply unless we have a lawful basis to retain it (e.g., legal obligation, fraud prevention, exercising or defending legal claims).
Right to Restriction of Processing: You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or object to processing.
Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format (e.g., JSON or CSV), and to transmit that data to another controller without hindrance.
Right to Object: You have the right to object to the processing of your personal data based on legitimate interests or for direct marketing purposes. Where you object, we will cease processing unless we demonstrate compelling legitimate grounds that override your interests.
Right to Withdraw Consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.
Right Not to Be Subject to Automated Decision-Making: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects you, unless it is necessary for a contract, authorized by law, or based on your explicit consent.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your data rights. You will not receive different pricing, service quality, or access levels as a result of exercising your rights.
Right to Opt Out of Sale or Sharing: We do not sell your personal data. If this ever changes, you will have the right to opt out of the sale or sharing of your personal data for cross-context behavioral advertising.
03. How to Exercise Your Rights
You can exercise any of your data rights through the following methods:
Account Settings: Many rights can be exercised directly from your ShouldEye account. Navigate to Settings → Privacy & Data to access data export, deletion, consent management, and communication preferences.
Email Request: Send a request to privacy@shouldeye.com with the subject line "Data Rights Request". Include:
Your account email address
The specific right(s) you wish to exercise
Any details that help us locate the relevant data
Authorized Agent: You may designate an authorized agent to submit a request on your behalf. We may require the agent to provide proof of authorization (e.g., a signed written authorization or power of attorney) and may verify your identity directly.
Identity Verification: To protect your privacy and security, we will verify your identity before fulfilling any data rights request. Verification may involve confirming your email address, account credentials, or other identifying information. We will not fulfill a request if we cannot verify the requestor's identity.
04. Response Timelines
We are committed to responding to data rights requests promptly and within the timeframes required by applicable law:
Acknowledgment: We will acknowledge receipt of your request within 3 business days.
GDPR / UK GDPR: We will respond to your request within 30 days of receipt. If the request is complex or we receive a high volume of requests, we may extend this by an additional 60 days, and we will inform you of the extension and the reasons within the initial 30-day period.
CCPA / CPRA: We will respond within 45 days of receipt. We may extend this by an additional 45 days where reasonably necessary, with notice to you.
Other jurisdictions: We will respond within the timeframe required by your local law, or within 30 days if no specific timeframe is mandated.
All data rights requests are processed free of charge, unless the request is manifestly unfounded or excessive (e.g., repetitive requests), in which case we may charge a reasonable administrative fee or refuse the request, in accordance with applicable law.
05. Data We Collect & Process
For full details on the categories of personal data we collect, please refer to our Privacy Policy. In summary, we may process the following categories of personal data:
Identifiers: Email address, display name (may be a pseudonym), account ID.
Account Data: Hashed password, profile preferences, subscription status.
Financial Data: Transaction history from connected accounts (via third-party integrations like Plaid), subscription billing records. ShouldEye does not store raw credit card numbers.
Usage Data: Search queries, trust reports generated, reviews posted, feature interactions, game activity.
Device & Technical Data: IP address, browser type, operating system, device identifiers, cookies, and similar technologies.
Location Data: Approximate location derived from IP address. We do not collect precise GPS location.
Communication Data: Support tickets, feedback submissions, and correspondence with our team.
We process personal data only for the purposes described in our Privacy Policy, and we do not collect or process sensitive personal data (e.g., racial or ethnic origin, political opinions, biometric data, health data) unless explicitly provided by you and with your consent.
06. Legal Bases for Processing
We process your personal data under one or more of the following legal bases, as required by GDPR and equivalent legislation:
Performance of a Contract: Processing necessary to provide the Services you have requested (e.g., creating your account, generating trust reports, processing payments).
Consent: Processing based on your freely given, specific, informed, and unambiguous consent (e.g., optional email communications, connecting third-party accounts, AI model training opt-in). You may withdraw consent at any time.
Legitimate Interests: Processing necessary for our legitimate interests or those of a third party, provided those interests are not overridden by your rights and freedoms (e.g., fraud prevention, platform security, service improvement, analytics).
Legal Obligation: Processing necessary to comply with a legal obligation to which we are subject (e.g., tax records, law enforcement requests, regulatory compliance).
You have the right to object to processing based on legitimate interests at any time. We will cease processing unless we can demonstrate compelling legitimate grounds.
07. Data Retention & Deletion
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Our retention practices are as follows:
Active accounts: Data is retained for the duration of your account's existence and active use of the Services.
Inactive accounts: If your account is inactive for more than 24 months, we may contact you to confirm whether you wish to retain your account. If no response is received, we may delete the account and associated data.
Post-deletion: Upon account deletion or a valid erasure request, we will delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., financial records for tax purposes, which may be retained for up to 7 years).
Backups: Data in encrypted backups may persist for up to 90 days after deletion before being permanently purged through our standard backup rotation cycle.
Aggregated/anonymized data: Data that has been fully anonymized (such that it can no longer identify you) may be retained indefinitely for analytics and service improvement purposes.
08. Data Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These measures include:
Encryption: All data in transit is encrypted using TLS 1.2 or higher. Sensitive data at rest is encrypted using AES-256 or equivalent standards.
