PRIVACY POLICY
ZORRZ Financial Inc.
Effective date: April 12, 2026 · Last updated: April 12, 2026
1. Introduction
ZORRZ Financial Inc. ("ZORRZ," "we," "us," or "our") operates AEGIS, an autonomous financial decision engine delivered as a mobile application and related web services (collectively, the "Services"). This Privacy Policy explains how we collect, use, disclose, protect, and otherwise process personal information when you access our website at aegis.zorrz.com, join our waitlist, download or use the AEGIS mobile application, or otherwise interact with the Services.
We take your privacy seriously. AEGIS is a financial product — the information you share with us is sensitive, and we treat it accordingly. Please read this Privacy Policy carefully. By using the Services, you acknowledge that you have read and understood this Privacy Policy.
If you do not agree with any part of this Privacy Policy, you must not use the Services.
2. Who we are
ZORRZ Financial Inc. is a Delaware C-Corporation (Entity ID: 10501789), formed February 6, 2026, registered with the Delaware Division of Corporations and classified under NAICS code 522291 (Consumer Lending).
For the purposes of the European Union General Data Protection Regulation ("GDPR") and the United Kingdom GDPR, ZORRZ Financial Inc. is the data controller of your personal information processed in connection with the Services.
3. Scope of this Privacy Policy
This Privacy Policy applies to personal information we collect through:
- The AEGIS marketing website at aegis.zorrz.com;
- The AEGIS waitlist signup and related email communications;
- The AEGIS mobile application for iOS and Android (when made available);
- Any connected account integrations you authorize (including financial account linking through Plaid);
- Any other ZORRZ-operated service that links to or references this Privacy Policy.
This Privacy Policy does not apply to third-party websites, applications, or services — including your bank, Plaid, payment processors, or merchants whose services you access through AEGIS. Those third parties operate under their own privacy policies, and we encourage you to review them.
The ZORRZ BlueAccess credit card product is governed by a separate privacy policy available at zorrz.com/privacy-policy-usa.
4. Information we collect
We collect personal information in three ways: information you provide to us directly, information collected automatically when you use the Services, and information received from third parties you authorize.
4.1 Information you provide to us
Waitlist signup
- Email address
- Any voluntary information you include in subsequent email correspondence with us
Account registration (when the app launches)
- Full legal name
- Date of birth
- Residential address
- Telephone number
- Email address
- Social Security Number or Taxpayer Identification Number (required for identity verification and regulatory compliance under the USA PATRIOT Act and the Bank Secrecy Act)
- Government-issued identification documents (driver's license, passport, state ID) for identity verification ("Know Your Customer" compliance)
- A selfie or biometric photograph for identity matching (processed through a third-party identity verification provider; biometric data is not retained by ZORRZ)
Subscription and payment
- Billing name and address
- Payment card information (processed by Apple In-App Purchase or Google Play Billing; we do not store card numbers)
- Subscription tier, effective date, renewal date, and billing history
Communications
- Support requests, feedback, survey responses, and correspondence with our team
4.2 Information collected automatically
Device and usage data
- Device identifiers (iOS IDFA, Android Advertising ID — only where you have provided consent)
- Device type, operating system, operating system version, device model
- IP address, approximate geographic location derived from IP address
- App version, session duration, features used, screens viewed, in-app actions
- Error and crash diagnostics
Website analytics
- Pages viewed, referring URL, time on page, device type, browser type
- We use Plausible Analytics, a privacy-preserving analytics service that does not use cookies and does not collect personal data
Cookies and similar technologies
- Essential cookies required for the website to function
- No advertising cookies, no cross-site tracking cookies, no third-party marketing pixels
4.3 Information from third parties — Plaid integration
When you use the AEGIS mobile application, you may choose to connect your financial accounts to AEGIS through Plaid Inc. ("Plaid"), a third-party data provider. If you do so, Plaid transmits to us the financial information you authorize, which may include:
- Account identifiers and account type (checking, savings, credit card, loan, investment)
- Account balances (current and available)
- Transaction history, including merchant name, amount, date, and category
- Account holder name as registered with your financial institution
- Routing and account numbers (only if required to initiate funds transfers you expressly authorize)
- Interest rates, fees, credit limits, and due dates associated with your accounts
Important: Plaid collects and processes your financial institution login credentials directly — we do not see, store, or have access to your bank username or password. The connection between your bank and AEGIS is read-only by default. AEGIS can only initiate money movement through explicit, per-transaction authorization from you.
