This policy and applicable supporting procedures are designed to provide Pave with a
documented and formalized process for protecting individuals’ privacy. Respect for the
privacy of personal and other information is fundamental to us. This privacy policy
describes our collection of personal information from users of our Web site (“Website” or
“Site”), our Platform, as well as all related applications, widgets, software, tools, and other
services provided by us and on which a link to this Policy is displayed (collectively,
together with the Website, our “Service”). This Policy also describes our use and disclosure
of such information. By using our Service, you consent to the collection and use of
personal information in accordance with this policy.

This policy and supporting procedures cover the privacy of all data collected by Pave in its
interaction with individuals in its business operations.

Pave is a Business-to-Business service and thus does not engage with individual customers
directly. Instead, Pave processes data on behalf of other businesses and companies that
use our service. In other words, all personal data received has been processed by our
customer prior to the use of our service. Therefore, our customers are responsible for
understanding the risks of sharing personal information with third-parties like Pave.

When mentioning ‘you’ throughout this policy we are referencing the individual user that
accesses the Pave API on behalf of their ‘company’ or ‘enterprise’.

The following roles and responsibilities are to be developed and subsequently assigned to
authorized personnel within Pave regarding privacy practices:
• Chief Executive Officer: Responsibilities include providing overall direction, guidance,
leadership, and support on methods and tools for the implementation of a security and
privacy-related program. The Chief Executive Officer will conduct resource and investment
planning to implement the management, operational, technical, and privacy requirements
of the program.
• Oversight Committee: Responsibilities include approving and monitoring adherence to this
policy, analyzing the organization’s environment, and the legal requirements with which it
must comply. Additional responsibilities include:
 - Execute the privacy operations of the firm, including monitoring the system used to
solicit, evaluate, and respond to individual privacy complaints and problems.
 - Evaluate implemented privacy controls;
 - Assessing existing policies and procedures that address privacy areas;
 - Working with appropriate departments to ensure compliance with privacy policies
and procedures;
 - Recommending and monitoring, in conjunction with the relevant departments, the
development of internal systems and controls to carry out the organization’s privacy
objectives;
 - Report to the Chief Executive Officer on the effectiveness of the privacy
controls/program in meeting applicable regulatory requirements and standards.

“Personal Information,” as used in this policy, is information that specifically identifies an
individual, such as an individual’s name, social security number, telephone number, or e-
mail address. Personal information also includes information about an individual’s activities,
such as information about his or her activity on the Site or credit history, and demographic
information, such as date of birth, gender, address, geographic area, and preferences,
when any of this information is linked to personal information that identifies that individual.

Personal information does not include “aggregate” or other non-personally identifiable
information. Aggregate information is information that we collect about a group or
category of products, services, or users that is not personally identifiable or from which
individual identities are removed. We may use and disclose aggregate information, and
other non-personally identifiable information, for various purposes.

When you use the Service, some information may be automatically collected, such as your
IP address, browser type, system type, the content and pages that you access on the Site,
“referring URL” (i.e., the page from which you navigated to the Site), the pages you
navigate to on the Site, and from which you leave the Site, as well as the time you spend
on the Site.

We collect this information passively using technologies such as standard server logs,cookies, and clear GIFs (also known as “Web beacons”). We use passively-collectedinformation to administer, operate, and improve the Site and our other services andsystems, and to provide services and content that are tailored to you. If we link orassociate any information gathered through passive means with personal information, wetreat the combined information as personal information under this policy. Otherwise, weuse information collected by passive means in a non-personally identifiable form only.

Also, please be aware that third parties may set cookies on your hard drive or use othermeans of passively collecting information about your use of their services or content. Wedo not have access to, or control over, these third-party means of passive data collection.

We may collect personal and transactional information that our users provide to us in avariety of ways through our Service. For instance, when you use our API, requestinformation about our services, or otherwise communicate with us, we collect theinformation that is provided to us. We may collect personal information such as name, e-mail address, city, state, country, other demographic information, certain informationcollected by automated means, such as cookies, web beacons and web server logs, yourinterests and preferences in these manners, and any data you upload via our API.

