This Privacy Notice (“Privacy Notice”) describes how Sphere Laboratories, Inc., together with its subsidiaries, affiliates, and related entities (including Symmetry Financial Technologies, LLC and Arcadia Financial Technologies, LLC) (collectively, “Sphere”, “we”, “us”, or “our”) collects, uses, and discloses personal information in connection with our website at https://spherelabs.co and https://spherepay.co (together, the “Sites”), our applications, application programming interfaces (“APIs”), embedded services, and any other online or offline products, services, tools, and features (collectively, the “Services”).

References to “Sphere” in this Privacy Notice include all entities that are controlled by, under common control with, or that control Sphere Laboratories, Inc., whether directly or indirectly. Depending on the nature of the processing activity and the jurisdiction in which it takes place, each such entity may act as a data controller, joint controller, or processor with respect to your personal information. Where a specific Sphere entity is your contracting party under a customer or user agreement, that entity will be the primary data controller for the personal information processed under that agreement.

For purposes of this Privacy Notice, “you” and “your” mean any individual whose personal information we process, including visitors to the Sites, account holders, representatives of our business customers, employees and beneficial owners of those customers, job applicants, event attendees, and end users, counterparties, cardholders, wallet holders, payees, payers, and other individuals whose personal information we process because they are transacting with, receiving services from, or otherwise interacting with one of our customers who uses our infrastructure or embedded services.

Please read this Privacy Notice in full. By using any of the Services, you acknowledge that you have read this Privacy Notice and have been informed of Sphere’s collection, use, and disclosure of your personal information as described herein. If you do not understand or agree to this Privacy Notice, please do not use or access the Services.

Our U.S. Consumer Financial Privacy Notice (set forth in Section 12 below) applies to nonpublic personal information we collect about U.S. individuals who seek, apply for, or obtain our financial products and services for personal, family, or household purposes.

Contact and Data Protection Representatives

For questions about this Privacy Notice or our privacy practices, or to exercise any of your rights described below, please contact us at privacy@spherepay.co. You may also contact us or our appointed representatives at the addresses below:

EEA Representative: Adam Brogden, Office 2, 12A Lower Main Street, Lucan, Co. Dublin, K78 X5P8, Ireland; via the EEA portal; or contact@gdprlocal.com.

UK Representative: Adam Brogden, 1st Floor Front Suite, 27–29 North Street, Brighton, England, BN1 1EB, United Kingdom; via the UK portal; or contact@gdprlocal.com.

U.S. Data Protection Officer: 8 The Green, #22219, Dover, DE 19901, USA; privacy@spherepay.co.

1. Scope and Updates to This Privacy Notice

This Privacy Notice applies to personal information processed by us in compliance with applicable data protection laws, including, but not limited to, the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and UK Data Protection Act 2018 (“UK DPA”), the Swiss Federal Act on Data Protection (“FADP”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”), the U.S. Gramm-Leach-Bliley Act (“GLBA”), the Singapore Personal Data Protection Act (“SG PDPA”), the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, “LGPD”), the South African Protection of Personal Information Act (“POPIA”) and other applicable U.S. state and non-U.S. privacy and financial services laws (each a “Data Protection Law” and collectively, the “Data Protection Laws”). Where there is any inconsistency or conflict between Data Protection Laws that apply to a given processing activity, the Data Protection Law offering the greater protection to the individual will apply to the extent required by law.

Terms not otherwise defined in this Privacy Notice have the meaning given in the applicable Data Protection Laws.

Changes to This Privacy Notice

We may modify this Privacy Notice from time to time. If we make changes, we will update the “Last Updated” date at the top of this Privacy Notice. If we make material changes to how we collect, use, or disclose personal information, we will use reasonable efforts to notify you (for example, by emailing the last email address you provided us, by posting notice on the Services, or by other means consistent with applicable law) and will take additional steps as required by applicable law. Your continued use of the Services after the updated Privacy Notice takes effect constitutes your acknowledgement of the updated Privacy Notice.

2. Personal Information We Collect

The categories of personal information we collect depend on how you interact with us and the Services, the nature of the product or feature you use, and the requirements of applicable law. We collect information you provide to us directly, information collected automatically when you use the Services, and information we receive from other sources, as described below.