Plaid's own privacy practices are governed by the Plaid End User Privacy Policy, available at plaid.com/legal/#end-user-privacy-policy. We encourage you to review it.
4.4 Information we do not collect
AEGIS is designed with data minimization as a core principle. We do not collect:
- Biometric templates (biometric verification is performed by our identity provider and not retained by ZORRZ)
- Precise geolocation data (GPS coordinates) unless you explicitly enable it for a specific feature
- Contacts, photos, microphone data, or camera data from your device
- Advertising identifiers for the purpose of serving advertisements (we do not serve advertisements)
- Information from children under 18 (see Section 15)
5. How we use your information
We use your personal information for the following purposes:
5.1 To provide and operate the Services
- Create and maintain your AEGIS account
- Connect your financial accounts through Plaid and retrieve the data you authorize
- Generate financial recommendations and execute decisions you approve
- Produce explainability records, audit logs, and signed receipts for every action
- Process subscription payments and manage your subscription status, including the founding member rate lock
5.2 To verify your identity and comply with law
- Perform Know Your Customer (KYC) and anti-money-laundering (AML) checks required by the USA PATRIOT Act, the Bank Secrecy Act, and applicable state laws
- Detect, investigate, and prevent fraud, security incidents, and unauthorized activity
- Respond to legal requests, court orders, and regulatory inquiries
5.3 To communicate with you
- Send transactional messages relating to your account, decisions, or subscription
- Send waitlist updates, launch announcements, and product notices
- Respond to your support requests and feedback
- With your consent, send marketing communications (which you can unsubscribe from at any time)
5.4 To improve the Services
- Analyze usage patterns in aggregate to improve features, performance, and reliability
- Train and evaluate our decision models, using de-identified data wherever possible
- Conduct research on the effectiveness of autonomous financial decision-making
5.5 Legal bases for processing (EU/UK residents)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases to process your personal information:
- Performance of a contract: to provide you with the Services you have requested;
- Legal obligation: to comply with applicable laws, including anti-money-laundering and tax reporting requirements;
- Legitimate interests: to secure our Services, prevent fraud, improve our product, and communicate with you about your account (where these interests are not overridden by your rights);
- Consent: for marketing communications and any optional processing you explicitly authorize (which you can withdraw at any time).
6. How we share your information
We do not sell your personal information. We do not rent it. We do not share it for cross-context behavioural advertising. The only circumstances in which we share your information are described below.
6.1 Service providers
We share personal information with third-party service providers that help us operate the Services. These providers are contractually bound to use your information only for the purposes we specify and to protect it to at least the same standard we do. Categories of providers include:
- Financial data aggregation: Plaid Inc.
- Identity verification: third-party KYC/AML providers
- Cloud infrastructure and hosting: Amazon Web Services, Google Cloud Platform (US regions)
- Email and transactional messaging: our email service provider
- Payment processing: Apple In-App Purchase (iOS), Google Play Billing (Android)
- Customer support tooling
- Security, fraud prevention, and monitoring services
- Analytics: Plausible Analytics (privacy-preserving, no personal data)
6.2 Bank and financial partners
When you authorize AEGIS to execute a transaction (such as a transfer between your accounts or a payment to a merchant), we share the information necessary to complete that transaction with the relevant financial institution, payment network, or processor.
