PRIVACY POLICY

How to Read This Policy. Some information described in this Privacy Policy is processed by CurrentWare as a controller, such as information relating to website visitors, prospective customers, billing contacts, and Authorized Users for CurrentWare’s own account administration, security, and business operations. Other information, including Employee Personal Data processed through the Service on behalf of a Customer, is processed by CurrentWare as a processor or service provider. Where CurrentWare acts on behalf of a Customer, the Customer is responsible for determining the lawful basis for processing, providing required notices, and responding to rights requests, except to the extent CurrentWare is required to assist under applicable law or contract.

1. Introduction

This Privacy Policy explains how CurrentWare Inc. (“CurrentWare,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal information when you interact with our websites, products, and services. It also applies to the CurrentWare workforce analytics, security, and data-loss-prevention platform – including the modules, the console, and the endpoint agents – whether deployed on-premises, through CurrentWare Cloud, or under a hybrid model (collectively, the “Service”).

This Privacy Policy covers two broad categories of individuals:

  • Customers and Authorized Users – the organizations and individuals who purchase, administer, and configure the Service; and
  • Monitored Personnel – the employees, contractors, and other workers whose endpoint activity is collected through the Service at the direction of a Customer. 

Important Note on Roles: When CurrentWare processes personal data on behalf of a Customer through the Service, the Customer is the controller (or “business,” as applicable under privacy laws) and CurrentWare is the processor (or “service provider,” as applicable). In that capacity, CurrentWare processes personal data only on the Customer’s documented instructions, and when personal information is used with the Service, it is processed according to the Master Terms of Service (“Master TOS”) and the Data Processing Addendum (“DPA”) attached to or referenced in those terms. This Privacy Policy does not override or replace the DPA, which governs CurrentWare’s obligations as a processor. Where a provision in this Privacy Policy relates to processing that is more fully addressed in the DPA, this Policy provides a summary and cross-references the DPA for detailed terms.

2. Definitions

The following terms are used throughout this Privacy Policy:

  • “Agent” or “Endpoint Agent” means the CurrentWare software component installed on each Endpoint that collects and transmits telemetry to the Console. 
  • “Authorized User” means an individual employee, contractor, or agent of a Customer whom the Customer authorizes to access and configure the Service. 
  • “Console” means the management console — hosted by CurrentWare or by the Customer — through which Authorized Users administer the Service. 
  • “Controller” means the entity that determines the purposes and means of the Processing of Personal Information. In the context of the Service, the Customer is the Controller with respect to Employee Personal Data. 
  • “Customer” means the organization that has entered into a Master TOS and applicable Order Form with CurrentWare to access and use the Service. 
  • “Employee Personal Data” means personal data relating to Customer’s personnel (including employees, contractors, and other workers) that is processed through the Service, including web activity, application usage, idle time, file-transfer events, USB and peripheral device activity, productivity scores, and related telemetry.
  • “Endpoint” means a workstation, laptop, server, virtual desktop instance, or other device on which the Agent is installed and from which telemetry is collected. 
  • “Module” means a separately licensed functional component of the Service, including BrowseReporter, BrowseControl, AccessPatrol, and enPowerManager. 
  • “Personal Information” (also referred to as “Personal Data”) means any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identified or identifiable individual.
  • “Processing” means any operation or set of operations performed on Personal Information, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction. 
  • “Processor” means the entity that processes Personal Information on behalf of and under the instructions of a Controller. CurrentWare acts as a Processor when it processes Employee Personal Data through the Service. 

3. Who We Are – Controller Identity and Contact Information

CurrentWare Inc.
199 Bay Street Suite 5300
Toronto, Ontario  M5L 1B9
Canada

Privacy Contact / Data Protection Officer: Email: privacy@currentware.com | 1-888-912-9619

4. What Personal Information We Collect

We collect and process the following categories of Personal Information, depending on how you interact with us:

4.1 Account and Organization Data

When a Customer signs up for the Service, we collect information necessary to create and maintain the account. Authorized Users and other individuals may be associated with the account, including information such as:

  • Company name, industry, and seat count 
  • Billing and payment information

4.2 User Account Data (Authorized Users)

For individuals who access the Console as Authorized Users, we collect:

  • Internal user ID and work email address 
  • Role (e.g., admin, manager, employee) and department 
  • Account status (active, suspended, or deleted) 

4.3 Authentication and Security Logs

To maintain the security of the Service, we collect:

  • Login and logout timestamps, including success or failure reasons 
  • IP address, device type, operating system, browser, and MFA-enabled status 
  • Key administrative actions, such as creating users, updating policies, and exporting reports 

4.4 Product Usage and Engagement Data

We collect data about how Authorized Users interact with the Service, including:

  • Pages and modules accessed (e.g., Dashboard, Reports, Policies) 
  • Feature engagement and event activity (e.g., report creation, policy updates) 
  • Usage metrics such as number of logins, reports run, and active days 
  • Onboarding progress (e.g., checklist completion, tours viewed) 
  • Error events and stack traces, excluding free-text data 

4.5 Employee Personal Data (Workforce Telemetry)

When Customers deploy the Service to monitor their personnel, the Endpoint Agent collects telemetry from managed devices. This data is processed by CurrentWare on behalf of, and at the direction of, the Customer. Categories of Employee Personal Data include:

  • Web activity – websites visited, URLs accessed, website categories, and time spent on each site 
  • Application usage – applications opened, time spent in each application, and application categories 
  • Idle time and productivity data – active versus inactive work patterns, productivity scores, and time-wasting pattern detection 
  • File-transfer events – records of file transfers to or from Endpoints, including file names and destinations 
  • USB and peripheral device activity – connection, disconnection, and usage of USB storage devices, Bluetooth adapters, Wi-Fi adapters, and other peripherals 
  • Screenshot capture status – whether screenshot capture is enabled or disabled on a per-device basis (on/off flag only) 

What the Service Does Not Collect: The Service does not perform keystroke logging, screen recording, email content capture, deep forensic endpoint detection (EDR), or network-level monitoring. 

