Privacy Policy

Effective date: January 1, 2025

(1) Overview

We value the trust that you place in us by sharing your personal data with us. CORTO takes your privacy seriously and is committed to handling your personal data in a way that is fair and worthy of that trust. CORTO will take all reasonable steps to protect your information from misuse and to keep it secure.

We encourage you to read this privacy policy ("Policy"), which describes our privacy practices and the rights and choices you have regarding your personal data.

This Policy provides you with information about how we collect, use and disclose your personal information. This Policy also describes your choices regarding use, access, deletion, and correction of your personal information. By submitting your personal information to us, you acknowledge and agree to the processing of your personal information as set out in this Policy. If you do not agree to this Policy, you should not use the Services.

If you use our Services as part of an entity or organization that has an agreement with us (such as your employer), the terms of that organization's contract with us for the Services apply to our collection or use of your personal information through the Services and may restrict processing further than as set out in this Policy.

(2) About this Privacy Policy

This Policy applies to all personal data we collect, use, disclose, or otherwise process about you including when: (i) you create a CORTO account, (ii) you visit or use our websites, mobile applications, or AI-powered platforms or other services of CORTO, (iii) you participate in or otherwise interact with us regarding CORTO hosted or sponsored events, promotions, or campaigns, or (vi) you interact with us through social media or otherwise on or offline (collectively the "Services"). Unless otherwise specified, this Policy also applies to the personal data we collect about business customers, vendors or partners.

This Policy may be supplemented by additional privacy statements, terms or notices provided to you. We will indicate within the registration processes of our products and services and other registration forms what types of personal information are required and those that are requested. You may choose not to submit the requested information, but that may limit or prohibit the services that CORTO is able to provide to you.

(3) Who we are

Depending on where you live or which of our Services you use, one or more of either CORTO AI Inc., or CORTO Pty Ltd (ACN 670 818 292),or any of our parents, subsidiaries, affiliates or related bodies corporate ("Affiliated Companies") will be the responsible controller for the personal data we collect. An overview of the applicable Affiliated Companies who may process your personal data, as well as their representatives can be found here. The Affiliated Companies will be referred to hereafter as 'CORTO' or "we" or "our".

(4) Personal Data We Collect and How We Use It

When you use or access our Services or otherwise interact with us, we may collect a variety of information about you that contains information that identifies you or may be combined with other information to identify you (your personal information). We may collect this personal information from you or others acting on your behalf (e.g., your employer), from third parties, or automatically through use of the Services.

From you or someone acting on behalf of you (e.g., your employer):

From others:

Automatically:

Where permitted by applicable law and our obligations in contracts with our clients, we may aggregate your non-personally identifiable data and use this data to analyze or improve our Services.

When we act as a service provider, or a sub-processor, we will process personal information in compliance with the instructions of the client, or the processor, as the case may be, who act as either data controller or processor of such personal information.

(5) How We Share Your Personal Data

Where permitted by applicable law, we share your personal information for third parties to deliver the Services or in our legitimate interest. These third parties include:

• Our Affiliated Companies and offices, which are generally located in the United States, Canada, European Economic Area, United Kingdom, Ireland, Poland, Australia, and New Zealand.

• Our professional advisors, such as our auditors, accountants, and lawyers.

• Third-party service providers who perform services on our behalf in connection with our Services. The services provided by such third parties include:

  • software suppliers that provide elements of our Services;

  • billing and processing payments;

  • marketing communications providers;

  • maintenance and support of the Services;

  • hosting and backup of the Services;

  • security of the Services;

  • improvement of the Services; and

  • analytics and reports on the Services.

• Any other third party where you have provided your consent.

• Other third parties in connection with corporate activities such as a mergers or acquisitions or refinancing.

We may disclose personal information to regulatory authorities and other third parties to comply with a regulatory or legal obligation, to enforce our rights, or where we have a good faith belief that it is necessary for the protection of a legitimate or vital interest such as the safety of a person or property, to the extent permitted by applicable law.

(6) Data Privacy Framework

CORTO AI INC complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce. CORTO AI INC has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/

CORTO AI INC may be liable in accordance with the EU-U.S. DPF Principles and the UK extension to the EU-US DPF for onward transfers of personal data governed by the DPF program to third parties processing personal data on our behalf.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, CORTO AI INC commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit JAMS Data Privacy Framework Dispute Resolution Website at https://www.jamsadr.com/dpf-dispute-resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, CORTO AI INC commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, should first contact us at privacy@ati-global.com.

CORTO AI INC is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC) with regard to compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

Under certain conditions, as set forth in Annex I of the EU-U.S. DPF Principles, individuals may invoke binding arbitration for complaints regarding compliance with the DPF Principles that have not been resolved by any of the other DPF mechanisms.