Summary of categories of personal information we collect:

A. Personal Information You Provide to Us Directly

Account, Onboarding, and KYC/KYB Information: We and our service providers collect personal information in connection with your application for, and creation and maintenance of, a Sphere account or your use of the Services, including Know Your Customer and Know Your Business (“KYC/KYB”) information, such as your name, your business’s name, state or country of incorporation, entity type, registered and mailing addresses, employer tax identification number (or comparable number issued by a government), Social Security or national insurance number, and personal identification information for all material beneficial owners and authorized representatives of your business. We may also collect bank account numbers, payment card primary account numbers (“PAN”), tax identification numbers, government-issued identification numbers (and copies of the documents bearing them), nationality, and biometric information (such as facial recognition data) processed by third-party identity verification service vendors.

Transaction Information: We collect information about transactions made on or through the Services, including wallet addresses of senders and recipients, counterparty names and identifiers, account balances, payment history, currency amounts, currency preferences, payment methods, dates, timestamps, and related memos or references.

Financial, Blockchain, and Wallet Information: When you use the Services, you may choose to link bank, brokerage, asset, or other financial accounts. If you do so, we will collect the account number, balance, and related account details. The Services may also enable you to: (a) store information about digital assets and currencies on decentralized blockchains (each, a “Blockchain”) that Sphere, in its sole discretion, elects to support (each, a “Supported Digital Asset”); (b) initiate or facilitate on-chain transactions; and (c) monitor deposits, view balances, and, where available, stake Supported Digital Assets. Sphere will collect information related to such Supported Digital Assets, including wallet addresses, transaction hashes, block heights, and related on-chain data.

Payment Information: When you pay for, or receive payments through, the Services, we collect bank account, credit or debit card details, and billing address. We use this information to process your payment and to provide the Services, as required to perform our contract with you.

Your Communications with Us: We collect personal information you provide when you request information about Sphere or the Services, register for our newsletter, request support, report a problem, or otherwise communicate with us. This may include your name, company name, contact details, and the content of your communications.

Job Applications: If you apply for a job with us, we collect the information you include in your application, resume, CV, cover letter, references, and any other information you provide. We use applicant information to evaluate your candidacy and, where permitted, may retain it for consideration for future roles.

Events, Conferences, and Business Development: We may collect personal information from individuals when we attend or host conferences, trade shows, and other events, and from individuals and third parties in the course of assessing and pursuing potential business opportunities, investments, or strategic partnerships.

Interactive Features and User Content: We and others who use the Services may collect personal information that you submit or make available through our interactive features (e.g., social media pages, community forums, support chats). Any information you provide through public-facing features of the Services will be considered “public”, unless otherwise required by applicable law, and is not subject to the privacy protections referenced in this Privacy Notice.

AI-Powered Tools: Any information you choose to input into our AI-powered tools (“Input”) is used to generate and return new information or content (“Output”) as part of the Services. We may also use Input and Output to operate, monitor, debug, and improve the Services, including by evaluating, and where appropriate training or fine-tuning, the AI models that power such tools, in each case consistent with applicable law and any more specific notices we provide in the Services.

Financial Crime, Fraud, and Sanctions Data: We collect personal history, account information, contact information, and criminal history information as part of our financial crime programs, including anti-fraud, AML, CTF, and sanctions screening procedures (for example, matches against OFAC, EU, UK, and UN sanctions lists). We process this information in connection with our legal obligations and for the detection and prevention of fraud, money laundering, terrorist financing, sanctions evasion, and other illegal activity.

B. Personal Information Collected Automatically

We and third parties who provide content or functionality on the Services may use cookies, pixel tags, web beacons, SDKs, and other tracking technologies (collectively, “Technologies”) to automatically collect information when you use the Services. Such information includes Internet protocol (IP) address, user settings, MAC address, cookie identifiers, mobile carrier, mobile advertising and other unique identifiers, browser or device information, location information (including approximate location derived from IP address), Internet service provider, device token, mobile network information, and time zone. We also automatically collect information regarding your use of the Services, such as pages you visit before, during, and after using the Services; items you search for; the links you click; the types of content you interact with; the frequency and duration of your activities; and other information about how you use the Services.