Note for Monitored Personnel: If you are an employee, contractor, or worker whose employer uses the CurrentWare Service, your employer, not CurrentWare, is responsible for providing you with notice about the monitoring, for obtaining any required consent, and for ensuring that its use of the Service complies with applicable law. If you have questions about how your employer uses the Service or wish to exercise your privacy rights with respect to Employee Personal Data, please contact your employer directly.

Sensitive or Special-Category Data. The Service is not intended to collect or process special categories of personal data or other sensitive personal information except to the extent such information is incidentally included in telemetry, file names, URLs, application names, support submissions, or account credentials. Customers are responsible for configuring and using the Service in a manner that is proportionate to their legitimate business purposes and that minimizes the incidental collection of sensitive information. To the extent such information is incidentally processed through the Service, CurrentWare processes it only on the Customer’s documented instructions and subject to applicable contractual and security safeguards.

4.6 Support Communications

When you contact us for support, we may collect your name, email address, the content of your communications, and any attachments or diagnostic data you provide.

4.7 Website and Cookie Data

When you visit our websites (including www.currentware.com), we collect information through cookies and similar tracking technologies, as described in Section 7 (Cookies and Tracking Technologies) below. 

5. How We Use Personal Information

We use Personal Information for the following purposes:

5.1 Providing and Operating the Service

We process Personal Information to deliver the Service to our Customers, including hosting the Console, transmitting and storing telemetry data, generating reports and dashboards, enforcing web-filtering and device-control policies, and administering Customer accounts. 

5.2 Artificial Intelligence and Automated Insights

The Service may include artificial intelligence, machine learning, or automated analytics features used to generate insights, alerts, summaries, or recommendations based on Customer Data and product usage data. 

These AI-powered features may be used to:

  • Detect productivity trends, anomalies, or workflow inefficiencies 
  • Generate automated productivity scores, time-use analytics, and team-level reporting 
  • Produce summaries, recommendations, or predictive insights to assist Customer decision-making

Unless otherwise expressly stated in supplemental terms or product documentation:

  • AI-assisted features are intended to support, and not replace, human review and decision-making;
  • CurrentWare does not use identifiable Customer Personal Data or Employee Personal Data processed on behalf of Customers to train shared foundation models for unrelated customers;
  • where third-party AI providers are used, they act as service providers or subprocessors subject to contractual restrictions designed to limit retention and use of data for unauthorized purposes; and
  • Customers are responsible for determining whether and how to enable, configure, or rely on AI-generated outputs in a manner consistent with applicable law.

CurrentWare’s artificial intelligence and analytics features are intended to provide decision-support information only. The Services do not make employment decisions, disciplinary determinations, or other decisions that produce legal or similarly significant effects concerning individuals. Customers are solely responsible for reviewing and interpreting any insights, scores, classifications, or recommendations generated by the Services and for ensuring appropriate human oversight, fairness, and compliance with applicable employment and data protection laws.

5.3 Security and Insider Threat Protection

We process data to enable the Service’s data-loss-prevention and insider-threat-protection capabilities, including USB and peripheral device control, file-transfer auditing, shadow IT visibility, and policy enforcement. 

5.4 Service Improvement, Analytics, and Product Development

We use product usage and engagement data to analyze feature adoption, diagnose errors, improve Service performance and usability, and develop new features. 

5.5 Aggregated and De-Identified Data

CurrentWare may generate aggregated, anonymized, or de-identified data derived from Customer Data and use such data for any lawful business purpose, including improving the Service, developing new features, and producing benchmarks — provided that such data does not identify any Customer or individual. Data used for machine-learning model improvement may be aggregated, anonymized, or otherwise de-identified. 

5.6 Compliance and License Management

We may collect and use information regarding use of the Service and Endpoints for purposes of providing maintenance and support, verifying compliance with the Master TOS, detecting over-deployment, and managing software licenses. 

5.7 Employee and End-User Data 

To the extent Customer Data includes Employee Personal Data, CurrentWare processes such information solely on behalf of and in accordance with the documented instructions of the applicable Customer and for the purpose of providing the Services. CurrentWare does not use Employee Personal Data for its own independent business purposes. Any use of Employee Personal Data for service analytics, product improvement, security enhancement, or artificial intelligence model development is limited to data that has been aggregated, anonymized, or de-identified such that it cannot reasonably be used to identify an individual, unless otherwise expressly permitted by applicable law or a written agreement with the Customer.