6.3 Legal and safety
We may disclose your personal information when we believe in good faith that disclosure is necessary to:
- Comply with a subpoena, court order, warrant, or other legal process
- Respond to a request from law enforcement, regulators, or government authorities
- Enforce our Terms of Service or other agreements
- Protect the rights, property, or safety of ZORRZ, our users, or the public
- Detect, prevent, or investigate fraud, security threats, or illegal activity
6.4 Business transfers
If ZORRZ is involved in a merger, acquisition, financing, reorganization, sale of assets, or bankruptcy, your personal information may be transferred as part of that transaction. We will notify you by email or a prominent notice on our Services before your information is transferred and becomes subject to a different privacy policy.
6.5 With your consent
We may share your information for any other purpose that we disclose to you and for which you provide explicit consent.
7. Plaid end user disclosure
This section is provided pursuant to Plaid's end user disclosure requirements.
AEGIS uses Plaid to securely connect your financial accounts. When you choose to connect an account through AEGIS:
- You provide your bank credentials directly to Plaid. We do not see, store, or have access to your bank username or password.
- Plaid encrypts the credentials in transit and at rest using industry-standard encryption (AES-256 and TLS 1.2 or higher).
- Plaid then retrieves the data you authorize (account balances, transactions, account metadata) and transmits it to AEGIS.
- You can view and revoke AEGIS's access to any connected account at any time through the Plaid portal at my.plaid.com, or from within the AEGIS application.
Plaid's handling of your information is governed by the Plaid End User Privacy Policy (plaid.com/legal/#end-user-privacy-policy), which you accept when you use Plaid through AEGIS.
8. How we protect your information
We implement technical, organizational, and administrative safeguards designed to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These safeguards include:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using AES-256
- Access controls limiting employee access to personal information on a need-to-know basis
- Multi-factor authentication for all internal systems that access personal information
- Continuous monitoring for unauthorized access, intrusion, and anomalous activity
- Regular security reviews and penetration testing by independent third parties
- A documented incident response and breach notification procedure
- Cryptographic signing and immutable logging of every financial decision executed by AEGIS
No security measure is perfect. We cannot guarantee absolute security. If we become aware of a data breach affecting your personal information, we will notify you and applicable regulators in accordance with applicable law.
9. How long we keep your information
We retain your personal information for as long as necessary to provide the Services and to comply with our legal and regulatory obligations.
After the applicable retention period expires, we will delete or de-identify the information such that it can no longer be associated with you.
10. Your privacy rights (general)
Depending on where you live, you may have certain rights regarding your personal information. Some of these rights are guaranteed by US state law, some by GDPR, and some by ZORRZ's voluntary commitment. Regardless of jurisdiction, you always have the following rights:
- Access: request a copy of the personal information we hold about you;
- Correction: request that we correct inaccurate or incomplete information;
- Deletion: request that we delete your personal information, subject to our legal retention obligations;
- Portability: receive your personal information in a machine-readable format;
- Withdraw consent: withdraw any consent you have previously given, including for marketing communications;
- Opt out of marketing: unsubscribe from marketing emails through the link at the bottom of every marketing email.
To exercise any of these rights, email privacy@zorrz.com. We will respond within 30 days (or 45 days for requests covered by CCPA/CPRA). We may need to verify your identity before processing your request.
11. California privacy rights (CCPA/CPRA)
If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA") grants you specific rights regarding your personal information.
11.1 Categories of personal information collected
In the 12 months preceding the effective date of this Privacy Policy, we have collected the following categories of personal information, as defined by CCPA/CPRA:
- Identifiers (name, email, postal address, telephone number, IP address, account identifier)
- Personal information categories listed in California Civil Code § 1798.80(e) (including SSN/TIN and government ID for identity verification)
- Commercial information (subscription status, transaction history initiated through AEGIS)
- Financial information (account balances, transaction records, received via Plaid with your authorization)
- Internet or other electronic network activity (device data, app usage, website usage)
- Professional or employment-related information (only if voluntarily provided)
- Inferences drawn from the above to produce decision recommendations
11.2 Sources of personal information
- Directly from you when you sign up, register, or communicate with us
- From Plaid, with your authorization, when you connect a financial account
- Automatically from your device and browser when you use the Services
- From identity verification providers during KYC checks
11.3 Business purposes for collection
We collect personal information for the purposes described in Section 5 of this Policy: to provide and operate the Services, to verify identity and comply with law, to communicate with you, and to improve the Services.