(7) Changes to this Policy

We may update this Policy from time to time for reasons such as operational or regulatory changes. If we make any changes, we will notify you by posting the revised Policy on this page, revising the "Effective Date" at the top of this Policy and, in some cases, we may provide you with additional notice such as within our Services or by sending an email. We encourage you to review our Policy regularly for any changes.

(8) Children

Our website and Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from individuals under the age of 18. If you become aware that an individual under the age of 18 has provided us with personal information, please contact us by using the details contained in the "How to Contact Us" section of this Policy. If we become aware that an individual under the age of 18 has provided us with personal information, we will take steps to delete such information. We may process the personal information of children in the course of delivering Services when information is provided by a user of the Services.

(9) Transfer of Personal Data Between Countries

Please be informed that we transfer and process any personal data you provide to us to countries/regions other than your country/regions of residence. The laws of these countries/regions may not provide an equivalent level of protection to your personal data as the laws in your home country/region. CORTO will therefore seek to ensure that adequate safeguards are in place and that applicable laws and regulations are complied with in connection with such transfer.

For personal data transferred from the European Economic Area or United Kingdom to countries outside the European Economic Area /United Kingdom that do not provide an adequate level of protection, CORTO is a signatory of an Intra-Group Data Transfer Agreement based on the EU Standard Contractual Clauses adopted by the European Commission ("Standard Contractual Clauses") and other local legal transfer provisions. With respect to transfers from the European Economic Area and United Kingdom to parties outside the Affiliated Companies, CORTO will base the transfer on appropriate safeguards, such as the Standard Contractual Clauses or other approved data transfer or certification mechanisms, together with binding and enforceable commitments by the recipient. In each instance, CORTO will assess the transfer and ensure that any additional technical and organizational measures are put in place to ensure that an adequate level of protection is provided.

(10) How we protect your personal information

We are committed to ensuring that your information is secure. To prevent unauthorized access or disclosure of personal information we have put in place suitable physical, electronic, and managerial procedures to ensure the security of personal information we hold and process. Some examples of the measures we take include:

• the use of suitable password protection measures and access privileges to monitor and control access to our IT systems;

• we do not generate paper files;

• requiring any third parties engaged by CORTO to provide appropriate assurances to handle personal information in a manner consistent with applicable law; and

• taking reasonable steps to securely destroy or de-identify personal information after it is no longer required.

However, the internet is not a secure environment, and we cannot warrant that the personal information you share will be completely secure. When you share personal information with us, you do so at your own risk, and we recommend that you take security precautions to protect your personal information on the internet. It is your responsibility to keep your password to our Services safe. You should notify us as soon as possible using the details contained in the "How to Contact Us" section of this Policy if you become aware of any misuse of your password, or compromise of the security of the Services, and immediately change your password within the Services.

(11) Storage of personal information

When you cease engaging with us or using the Services, we will store your personal information in identifiable form for the period permitted by applicable laws while we have a legitimate purpose for doing so.

(12) Links to other websites or third-party applications

Our website may contain links to other websites of interest. You should note that we do not have any control over external websites or their privacy procedures. You should exercise caution and review the privacy statement of any website before providing your personal information.

(13) Your rights in relation to your personal information

You have the option to not share information with us. If you choose not to share your personal information with us this may mean you are unable to create a user account or take advantage of some features in our Services. Please note, some information may still be collected about you automatically through your use of our Services.

For personal information that we process on behalf of our clients, we do so on the instructions of the client as a controller. If we process your information on behalf of a client and you wish to exercise any of your data protection rights under applicable law, please contact the relevant client directly.

You have rights under applicable laws regarding your personal information, including to access or request correction of your personal information under applicable privacy or data protection laws . Privacy and data protection laws in certain jurisdictions require that we provide additional information to data subjects. Please review below for your jurisdiction (if applicable) for additional information about our information practices and your rights, as required by applicable privacy laws.

Information for the United Kingdom

Subject to certain limitations and exceptions under the European General Data Protection Regulation or the UK Data Protection Act 2018 ("Data Protection Laws") residents in the United Kingdom have additional privacy rights. You may submit a request to exercise most of your privacy rights by contacting us using the details contained in the "How to Contact Us" section of this Policy. We will respond to your request as required under applicable Data Protection Law. These additional privacy rights may include the rights listed below (as applicable):

• the right to request information regarding our processing of your personal information and access to the personal information which we hold about you.

• the right to request that we correct the personal information we hold about you if it is inaccurate or incomplete.

• the right to request the deletion of your personal information in certain circumstances.

• the right to object to, and requesting that we restrict, our processing of your personal information in certain circumstances.

• the right to request transfer of your personal information directly to a third party where this is technically feasible.

To submit a request regarding our processing of your personal information, please contact us via the details outlined in "How to Contact Us" section of this Policy . We may require additional information from you to verify your identity or understand your request before providing additional information or actioning your request.