5.8 Legal Obligations and Dispute Resolution

We may process Personal Information to comply with legal obligations, respond to lawful requests from public authorities, enforce our terms, and protect our rights and the rights of others.

5.9 Communications and Support

We use contact information to respond to inquiries, provide technical support, and send service-related notices. 

6. How We Share Personal Information

We may share Personal Information in the following circumstances:

6.1 With Customers (Employee Personal Data)

Employee Personal Data collected through the Service is made available to the Customer (and its Authorized Users) through the Console. CurrentWare processes this data at the Customer’s direction. 

6.2 Service Providers and Sub-Processors

CurrentWare uses third-party service providers and subprocessors to support the Service and its business operations, including providers of cloud hosting, infrastructure, authentication, customer support, communications, analytics, and, where applicable, artificial intelligence functionality. These providers are contractually required to process Personal Information only for authorized purposes and subject to appropriate confidentiality, security, and data protection obligations.

A current list of CurrentWare subprocessors that process Customer Personal Data in connection with the Service, including the name, location, and processing function of each such subprocessor, is maintained at https://www.currentware.com/data-processing-addendum/#Schedule3 and may be updated from time to time in accordance with the DPA.

Third-party advertising and analytics partners used on CurrentWare’s public marketing websites are separate from Service subprocessors and are described in Section 7 and the applicable Regional Addenda.

6.3 Advertising and Analytics Partners

We may share data collected through our websites with advertising partners or analytics providers for purposes such as retargeting, campaign attribution, and measuring ad effectiveness. Where applicable law requires, we provide opt-out mechanisms for such sharing (see Section 7 and the applicable Regional Addenda).

6.4 Legal and Regulatory Disclosures

We may disclose Personal Information when required by law, in response to valid legal process (such as a court order or subpoena), or to cooperate with regulatory inquiries and investigations. 

6.5 Business Transfers

In the event of a merger, acquisition, reorganization, or sale of all or substantially all of our assets, Personal Information may be transferred to the acquiring entity. 

6.6 With Customer Consent or at Customer Direction

We may share Personal Information in other circumstances with the Customer’s consent or at the Customer’s documented instruction, as contemplated by the Master TOS and DPA.

7. Cookies and Tracking Technologies

7.1 Cookies on Public Websites

CurrentWare uses cookies and similar technologies on its public websites to operate the site, understand usage, improve performance, and, where permitted, measure and support marketing activities. These technologies may include analytics and limited marketing tools. Where required by applicable law, users may opt out of non-essential cookies through available cookie management tools.

7.2 Cookies Used in the Cloud-Hosted Service

The cloud-hosted version of the Service may use cookies and similar technologies for authentication, session management, security, fraud prevention, preference storage, and limited service analytics. Cookies used solely for core service functionality and security do not require consent where permitted by law. Analytics or optional functionality cookies used in the Service are subject to the applicable consent and preference mechanisms where required.

Cookie Category | Purpose | Consent Required?
Necessary / Essential | Core functionality, authentication, session management, fraud prevention, load balancing | No — strictly necessary for service provision
Functional / Preference | Remember user choices (language, display, theme, region preferences) | Yes (where required)
Analytics / Performance | Measure and improve Service performance, usability, feature adoption, and error diagnostics | Yes
Marketing / Advertising | Personalized advertising, retargeting, campaign attribution, ad impression tracking | Yes

Analytics and telemetry data collected through cookies may also be used to support machine-learning models or AI-driven insights about product usage and feature adoption. 

Some cookies are strictly necessary for the operation and security of the website and do not require user consent under applicable law.

7.4 Managing Your Preferences

When interacting with our website or online features of our Service, you can manage your cookie preferences at any time through our cookie banner, cookie settings page, or your browser settings. Except for strictly necessary cookies, you may change or withdraw your consent at any time where applicable law provides that right. See the applicable Regional Addendum for jurisdiction-specific rights related to cookies and tracking technologies.

8. International Data Transfers

CurrentWare is headquartered in Ontario, Canada. Personal Information may be transferred to, stored in, and processed in Canada, the United States, or other countries where CurrentWare or its sub-processors operate.

When Personal Information is transferred across borders, we implement appropriate safeguards as required by applicable law, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (for transfers from the EU/EEA)
  • UK International Data Transfer Agreement (UK IDTA) or UK Addendum to the EU SCCs (for transfers from the UK)
  • Adequacy decisions, where available
  • Other lawful transfer mechanisms recognized under applicable data-protection law 

9. Data Retention

We retain Personal Information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Our general approach to retention is as follows:

  • Account and organization data is retained for the duration of the Customer’s subscription and for a reasonable period thereafter for legal and compliance purposes.
  • Employee Personal Data (workforce telemetry) is retained in accordance with default retention periods established by CurrentWare and any customer-configurable deletion controls, as described in the DPA. 
  • Authentication and security logs are retained for a reasonable period for security, compliance, and operational purposes. 