11.4 Sale or sharing of personal information
We do not sell your personal information. We do not share your personal information for cross-context behavioural advertising. This includes any disclosure of personal information for monetary or other valuable consideration to a third party for advertising purposes.
11.5 Sensitive personal information
We collect sensitive personal information (as defined by CPRA), including Social Security Number, government identification, account credentials (via Plaid, not stored by us), and precise financial data. We use sensitive personal information only for the purposes specifically permitted by CPRA — namely, to provide the Services you requested, to verify your identity, to prevent fraud, and to comply with law. We do not use sensitive personal information to infer characteristics about you beyond what is necessary to deliver the Services.
11.6 Your California rights
- Right to know: request information about the categories and specific pieces of personal information we have collected, the sources of that information, the business purposes for collecting it, and the categories of third parties with whom we share it;
- Right to delete: request deletion of your personal information, subject to exceptions for legal compliance and fraud prevention;
- Right to correct: request that we correct inaccurate personal information;
- Right to portability: receive a copy of your personal information in a portable, machine-readable format;
- Right to opt out of sale/sharing: although we do not sell or share your personal information, you retain the right to direct us not to;
- Right to limit use of sensitive personal information: direct us to limit the use of your sensitive personal information to purposes necessary for the Services;
- Right to non-discrimination: we will not discriminate against you for exercising any of these rights.
11.7 How to submit a California request
To submit a request, email privacy@zorrz.com with "California Privacy Request" in the subject line. We will respond within 45 days (extendable once by a further 45 days if reasonably necessary). We recognize the Global Privacy Control (GPC) signal as a valid opt-out-of-sale/share request.
11.8 Authorized agents
You may designate an authorized agent to make a request on your behalf. The agent must provide written authorization signed by you, and we may require you to verify your identity directly.
11.9 Shine the Light
California Civil Code Section 1798.83 permits users who are California residents to request certain information regarding our disclosure of personal information to third parties for direct marketing purposes. We do not disclose personal information to third parties for direct marketing purposes, so this law does not result in any disclosure to report.
12. Additional state privacy rights
Residents of certain other US states have additional privacy rights under state law. ZORRZ honors the following rights regardless of which state you live in:
Residents of these states generally have the right to: (a) confirm whether we are processing their personal information; (b) access and receive a copy; (c) correct inaccuracies; (d) delete personal information; (e) opt out of targeted advertising, sale, or profiling that produces legal or similarly significant effects (we do none of these, but the right exists); and (f) appeal any denial of a rights request. To exercise these rights, email privacy@zorrz.com.
13. European and United Kingdom privacy rights (GDPR / UK GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have additional rights under the General Data Protection Regulation and equivalent UK legislation:
- Right of access (Article 15): obtain confirmation that we process your personal data and receive a copy.
- Right to rectification (Article 16): have inaccurate personal data corrected.
- Right to erasure (Article 17): request deletion, subject to legal retention requirements.
- Right to restriction (Article 18): request that we restrict processing in certain circumstances.
- Right to data portability (Article 20): receive your personal data in a structured, commonly used, machine-readable format.
- Right to object (Article 21): object to processing based on our legitimate interests or for direct marketing.
- Rights related to automated decision-making (Article 22): AEGIS includes automated decision-making features. You have the right to request human review of any AEGIS decision that produces legal or similarly significant effects, and to contest that decision. Every AEGIS decision includes an explainability record to support this right.
