VNDLY, INC.

User Privacy Policy - Services

Last Revised: December 1, 2021

PLEASE READ THIS PRIVACY POLICY CAREFULLY BEFORE USING THE SERVICES

VNDLY, Inc. (“VNDLY” or “we”), recognizes the importance of your privacy. This Privacy Policy outlines the types of Personally Identifying Information we gather when you use any electronic service made available by VNDLY with this Privacy Policy, such as the Vendor Management System, Hosted SaaS Environment, and website (collectively, the “Service(s)”), and how we use that information. It is important to review this Privacy Policy in its entirety and it should be read in conjunction with our User Terms of Use, into which this Policy is incorporated by reference. When you use our Services as an employee of a VNDLY customer, your use of the Services and the information processed may also be subject to the policies and other requirements of your employer, as well.

As part of the operation of our Services, certain pieces of information are gathered about the users (individually, “you” or a “User” and collectively, “Users”). This Privacy Policy contains explanations regarding the types of information collected, what is done with such information, and how to correct or change the information. This Policy may change from time to time (see below, “Changes to this Policy”). Your continued use of our Services after we make changes is deemed to be acceptance of those changes, so please check the Policy periodically for updates.

This Policy applies to information we collect from the Services or in emails and other electronic messages between you and the Services, and information gathered when you interact with our advertising on third-party websites if such advertisements include links to this Policy. This Policy does not apply to information collected by us offline or through any other means, including on any other website operated by VNDLY or any third party, or information collected by any third party through any application or content (including advertising) that may link to or be accessible from the Services (for further information, see below, “Third-party Websites”).

The Information We Collect

Information You Provide to VNDLY. We collect Personally Identifying Information that you provide to VNDLY. “Personally Identifying Information” is information that individually identifies you, such as your

• first and last name;
• physical address;
• phone number;
• e-mail address;
• comments or messages provided in free-form text fields;
• resume or C.V.;
• citizenship and work authorization status; and
• any other information that would allow someone to identify or contact you.

You may provide us Personally Identifying Information when you:

• request information;
• schedule a demonstration;
• submit an employment application; or
• subscribe to our emails.

VNDLY asks for your Personally Identifying Information so that it can provide recruiting services. The information that you provide in each case will vary and we may ask you to create a username and password that should only be known to you. Of course, you may choose not to provide VNDLY with Personally Identifying Information. However, this choice may prevent VNDLY from providing you with any recruiting services or otherwise helping to facilitate placement for a job or project.

Information Provided by Third Parties. VNDLY neither creates information about job seekers, such as background checks or consumer reports, nor does VNDLY receive information about job seekers and companies from third parties. However, a Company (as defined herein) may upload such information on their own candidates in the Service.

Sensitive Information. Even though you may provide us Personally Identifying Information, you should still exercise discretion in the information you choose to provide, such as in free-form text fields. In particular, you should not provide your social security number or protected health information (“PHI”) as covered by the Health Insurance Portability and Accountability Act.

Information We Collect Automatically When You Use our Services

When you access or use our Services, we may automatically collect information about you using automated tools that are detailed below. These tools may collect information about your behavior and your computer system, such as your internet address (IP Address), the pages you have viewed, and the actions you have taken while using our Services. Some of the tools we use to automatically collect information about you may include:

1. Cookies. A “cookie” is a small data file transmitted from a website to your device’s hard drive. Cookies are usually defined in one of two ways, and we may use both of them:
   1. session cookies, which do not stay on your device after you close your browser, and
   2. persistent cookies, which remain on your device until you delete them or they expire.

   We use the following categories of cookies on our Services.

   1. Strictly Necessary Cookies. These cookies are essential in order to enable you to move around our Services and use its features. Without these cookies, services you have requested, such as maintaining a record of your purchased items (e.g. a shopping cart), cannot be provided.
   2. Performance Cookies. These cookies collect anonymous information on how people use our Services to help us understand how you arrive at our site, browse or use our Services and highlight areas where we can improve, such as navigation. The data stored by these cookies never shows personal details from which your individual identity can be established.
   3. Functionality Cookies. These cookies remember choices you make such as the country from which you visit our Services, your preferred language, and your search parameters. This information can then be used to provide you with an experience more appropriate to your selections and to make your visits to our Services more tailored to your preferences. The information in these cookies may be anonymized. These cookies cannot track your browsing activity on other websites.
   4. Google Analytics. We may share your information with Google Analytics, a web analysis service provided by Google. The Service sends aggregated, non-Personally Identifying Information to Google Analytics for the purpose of providing us with the ability to conduct technical and statistical analysis on the Service’s performance. For more information on how Google Analytics supports our Services and uses information sent from our Services, please review Google’s privacy policy available at https://policies.google.com/technologies/partner-sites.