Information for the United States

Pursuant to the California Consumer Privacy Act, Colorado Privacy Act, Connecticut Data Privacy Act, Montana Consumer Data Privacy Act, Oregon Consumer Privacy Act, Texas Privacy and Data Security Act, Utah Consumer Privacy Act, and Virginia Consumer Data Protection Act and their respective implementing regulations (collectively, "US Privacy Laws"), residents of certain states have additional privacy rights under the US Privacy Laws.

Personal Information Collected, Processed and Disclosed

We collect and disclose the following categories of personal information:

• Identifiers such as a real name, alias, postal address, telephone or mobile contact number, unique personal identifier, online identifier, Internet Protocol address, email address, account name, and other similar identifiers.

• Personal information as defined in applicable customer records law, such as name, contact information, education, employment, employment history, and financial information.

• Characteristics of protected classifications under applicable state or federal law, such as gender, age and marital status.

• Commercial information, such as transaction information, purchase history, financial details, and payment information.

• Internet or other electronic network activity information, such as browsing history, search history, online behavior, interest data, and interactions with our and other websites, applications, systems, and advertisements.

• Geolocation data, such as approximate device location.

• Professional or employment-related information, such as job title, work history, and experience.

• Inferences drawn from any of the personal information listed above to create a profile or summary about, for example, a consumer's preferences and characteristics.

• Sensitive personal information, such as personal information that reveals a consumer's driver's license number, state identification number, passport number, racial or ethnic origin, and account log-in and password.

We collect this personal information from you and from other categories of sources such as: our affiliates; our customers; public and publicly available sources; our third-party resellers and referral partners, data suppliers and service providers; partners with which we offer co-branded services or engage in joint event or marketing activities; social networks; news outlets and related media; and the organization with which you are employed or affiliated.

We may use this personal information to operate, manage, and maintain our business, to provide our products and services, to communicate with you, for our vendor management purposes, and to accomplish our business purposes and objectives, including, for example, using personal information to: develop, improve, repair, and maintain our products and services; process or fulfill a request or other transactions submitted to us; personalize, advertise, and market our products and services; conduct research, analytics, and data analysis; maintain our facilities and infrastructure; undertake quality and safety assurance measures; conduct risk and security control and monitoring; prevent, detect and investigate fraud or other illegal actions; perform identity verification; perform accounting, audit, and other internal functions; comply with law, legal process, and internal policies; maintain records; exercise and defend legal claims; and fulfill legal obligations.

We disclosed this personal information to our affiliates; customers; service providers, agents, and representatives; business and joint venture partners; and other parties where required by law or to protect our rights.

Subject to your consent where required by applicable law, we may use sensitive personal information specifically for the following purposes: perform our services or provide products or services as requested by you; prevent, detect and investigate security incidents or malicious, deceptive, fraudulent or other illegal actions; short-term, transient use such as displaying first party, non-personalized advertising; perform services on our own behalf, such as maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, or providing analytic services, storage or similar services for the business; and activities relating to quality and safety control or product improvement.

Retention of personal information

We retain your personal information for as long as necessary to provide our products and services to you and fulfill the transactions you have requested, or for other essential purposes such as complying with our legal obligations, maintaining business and financial records, resolving disputes, maintaining security, detecting, and preventing fraud and abuse, and enforcing our agreements. The criteria used to determine retention periods includes the legal limitation of liability period, agreed contractual provisions, applicable regulatory requirements, and industry standards.

Consumer Rights

• You may request to know whether we process your personal information and to access such personal information.

• If you are a California resident you may request that we disclose to you the following information: (i) the categories of personal information we collected about you and the categories of sources from which we collected such information; (ii) the business or commercial purpose for collecting or sharing personal information about you; (iii) the categories of personal information about you that we shared and the categories of third parties to whom we shared such information; and (iv) the categories of personal information about you that we otherwise disclosed, and the categories of third parties to whom we disclosed such personal information.

• If you are an Oregon resident you may request that we disclose to you (i) the categories of personal information we process about you and (ii) the third parties to which we have disclosed your personal information. You may request to receive a copy of your personal information, including specific pieces of personal information, including, where applicable, to obtain a copy of your personal information in a portable, readily usable format.

• You may request that we delete your personal information, subject to certain exceptions. If you are a California or Utah consumer, this applies to personal information we collected from you.

• You may request to correct inaccuracies in your personal information.

• You may request to opt-out of the sale of your personal information to third parties, as defined by applicable law. If you are a Colorado, Connecticut, Montana, Oregon, Texas or Virginia consumer, you may request to opt out of the processing of your personal information for purposes of profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

We will not unlawfully discriminate against you because you exercise any of your rights under the US Privacy Laws.