10. Data Security

CurrentWare implements and maintains appropriate technical and organizational security measures designed to protect Personal Information against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures include, at a high level:

  • Access controls and authentication mechanisms
  • Encryption of data in transit
  • Logging and monitoring of administrative access
  • Segregation of customer environments
  • Vulnerability management and patch deployment
  • Business continuity and disaster recovery procedures 

11. Your Privacy Rights

Depending on where you are located, you may have certain rights regarding your Personal Information. The specific rights available to you, and how to exercise them, are set out in the applicable Regional Addendum below. In general, these may include:

  • The right to access the Personal Information we hold about you
  • The right to correct inaccurate Personal Information
  • The right to delete your Personal Information
  • The right to restrict or object to certain processing
  • The right to data portability
  • The right to withdraw consent where processing is based on consent
  • The right to opt out of the sale or sharing of Personal Information, targeted advertising, or profiling 
  • Where applicable, the right to object to automated processing or profiling 

Requests Relating to Customer Data.

Where personal information is processed by CurrentWare on behalf of a Customer, requests to exercise data protection rights (including access, correction, deletion, or objection) should be directed to the Customer, who controls such data. CurrentWare will reasonably assist Customers in fulfilling such requests as required by applicable law and contractual obligations. Except where required by law, CurrentWare does not respond directly to such requests without Customer authorization.

How to Submit a Privacy Request. You may submit a request by contacting CurrentWare using the contact details provided below and describing the nature of your request with reasonable specificity. CurrentWare may take reasonable steps to verify the identity and authority of the requestor before responding, including confirming access to the relevant email address, account, or organizational relationship. Where permitted by law, CurrentWare may request additional information necessary to verify the request and locate the relevant records.

If CurrentWare processes the relevant Personal Information on behalf of a Customer, CurrentWare may refer the request to the Customer or respond only with the Customer’s authorization, except where required by applicable law. Where applicable law provides a right to appeal a denial of a privacy request, CurrentWare will inform the requestor of the appeal mechanism and how to use it.

To exercise your rights, contact us at privacy@currentware.com | 1-888-912-9619

We will not discriminate against you for exercising your privacy rights.

12. Children’s Data

The Service is designed for use in enterprise and institutional environments and is not directed to children under the age of 16 (or the applicable age of digital consent in your jurisdiction). However, some Customers (including schools or other educational institutions) may deploy the Service in environments where devices or accounts are used by students or other minors and where Customer Data may include Personal Information relating to minors (for example, device identifiers, usernames, authentication logs, and internet or application activity captured by an Endpoint Agent on a school-managed device).

In these deployments, the Customer is the controller (or equivalent) of such information and is responsible for (i) determining what data is collected and how it is used, (ii) providing any required notices to students, parents/guardians, and staff, and (iii) obtaining any required consents or authorizations under applicable law. CurrentWare acts as a processor/service provider and processes such information only on the Customer’s documented instructions and as described in the applicable agreement (including the DPA). If you are a student, parent/guardian, or other individual and believe a school Customer is using the Service in a way that raises privacy concerns, or you wish to exercise your rights with respect to data processed on behalf of that Customer, please contact the school or district directly. If you believe CurrentWare has inadvertently collected children’s Personal Information outside of a Customer-directed deployment, please contact us at privacy@currentware.com and we will take reasonable steps to investigate and, where appropriate, delete such information.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Service, or applicable law. When we make material changes, we will update the “Last Updated” date at the top of this Policy and, where required, provide notice through the Service, by email, or by other appropriate means. 

We encourage you to review this Privacy Policy periodically.

14. How to Contact Us

If you have questions or concerns about this Privacy Policy or our privacy practices, please contact us at:

Privacy Contact / Data Protection Officer: Email: privacy@currentware.com | 1-888-912-9619

For jurisdiction-specific regulatory and supervisory authority contact information, please refer to the applicable Regional Addendum below.

EXHIBIT A — CANADA REGIONAL ADDENDUM

This Addendum supplements the main body of the Privacy Policy for individuals located in Canada and addresses CurrentWare’s obligations under Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”), Quebec’s Act Respecting the Protection of Personal Information in the Private Sector (“Law 25”), and applicable provincial privacy legislation.

A.1 Applicability

This Addendum applies when CurrentWare collects, uses, or discloses Personal Information of individuals located in Canada, including in its capacity as a controller (e.g., with respect to website visitors, prospective customers, and Authorized Users of Canadian Customers) and, to the extent applicable, as a processor acting on behalf of Canadian Customers.

A.2 Accountability and Privacy Governance

CurrentWare is responsible for Personal Information under its control and maintains a privacy management program designed to support compliance with applicable Canadian privacy laws, including PIPEDA and, where applicable, provincial private-sector privacy legislation. CurrentWare has designated a person responsible for privacy oversight and compliance, who may be contacted using the information provided in this Privacy Policy.

CurrentWare’s privacy management program includes policies and practices relating to governance and internal accountability, complaint handling and escalation, staff confidentiality and privacy training, safeguards and incident response, retention and secure disposal, management of service providers and subprocessors, and periodic review of privacy practices.

A.2 Consent

Under PIPEDA and applicable provincial law, we generally rely on the following forms of consent for the collection, use, and disclosure of Personal Information:

  • Express consent — for sensitive personal information, for direct marketing communications, and where otherwise required.
  • Implied consent — where the collection, use, or disclosure is reasonably expected in the context of the individual’s relationship with CurrentWare and is not sensitive in nature.
  • Consent exceptions — where permitted by PIPEDA or applicable provincial law (e.g., processing necessary for legal or security purposes).

You may withdraw your consent at any time, subject to legal or contractual restrictions and upon reasonable notice. Withdrawal of consent may limit our ability to provide certain services.