We may receive information about you, including personal information, from third parties,and may combine this information with other personal information we maintain about you.If we do so, this policy governs any combined information that we keep in a personally-identifiable format.

We use personal voluntarily provided information to provide services and information that
you request; to enhance, improve, operate, and maintain the Site and Service, our
programs, services, website, and other systems; to prevent fraudulent use of our Site and
Service; to tailor your user experience; to maintain a record of our dealings with you, and
for other administrative purposes.

We may also use the voluntarily provided information you provide to contact you regarding our products and services. We allow you to opt-out from receiving marketing
communications from us as described in the “Choice” section below.

We will not disclose your personal information or voluntarily provided information to third
parties without your consent, other than as described in this policy.

We may disclose this information to third-party service providers (e.g., data storage and processing facilities) that assist us in our work. We limit the information provided to these service providers to
that which is reasonably necessary for them to perform their functions.

We may also disclose information if we believe that doing so is legally required or is in our
interest to protect our property or other legal rights (including, but not limited to,
enforcement of our agreements), or the rights or property of others.
In addition, information about our users, including personal information, may be disclosed
as part of any merger, acquisition, debt financing, sale of company assets, or similar
transaction, as well as in the event of an insolvency, bankruptcy, or receivership in which
personal information could be transferred to third parties as one of our business assets.

We do not disclose the personally identifiable data of our enterprise customers’ clientele at
any point during the term of our agreement.

If you receive commercial email from us, you may unsubscribe at any time by following the
instructions contained within the email. You may also opt-out from receiving commercial
email from us by sending us an email or by writing to us at the address given at the end of
this policy.

Our enterprise customers have the ability to choose the data that they share with us and
are not required at any point to share the personally identifiable information of their
clientele.

For your convenience, the Site may contain links to other Web sites, products, or services that we do not own or operate. If you choose to visit or use any third-party products or services, please be aware that this policy will not apply to your activities or any information you disclose while using third-party products or services or otherwise interacting with third parties.

Children’s safety is important to us, and we encourage parents and guardians to take an active interest in the online activities of their children. We do not knowingly collectpersonal information from children under the age of 13 without obtaining parental consent.

Our Site and Service is hosted in the United States and is generally intended for UnitedStates visitors. If you visit from the European Union or other regions with laws governing data collection and use that may differ from U.S. law, please be aware that you are transferring personal information to the United States. The United States does not have the same data protection laws as the European Union and some other regions. By providing personal information to us, you consent to the transfer of it to the United States and theuse of it in accordance with this policy.

Pave protects the Information it collects with reasonable and appropriate physical,electronic, and procedural safeguards. We use reasonable security measures that aredesigned to protect personal information from loss, misuse, and unauthorized access,disclosure, alteration, or destruction. Please note, however, that no data security measurescan be guaranteed to be completely effective. Consequently, we cannot ensure or warrantthe security of any personal information or other information. You transmit information tous at your own risk.

We may occasionally update this Policy. When we do, we will also revise the “last updated”date at the beginning of the policy. Your continued use of this Service after such changeswill be subject to the then-current policy. We encourage you to periodically review thispolicy to stay informed about how we collect, use, and disclose personal information.

If you have any questions, comments, or concerns about this privacy policy or yourpersonal information, please contact us at soc2@pave.dev. If you have a complaint that wehave breached these privacy principles and attempted in good faith to resolve thecomplaint through our customer service process, but the complaint was not resolved by uswithin a reasonable amount of time, then you may enforce these privacy principles againstus.

The Policy Owner owns this Policy and is responsible for reviewing the Policy for updates
annually, or following major changes to Pave ‘s compliance environment. The Policy
Approver retains approving authority over this Policy.

Pave periodically monitors adherence to this Policy to help ensure compliance withapplicable laws, requirements, and contractual agreements that apply to Client &Consumer Data. Pave may also establish enforcement mechanisms, including disciplinaryactions, to help ensure compliance with this Policy.

• Information Security Policy
• Data Protection and Handling Policy