      Of course, if you do not wish to have cookies on your devices, you may turn them off at any time by modifying your internet browser’s settings. However, by disabling cookies on your device, you may be prohibited from full use of the Service’s features or lose access to some functionality.

2. Web Beacons. A Web Beacon is an electronic image. Web Beacons can track certain things from your computer and can report activity back to a web server allowing us to understand some of your behavior. If you choose to receive emails from us, we may use Web Beacons to track your reaction to our emails. We may also use them to track if you click on the links and at what time and date you do so. Some of our third-party marketing partners may use Web Beacons to track your interaction with online advertising banners on our Services. This information is only collected in aggregate form and will not be linked to your Personally Identifying Information. Please note that any image file on a webpage can act as a Web Beacon.
3. Embedded Web Links. Links provided in our emails and, in some cases, on third-party websites may include tracking technology embedded in the link. The tracking is accomplished through a redirection system. The redirection system allows us to understand how the link is being used by email recipients. Some of these links will enable us to identify that you have personally clicked on the link and this may be attached to the Personally Identifying Information that we hold about you. This data is used to improve our service to you and to help us understand the performance of our marketing campaigns.
4. Social Media Features and Widgets. Our Services includes social media features and widgets. These features may collect your IP address, which page you are visiting through our Services, other information, and may set a cookie to enable the feature to function properly. Social media functions are either hosted by a third party or hosted directly through our Services. Your interactions with these features are governed by the privacy policy of the company providing them.

Your Choices and Selecting Your Privacy Preferences

We want to provide you with relevant information that you have requested.

In the event we provide subscription-based services, such as email newsletters or other informational updates, we will allow you to make choices about what information you provide at the point of information collection or at any time after you have received a communication from us while you are subscribed. Any transactional or service-oriented messages are usually excluded from such preferences, as such messages are required to respond to your requests or to provide goods and services, and are not intended for the purposes of marketing.

We will not intentionally send you email newsletters and marketing emails unless you consent to receive such marketing information. After you request to receive these emails, you may opt out of them at any time by selecting the “unsubscribe” link at the bottom of each email. Please note that by opting out or unsubscribing you may affect other services you have requested we provide to you, in which email communication is a requirement of the service provided.

Any such communications you receive from us will be administered in accordance with your preferences and this Policy. In addition, under the Privacy Shield Principles, you have the right to opt out of uses of your personal information or disclosures of your personal information to third parties. You may submit an opt-out request via email to privacy@vndly.com.

Using the Information

Use in General. We may use your information for a variety of purposes, including to:

• Provide, operate, maintain and improve our Services;
• Comply with the terms of any applicable contract with a Company;
• Respond to your comments, questions, and requests and to provide customer service and support;
• Conduct research;
• Facilitating the recruiting, staffing, and searching process to help job seekers find projects and assignments appropriate for their skills and companies find qualified applicants for such assignments;
• Prevent potentially illegal activities;
• Fulfill your requests for our Services;
• Provide information that is relevant to you;
• Monitor and analyze trends, usage, and activities in connection with our Services; and
• For other purposes about which we notify you.
• Use of Aggregate or De-Identified Information. In addition to the individual data use described in this Privacy Policy, we may aggregate information about you and other individual users together, or otherwise de-identify the information about you, so that the information does not identify you personally. We may use information in these forms for a variety of purposes, including for research and analysis, administration of our Services, and advertising.

Sharing and Disclosure of Information

We will not share Personally Identifying Information about you with any third parties except as described in this Privacy Policy. We will share your Personal Information with the following third parties in order to fulfill the service that they provide to us. These third-parties are under contract to keep your Personal Information secure and not to use it for any reason other than to fulfill the service we have requested from them.