A.3 Law 25 (Quebec)

For individuals in Quebec, the following additional requirements apply under Law 25:

  • Privacy Governance and Accountability: CurrentWare has designated, or caused to be delegated, responsibility for personal information protection in accordance with applicable law. Contact information for privacy-related inquiries is provided in this Privacy Policy.
  • Privacy Impact Assessments: CurrentWare conducts privacy impact assessments for projects involving the collection, use, or disclosure of Personal Information, as required by Law 25.
  • Automated Decision-Making: Where the Service is used by a Customer in connection with a decision based exclusively on automated processing that produces legal effects or similarly significant effects concerning an individual, the Customer is responsible for providing any notices and rights required by law. CurrentWare will provide reasonable assistance to Customers as required by contract or applicable law.
  • Cross-Border Transfers: Before communicating Personal Information outside Quebec where required by law, CurrentWare assesses whether the information will receive adequate protection, taking into account the sensitivity of the information, the purposes for which it is to be used, the safeguards applicable to it, and the legal framework of the destination jurisdiction. Where required, such transfers are governed by written contractual safeguards designed to ensure a level of protection equivalent to that required by applicable law.
  • De-Identification and Anonymization: CurrentWare applies de-identification and anonymization practices in accordance with applicable legal requirements and internal controls designed to prevent unauthorized re-identification.
  • Confidentiality Incidents: CurrentWare maintains internal processes for identifying, assessing, documenting, and responding to confidentiality incidents and, where required by law, maintains a record of such incidents. CurrentWare will notify Customers of reportable incidents involving Customer Personal Data as required by contract and applicable law.

A.4 Your Rights Under Canadian Privacy Law

Under PIPEDA, Law 25, and applicable provincial legislation, individuals in Canada have the following rights:

  • Access: You have the right to request access to the Personal Information we hold about you.
  • Correction: You have the right to request correction of inaccurate or incomplete Personal Information.
  • Withdrawal of Consent: You may withdraw your consent to the collection, use, or disclosure of your Personal Information, subject to legal or contractual limitations.
  • Complaint: You may file a complaint with the applicable privacy commissioner (see below).
  • De-indexation (Quebec): Under Law 25, individuals may request that any hyperlink attached to their name providing access to Personal Information be de-indexed, where the dissemination of that information violates the law or a court order.
  • Portability (Quebec): Under Law 25, individuals may request the communication of their Personal Information in a commonly used technological format.

A.5 Complaints and Inquiries

  • Individuals may submit privacy questions, access or correction requests, or complaints using the contact information provided in this Privacy Policy. CurrentWare may take reasonable steps to verify the identity and authority of the requestor before responding.
  • CurrentWare will review complaints in accordance with its internal privacy handling procedures and will respond within a reasonable time. If an individual is not satisfied with CurrentWare’s response, the individual may contact the appropriate privacy regulator, including the Office of the Privacy Commissioner of Canada or, where applicable, the Commission d’accès à l’information du Québec.

A.6 Regulatory Contact

Office of the Privacy Commissioner of Canada
30 Victoria Street, Gatineau, Quebec K1A 1H3
Toll-free: 1-800-282-1376
Website: www.priv.gc.ca

Commission d’accès à l’information du Québec (for Quebec residents):
525, boul. René-Lévesque Est, bureau 2.36, Québec (Québec) G1R 5S9
Telephone: 418-528-7741

Office of the Information and Privacy Commissioner for British Columbia (OIPC-BC) (for British Columbia residents):
PO Box 9038, Stn Prov Govt, Victoria, British Columbia V8W 9A4
Telephone: 250-387-5629
Website:

Office of the Information and Privacy Commissioner of Alberta (OIPC-AB) (for Alberta residents):
Suite 410, 9925 109 Street NW, Edmonton, Alberta T5K 2J8
Telephone: 780-422-6860

EXHIBIT B — UNITED STATES REGIONAL ADDENDUM

This Addendum supplements the main body of the Privacy Policy for individuals located in the United States and addresses CurrentWare’s obligations under applicable U.S. federal and state privacy laws, including the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”), the Connecticut Data Privacy Act (“CTDPA”), the Utah Consumer Privacy Act (“UCPA”), and the Texas Data Privacy and Security Act (“TDPSA”).

Notice at Collection. Where required by applicable California law, CurrentWare provides a separate Notice at Collection at or before the point at which Personal Information is collected through its public websites, forms, or related interactions. That notice supplements this Privacy Policy and describes the categories of Personal Information collected, the purposes of collection, whether such information is sold or shared, and applicable retention periods or criteria.

B.1 Categories of Personal Information Collected

Under the CCPA/CPRA and similar state laws, the categories of Personal Information we collect include:

| Category | Examples | Source |
|---|---|---|
| Identifiers | Name, email address, user ID, customer ID, IP address, device identifiers | Directly from you; automatically collected |
| Commercial Information | Subscription details, plan type, license usage, billing information | Directly from Customer |
| Internet or Network Activity | Website browsing history, application usage, pages/modules accessed within the Service, feature engagement | Automatically collected via Agent and cookies |
| Geolocation Data | IP-derived approximate location | Automatically collected |
| Professional or Employment Information | Role, department, employer name | Provided by Customer |
| Inferences | Productivity scores, idle time patterns, workflow bottleneck indicators, AI-generated insights | Generated through the Service |
| Sensitive Personal Information | Account login credentials (username and password) | Provided by you |

B.2 Business and Commercial Purposes for Collection

We collect and use Personal Information for the business and commercial purposes described in Section 5 of the main body of this Privacy Policy, including providing the Service, security, analytics, product improvement, and advertising. 