How to Make a Request

You may make a request described above by contacting us using the details contained in the "How to Contact Us" section of this Policy. We may require additional information from you to verify your identity or understand your request before providing additional information or actioning your request. You may designate an authorized agent to make a request on your behalf subject to proof of identity and written authorization.

Special Information for Canada

If you are a resident of Canada, the following additional clauses apply to our processing of your personal data. In case of any discrepancies between this section and the main body of the Policy, this section shall prevail.

In this section, "controller" means the person or entity that collects, uses, communicates, holds, or otherwise processes personal data (for its own purposes) for the personal data we collect. One or more of the Relevant CORTO companies will be the controller of your personal data. In this section, "personal data" includes information about an identifiable individual (whether identified directly or indirectly).

CORTO collects, uses, and discloses personal data for the purposes described in this Policy or as otherwise required or authorized by applicable law. Unless otherwise allowed by the laws applicable in your province or territory of residence, we will only collect, use, communicate or disclose your personal data with your consent. For the purpose of the Policy, personal data collected under the heading "Personal Data We Collect and How We Use It" and "How We Share your Personal Data" are all collected, used and disclosed with your consent in accordance with applicable law.

CORTO may use cookies, tracking and marketing techniques with your consent, in accordance with applicable law. We do not engage in automatic collection of your personal data in Canada except as expressly permitted by applicable law.

Marketing

Subject to obtaining consent in accordance with applicable law, we may send you marketing communications. You may revoke your consent for receiving marketing communications at any time, free of charge by following the instructions in the marketing communication.

Data Transfer

Please be informed that we transfer and process any personal data you provide to us to countries or jurisdictions other than your jurisdiction of residence. Your personal data may be subject to access by foreign authorities in accordance with applicable law. We will transfer your personal data in accordance with requirements under applicable laws, and we will ensure that adequate safeguards are in place so that your personal data will receive an adequate degree of protection in the recipient jurisdiction.

Accuracy

We will make reasonable efforts to ensure that personal data we collect, use, or disclose is accurate and complete. In some cases, we rely on you to ensure that certain information, such as your address or telephone number, is current, complete, and accurate.

If you demonstrate the inaccuracy or incompleteness of personal data, we will amend the information as required. If appropriate, we will send the amended information to third parties to whom the information has been disclosed.

When a challenge regarding the accuracy of personal data is not resolved to your satisfaction, we will annotate the personal data under our control with a note that the correction was requested but not made.

Right To Access/Correction And Other Rights

You have the right to request access to your personal data and to request correction of any inaccurate data (subject to come limitations). You have the right to withdraw your consent to our use or communication of your personal data at any time, subject to legal, contractual and other restrictions. Your withdrawal of consent will be effective on the date of the withdrawal. If you withdraw your consent that may impact our ability to provide our Services to you.

Quebec Residents

If you are a resident of Quebec, you have the following rights in relation with your personal data, in addition to the rights identified above:

• You have the right to receive all such personal data that we hold relating to you in a structured, commonly used and machine-readable format, and also to require us to transmit it to another party you designate where this is technically feasible.

• You may (in certain circumstances) require that we cease disseminating your personal data, or that we de-index any hyperlink attached to your name that provides access to your personal data.

Information For Australia and New Zealand

Subject to the Privacy Act 1988 (Cth) for Australian residents and the Privacy Act 2020 (NZ) for New Zealand residents you agree that we may transfer and process any of your personal data and personal information as described in the "Transfer of Personal Data Between Countries" section of this Policy. We may transfer and process this data in countries including the United Kingdom and the United States of America. In New Zealand your personal data and personal information may also be collected and processed in Australia by CORTO when you use any of our Services.

You agree that all claims and disputes concerning any of your personal information collected by CORTO will remain subject to the exclusive jurisdiction of the Courts of New South Wales, Australia.

(14) Marketing communications

You can opt-out of receiving certain marketing communications from us at any time, by clicking the unsubscribe link in the email communications we send, or by contacting us using the details contained in the "How to Contact Us" section of this Policy. We may continue to send you non-promotional communications, such as service-related emails, billing information, and certain product updates via email.

(15) How to Contact Us

If you have questions about this Policy, or how we collect, use, or otherwise process your personal information, including the transfer or onward transfer of your personal information outside your jurisdiction of residence, or you believe that we have not complied with our obligations under this Policy or applicable data protection law please contact the Privacy Officer at:

If you have any questions about these Terms, please contact us by email at: privacy@ati-global.com

Phone:

• For Australia: 1800 007 709

• For Europe: (44) 845 683 2517

• For Canada: (437) 900 2140

• For the US: (844) 702 5327

Post: Level 8, 207 Kent Street Sydney NSW, Australia 2000

We would appreciate the opportunity to help you resolve any concerns you may have regarding our processing of your personal information, but if we are unable to assist you with your issue or you wish to make a complaint, you may have the right to make a complaint to an authority responsible for data protection in your jurisdiction.