Privacy Policy

Tilled, Inc. (“Tilled,” “we” or “us”) is committed to protecting and respecting your privacy. We provide
tools and services to businesses and platforms to integrate, conduct and complete online payment
transactions. Please read this Privacy Policy (this “Privacy Policy”) before accessing or using the website
located at www.tilled.com or any successor website (the “Site”) or any applications, products, services,
features, tools, application programming interfaces and software accessed through the Site (collectively,
the “Services”).

Our Services may provide links to or make available integrations with third-party websites or applications (“Third-Party Sites”). This Privacy Policy does not apply to Third-Party Sites, even if you access such Third-Party Sites through the Site or the Services. Such Third-Party Sites are outside our control and not covered by this Privacy Policy. Tilled is not liable for any information, content, products, services, software, or other materials available on or through Third-Party Sites. The use of a Third-Party Site or any information or other content found on Third-Party Sites is subject to and governed by the terms and conditions of such Third-Party Sites. Please consider the privacy policies of such third parties carefully.

PLEASE READ THIS PRIVACY POLICY CAREFULLY TO UNDERSTAND HOW WE HANDLE YOUR PERSONAL DATA. IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, PLEASE DO NOT ACCESS THE SITE, ENGAGE US FOR OUR SERVICES, OR OTHERWISE USE OUR SERVICES.

By accessing or using the Site or the Services, you agree to this Privacy Policy. This Privacy Policy may
change from time to time (see Changes to Our Privacy Policy below). Your continued use of the Site or
the Services after we make changes is deemed to be acceptance of those changes, so please check the
Privacy Policy periodically for updates.

What This Policy Covers

This Privacy Policy describes what information Tilled collects through the Services, how this data is used
and shared, your rights, and how you can contact us about our privacy practices. 

This Privacy Policy applies to the Personal Data that we collect from users of our Services, which also
includes personal data about individuals who use the products and services of our users (“individual
person”). Generally, we will not collect Personal Data directly from an individual person unless such
individual person visits our Site or uses our Services. Please note that in most instances, Tilled acts as a
“data processor” or “service provider” to users of our Services and other third parties such as Partner
Platforms (as defined below). As a result, you may have to contact the “controller” of your data, or refer
to their privacy policies, for any inquiry regarding your Personal Data.

“Personal Data” means information relating directly or indirectly to an identifiable individual, except as
may be set forth in applicable law.

How We Collect Your Personal Data

We collect information about you and the information you and others provide to us as set forth below
and through the means discussed below. Please note that we need certain types of information so that
you can access our Services or so we can provide the Services you request. If you do not provide us with
the required information or ask us to delete it, you may no longer be able to access or use our Services.

You may not provide us information that is obscene, defamatory, infringing, malicious, or that violates
any law. If you provide Personal Data of a third party, you are responsible for providing any notices and
obtaining any consents necessary for us to collect and use such Personal Data as described in this
Privacy Policy.

Personal Information Provided Directly to Us

We collect information that you provide directly to us. For example, we collect information from you
through:

• browsing the Site;
• your requests for information from us or from your other communications with us;
• opening a Sandbox Account;
• requests for customer support or technical assistance with the Services; and
• details of transactions you carry out through our Site and Services.

This information may include:

• Personal and online identifiers (such as first and last name, email address, billing addresses or
• unique online identifiers, dates of birth, government identifiers (e.g., social security numbers,
• tax number, or Employer Identification Number) telephone numbers, and postal addresses);
• Recordkeeping information (such as bank account number, credit card number, debit card
• number, CVC numbers, or any other financial information);
• Commercial or transaction information (such as records of products or services purchased,
• obtained, or considered, and user’s account credentials); and
• Information relevant to fraud or security investigations (such as source IP address, user-
• agents/browser type, and device information).