• Potential employers. If you are a job seeker, we may share your Personally Identifying Information with potential employers to provide staffing and recruiting services. In connection with such services, we may need to disclose certain data about your previous employment including, without limitation, your resume and corresponding information to the extent permitted by law.
• Service Providers. We may share your Personally Identifying Information with third-party vendors, Contractors, and other service provides who are working on behalf of VNDLY and require access to your Personally Identifying Information to carry out that work.
• Company. Use of the Services and any user information associated with those Services may also be subject to the terms of separate written agreements between VNDLY and its clients (“Company”). If you have a relationship with a Company, we may share your Personally Identifying Information with that Company, as required under such contracts.
• Compliance with Laws. We may disclose your Personally Identifying Information to a third party if (1) we believe that disclosure is reasonably necessary to comply with any applicable law, regulation, legal process or governmental request, (2) to enforce our agreements, policies, or Terms of Use, (3) to investigate and help prevent security threats, fraud, or other malicious activity, (4) to protect the rights or personal safety of VNDLY’s employees, or (5) to respond to an emergency which we believe in good faith requires us to disclose such information to assist in preventing the death or serious bodily injury of any person.
• Business Transfers. We may share or transfer information we have collected under this Privacy Policy in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
• Affiliates. We may share information we have collected under this Privacy Policy with affiliates of VNDLY for use as otherwise described in this Privacy Policy.

There are circumstances where VNLDY may decide to buy, sell, or reorganize its business in selected countries. Under these circumstances, it may be necessary to share or receive Personally Identifying Information with prospective or actual partners or affiliates. In such circumstances, VNDLY will ensure your information is used in accordance with this Policy.

Your California Rights

Pursuant to California Civil Code Section § 1798.83, we will not disclose or share your Personally Identifying Information with third parties for the purposes of third-party marketing to you without your prior consent.

Other than as disclosed in this Policy, the Website does not track users over time and across third-party websites to provide targeted advertising. Therefore, the Website does not operate any differently when it receives Do Not Track (“DNT”) signals from your internet web browser.

If you are a California consumer as defined by the California Consumer Privacy Act of 2018 (“CCPA”), you may be afforded additional rights with respect to your “Personal Information” as that term is explicitly defined under California law. Any Personal Information we collect is collected for the commercial purpose of effectively operating our Services, communicating with you, as well as enabling you to learn more about, and benefit from, our services.

Under the CCPA, you may be able to exercise any of the following rights, once your identity is properly verified. If you have an existing relationship with a VNDLY customer, or Company, please direct any such requests to the Company, as VNDLY is required to comply with any such Company directions under the CCPA.

Prohibit Data Sharing. When applicable, you may prohibit the sharing of your Personal Information by submitting a request via email to privacy@vndly.com. In your email, please explain how you wish us to prohibit the sharing of your personal data, and which categories of third parties you want to prohibit from receiving your Personal Information. When such prohibitions are not possible to provide our services to you, we will advise you accordingly. You can then choose to exercise any other rights under this Policy.

Portability. Upon request and when possible, we can provide you with copies of your Personal Information. You may submit a request via email to privacy@vndly.com. When such a request cannot be honored, we will advise you accordingly. You can then choose to exercise any other rights under this Policy.

Deletion. If you should wish to cease use of our Service and have your Personal Information deleted from our Service, then you may submit a request by emailing us at privacy@vndly.com. Upon receipt of such a request for deletion, we will confirm receipt and will confirm once your Personal Information has been deleted. Where applicable, we will ensure such changes are shared with trusted third parties.

We do not sell your Personal Information. If we ever decide to sell Personal Information, we will provide you notice and update this Privacy Policy. In addition, we will post a link entitled “Do Not Sell My Personal Information” by which you can opt out of any such selling of your Personal Information.

In addition, if a California resident exercises his or her rights under California law, including the CCPA, we shall not discriminate against that California resident by denying our goods or services, charging different prices or rates to similarly situated consumers, providing a different level or quality of our goods or services, or taking any other adverse action.

For Website Visitors in the European Union (“EU”)

Under the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016, or “GDPR”), individuals in the EU are afforded specific rights with respect to their Personal Information, or “personal data” as defined under the GDPR. For the purposes of this Policy, VNDLY operates as a data processor. Any personal data we collect from you, on behalf of a Company, is processed in the United States, unless otherwise set forth in the Master Service Agreement, and under the terms of this Policy.

Any personal data we collect from you is processed in the legitimate interest of our business and providing our services to you as the lawful means of such processing. You may always withdraw your consent to our use of your personal data as described below. We will only retain your personal data for the time necessary to provide you the information and services to which you have consented, to comply with the law and in accordance with your rights below.

The Data Processor is:

VNDLY, Inc.