B.3 Sale and Sharing of Personal Information

Under the CCPA/CPRA, “sale” means making Personal Information available to a third party for monetary or other valuable consideration, and “sharing” means making Personal Information available for cross-context behavioral advertising. 

CurrentWare does not sell or share Employee Personal Data (workforce telemetry) processed on behalf of Customers.

With respect to website visitors, we may share certain Personal Information (such as IP addresses, device identifiers, or cookie identifiers) with advertising and analytics partners through cookies and similar technologies for purposes that may constitute a “sale” or “sharing” under state privacy laws. You have the right to opt out of such sale and sharing, as described in Section B.5 below.

B.4 Sensitive Personal Information

CurrentWare may collect limited categories of Sensitive Personal Information, such as account login credentials or other information that qualifies as sensitive personal information under applicable law. CurrentWare uses such information only for purposes permitted by applicable law, including providing and securing the Service, authenticating users, detecting and preventing security incidents, maintaining accounts, and complying with legal obligations.

CurrentWare does not use or disclose Sensitive Personal Information for purposes that would require offering a separate right to limit use or disclosure, except where expressly stated in a supplemental notice. If CurrentWare’s practices change in a way that triggers such a requirement, CurrentWare will provide the disclosures and choice mechanisms required by applicable law.

B.5 Retention

We retain Personal Information as described in Section 9 of the main body of this Privacy Policy. We do not retain Personal Information for longer than is reasonably necessary for the purposes for which it was collected.

B.6 Your Rights Under U.S. State Privacy Laws

Depending on your state of residence, you may have the following rights:

  • Right to Know / Access: You may request that we disclose the categories and specific pieces of Personal Information we have collected about you, the sources of collection, the purposes of collection, and the third parties with whom we share it.
  • Right to Delete: You may request deletion of your Personal Information, subject to applicable exceptions.
  • Right to Correct: You may request that we correct inaccurate Personal Information (CCPA/CPRA, VCDPA, CPA, CTDPA, TDPSA).
  • Right to Data Portability: You may request a copy of your Personal Information in a portable, readily usable format.
  • Right to Opt Out of Sale/Sharing: You may opt out of the “sale” or “sharing” of your Personal Information (CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, TDPSA). 
  • Right to Opt Out of Targeted Advertising: You may opt out of the processing of your Personal Information for purposes of targeted advertising (VCDPA, CPA, CTDPA, UCPA, TDPSA). 
  • Right to Opt Out of Profiling: You may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects (VCDPA, CPA, CTDPA, TDPSA).
  • Right to Limit Use of Sensitive Personal Information: Under the CCPA/CPRA, you may limit the use and disclosure of your sensitive personal information.
  • Right to Appeal: If we deny your privacy request, you may appeal the decision (VCDPA, CPA, CTDPA, TDPSA).
  • Right to Non-Discrimination: We will not discriminate against you for exercising your rights.

Authorized Agents: Under the CCPA/CPRA, you may designate an authorized agent to submit requests on your behalf. We may require verification of the agent’s authority.

B.7 Universal Opt-Out Mechanism and Global Privacy Control (GPC)

CurrentWare honors universal opt-out preference signals, including the Global Privacy Control (“GPC”), as a valid opt-out of the sale and sharing of Personal Information and of targeted advertising, as required under the CCPA/CPRA, CPA, CTDPA, and TDPSA.

When we detect a GPC or similar universal opt-out signal from your browser, we will treat it as a valid request to opt out of:

  • The “sale” of your Personal Information
  • The “sharing” of your Personal Information for cross-context behavioral advertising
  • Targeted advertising

This means you do not need to separately submit an opt-out request if your browser sends a GPC signal — we will process it automatically.

You can enable GPC in supported browsers or browser extensions. For more information about GPC, visit https://globalprivacycontrol.org.

B.8 How to Exercise Your Rights

You may submit a privacy request by:

  • Emailing us at privacy@currentware.com 
  • Activating GPC in your browser for sale/sharing/targeted advertising opt-outs

We will verify your identity before processing your request. We aim to respond within the timeframes required by applicable law (generally 45 days under the CCPA/CPRA, with extensions as permitted).

B.9 “Do Not Sell or Share My Personal Information”

To opt out of the sale or sharing of your Personal Information, you may:

  • Click the “Do Not Sell or Share My Personal Information” link on our website
  • Adjust your preferences on our Cookie Settings or Privacy Choices page
  • Enable GPC in your browser 

B.10 California-Specific Disclosures

In addition to the rights above:

  • Financial Incentives: We do not offer financial incentives tied to the collection, sale, or deletion of Personal Information.
  • Shine the Light: California residents may request information about disclosures of Personal Information to third parties for direct marketing purposes. Contact us at privacy@currentware.com.
  • CPRA Service Provider Obligations: When CurrentWare acts as a “Service Provider” under the CPRA on behalf of a Customer, CurrentWare will not sell or share Customer Personal Information, and will not retain, use, or disclose it outside the business purpose for which it was provided or other purposes permitted by the CPRA. 