Categories of uses of Technologies

• Operationally Necessary – Technologies that allow you to access the Services, or that are required to identify irregular behavior, prevent fraudulent activity, improve security, or allow you to make use of our functionality.
• Performance-Related – Technologies used to assess the performance of the Services, including as part of our analytic practices to help us understand how individuals use the Services.
• Functionality-Related – Technologies that allow us to offer you enhanced functionality, such as identifying you when you sign in or keeping track of your specified preferences, interests, or past items viewed.
• Advertising- or Marketing-Related – Where permitted, Technologies used to deliver, measure, and improve marketing communications and interest-based advertising, subject to your consent where required.

Analytics, including Google Analytics

We use analytics Technologies and other third-party tools, including Google Analytics, to understand how our Services are used and to continually improve and personalize them. For more information about how Google uses personal information collected through sites and apps that use its services, please read “How Google uses information from sites or apps that use our services.” To learn more about how to opt out of Google Analytics, please click here.

Do Not Track

Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. The Sites are not designed to respond to or honor DNT signals or similar mechanisms transmitted by web browsers.

C. Information We Receive from Other Sources

We obtain information about you from outside sources, including information we collect directly from third parties and information third parties share with us at your direction or on our behalf. This includes: (i) financial account, payment, and asset data from partnering financial institutions or from providers that facilitate linking your financial or third-party account to the Services; (ii) analytics data from providers such as Google Analytics, which we use in our legitimate interests to improve the Sites and Services; (iii) information from career websites (such as LinkedIn) for recruiting purposes; (iv) information from consumer marketing databases and data enrichment companies, which we use in our legitimate interests to customize advertising and marketing; (v) identity verification, credit reporting, sanctions, politically exposed persons (“PEP”), adverse media, and fraud prevention information from third-party compliance service providers; (vi) information our customers submit to us relating to their own end users, cardholders, wallet holders, payers, payees, or transaction counterparties, in order for those customers to use the Services; and (vii) information that is openly available on the Internet, including public records and public blockchain data.

Information we receive from outside sources will be treated in accordance with this Privacy Notice. We are not responsible for the accuracy of information provided to us by third parties, nor for any third party’s policies or practices.

D. De-identified and Aggregated Information

We may de-identify or aggregate personal information such that it cannot reasonably be used to infer information about, or otherwise be linked to, a particular individual, and we may also collect information that has already been de-identified or aggregated. We may use, disclose, and retain such information for any purpose permitted by applicable law, including research, analytics, product development, and the development and evaluation of AI models.

3. How We Use Your Personal Information

We use your personal information for a variety of business purposes, including to provide and improve the Services, for administrative and compliance purposes, to market our products and services, and for other purposes permitted by law, as described below.

A. Providing the Services

• Managing your information, account(s), and our relationship with you;
• Providing access to the features and functionality of the Services, including processing, facilitating, settling, and reconciling payments and transfers;
• Facilitating the connection of third-party services or applications to the Services, including via APIs and embedded integrations;
• Responding to your requests for customer or technical support;
• Communicating with you about your account, activity on the Services, policy changes, and other service-related notices; and
• Processing applications for a job with us.

B. Administrative, Security, and Compliance Purposes

• Pursuing our legitimate interests, such as direct marketing, research and development (including marketing research), network and information security, and fraud prevention;
• Verifying the identity of our customers, their representatives, and beneficial owners (including through KYC/KYB processes);
• Performing real-time fraud, financial risk, sanctions, and balance checks for transactions, and investigating and responding to suspected or actual fraudulent, deceptive, or illegal activity;
• Monitoring, detecting, investigating, and preventing violations of our terms of service and other Sphere policies;
• Measuring interest and engagement in the Services;
• Improving, upgrading, enhancing, and developing new Services and features;
• Ensuring internal quality control and safety;
• Authenticating and verifying individual identities, including in connection with requests to exercise rights under this Privacy Notice;
• Debugging to identify and repair errors with the Services;
• Auditing our interactions, transactions, and other compliance activities, and investigating, managing, and resolving disputes and chargebacks; and
• Complying with our legal and regulatory obligations, including AML, CTF, sanctions, market abuse, tax, financial reporting, the Markets in Crypto-Assets Regulation (“MiCA”), and “travel rule” requirements. For example, when you use our digital-asset or payments services, we are required to collect, use, retain, and share personal information (including identity and transaction data) to comply with these obligations across the jurisdictions in which we operate.