Access Controls: Access to personal data is restricted to authorized personnel on a need-to-know basis, with role-based access controls and multi-factor authentication.
Infrastructure: Our Services are hosted on enterprise-grade cloud infrastructure with SOC 2 Type II compliance, regular security audits, and intrusion detection systems.
Password Security: User passwords are hashed using industry-standard algorithms (bcrypt). We never store plaintext passwords.
Incident Response: We maintain a data breach response plan. In the event of a breach affecting your personal data, we will notify you and the relevant supervisory authority within the timeframes required by applicable law (72 hours under GDPR).
While we take extensive measures to protect your data, no system is completely secure. We encourage you to use strong, unique passwords and to enable available security features on your account.
09. International Data Transfers
ShouldEye is based in the United States. If you access our Services from outside the United States, your personal data may be transferred to, stored, and processed in the United States or other countries where our service providers operate.
When we transfer personal data internationally, we ensure appropriate safeguards are in place, including:
Standard Contractual Clauses (SCCs): We use EU-approved Standard Contractual Clauses for transfers of personal data from the EEA, UK, or Switzerland to countries that have not received an adequacy decision.
Adequacy Decisions: Where applicable, we rely on adequacy decisions issued by the European Commission or the UK Secretary of State.
Supplementary Measures: Where required, we implement additional technical, organizational, or contractual measures to ensure the transferred data receives an essentially equivalent level of protection.
You may request a copy of the safeguards we use for international transfers by contacting privacy@shouldeye.com.
10. Cookies & Tracking Technologies
We use cookies and similar tracking technologies to operate and improve our Services. Your rights regarding cookies include:
Essential Cookies: Required for the basic functionality of the Services (e.g., authentication, security). These cannot be disabled without impairing core functionality.
Analytics Cookies: Used to understand how users interact with our Services. You may opt out of analytics cookies through your browser settings or our cookie consent mechanism.
Preference Cookies: Used to remember your settings and preferences. These are optional and can be managed through your account settings.
We do not use cookies for cross-site behavioral advertising. We do not sell data collected through cookies. You can manage your cookie preferences at any time through your browser settings or by contacting us.
11. Third-Party Data Processors
We engage third-party service providers ("data processors") to help us operate the Services. All processors are contractually bound to process personal data only on our instructions and in compliance with applicable data protection laws. Key categories of processors include:
Cloud Infrastructure: Hosting and storage providers with SOC 2 compliance.
Payment Processing: Secure payment processors (e.g., Stripe). ShouldEye does not store credit card numbers.
AI & Analytics: AI model providers used to generate trust reports and analysis. Data shared with AI providers is subject to data processing agreements that prohibit use of your data for their own training purposes.
Email & Communications: Transactional email providers for account notifications and support.
Financial Data Aggregation: Third-party services (e.g., Plaid) for optional bank/email account connections, governed by their own privacy policies and your explicit consent.
A list of our current sub-processors is available upon request by contacting privacy@shouldeye.com.
12. Children's Data
ShouldEye is not directed at children under the age of 13 (or the applicable minimum age in your jurisdiction). We do not knowingly collect personal data from children.
If we become aware that we have collected personal data from a child without appropriate parental or guardian consent, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at privacy@shouldeye.com.
13. Complaints & Supervisory Authorities
If you believe that your data rights have not been respected, you have the right to lodge a complaint with your local data protection supervisory authority. Key authorities include:
European Union: Your local Data Protection Authority (DPA). A list is available at edpb.europa.eu.
United Kingdom: Information Commissioner's Office (ICO) — ico.org.uk
United States (California): California Attorney General — oag.ca.gov/privacy
Australia: Office of the Australian Information Commissioner (OAIC) — oaic.gov.au
We encourage you to contact us first so we can attempt to resolve your concern directly. We take all complaints seriously and aim to resolve them within 30 days.
14. Do Not Track Signals
Some browsers transmit "Do Not Track" (DNT) signals. There is currently no universally accepted standard for how companies should respond to DNT signals.
ShouldEye does not currently respond to DNT signals. However, we do not engage in cross-site tracking or sell personal data, and we provide you with direct controls over your data and privacy preferences through your account settings.
If a universal DNT standard is adopted, we will update our practices accordingly.
15. Changes to This Policy
We may update this Data Rights Policy from time to time to reflect changes in our practices, the Services, or applicable law. When we make material changes:
We will notify you via email or in-product notification at least 30 days before the changes take effect.
The updated policy will be posted on this page with a revised "Last Updated" date.
Material changes will not retroactively reduce your rights without your consent.
We encourage you to review this policy periodically to stay informed about your data rights.
16. Contact Us
If you have any questions about your data rights, wish to exercise a right, or have concerns about how your data is handled, please contact us:
Data Rights Requests: privacy@shouldeye.com
General Support: hello@shouldeye.com
Entity: ShouldEye Trust Systems LLC
We aim to respond to all data rights inquiries within 3 business days and to fulfill requests within the timeframes specified in Section 04 of this policy.
Formal Acknowledgement
By continuing to use this service, you agree to the terms outlined above.