B.11 Employee Monitoring — Notice to U.S. Employers

Customers that deploy the Service to monitor employees in the United States are responsible for compliance with applicable federal and state employee-monitoring laws, including the New York Electronic Monitoring Law (N.Y. Civ. Rights Law § 52-c) and the Connecticut electronic monitoring notice statute (Conn. Gen. Stat. § 31-48d). 

B.12 Categories of Recipients

The table below summarizes the categories of recipients to whom CurrentWare may disclose Personal Information, the role such recipients generally play, and the purpose of disclosure:

| Recipient Category | Typical Role | Purpose of Disclosure |
|---|---|---|
| Customers and their Authorized Users | Controller / business customer | To provide Customer-configured reports, telemetry, dashboards, policy administration, and related Service functionality |
| Cloud hosting and infrastructure providers | Service provider / subprocessor | To host, store, secure, and transmit data used in connection with the Service |
| Authentication, support, communications, and ticketing vendors | Service provider / subprocessor | To authenticate users, support Service operations, manage tickets, and communicate with users and customers |
| Analytics providers | Service provider or third party, depending on context | To understand product usage, diagnose errors, and measure website or service engagement |
| Advertising partners used on public marketing websites | Third party | To support campaign attribution, advertising performance measurement, and retargeting where permitted by law |
| Artificial intelligence or model providers, where enabled | Service provider / subprocessor | To generate AI-assisted summaries, insights, or outputs requested through the Service or related support tools |
| Legal, regulatory, and transaction counterparties | Independent recipient | To comply with law, respond to legal process, protect rights, or support a merger, acquisition, reorganization, or sale |

EXHIBIT C — EUROPEAN UNION REGIONAL ADDENDUM (GDPR)

This Addendum supplements the main body of the Privacy Policy for individuals located in the European Economic Area (“EEA”) and addresses CurrentWare’s obligations under the General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”).

C.1 Legal Bases for Processing

Under the GDPR, we process Personal Data on the following legal bases:

| Purpose of Processing | Legal Basis |
|---|---|
| Providing and operating the Service to Customers | Performance of a contract (Art. 6(1)(b)) |
| Account administration and billing | Performance of a contract (Art. 6(1)(b)) |
| Security, fraud prevention, and authentication logging | Legitimate interests (Art. 6(1)(f)) — maintaining the security and integrity of the Service |
| Service improvement, analytics, and product development | Legitimate interests (Art. 6(1)(f)) — improving our products and understanding usage patterns |
| AI-powered insights and automated analytics | Legitimate interests (Art. 6(1)(f)) — enhancing Service functionality; or performance of a contract (Art. 6(1)(b)) where configured by Customer |
| Compliance with legal obligations (e.g., tax, regulatory) | Legal obligation (Art. 6(1)(c)) |
| Marketing and advertising cookies | Consent (Art. 6(1)(a)) |
| Analytics / performance cookies | Consent (Art. 6(1)(a)) |
| Processing Employee Personal Data on behalf of Customers | Performance of a contract with the Customer (Art. 6(1)(b)); the Customer (as Controller) is responsible for establishing its own lawful basis for monitoring its personnel |

Where we rely on legitimate interests, we have conducted balancing tests to ensure our interests are not overridden by the rights and freedoms of the individuals concerned.

C.2 Data Subject Rights Under the GDPR

If you are located in the EEA, you have the following rights under the GDPR:

  • Right of Access (Art. 15): You may request a copy of the Personal Data we hold about you.
  • Right to Rectification (Art. 16): You may request correction of inaccurate or incomplete data.
  • Right to Erasure (Art. 17): You may request deletion of your Personal Data in certain circumstances.
  • Right to Restriction of Processing (Art. 18): You may request that we restrict processing of your data in certain circumstances.
  • Right to Data Portability (Art. 20): You may request your data in a structured, commonly used, machine-readable format.
  • Right to Object (Art. 21): You may object to processing based on legitimate interests or for direct marketing purposes.
  • Right Not to Be Subject to Automated Decision-Making (Art. 22): You may object to decisions based solely on automated processing, including profiling, that produce legal effects or similarly significantly affect you. 
  • Right to Withdraw Consent (Art. 7): Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

C.3 International Data Transfers from the EEA

Personal Data may be transferred from the EEA to Canada, the United States, or other countries where CurrentWare or its sub-processors operate. For such transfers, we rely on:

  • Adequacy Decisions: Where the European Commission has determined that the recipient country provides an adequate level of data protection (e.g., Canada, for transfers subject to PIPEDA).
  • Standard Contractual Clauses (SCCs): We use the European Commission’s approved SCCs for transfers to countries without an adequacy decision.
  • Supplementary measures: Where required following a transfer impact assessment, we implement additional technical or organizational safeguards. 

C.4 Works Councils and Employee Representation

Customers deploying the Service in the EU are responsible for compliance with member-state works-council, co-determination, and employee-representation requirements, including any obligation to consult with or obtain agreement from a works council, social-economic committee, or similar body before deploying monitoring software. 