C. Processing Personal Information of End Users and Counterparties

In certain circumstances, Sphere processes personal information of individuals who are not Sphere’s direct customers. This occurs where Sphere provides infrastructure, embedded services, payment, wallet, custody, card issuing, or compliance services to its customers, and those customers use the Services to interact with other individuals (for example, cardholders, wallet holders, transaction counterparties, payees, payers, merchants, or recipients of transfers).

Depending on the product and how Sphere’s functionality is made available, these individuals may interact directly with Sphere’s systems and accept our end-user terms, or we may process their personal information solely because they are transacting with or receiving funds from our customer without any direct interaction with us. In such cases, we process this personal information on the basis of: (i) compliance with legal and regulatory obligations (including AML, CTF, sanctions screening, and travel rule requirements); (ii) the legitimate interests of our customers and of Sphere in enabling the secure and compliant provision of the Services and product features; and/or (iii) the performance of our contractual obligations to our customers.

D. Marketing

We may use your personal information to send you marketing communications about Sphere products and services that may be of interest to you, subject to your communications preferences and applicable law. You can opt out of marketing communications at any time using the mechanisms described in Section 7 below.

E. With Your Consent

We may use personal information for other purposes that are clearly disclosed to you at the time you provide personal information or with your consent.

F. Other Purposes

We also use your personal information for other purposes requested by you or permitted by applicable law.

G. Information Made Available on the Blockchain Network

Notwithstanding anything to the contrary in this Privacy Notice, information you make available on a Blockchain network through the Services, including wallet addresses and on-chain transaction data, may be shared with third parties, made publicly visible, and/or recorded on the Blockchain. In these situations, the information you share may not be capable of being modified or deleted due to the immutable nature of the Blockchain. The foregoing disclosure may be made for purposes related to facilitating activities or transactions on the Blockchain, including making payments to Sphere.

H. Automated Decision-Making

In connection with providing the Services, we may use automated systems to process your personal information for purposes such as fraud detection, sanctions screening, risk scoring, and transaction monitoring. In some cases, these automated processes may result in decisions that affect your ability to use the Services or to complete a transaction (for example, blocking or flagging a transaction that our systems identify as potentially fraudulent or in violation of applicable sanctions). Where such decisions are made solely by automated means and produce legal or similarly significant effects concerning you, you have the right to request human review of the decision, to express your point of view, and to contest the outcome, except where such automated processing is authorized by applicable law, necessary for the performance of a contract, or based on your explicit consent. To request human review or contest an automated decision, please contact us using the details in Section 14.

4. How We Disclose Your Personal Information

We disclose your personal information to third parties for a variety of business purposes, including to provide the Services, to protect Sphere and others, and in the event of a business transaction such as a merger, sale, or asset transfer, as described below.

A. Disclosures to Provide the Services

Affiliates and Corporate Group: We may disclose personal information to our affiliates and other entities within our corporate group, including Symmetry Financial Technologies, LLC and Arcadia Financial Technologies, LLC, as a matter of our legitimate interests in efficiently operating our business and providing the Services, and, for GLBA purposes, for the affiliates’ everyday business purposes related to your transactions and experiences with us.

Service Providers and Vendors: We disclose personal information to third-party service providers and vendors that assist us with the provision of the Services, including providers of IT and hosting, payment processing and orchestration, customer service, third-party electronic identity verification (including those that process biometric information), KYC/KYB, AML/CTF transaction monitoring, sanctions screening, tax reporting, data hosting, security and fraud investigation, analytics, marketing and promotions, telecommunications (including SMS delivery), document repository, chatbot, and related services.

Financial Institutions, Networks, and Payment Partners: We disclose personal information to financial institutions, card networks, exchangers, custodians, banking partners, and payment processors that facilitate transactions you request through the Services, including as required to process, route, reconcile, and settle payments and transfers.

