Effective Date: January 2026
Cari Rewards Privacy Notice and Notice at Collection
Overview
Cari Rewards, Inc. (collectively, “Cari,” “we,” “our,” or “us”) is an online business-to-business (“B2B”) platform designed for the hospitality industry, enabling restaurants and vendors to manage vendor payments, earn rewards, and strengthen B2B relationships. Cari provides commercial charge cards, ACH and card-based payment solutions, and a vendor CRM and loyalty engine. The Platform operates exclusively in a business-to-business capacity and does not issue cards directly to consumers.
For purposes of this Privacy Notice (“Notice”), “Platform” refers to our B2B platform found at usecari.com and all associated services we provide.
This Notice describes how Cari collects, uses, retains, and discloses personal information about individuals who interact with us as representatives, owners, or authorized users of our business customers, as well as vendors and contractors (collectively, “you”), in connection with your use of our websites, applications, and business services. It also explains our practices for maintaining, protecting, and managing that information.
Please read this Notice carefully to understand our policies and practices regarding your information and how we treat it. By interacting with our Platform or providing us with your information, you agree to the collection, use, and sharing of the information as described in this Notice.
This Notice may change from time to time (see Changes to this Privacy Notice). Your continued use of the Platform after we make changes as described here is acceptance of those changes, so please check the Notice periodically for updates.
By using our Platform, you acknowledge and accept the practices described in this Notice.
Applicability of this Privacy Notice
This Notice applies only to information we collect in connection with:
- your business' use of Cari's Platform;
- your creation or administration of a business account;
- communications with Cari (including email, phone, and support);
- participation in Cari's Rewards program(s); and
- integrations with approved third-party partners which provide services related to payments, hosting, communications, identity verification, and transactional and internal usage analytics.
This Notice does not apply to:
- information collected outside our Platform or by third parties, including through websites, applications, or content that may link to or be accessible from our Platform;
- individual consumers using Cari for personal or household purposes; or
- anyone under the age of 18.
In the future, we might provide additional or different privacy notices that are specific to certain Cari features, services, or activities.
Information We Collect
We collect only the minimum information necessary to operate our B2B Platform, including:
Business and Account Information
- Business name, business address, Employer Identification Number (EIN)
- Names and contact details of business owners or authorized representatives, including information required for identity verification (such as date of birth or last 4 digits of Social Security Number, as required by law for “Know Your Customer”/“Know Your Business” compliance).
- Account credentials (email address, hashed password, information for two-factor authentication)
Payment and Transaction Data
- Invoice details, payment terms, transaction history, and payment methods
Rewards and Loyalty Data
- Points earned, points redeemed, and related redemption activity
Session and Security Data
- IP address, device ID, cookies, and usage logs
Analytics Metadata
- Payment timeliness, vendor interactions, and aggregated usage statistics
We do not intentionally collect sensitive personal information, except as required by law for business verification (e.g., we collect the last 4 digits of Social Security Number or government ID from beneficial owners). We do not store full Social Security Numbers or driver's license numbers.
We do not collect biometric data, health data, or data about minors.
We also collect:
- Statistical or Aggregated Information. We may generate and use aggregated or de-identified data that does not identify any individual, such as statistics on Platform usage, payment timeliness, or vendor interactions. For example, we may aggregate data to calculate the percentage of users accessing a specific Platform feature.
- Technical Information. We collect limited technical data related to your use of our Platform, such as your IP address, device identifier, browser type, operating system, and usage activity (e.g., login times, session duration, and navigation within our platform). This information helps us maintain security, improve our Platform, and ensure reliable operation of our Platform.
If we combine aggregated or technical data with information that directly or indirectly identifies an individual, we treat the combined information as personal information and protect it accordingly.
How We Collect Information
Directly From You
When you register, administer your company's account, or communicate with us.
Automatically Through Our Platform
We automatically collect certain technical and usage information when you interact with our Platform. This information is collected to ensure secure access, maintain the integrity of our Platform, and improve our Platform for business users. The technologies we use for this automatic data collection include:
- Cookies: Small files placed on your device to support secure login, session management, and basic usage analytics. You may refuse or disable cookies through your browser settings, but this might affect your ability to use certain features of our Platform.
- Web Beacons: Small electronic files in certain emails or parts of our Platform that help us understand usage patterns and verify system integrity.
The information collected may include your IP address, device identifier, browser type, operating system, access times, and usage activity within our platform (such as login times, session duration, and navigation within our Platform).
We do not use these technologies for cross-site tracking, behavioral advertising, or profiling, and we do not allow third-party advertisers or ad networks to collect data through our Platform.
All automatically collected information is used solely for:
- securing your account and our Platform,
- monitoring performance and usage to improve our Platform,
- ensuring compliance with our security standards and legal obligations.