C.5 Supervisory Authority

You have the right to lodge a complaint with a data-protection supervisory authority, in particular in the EU member state of your habitual residence, place of work, or place of the alleged infringement. For a list of supervisory authorities, visit: https://edpb.europa.eu/about-edpb/about-edpb/members_en.

C.6 EU Representative

Where required under the GDPR or UK GDPR, CurrentWare will designate an authorized representative in the European Union and the United Kingdom. Information regarding such representatives will be made available in an updated version of this Privacy Policy or upon request.

EXHIBIT D — UNITED KINGDOM REGIONAL ADDENDUM (UK GDPR)

This Addendum supplements the main body of the Privacy Policy for individuals located in the United Kingdom and addresses CurrentWare’s obligations under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

D.1 Legal Bases for Processing

The legal bases for processing Personal Data of UK individuals are substantially the same as those described in Exhibit C (EU Regional Addendum), Section C.1 above, as the UK GDPR mirrors the GDPR’s lawful bases framework.

D.2 Data Subject Rights Under UK GDPR

Individuals located in the United Kingdom have the same data subject rights as described in Exhibit C, Section C.2 above, as provided under the UK GDPR and the Data Protection Act 2018.

D.3 International Data Transfers from the UK

Personal Data may be transferred from the UK to Canada, the United States, or other countries where CurrentWare or its sub-processors operate. For such transfers, we rely on:

  • Adequacy Regulations: Where the UK Secretary of State has made regulations recognizing a country as providing adequate data protection.
  • UK International Data Transfer Agreement (IDTA): We use the UK IDTA approved by the Information Commissioner’s Office for transfers to countries without adequacy.
  • UK Addendum to the EU SCCs: Where applicable, we use the UK Addendum in conjunction with the EU Standard Contractual Clauses. 
  • Supplementary measures: Additional technical or organizational safeguards where required.

D.4 Supervisory Authority

You have the right to lodge a complaint with the Information Commissioner’s Office (“ICO”):

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: https://ico.org.uk

D.5 UK Representative

Where required under the GDPR or UK GDPR, CurrentWare will designate an authorized representative in the European Union and the United Kingdom. Information regarding such representatives will be made available in an updated version of this Privacy Policy or upon request.

EXHIBIT E — AUSTRALIA REGIONAL ADDENDUM

This Addendum supplements the main body of the Privacy Policy for individuals located in Australia and addresses CurrentWare’s obligations under the Privacy Act 1988 (Cth) and the Australian Privacy Principles (“APPs”).

E.1 Applicability

This Addendum applies when CurrentWare collects, uses, or discloses Personal Information of individuals located in Australia, including in its capacity as a controller (e.g., with respect to Australian website visitors and Authorized Users of Australian Customers) and as a processor acting on behalf of Australian Customers.

E.2 Collection of Personal Information (APP 3–5)

CurrentWare collects only the Personal Information that is reasonably necessary for its functions and activities, as described in Section 4 of the main body of this Privacy Policy. We collect Personal Information by lawful and fair means, and where reasonable and practicable, directly from the individual concerned. Where Personal Information is collected from a third party (e.g., from a Customer that has deployed the Service), we take reasonable steps to ensure the individual is made aware of the collection.

E.3 Use and Disclosure (APP 6)

CurrentWare uses and discloses Personal Information only for the primary purpose for which it was collected, or for a secondary purpose that is directly related to the primary purpose and within the individual’s reasonable expectations, or with the individual’s consent, or as otherwise permitted under the APPs.

E.4 Cross-Border Disclosure (APP 8)

CurrentWare may disclose Personal Information to recipients located outside Australia, including in Canada and the United States, where our servers and sub-processors are located. Before disclosing Personal Information overseas, CurrentWare takes reasonable steps to ensure that the overseas recipient handles the information in accordance with the APPs, including by entering into enforceable contractual arrangements. 

DPA Cross-Reference: The DPA addresses Australian data residency options (where commercially viable) and cross-border transfer safeguards for Australian Personal Information. 

E.5 Your Rights Under Australian Privacy Law

Under the Privacy Act and the APPs, Australian individuals have the following rights:

  • Access (APP 12): You may request access to the Personal Information we hold about you.
  • Correction (APP 13): You may request correction of Personal Information that is inaccurate, out-of-date, incomplete, irrelevant, or misleading.
  • Complaint: You may make a complaint about CurrentWare’s handling of your Personal Information. We will respond to complaints within a reasonable time and, if you are not satisfied with our response, you may escalate to the Office of the Australian Information Commissioner.
  • Anonymity and Pseudonymity (APP 2): Where lawful and practicable, you have the option of not identifying yourself, or of using a pseudonym, when dealing with us.

E.6 Direct Marketing (APP 7)

CurrentWare will only use Personal Information for direct marketing purposes where the individual would reasonably expect it, or with the individual’s consent. You may opt out of receiving direct marketing communications at any time by contacting us or using the unsubscribe mechanism in our communications.

E.7 Notifiable Data Breaches Scheme

In the event of an eligible data breach involving Personal Information, CurrentWare will comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act, including notifying the Office of the Australian Information Commissioner and affected individuals as required.

E.8 Supervisory Authority

Office of the Australian Information Commissioner (OAIC)
GPO Box 5218, Sydney NSW 2001
Telephone: 1300 363 992
Website: https://www.oaic.gov.au