API and Embedded-Services Partners: We disclose personal information to our networked partners that connect to the Services via APIs or embedded integrations, where those partners may receive information about you that we, you, or others share with them, in each case to enable the product or feature you or our customer has requested.

Business Partners and Joint Offerings: We may share personal information with business partners, including banks, with whom we jointly offer products or services, in order to provide the Services you have requested.

Fraud Prevention and Industry Partners: We disclose personal information to agencies and organizations working to prevent fraud, money laundering, and other financial crime in financial services.

Professional Advisors: We may disclose personal information to our professional advisors, such as auditors, law firms, and accounting firms, as a matter of our legitimate interests to assess, protect, enforce, and defend our rights and to comply with our legal and regulatory obligations.

Third Parties at Your Direction: We may disclose personal information to third parties to whom you request or direct us to disclose it, for example through your use of social media widgets, login integrations, or account-connection features, with your consent or to perform our contract with you.

Marketing Partners: We may share personal information with third parties for their own marketing purposes only where you have consented to such sharing.

B. Disclosures to Protect Sphere or Others

We may access, preserve, and disclose any information we store about you if we, in good faith, believe doing so is required or appropriate to: comply with applicable law, law enforcement, or national security requests and legal process (such as a court order, subpoena, production order, or regulatory inquiry); cooperate with regulators and supervisory authorities; protect your, our, or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with the investigation or prosecution of suspected or actual illegal activity, including fraud, market abuse, money laundering, terrorist financing, or sanctions evasion.

C. Disclosure in the Event of Merger, Sale, or Other Asset Transfers

If Sphere is involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, your personal information may be sold, transferred, or otherwise disclosed as part of such a transaction, as permitted by applicable law and/or contract.

5. Legal Bases for Processing (EEA, UK, and Switzerland)

If you are located in the European Economic Area (“EEA”), the United Kingdom, or Switzerland, the GDPR, UK GDPR, or FADP (as applicable) require that we have a valid “legal basis” for processing your personal information. The legal bases we rely on include:

• Consent – where you have consented to the use of your personal information for one or more specific purposes (for example, for certain cookies, certain marketing communications, or processing of special categories of personal information). You may withdraw your consent at any time.
• Contractual Necessity – where processing is necessary to perform a contract to which you are a party or to take steps at your request before entering into a contract, including verifying your identity, onboarding you to the Services, and processing transactions.
• Compliance with a Legal Obligation – where processing is necessary for us to comply with a legal or regulatory obligation, including AML, CTF, sanctions, tax, accounting, record-keeping, and financial-crime reporting obligations.
• Legitimate Interests – where processing is necessary for the legitimate interests pursued by Sphere or a third party, except where such interests are overridden by your interests or fundamental rights and freedoms. We rely on legitimate interests for purposes such as operating and improving the Services, detecting and preventing fraud and abuse, information and network security, product development, internal analytics, and limited direct marketing.
• Vital Interests and Public Interest – in limited circumstances, where processing is necessary to protect the vital interests of a natural person, or where it is necessary for a task carried out in the public interest or required by law.

Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms. You have the right to object to that processing, as further described in Section 7 below. For more information about the legal basis relied on for a specific processing activity, please contact us using the details in Section 14.

6. International Transfers of Personal Information

Sphere operates globally. Personal information processed by us may be transferred to, stored, and processed anywhere in the world, including in the United States and other countries whose data protection laws may differ from, and in some cases offer a lower level of protection than, the laws of your country of residence. We take steps designed to safeguard your personal information consistent with the requirements of applicable Data Protection Laws.

Where we transfer personal information that originates in the EEA, the United Kingdom, or Switzerland to a country that has not been recognized as providing an adequate level of protection under applicable data protection laws, we rely on appropriate safeguards, which may include the European Commission’s Standard Contractual Clauses, the UK International Data Transfer Agreement or UK Addendum, the Swiss FADP-equivalent mechanism, other approved contractual mechanisms, or, where available, reliance on adequacy decisions or applicable derogations. Where required, we also conduct transfer impact assessments in connection with such transfers.

Your account is stored by Sphere on secure servers maintained and operated by Sphere and by third-party service providers who are bound by and adhere to relevant data processing agreements in compliance with applicable Data Protection Laws. To request a copy of the safeguards we use for international transfers of your personal information, please contact us using the details in Section 14.