From Business Partners and Service Providers
We may also receive information about you, your business or your employer from service providers and partners which support our operations. For example, we may receive information from:
- Sponsor banks and payment processors (for payment settlement and card transactions)
- Compliance vendors (for business and beneficial owner verification)
- Cloud and email providers (for secure hosting and communications)
- Analytics and security vendors (for internal analytics and platform security)
We use information obtained from our business partners or service providers only as necessary to operate and improve our Platform and comply with our legal obligations. We do not acquire personal information from data brokers or collect personal information from third parties for marketing purposes.
How We Use Your Information
We use your information solely to operate, secure, and improve our B2B Platform, and to comply with our legal and regulatory obligations. Specifically, we use your information to:
- Provide and Maintain Our Platform: to deliver, operate, and manage our Platform; validate your business and authorized users; enable payments and rewards; and process transactions related to your use of the Platform.
- Communicate with You: to send you service-related communications, including account notices, technology-related or service updates, security alerts, and responses to your inquiries.
- Improve and Secure Our Platform: to monitor, troubleshoot, and enhance the Platform; analyze usage and performance; address technical issues; and ensure the security and integrity of the Platform.
- Prevent and Investigate Security and Fraud Issues: to detect, investigate, and mitigate risks, suspicious activity, unauthorized transactions, or breaches of our policies or any applicable legal requirements.
- Rewards Management: to determine your business's eligibility for, and facilitate participation in, our rewards and loyalty programs.
- Compliance with Legal Obligations: to fulfill our legal, regulatory, recordkeeping and contractual obligations, including those related to anti-money laundering (AML) and Know Your Customer/Know Your Business (KYC/KYB).
- Internal Analytics and Aggregation: to generate aggregated or de-identified data for internal analytics, product improvement, and business reporting. Aggregated data does not identify individual users or businesses.
- At Your Direction: to fulfill any other purpose at your direction, such as when you request software integration with approved third-party software.
- With Your Consent: for any other purpose that we communicate to you and for which you provide consent.
We do not use your information for targeted advertising, external marketing, or personalization unrelated to your use of our Platform.
We may use de-identified or aggregated information for any lawful purpose.
How We Share Your Information
Maintaining your trust is essential to our business. We share information only as necessary to operate our Platform, comply with the law, and fulfill our obligations to you and our partners. We do not sell your personal information or share it for others' advertising or marketing purposes.
We may share your information with:
- Service Providers: third-party companies and individuals who perform services on our behalf, such as cloud infrastructure providers (e.g., Amazon Web Services), website hosting, payment processors (e.g., Finix, Lithic), compliance vendors (e.g., Middesk, LendAPI, Socure for KYC/KYB), email communication providers (e.g., SendGrid), and analytics and security vendors (for internal analytics and Platform security). We contractually require these third parties to use your information only as necessary to provide their services to us and to maintain appropriate security measures.
- Sponsor Banks and Financial Partners: to facilitate payment processing, card issuance, and credit facilities, we may share information with our sponsor banks and other financial partners as required by law and our agreements.
- Compliance and Legal Requirements: we may disclose your information if necessary to comply with applicable laws, regulations, legal processes, or government requests, including anti-money laundering (AML) and KYC/KYB requirements.
- Business Transfers: if Cari Rewards is involved in a merger, acquisition, reorganization, sale of assets, or bankruptcy, your information might be transferred as part of that transaction, as permitted by law. We will notify you of any such transfer when and as required by applicable law.
- At Your Direction: we may share information with third parties when you explicitly request or authorize it, such as when you choose to integrate software with approved third-party software.
- With Your Consent: for any other purpose disclosed to you and to which you consent.
We may also use and share aggregated or de-identified information (which does not identify you or your business) for internal analytics, reporting, or other lawful business purposes.
We do not share your information with:
- Data brokers
- Advertising networks or platforms
- Third parties for their own marketing purposes, for referrals, or for joint marketing purposes
How Long We Keep Information
We retain your information for as long as necessary to fulfill the purposes described in this Notice - including maintaining our Platform, complying with legal and regulatory obligations (such as anti-money laundering and recordkeeping requirements), resolving disputes, and ensuring security and fraud prevention - or as otherwise required by applicable law, including applicable U.S. banking and financial regulations.
Please note that our legal and regulatory obligations may require us to retain certain information after your business relationship with Cari ends or your account is closed. In some cases, these obligations may limit your ability to request deletion of your personal information.
When the applicable retention period has elapsed and we are no longer required to retain your information, we will securely delete, destroy, or de-identify your personal information in accordance with our policies and applicable law.
Analytics and Interest-Based Advertising
We use third party analytics services, such as Google Analytics, to help us understand how business users access and use our website and Platform. These analytics tools help us monitor performance, improve our Platform, and enhance security. The information collected may include technical details such as your device's IP address, browser type, other device identifiers and usage patterns.
We do not use analytics or tracking technologies for advertising, cross-site tracking, or profiling.
We do not work with ad networks or third-party advertisers, and we do not place interest-based or targeted ads on other websites or services.
Cookies & Other Tracking Technologies
We use cookies and similar technologies to support secure login, session management, and usage analytics. For more information about how we use cookies and your choices, please see our Cookie Notice.