Information We Collect Through Our Services

• Customers of our Partner Platforms: If you access the Services through a software platform,
  marketplace, payment facilitator, or other business that has an integration with Tilled (“Partner
  Platform”), we receive information about you from the Partner Platform, such as information
  about your business, its owners and officers, transactions made by or with your business, and
  your customers and vendors.
• Customers of our Merchants: If you are making a payment to a merchant that uses our Services
  to process your payment, we may, directly or through the merchant or Partner Platform
  providing services to the merchant, collect, process, and store financial and transaction related
  Personal Data about you and your transaction, such as personal and online identifiers,
  transaction information, financial account information, and device and usage information.
• Service Providers: We may receive information about you from our third-party service
  providers, such as companies that manage risk and fraud or market the Services, card networks,
  payment processors, referral partners, identity verification

Personal Data We Automatically Collect from Our Website

When a user or any other person visits our website, we collect information associated with that visit. Our wWhen you use the Services, we collect and analyze some information via a variety of technologies that
automatically collect information about the Services. This information includes, but is not limited to, a
user’s device and usage information, IP address, browser type(s), location (including IP address and
latitude and longitude), browser language, operating system, referring and exit pages and URLs, error
log data, and other similar information. We use this information to track the use of the Site and Services
and to assist us in maintaining, evaluating, and improving the Site and Services and products we sell.

When a user or any other person visits our Site, we collect information associated with that visit. Our
Site uses cookies. A cookie is a data file sent by our website to your web browser that will allow our Site
to recognize your browser or remember your information or settings. The cookie holds information our
Site may need to personalize or enhance your experience and to gather statistical data, such as which
pages are visited, the Internet provider’s domain name and the addresses of the sites visited
immediately before coming to and immediately after leaving our Site. The information in the cookie lets
us trace “clickstream” activity (i.e., the paths taken by visitors to our Site as they move from page to
page) to enable us to better serve our customers by revealing which portions of our Site are the most
popular. We may link the anonymous visitor ID from your cookie to a user ID in our database to help us
analyze web traffic and statistics. From time to time, other companies may help us with data research
and analysis, but they will be prohibited from using that data for any other purpose. You may disable
cookies on your browser. Please review your browser’s instructions for doing so. Note that certain
features of the Site may not be available if you delete or reject cookies.

We may use pixel tags (also called web beacons or clear gifs) on our Site. They can help us analyze what
our customers like to do on our Site and the effectiveness of our features and advertising. They can also
help us customize your browsing experience. We may use information collected through pixel tags or
tracked links in combination with your Personal Data. We may also combine the Personal Data you
provide to Tilled with other Personal Data (such as purchase history and demographic information). If
we work with other companies to help us track, collect and analyze this information, they will be
prohibited from using this information for any other purpose.

The Site and Services, including our service providers, may also use other technologies such as
JavaScript. We may use local storage (HTML5). We may also permit third parties to use cookies, web
beacons, JavaScript and eTags on our Site. We also utilize other technologies that may collect
information when visiting our Site. Information that may be collected from these technologies include
browser and device data, such as an IP address or operating system.

If your browser supports an opt-out preference signal, you may opt out of the sharing or sale of your
Personal Data by properly configuring the opt-out preference signal. If you subsequently delete cookies,
change your browser settings, or use a different browser, you will need to turn the opt-out signal on
again.

Recruiting and Candidate Information

If you choose to apply to work with or for Tilled through our Site or by otherwise contacting us regarding
opportunities to become an employee, agent, or contractor for us, we may collect the following:

• Identification data, such as your name, date of birth, social security number, and other government identifiers.
• Contact information, such as your first and last name, email and mailing addresses, phone number, emergency contact information, professional title or profession, and company name, if applicable.
• Application information regarding qualifications, skills, employment or education history, or other related information provided voluntarily in response to questions and during any interviews.
• Reference information, such as name and contact details of your references.
• Social media information, such as if you provide us a link to or other access to a social media account, we may collect or access any information you permit to be shared through or from your social media account and other information depending on the social media platform.
• Background check information, subject to applicable law.
• Compensation information, such as financial account information, and any other compensation information that you voluntarily provide, which may depend on your region and applicable laws and regulations.
• You are responsible for the accuracy of the Personal Data you provide or make available to us. Some information is provided directly to Tilled for internal use, while other information may be shared directly with a service provider who handles specific aspects of Tilled’s operations. Some information is mandatory to provide because it enables Tilled to perform mandatory employee-hiring processes, like issuing your paycheck or verifying your eligibility for employment. All Personal Data you provide, particularly in connection with our recruiting activities, must be truthful, accurate and not misleading in any way.