7. Your Privacy Choices and Rights

A. Your Privacy Choices

Email Communications: If you receive an unwanted marketing email from us, you can use the unsubscribe link at the bottom of the email to opt out of future marketing emails. You will continue to receive transaction-related and administrative communications regarding the Services you have requested, and other non-promotional communications (for example, communications regarding our Terms or this Privacy Notice), which you will not be able to opt out of.

Cookie Choices: You may stop or restrict the placement of Technologies on your device, or remove them, by adjusting your preferences as your browser or device permits. Where required by applicable law, we will request your consent to certain cookies via a cookie banner or in-product control. If you adjust your preferences, the Services may not work properly. Cookie-based opt-outs are not effective on mobile applications; you may, however, opt out of personalized advertisements on some mobile operating systems through their device settings. You must separately opt out in each browser and on each device.

B. Your Privacy Rights

Subject to applicable Data Protection Laws and to any applicable exceptions and limitations, you may have the following rights in relation to your personal information:

• Right to Know and Access. You may request confirmation of whether we are processing your personal information and, if so, access to or a copy of that information, including the categories of personal information we have collected, the categories of sources, our business or commercial purposes for collecting it, and the categories of third parties to whom we have disclosed it.
• Right to Data Portability. You may request to receive your personal information in a structured, commonly used, and machine-readable format, or to have it transmitted directly to another controller where technically feasible.
• Right to Correction. You may request correction of your personal information where it is inaccurate, incomplete, or out of date.
• Right to Deletion / Erasure. You may request deletion of your personal information, subject to exceptions provided by law (including our legal obligations to retain certain information for AML, tax, sanctions, audit, and other purposes).
• Right to Restrict or Object to Processing. You may request that we restrict the processing of your personal information or object to such processing, including to object to direct marketing communications and to certain processing based on our legitimate interests.
• Right to Withdraw Consent. Where we rely on your consent to process your personal information, you may withdraw that consent at any time. Your withdrawal will only take effect for future processing and will not affect the lawfulness of processing conducted prior to the withdrawal.
• Right to Limit Use of Sensitive Personal Information. You may request that we limit our use of sensitive personal information to those uses necessary to perform the Services or for other permitted business purposes.
• Right to Restrict Automated Decision-Making. You may have the right to request that we refrain from making decisions about you that are based solely on automated processing and that produce legal or similarly significant effects, subject to applicable exceptions.
• Right to Lodge a Complaint. You may have the right to lodge a complaint with your local data protection or supervisory authority. We hope you will contact us first so we can try to resolve your concerns.

C. How to Exercise Your Rights

To exercise any of these rights, please contact us at privacy@spherepay.co or using the contact details in Section 14. We will process requests in accordance with applicable Data Protection Laws. For your protection, we may take steps to verify your identity before fulfilling any request. We will not discriminate against you for exercising your privacy rights.

8. Data Security

We take appropriate technical and organizational measures designed to protect your personal information against loss, misuse, unauthorized access, disclosure, alteration, or destruction. These measures include encryption of data in transit and at rest, access controls, network security controls, vulnerability management, employee training, and vendor due diligence, and, where applicable to cardholder data, adherence to the Payment Card Industry Data Security Standard (PCI DSS), managed in partnership with our card issuing partners and processors.

Despite our efforts, no security measures are impenetrable, and we cannot guarantee “perfect security.” Any information you send to us electronically, while using the Services or otherwise interacting with us, may not be secure while in transit. We recommend that you do not use unsecure channels to send us sensitive or confidential information.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority without undue delay and, where required by applicable Data Protection Laws, within the timeframes prescribed by those laws. Where the breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly, unless an exception under applicable law applies. We maintain incident response procedures designed to support timely detection, investigation, containment, and notification of personal data breaches.