Security
We design our systems with your security and privacy in mind.
- We use encryption protocols and software to protect your information during transmission and at rest.
- We implement technical, physical, and organizational safeguards, including role-based access controls (RBAC), multi-factor authentication (MFA), and continuous monitoring of our systems.
- All data is hosted in secure, SOC 2 and ISO 27001 certified infrastructure.
- We conduct regular vendor due diligence, vulnerability scanning, and penetration testing.
- Our security procedures may require proof of identity before we disclose personal information to you.
However, no security measure or method of data transmission over the Internet is 100% secure. Although we strive to use industry-standard means to protect your personal information, we cannot guarantee absolute security. You are responsible for protecting your password(s), limiting access to your devices, and signing out of the Platform and all websites after your sessions.
Your Rights and Choices
Access, Correction, or Deletion: Business users may access, correct, or request deletion of their information via the Cari Rewards portal or by contacting our Privacy Officer (see How to Contact Us). We might need to retain some data when required by law.
Cookies and Analytics: You can set your browser to refuse all or some browser cookies or to alert you when cookies are being sent. But note that disabling cookies may affect your ability to use certain features of our Platform.
Children's Personal Information
Our Platform is not intended for, and we do not knowingly collect any personal information from, children under the age of 18. As explained above, we also do not knowingly "share" or "sell" (as those terms are defined under the CCPA/CPRA) the personal information of minors under 16. If you are a parent or guardian and believe we have violated this provision, please contact us at the address stated under the How to Contact Us section below.
Changes to this Privacy Notice
The Services and our business operations may change from time to time. As a result, it may be necessary for us to update or modify this Privacy Notice. We reserve the right to do so at any time.
For material changes, such as expanding how we use or share your personal information, we will provide you with prominent notice (for example, by posting a notice on our website or platform, sending an email, or through other appropriate means) before those changes take effect, as required by applicable law.
For non-material changes, we will update the “Last Updated” date at the top of this notice and post the revised notice on our website or platform.
If you have an existing relationship with us, we may also provide notice through your account or by using your contact information. If you do not have an account, we will provide notice by posting the updated notice on our website.
We encourage you to review this Privacy Notice periodically to stay informed about our information practices. Your continued use of our Services after any changes become effective constitutes your acceptance of those changes.
Accessibility
We are committed to ensuring this Privacy Notice is accessible to individuals with disabilities. If you wish to access this Privacy Notice in an alternative format, please contact us as described below.
How to Contact Us
Contact Us:
To exercise your rights or ask questions or comment about this Notice or our privacy practices, contact our Privacy Office:
Email: support@usecari.com
Address:
Cari Rewards, Inc.
PO BOX 1781
New York, NY 10156
(Registered in Delaware, HQ in New York, NY)
Website: www.usecari.com
or via our toll-free number:
Applicability of U.S. and Global Privacy Laws
Cari Rewards operates exclusively as a B2B service provider. Our Platform is not intended for personal or household use, and we are generally not subject to consumer privacy laws such as the California Consumer Privacy Act (CCPA, as amended by the California Privacy Rights Act), Nevada, or Virginia privacy laws, except as they may have limited applicability to business contact information.
Additionally, all personal information is processed and stored in the United States. We do not transfer personal information outside the U.S., nor do we receive it from non-U.S. jurisdictions, except as required for specific U.S.-based vendor integrations.
NOTICE AT COLLECTION FOR CALIFORNIA RESIDENTS
To the extent the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), applies to business contact information, we provide the following notice:
The categories of personal information we collect, the purposes for which we use this information, and our retention practices are described in this Privacy Notice. We do not “sell” or “share” personal information as those terms are defined under the CCPA.
We retain personal information only as long as necessary to fulfill the purposes for which it is collected, as described in the How Long We Keep Information section above, or as otherwise required by law. If we cannot specify an exact retention period for a category of personal information, we use criteria such as the type of information, our legal and regulatory obligations, and our business needs to determine how long we retain it.
Summary of Categories Collected and Retention Criteria:
| Category of Personal Information | Purpose of Collection | Retention Period/Criteria |
|---|---|---|
| Business and Account Information | Account setup, verification, compliance (including beneficial owner verification) | For as long as required by law/regulation (e.g., banking/KYC retention rules) |
| Payment and Transaction Data | Payment processing, audit, compliance | For as long as required by law/regulation |
| Rewards and Loyalty Data | Rewards program administration | While accounts are active + retention period(s) required by law |
| Security/Session Data | Security, fraud prevention | For as long as necessary for security purposes or as required by law |
| Analytics Metadata | Service improvement, internal analytics | Retained in identifiable form only as long as necessary to support Platform analytics and client reporting. Thereafter, Cari Rewards aggregates or de-identifies the data in accordance with its data governance and security policies, and retains only non-identifiable or summary information, unless a longer period is required by law. |
If you have questions about our data practices or your rights under California law, please contact our Privacy Officer at support@usecari.com.