4900 Parkway Drive, Suite 125, Mason, OH 45040

privacy@vndly.com

You can exercise any of the following rights, subject to verification of your identity, by notifying us as described below:

• Automated Processing and Decision-Making. You may email us at privacy@vndly.com to request that we stop using your personal data for automated processing, such as profiling. In your email, please explain how you wish us to restrict automated processing of your personal data. When such restrictions are not possible, we will advise you accordingly. You can then choose to exercise any other rights under this Policy, to include withdrawing your consent to the processing of your personal data.
• Correction or Rectification. You can correct what personal data our Website database currently contains by accessing your account directly, or by emailing us at privacy@vndly.com to request that we correct or rectify any personal data that you have provided to us. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause information to be incorrect. Where applicable, we will ensure such changes are shared with trusted third parties.
• Restrict Processing. When applicable, you may restrict the processing of your personal data by submitting a request via email to privacy@vndly.com. In your email, please explain how you wish us to restrict processing of your personal data. When such restrictions are not possible, we will advise you accordingly. You can then choose to exercise any other rights under this Policy, to include withdrawing your consent to the processing of your personal data. Where applicable, we will ensure such changes are shared with trusted third parties.
• Object to Processing. When applicable, you have the right to object to the processing of your personal data by submitting a request via email to privacy@vndly.com. When such objections are not possible, we will advise you accordingly. You can then choose to exercise any other rights under this Policy, to include withdrawing your consent to the processing of your personal data. Where applicable, we will ensure such changes are shared with trusted third parties.
• Portability. Upon request and when possible, we can provide you with copies of your personal data. You may submit a request via email to privacy@vndly.com. When such a request cannot be honored, we will advise you accordingly. You can then choose to exercise any other rights under this Policy, to include withdrawing your consent. Where applicable, we will ensure such changes are shared with any trusted third parties.
• Withdraw Consent. At any time, you may withdraw your consent to our processing of your personal data through this Website by notifying us via email at privacy@vndly.com. Using the same email address associated with your Website account, simply type the words “WITHDRAW CONSENT” in the subject line of your email. Upon receipt of such a withdrawal of consent, we will confirm receipt and proceed to stop processing your personal data. Where applicable, we will ensure such changes are shared with trusted third parties.
• Erasure. If you should wish to cease use of our Website and have your personal data deleted from our Website, then you may submit a request by emailing us at privacy@vndly.com. Upon receipt of such a request for erasure, we will confirm receipt and will confirm once your personal data has been deleted. Where applicable, we will ensure such changes are shared with trusted third parties.

Submit Complaints or Questions. If you wish to raise a complaint on how we have handled your personal data, you can contact us as described below under “Accountability, Compliance and Contact.” If you reside in a European Union member state, you may also lodge a complaint with the supervisory authority in your country.

EU-U.S. Privacy Shield Framework

VNDLY participates in and complies with the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the United Kingdom, and Switzerland to the United States. VNDLY has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. VNDLY is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit the Department of Commerce’s Privacy Shield website.

Please direct any inquiries or complaints regarding our compliance with the Principles to privacy@vndly.com. If VNDLY does not resolve your complaint, you may submit your complaint free of charge for resolution to JAMS, VNDLY’s designated independent Privacy Shield dispute resolution provider. Under certain conditions specified by the Principles, you may also be able to invoke binding arbitration to resolve your complaint. If VNDLY shares EU Data with a third-party service provider that processes the data solely on VNDLY’s behalf, then VNDLY may be held liable for that third party’s processing of EU Data in violation of the Principles, unless VNDLY can prove that it is not responsible for the event giving rise to the damage.

Users Located in Australia

If you are a User who accesses our Service in Australia, this section applies to you. We are subject to the operation of the Privacy Act 1988 ("Australian Privacy Act"). Here are the specific points you should be aware of:

• We will not use or disclose Personal Information for the purpose of our direct marketing to you unless:
• you have consented to receive direct marketing;
• you would reasonably expect us to use your personal details for marketing; or
• we believe you may be interested in the material but it is impractical for us to obtain your consent.

You may opt out of any marketing materials we send to you through an unsubscribe mechanism. If you have requested not to receive further direct marketing messages, we may continue to provide you with messages that are not regarded as "direct marketing" under the Australian Privacy Act, including changes to our terms, system alerts, and other information related to your account as permitted under the Australian Privacy Act and the Spam Act 2003 (Cth).

• Our servers are located in the United States. In addition, we, or our subcontractors, may use cloud technology to store or process Personal Information, which may result in storage of data outside Australia. It is not practicable for us to specify in advance which country will have jurisdiction over this type of offshore activity. All of our subcontractors, however, are required to comply with the Australian Privacy Act in relation to the transfer or storage of Personal Information overseas.
• We may also share your Personal Information outside of Australia to our business operations in other countries. While it is not practicable for us to specify in advance each country where your Personal Information may be disclosed, typically we may disclose your Personal Information to the United States, Canada and the European Union.
• You may access the Personal Information we hold about you. If you wish to access your Personal Information, you may do so by emailing us at privacy@vndly.com. We will respond to all requests for access within a reasonable time.