9. Data Retention

We retain your personal information for as long as is reasonably necessary for the purposes specified in this Privacy Notice, or for longer where required or permitted by applicable law. When determining the length of time to retain your information, we consider criteria including whether we need the information to continue providing you the Services; to resolve a dispute; to enforce our contractual agreements; to prevent harm; to promote safety, security, and integrity; to meet legal, tax, accounting, and financial-crime recordkeeping requirements; or to protect our rights, property, or products. In particular, we retain certain categories of your information as follows:

• your account data for as long as you keep your account open or as needed to provide you with the Services;
• if you contact us, we will keep your communications and related data for 60 months after you contact us;
• your technical usage information for 60 months;
• data on your use of the Services for 60 months; and
• records relating to transactions or activity subject to U.S. sanctions review, including potential or confirmed OFAC list matches, for 120 months.

We undertake periodic reviews to ensure that personal information that is no longer needed is destroyed, deleted, or effectively de-identified in accordance with our data retention policy.

10. Children’s Information

The Services are not directed to children, and we do not knowingly collect personal information from children under 13 years of age (or such other age as required under local law). If we become aware that we have collected personal information from a child in violation of applicable law, we will make commercially reasonable efforts to delete such information and, if applicable, terminate the child’s account. If you are a parent or guardian and believe your child has provided us with personal information, please contact us using the details in Section 14.

11. Third-Party Websites, Links, and Social Features

The Services may contain links to, or integrations with, third-party websites, applications, and platforms, including financial institutions, cryptocurrency exchanges, and social networks (“Social Features”). These third-party services are not controlled by us. If you use Social Features or follow links to third-party sites or platforms, the third party may collect and use your information independently. Information you post or make accessible via Social Features may be publicly displayed. We encourage you to read the privacy notices, policies, and terms of each third-party website, application, or platform with which you interact. Providing personal information to third-party websites or applications is at your own risk. Our inclusion of such links does not, by itself, imply any endorsement of those third parties.

12. U.S. Consumer Financial Privacy Notice (Gramm-Leach-Bliley Act)

This section provides additional disclosures required under the U.S. Gramm-Leach-Bliley Act (“GLBA”) and its implementing regulations regarding how we collect, use, and share your nonpublic personal information (“NPI”) in connection with financial products and services we provide to U.S. individuals for personal, family, or household purposes.

Why We Provide This Notice

As a provider of financial products and services, Sphere is required under U.S. federal law to provide this notice describing our privacy policies and practices regarding your NPI.

Information We Collect

We collect NPI about you from the following sources:

• Information you provide to us in connection with your application for, or use of, the Services, such as your name, address, tax identification number, and financial account information (as described further in Section 2(A) above);
• Information about your transactions with us, our affiliates, or others, such as your account balance, transaction history, payment activity, and currency amounts (as described further in Section 2(A) above); and
• Information we receive from third parties, such as identity verification services, credit reporting agencies, and fraud prevention organizations.

Information We Disclose

We may disclose the NPI described above to the following categories of third parties, as permitted by law:

• Service providers that perform services on our behalf, such as payment processing, identity verification, AML/CTF transaction monitoring, sanctions screening, tax reporting, data hosting, and fraud prevention;
• Financial institution partners (including our banking and card issuing partners) as necessary to provide the Services and process your transactions;
• Affiliates for everyday business purposes related to your transactions and experiences with us; and
• Government agencies and law enforcement, as required or permitted by law, including in response to subpoenas, court orders, or regulatory inquiries.

We do not disclose your NPI to nonaffiliated third parties for the purpose of marketing their products or services to you. We do not sell your NPI.

Your Ability to Limit Sharing

Under U.S. federal law, you have the right to limit certain types of NPI sharing. The table below summarizes our sharing practices and your rights:

Because we do not share your NPI in ways that would trigger your right to opt out under the GLBA, no opt-out notice is required at this time. If our sharing practices change, we will update this notice and provide you with the opportunity to opt out as required by law.

How We Protect Your NPI

To protect your NPI from unauthorized access and use, we use security measures that comply with applicable U.S. federal and state . These measures include administrative, technical, and physical safeguards designed to protect the security, confidentiality, and integrity of your NPI, including encryption of data in transit and at rest, access controls, and employee training.

Protection of Former Customers’ Information

If you close your Sphere account or otherwise cease to be a customer, we will continue to treat your NPI in accordance with this U.S. Consumer Financial Privacy Notice and the rest of this Privacy Notice.