How We Use Your Personal Data

We, or our service providers working on our behalf, may use your Personal Data for various purposes
depending on the types of information we have collected from you in order to:

• Provide the Services, which may include, but are not limited to,
  • Process transactions, such as financial transactions;
  • Verify your identity and/or evaluate your eligibility for the Services;
  • Prevent or investigate fraud, illegal or prohibited activities, and security issues or breaches; and
  • Enforce our terms and any other agreements between you and us.
• Respond to your requests for information and provide you with more effective and efficient customer service. For example, we use your information to respond to your requests for information about our Services and, if you are a current customer and submit a request for customer service, to identify you as a current customer, provide more accurate and personalized customer service;
• Maintain, secure, and improve current and future Services. For example, our Services may collect your information through forms that you submit and may collect information automatically about your use of the Services to inform us about Services performance, areas of improvement, and Services updates and changes we may decide to evaluate;
• Comply with any procedures, laws, and regulations which apply to us or our processing. For example, we comply with subpoenas and other court orders to process data where we have determined there is a legal requirement for us to do so;
• Establish, exercise, or defend our legal rights. We may process your Personal Data in connection with establishing, exercising, or defending our legal rights where it is necessary for our legitimate interests or the legitimate interests of others or for fraud prevention. For example, we may process information you provide to identify any fraudulent, harmful, unauthorized, unethical, or illegal activity, such as use of another individual’s identity, and we may use your information as necessary to defend ourselves in litigation or enforce our rights or agreements with others;
• Conduct recruiting and hiring activities for opportunities with Tilled. If you apply to work with or for Tilled, we will review the information you submit to determine if your qualifications and experience match any available opportunities a Tilled, to verify the information you provide, communicate with you regarding any opportunities, improve our recruiting processes, process your onboarding if hired, and comply with applicable labor and employment laws;
• Other legitimate purposes as required or permitted by applicable law. We may process your information for other purposes consistent with those in this Privacy Policy and as may be permitted or required by applicable law.

How We Share Your Personal Data

Tilled may use and disclose your Personal Data that is collected through our Site and Services to run
our everyday business and in accordance with applicable law and this Privacy Policy. We may share
Personal Data with:

• Financial service providers. Tilled shares your Personal Data with financial service providers, such as the institutions identified in your processing agreements, banks, card networks, and other service providers that help us with processing payments.
• Service providers. Tilled may share your Personal Data with companies that provide tools, support, audits, or otherwise help to enhance or maintain the Services (such as email companies, fraud prevention companies, identity verification services, consumer reporting services, information storage companies, legal service firms, and information security companies). Third-party service providers have access to your personal information to perform these services but are prohibited from using your information for other purposes. Tilled will enter into data protection agreements with service providers that have access to your personal information, which will prohibit them from using or disclosing your personal information except for the purpose of providing the Site and Services. Tilled will not sell any personal information to third parties.
• Partner Platforms and Merchants. If you access the Services through a Partner Platform or make a payment to a merchant using our Services, Tilled shares information about you with the Partner Platform and merchant, as applicable, including your Personal Data.
• Referral partners. Where a business is referred to Tilled by a referral partner, Tilled may share business information, including, for example, name, transaction volume, and business status, with the referral partner as necessary to administer the referral arrangement, including to calculate fees, determine the business’s continued eligibility for the referral program and any preferred pricing, and servicing and managing the business’s account.
• Protection of Tilled and Others. Tilled may disclose the information we collect and maintain about you if required to do so by law or in a good faith belief that such access, retention or disclosure is reasonably necessary to: (a) comply with legal process (e.g., a subpoena or court order); (b) enforce this Privacy Policy, or other contracts with you, including investigation of potential violations thereof; (c) respond to claims that any content violates the rights of third parties such as rights of privacy or intellectual property; (d) respond to your requests for customer service; and/or (e) protect the rights, property or personal safety of Tilled, its agents and affiliates, its users and/or the public. This includes exchanging information with other companies and organizations for fraud protection, spam/malware prevention, and similar purposes.
• User Authorized Parties. Tilled shares your Personal Data with third parties when a user of our Services or an individual person has given us authorization.
• For the Purpose for Which You Provide It: We may share information you provide for the purpose for which you provide it.
• Intracompany: We may share your information with any affiliates and subsidiaries to operate our business.