- Right to lodge a complaint: with your local data protection authority. In Spain, this is the Agencia Española de Protección de Datos (aepd.es). In the UK, this is the Information Commissioner's Office (ico.org.uk).
To exercise any of these rights, email privacy@zorrz.com. We will respond within 30 days.
13.1 International data transfers
ZORRZ is established in the United States. If you access the Services from outside the United States, your personal information will be transferred to, stored, and processed in the United States. Where required by applicable law, we implement appropriate safeguards for such transfers — including Standard Contractual Clauses approved by the European Commission (or the UK equivalent) — to ensure your personal data receives an equivalent level of protection.
14. Financial privacy (Gramm-Leach-Bliley Act)
ZORRZ is a financial services company. Certain personal information you provide to us is "nonpublic personal information" ("NPI") under the federal Gramm-Leach-Bliley Act ("GLBA"). This section supplements the rest of this Privacy Policy by addressing how we handle NPI.
14.1 Information we collect
NPI we collect about you may include:
- Information we receive from you on applications or other forms (name, address, Social Security Number, income);
- Information about your transactions with us, our affiliates, or others (account balances, payment history, transaction records);
- Information we receive from a consumer reporting agency (credit history, as authorized).
14.2 Information we disclose
We disclose NPI only as described in Section 6 of this Privacy Policy — to service providers under confidentiality obligations, to financial partners when you initiate a transaction, to regulators and law enforcement as required by law, and with your consent. We do not disclose NPI to nonaffiliated third parties for their own marketing purposes.
14.3 Your right to opt out
GLBA gives you the right to opt out of certain disclosures of your NPI. Because we do not share your NPI with nonaffiliated third parties for their marketing purposes, no opt-out is required. If this practice ever changes, we will provide you with advance notice and a meaningful opportunity to opt out.
14.4 Safeguards
We maintain administrative, technical, and physical safeguards to protect your NPI in accordance with the GLBA Safeguards Rule (16 CFR Part 314).
15. Children's privacy
The Services are intended for adults 18 years of age or older. We do not knowingly collect personal information from children under 18. If we become aware that we have inadvertently collected personal information from a child under 18, we will delete it promptly. If you are a parent or guardian and believe that your child under 18 has provided us with personal information, please email privacy@zorrz.com and we will take immediate action.
The Services are not directed to children under 13, and we comply with the Children's Online Privacy Protection Act ("COPPA").
16. Cookies and similar technologies
Our website uses a minimal set of technologies to function and to measure aggregate usage.
16.1 Cookies we use
- Strictly necessary: cookies required for the website to function (for example, to remember your cookie preferences and to support secure form submission). These cannot be turned off.
- Analytics: we use Plausible Analytics, which is cookieless and privacy-preserving. Plausible does not use cookies and does not collect personal data.
16.2 Cookies we do not use
- No advertising cookies
- No cross-site tracking cookies
- No third-party marketing pixels
- No social media tracking (we do not embed Facebook Pixel, TikTok Pixel, or similar)
16.3 Do Not Track and Global Privacy Control
Our website honors the Global Privacy Control (GPC) signal. Because we do not sell or share personal information for cross-context behavioural advertising, the GPC signal does not change how we process your data — but we recognize and respect it as a valid privacy preference.
17. Third-party services
The Services integrate with or reference third parties, including Plaid, Apple, Google, and your bank. When you interact with those third parties — even through AEGIS — their own privacy policies govern that interaction. We are not responsible for the privacy practices of those third parties. We encourage you to review their policies.
18. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email or through a prominent notice in the Services at least 30 days before the changes take effect. The "Last Updated" date at the top of this Policy always reflects the most recent revision. Your continued use of the Services after changes take effect constitutes your acceptance of the updated Policy.
19. Contact us
If you have questions about this Privacy Policy, wish to exercise a privacy right, or have a complaint, please contact us.
We aim to respond to all privacy inquiries within 30 days (45 days for CCPA/CPRA requests).