13. Supplemental Notices by Jurisdiction

A. California Residents

This section provides additional disclosures required under California law, including the CCPA. Personal information collected, used, and disclosed for purposes of providing financial products and services subject to the GLBA is exempt from certain provisions of the CCPA; the CCPA disclosures in this section apply to personal information not otherwise exempt.

The categories of personal information we collect and the purposes for which we use this information are described in Sections 2 and 3 above. Consistent with Sections 3 and 4, we do not “sell” or “share” your personal information as those terms are defined under the CCPA. We may disclose the following categories of personal information for business purposes: identifiers; commercial information; financial information; internet or network activity information; geolocation data; professional or employment-related information; and, to the extent applicable, sensitive personal information.

California residents have the right to request access to, correction of, and deletion of their personal information; the right to know what personal information is collected and disclosed; the right to limit use of sensitive personal information; and the right to opt out of the sale or sharing of personal information. To exercise these rights, please contact us as set forth in “Contact Us” below. We will not discriminate against you for exercising your CCPA rights. California’s “Shine the Light” law also permits California residents to request and obtain from us, once a year and free of charge, a list of the third parties to whom we have disclosed their personal information (if any) for their direct marketing purposes in the prior calendar year, as well as the type of personal information disclosed to those parties.

B. Nevada Residents

If you are a resident of Nevada, you have the right to opt out of the sale of certain personal information to third parties who intend to license or sell that personal information. Please note that we do not currently sell your personal information as “sale” is defined in Nevada Revised Statutes Chapter 603A.

C. Other U.S. State Residents

Depending on your state of residence, you may have additional rights under state privacy laws (including those of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, Delaware, and other states with comprehensive privacy laws). These may include the rights to access, correct, delete, and port your personal information; to opt out of targeted advertising, sale, or certain profiling; and to appeal a denial of a privacy request. To exercise these rights, please contact us using the details in Section 14. If we deny your request, you may appeal our decision by replying to our response.

D. Users in the EEA, United Kingdom, and Switzerland

This section applies to users located in the EEA, the United Kingdom, or Switzerland and supplements the information in Sections 5, 6, and 7 above.

Our legal bases for processing your personal information are described in Section 5. If your personal information is subject to the GDPR, UK GDPR, or the Swiss FADP, you have the right to lodge a complaint with the competent supervisory authority if you believe that our processing of your personal information violates applicable law, including:

• EEA Data Protection Authorities (DPAs);
• UK Information Commissioner’s Office (ICO); and
• Swiss Federal Data Protection and Information Commissioner (FDPIC).

You may also contact our EEA or UK Representatives at the addresses set out at the beginning of this Privacy Notice.

E. Singapore Residents

If you are located in Singapore, we process your personal data in accordance with the Singapore Personal Data Protection Act (“SG PDPA”). You may contact our Data Protection Officer using the details in Section 14 to make access, correction, or withdrawal-of-consent requests, or to raise any concerns about our processing of your personal data. You may also lodge a complaint with the Personal Data Protection Commission of Singapore.

F. Brazil Residents

If you are located in Brazil, we process your personal data in accordance with the Lei Geral de Proteção de Dados (“LGPD”). The legal bases on which we rely include performance of a contract, compliance with a legal or regulatory obligation, legitimate interests, and, where applicable, your consent. You have the right to request confirmation of processing, access, correction, anonymization, blocking, or deletion of unnecessary or excessive data, data portability, information about third parties with whom your data is shared, and revocation of consent. To exercise these rights, please contact us using the details in Section 14. You may also file a complaint with the Autoridade Nacional de Proteção de Dados (ANPD).

G. Other Non-U.S. Users

Where you are located in a jurisdiction not specifically listed above, you may still have rights under your local Data Protection Laws. We process personal information of all individuals in accordance with applicable local law, regardless of where you are located.

14. How to Contact Us

Should you have any questions about our privacy practices or this Privacy Notice, or to exercise any of your rights described in this Privacy Notice, please email us at privacy@spherepay.co, or write to us at:

Sphere Laboratories, Inc.
Attn: Data Protection Officer
8 The Green, #22219
Dover, DE 19901, USA

EEA and UK Representatives are identified at the beginning of this Privacy Notice.

‍