Tilled may also share or exchange deidentified, anonymized, or aggregated information to the extent permissible under applicable laws and regulations.

We require all parties with whom we share data to respect the security of your Personal Data and to treat it in accordance with the law.

Retention of your Personal Data

We will store the Personal Data we collect for as long as reasonably necessary for purposes for which it
was collected, subject to legal limitation periods, statutory or regulatory retention requirements, and
legitimate business requirements, or as permitted by law.

The length of time for which we retain information depends on the purposes for which we collected and
used it, requirements of applicable laws, the amount, nature, and sensitivity of the information, the
potential risk of harm from unauthorized use or disclosure of the information, the resolution of any
pending or threatened disputes, and enforcement of our agreements.

When we no longer require the Personal Data, we will either delete or deidentify it, or if this is not
possible, securely store it in accordance with this Privacy Policy and cease use of the Personal Data until
deletion is possible. If we deidentify your Personal Data (so that it can no longer be associated with you
and thus is no longer considered Personal Data under relevant laws), we may retain this information for
longer periods.

How We Protect Your Personal Data

We take reasonable measures to protect all Personal Data in our possession. Our measures are meant to
ensure the appropriate organizational and technical safeguards are in place to prevent the loss, misuse,
unauthorized access, disclosure, alteration, or destruction of Personal Data. However, no electronic
transmission or storage system of data is guaranteed to be error-free and completely secure.

The safety and security of your information also depends on you. Where we have given you (or where
you have chosen) a password for access to certain parts of our Services, you are responsible for keeping
this password confidential. Do not share your password with anyone.

Unfortunately, the transmission of information via the internet is not completely secure. Although we
use measures to protect your Personal Data, we cannot guarantee the security of your Personal Data
transmitted to our Services.

Cross-Jurisdictional Transfers

By providing your data to us, you acknowledge and agree that the Personal Data may be transferred to
other jurisdictions for processing and storage, including in servers located across Canada and in the
United States, where laws regarding the protection of Personal Data may be different than the laws in
your jurisdiction. Further, Personal Data may be accessible to law enforcement, national security
authorities, and the courts of such jurisdictions. Where necessary to make such transfers, we will comply
with our legal and regulatory obligations in relation to the Personal Data. If you have any questions
regarding our policies and practices relating to our storage and processing of Personal Data in other
jurisdictions, please contact us as set forth in Section 12 below.

Rights and Choices

Please note that, in most instances, Tilled acts as a “data processor” or “service provider” to third-party
companies such as Partner Platforms and merchants. As a result, these third-party companies are
responsible for honoring their customers’ privacy rights and making appropriate disclosures. If you are
such a customer, please refer to the privacy policies or notices of the relevant Partner Platform or
merchant for information regarding their privacy practices.

In relation to the Personal Data for which we act as “data controller”, and subject to certain exceptions
and applicable laws, you may have the following rights in relation to the Personal Data that we hold
about you:

• Right to Know What Personal Data is Being Collected (Right to Access): You have the right to request the following information:
  • Categories of Personal Data collected about you.
  • Categories of sources from which the Personal Data is collected.
  • The business or commercial purpose for collecting, selling, or sharing your Personal Data.
  • Categories of third parties to whom Tilled discloses your Personal Data.
  • The specific pieces of Personal Data we have collected about you.
• Right to Delete Personal Data: You have the right to request that Tilled delete any Personal Data about you that Tilled has collected from you.
• Right to Correct Inaccurate Personal Data: You have the right to request that Tilled correct your inaccurate Personal Data if we maintain inaccurate Personal Data about you.
• Right to Know What Personal Data is Sold or Shared and to Whom: You have the right, if Tilled sells, shares your information, to request that Tilled disclose to you the following:
  • The categories of Personal Data that Tilled collected from you.
  • The categories of Personal Data that Tilled sold or shared about you and the categories of Personal Data for each category of third parties to whom the Personal Data was sold or shared.
  • The categories of Personal Data that Tilled disclosed about you for a business purpose and the categories of persons to whom it was disclosed for a business purpose.
• Right to Opt Out of Sale or Sharing of Personal Data: You have the right to direct Tilled, if we sell or share your Personal Data to third parties not to sell or share your Personal Data.
• Right to Limit Use and Disclosure of Sensitive Personal Data: You have the right to direct Tilled to limit the use of your sensitive Personal Data to the use which is necessary to perform the Services.
• Right of No Retaliation Following Opt Out or Exercise of Other Rights: Tilled may not discriminate against you if you exercise any of your rights as described above.
• Right to Data Portability: You have the right to obtain your Personal Data in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another entity without hindrance.

Please contact us as set forth in Section 12 below, if you wish to exercise any of your rights under the applicable laws. In your request, please specify which right you are seeking to exercise and the scope of the request. We may require specific information from you to help us verify your identity and process your request. If we are unable to verify your identity, we may deny your request. You can designate an authorized agent to submit requests on your behalf. However, we will require written proof of the agent’s permission to do so and verify your identity directly.

When you submit a request, do not send us, directly or indirectly, any sensitive or special categories of Personal Data (e.g., social security numbers or other national or state identifiers, health information, biometric data or genetic characteristics, and so on).

We will evaluate and respond to your request to the extent required by law (or in our discretion if not required by law) in the time required by law and as permitted by our contracts, confidentiality obligations, and applicable laws and regulations. We may not be able to provide all of the information requested or fulfill your request due to certain exceptions enumerated under applicable law. In such a case, we will inform you of the reasons we cannot fulfill all or part of your request. If the request submission methods above do not enable you to submit your request, please contact us as set forth below and specify which right you wish to exercise.

California residents are entitled to contact us to be informed about our disclosure of Personal Data to third parties for third parties’ direct marketing purposes. In order to submit such a request, please contact us at marketing@tilled.com.

Use of Our Services by Children

We do not knowingly collect Personal Data from children under the age of 13, in accordance with our
obligations under the Children’s Online Privacy Act. If you are under the age of 13, please do not submit
information to us. If we have reason to believe that we have collected any information from a child
under the age of 13, we will take all reasonable steps to delete such information.

Business Transfers

As we continue to develop our business, we may buy, merge, or partner with other companies. In such
transactions user information may be among the transferred assets. If a portion or all of our assets are
sold or transferred to a third party, customer information (including information processed in
accordance with this Privacy Policy) may be one of the transferred business assets. If such transfer is
subject to additional mandatory restrictions under applicable laws, we will comply with such
restrictions. Any third party to which we transfer or sell our assets will have the right to continue to use
your information in the manner set out in this Privacy Policy.

Changes to This Privacy Policy

We reserve the right to amend this Privacy Policy at any time to reflect changes in the law, our data
collection and use practices, our Services, advances in technology, and for other purposes. We will make the revised Privacy Policy accessible through the Services and encourage you to review the Privacy Policy periodically. Any changes will be effective immediately upon the posting of the revised Privacy Policy. The “last updated” date included at the top of this Privacy Policy will indicate when it was last updated. If we make a material change to the Privacy Policy, you will be provided with appropriate notice by email or post on our Site or in accordance with other legal requirements. Your continued use of the Services following the notice of such changes indicates that you have read, understood, and agreed to be bound by the latest version of the new policy. This Privacy Policy is not intended to, nor does it, create any contractual or legal right in or on behalf of any party, including you.

Contacting Us

If you have any questions regarding this policy, please feel free to contact us at marketing@tilled.com.