If you think the information we hold about you is inaccurate, out of date, incomplete, irrelevant, or misleading, we will take reasonable steps, consistent with our obligations under the Australian Privacy Act, to correct that information upon your request. If you find that the information we have is not up to date or is inaccurate or incomplete, please contact us in writing at privacy@vndly.com, so we can update our records. We will respond to all requests for correction within a reasonable time.

If you are unsatisfied with our response to a privacy matter, you may consult either an independent advisor or contact the Office of the Australian Information Commissioner for additional help. We will provide our full cooperation if you pursue this course of action.

Location of VNDLY’s Services

VNDLY’s Corporate headquarters is based in the State of Ohio within the United States. VNDLY provides access to their Products and Services within the United States, Australia, Canada, European Union, United Kingdom, and Mexico. Users acknowledge that VNDLY does not warrant or represent that this Policy, or the Products and Services use of Personal Information, complies with the laws of any other jurisdiction. Further, Users acknowledge that Personal Information will be obtained and processed in accordance with this Policy, irrespective of where such information may otherwise be stored.

Safeguards

VNDLY protects your Personally Identifying Information by using safeguards that it has determined are appropriate to the sensitivity of the information. Unfortunately, neither VNDLY’s network nor data transmission over the Internet can be guaranteed to be 100% secure. You have a responsibility, as well, to safeguard your information through the proper use and security of any online credentials used to access your Personally Identifying Information, such as a username and password. If you believe your credentials have been compromised, please change your password. Please also notify us of any unauthorized use.

Accuracy

You have the right to update, modify, amend, or correct errors in your Personally Identifying Information by contacting VNDLY. We strive to maintain and process your information accurately. We have processes in place to maintain all of our information in accordance with relevant data governance frameworks and legal requirements. We employ technologies designed to help us maintain information accuracy on input and processing.

Where we can provide you access to your Personally Identifying Information in our possession, we will always ask you for a username and password to help protect your privacy and security. We recommend that you keep your password safe, that you change it periodically, and that you do not disclose it to any other person or allow any other person to use it.

To view and change the Personally Identifying Information that you have provided to us, you can log in to your account and follow the instructions on that webpage, or contact us directly for assistance.

Third-Party Websites

On occasion, our Services are connected by “hyperlinks” to other third party’s websites. Please note that VNDLY does not endorse these websites and is not responsible in any way for the privacy practices of other websites and suggests that you review the privacy policies of those other companies’ websites before using them.

Accessing Your Personally Identifying Information Once Given

If you believe your Personally Identifying Information is inaccurate, you may contact VNDLY to amend or delete your Personally Identifying Information. You have the right to request information about the existence, use, and disclosure of your Personally Identifying Information and to challenge the accuracy and completeness of your Personally Identifying Information, and to have your Personally Identifying Information amended where inaccurate or deleted from VNDLY’s database. To do so, simply e-mail VNDLY at the e-mail address set forth in this Privacy Policy.

Minors

Our Services are not intended for people under the age of 18. Further, we do not knowingly collect Personally Identifying Information from children under the age of 18. If you are a parent or guardian of a child under the age of 13 and believe he or she has disclosed Personally Identifying Information to us, please contact us at the e-mail address set forth in this Privacy Policy and VNDLY will delete such Personally Identifying Information.

Changes to This Policy

Please note this Privacy Policy is subject to change from time to time. We will notify you of material changes to this Privacy Policy by either sending you an e-mail or by including prominent notice of such change on the Service, such as a date change in the “Last Revised” block above.

Accountability, Compliance and Contact

VNDLY takes our responsibility to protect your information very seriously. VNDLY reassures our compliance with this Privacy Policy and applicable legal standards to keep your information secure. For additional questions or inquiries, please direct in the following manner:

Located in the United States, Australia, Canada, and Mexico. All questions and inquiries can be directed to a VNDLY representative at privacy@vndly.com.

Located within the European Union. We have appointed IT Governance Europe Limited to act as our EU Representative. If you wish to exercise your rights under the EU General Data Protection Regulation (GDPR), or have any queries in relation to your rights or privacy matters generally, please email our Representative at eurep@itgovernance.eu or post your request or query to:

EU Representative, IT Governance Europe, Third Floor, The Boyne Tower, Bull Ring, Lagavooren, Drogheda, Co. Louth, A92 F682

When contacting our Representative please ensure you include our company name in any correspondence.

Located within the United Kingdom. All questions and inquiries can be directed to our UK representative at privacyuk@vndly.com.