This Policy sets out what Personal Data we might collect, how we process and protect that data, the lawful grounds for that processing, and your related rights. We always seek to comply with the data protection laws applicable to our processing of personal data. 'Personal Data' covers legally defined terms like 'personally identifiable information' or 'personal information' in various jurisdictions, including the EU, UK, and the US. Essentially, Personal Data means any information relating to an identified or identifiable natural person. This Policy and our processes are based upon General Data Protection Regulation ('GDPR') principles, as it is a global standard for data protection. Note for Residents of the European Economic Area, Switzerland and the United Kingdom: The EU GDPR and UK GDPR may apply directly to our processing. Please see the section below titled 'Your Rights Under GDPR' for specific details on your rights. We will update this policy from time to time by posting a new policy on the Website. It is your responsibility to check for changes.

We have identified six general categories of processing activities for which we collect Personal Data as part of our operations: Threat & Alerting Data, Client Platform Data, Marketing Data, Website Improvement Data, Technology Collected Data, and Recruiting Data. Controller: We are the 'controller' for Marketing Data, Website Improvement Data, Technology Collected Data, and Recruiting Data as we determine the purposes and essential means of processing. Processor: We are the 'processor' of Threat & Alerting Data and Client Platform Data as the client remains the 'controller' of this data, and we only process it to fulfil our contract with them and on their instructions.

We collect or are provided Personal Data in the normal course of business. While providing data is never a requirement, not providing the necessary data may prevent us from responding to your query or providing Services to you. We use Personal Data to provide, secure, manage, and improve our Services and to meet any binding contractual or legal obligations. The lawful grounds for processing are typically: Legitimate Interests — Necessary for our legitimate interests in carrying out our business (e.g., to maintain, improve and market our products and services). Contract — Necessary to perform a contract with you. Legal Obligation — Necessary to comply with our legal obligations. Consent — When processing is based on your consent, which you can withdraw. Sharing Your Personal Data: We will not give, sell, or rent your Personal Data to third parties for their marketing purposes. We do not accept advertising from third parties on the Website. However, we may share Personal Data in limited circumstances to comply with a law or legal request, or if we enter negotiations for the sale or purchase of all or part of our business.

Below is an aggregated overview of the information required by GDPR for the general types of processing activities. Threat & Alerting Data — Names of client employees/contractors, contact information, location data when near a threat, and platform access credentials. Purpose: To provide threat data, tailored alerts, secure two-way communication, and emergency response services. Lawful Basis: Legitimate Interests or Contract. Client Platform Data — Names of client employees or contractors, email address, username, and password, or data entered into the Services to access deliverables. Purpose: To respond to enquiries and provide Services. Lawful Basis: Legitimate Interests or Contract. Marketing Data — Name, email address, telephone number, business title, professional information, and interests/preferences. Purpose: To market our Services by email or through social media. Lawful Basis: Legitimate Interests or Consent. Website Improvement Data — IP address, pages visited, and Service usage information. Purpose: To analyse and improve the Website and Services. Lawful Basis: Legitimate Interests, Contract or Consent. Technology Collected Data — Online identifiers (IP address, email address), browsing history, and geolocation data collected by cookies. Purpose: To personalize content, provide social media features, and analyze our Website traffic. Lawful Basis: Legitimate Interests or Consent. Recruiting Data — CV, education records, professional or other employment history data, criminal history, and financial data. Purpose: To manage our recruitment activities. Lawful Basis: Legitimate Interests.

We generally do not collect 'special categories of personal data' (GDPR), except when provided by you as part of Recruiting Data, or as described below. Threat & Alerting Data: We collect sensitive data, such as Geolocation, to meet our contractual obligations to clients who have legal or other obligations to provide appropriate communication and security to their personnel. Financial Data: We do not collect or process any bank, debit, or credit card data through our websites or Services.

Our Website servers and data processing facilities may be located in other countries. The servers that host our client platform are located in Ireland and the United Kingdom, and may be accessed from other countries. By using any portion of the Website or Services, you are consenting to the transfer of your Personal Data to these facilities and those third parties with whom we share it as described in this Privacy Policy. To govern transfers of Personal Information from the EU/EEA to recipients outside the EU/EEA, we have entered into Standard Contractual Clauses adopted by the European Commission.

Retention: We will only retain Personal Data for any statutory retention period, then a reasonable period necessary for the above purposes. Our clients determine the retention period for the Client Platform data. Security: We take appropriate technical and organisational measures to protect your Personal Data. We may create anonymised data from Personal Data, which is no longer subject to this Privacy Policy.

Under the UK and EU GDPRs, you have the following rights: Access — Know if we process your data and, if so, receive a copy of that data. Rectification — Ask us to remove or correct inaccurate data. Object — Object to certain processing, including for direct marketing. Withdraw Consent — Withdraw any consent you may have given us. Restriction — Ask us to restrict processing certain data. Erasure — Ask us to erase your personal data. Portability — Ask us to 'port' certain of your personal data to you or another provider.

If you have any questions or wish to exercise any of your rights, you can contact us: Email: contact@crowdthreat.com Mail: Privacy Policy Administrator, Crowd Threat, 15A Cobalt Business Park, Quick Silver Way, Newcastle Upon Tyne, NE27 0QQ We will send an initial acknowledgement within ten (10) business days and will typically complete your request within forty-five (45) days of receipt.