Introduction

This Privacy Policy (“Policy”) is meant to explain to you (the “End User”) how your information is used by your advisor and Clariata, LLC (“we”, “us” or “our”) in providing services to you directly and how we collect and share end user information in our possession to operate, improve, develop, and protect our services, and as otherwise outlined in this Policy. We encourage you to become familiar with the terms and conditions of both this Policy and the Terms of Use. By accessing and using the System, or any part thereof, you agree that you have read and understand this Policy, and that, in exchange for access to the System and/or services offered by us, you accept and consent to the privacy practices (and any uses and disclosures of information about you) that are described in this Policy. The Policy only applies to information Clariata collects, uses, and shares about end users (“End User Information”) through our websites that link to this policy (the “Websites”) which include but are not limited to: https://arc.clariata.com and https://www.clariata.com/, and any mobile applications associated with the Websites (the “Mobile Applications”) and all other online offerings that post a link to this Policy, whether accessed via computer, mobile device or other technology or any associated content, material, or functionality contained on the Websites or Mobile Applications (the “Services” and, together with the Websites and the Mobile Applications, collectively, the “System”), as well as information collected from you offline in connection with the services we provide to you. Please note that this Policy does not apply to information about you collected (i) by third party services, applications or websites, or advertisements associated with, linked to or otherwise accessible from the Services (including by a third party payment processor) or (ii) by third party individuals, financial institutions or financial advisors or companies with which you conduct transactions or communications facilitated through use of the Services. The information collected and received by such third parties is subject to their privacy policies and under no circumstance are we liable for the third party’s compliance therewith. We encourage you to review the privacy policies or notices of the applicable providers or those third parties for information about their practices.​

Children Under the Age of 13

The System is not intended for children under 13 years of age. Consistent with the Children’s Online Privacy Protection Act, we do not knowingly collect personal information from children under 16. If we learn we have collected or received personal information from a child under 16 without verification of parental consent, we will delete that information. If you are under the age of 13, you must ask your parent or guardian to assist you in using the System. Furthermore, we may restrict entries to promotions to entrants who are at least 18 years of age.​

Information We Collect and How We Use It

Information We Collect. Clariata may collect identifying information from or about you in connection with your use of, or your submissions to, the System and other types of End User Information (collectively, the “Collected Information”). We may also collect information when you give it to us, when you give us permission to obtain it (such as when you give us permission to access your personal information including, but not limited to, your account custodian, other advisers or websites with your information), or when we obtain it from other sources such as from the business partners or third parties that makes our services available to you or from commercially available third-party sources. We will not collect social security numbers, credit card information, financial institution and/or bank account information. We may combine information we receive from commercially available third party sources with the personal andother information we have collected about you pursuant to this Policy. We also collect technical information when you use our products and services. Collected Information includes both Personal Information and information about how you interact with our System. We may collect information that can be used to identify you (“Personal Information”). Personal information that we collect depends on the product or service you have with us or access through us, and may include, without limitation: name, date of birth, contact information, professional or employment-related information, or financial goals. Information We Receive From Your Devices. When you use your device to connect to the System, we may receive identifiers and electronic network activity information about that device, including pages you view, links you click or hover over, selections you make on the Websites, your web browser’s HTTP referrer header, features you use, preferences you set, your web browser type and version, the operating system type and version of the device you are using to access the System, the Internet protocol (IP) address of the device you are using to access the System (or any portion thereof), general physical location, Internet service provider, in addition to any other information collected as further described in this Policy. The System may also use tracking technologies to collect usage data and to help Clariata provide and improve our services (“System Data”). We use cookies and similar tracking technologies to track the activity on our System. Cookies are files with a small amount of data which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your device. Other tracking technologies are also used such as beacons, tags and scripts to collect and track information and to improve and analyze the System. Most web browsers allow some control of most cookies through the browser settings. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them please visit http://www.allaboutcookies.org/. “Do Not Track” Disclosures. Your browser or device may include Do Not Track functionality. The Services are not built to respond to “Do Not Track. That means that, even if your browser is set to “Do Not Track,”

our information collection and disclosure practices will operate in accordance with the standards set out in this Policy. Information We Receive About You From Other Sources. We also receive identifiers and commercial information about you directly from the applicable provider or other third parties, including our service providers and identity verification services. For example, the applicable provider may provide information such as your full name, email address, or phone number. We do not collect information about your financial accounts or account transactions from providers. Inferences We Derive From The Data We Collect. We may use the information we collect about you to derive inferences for the Services. For example, we may infer your location or your annual income based on the information we have collected about you from you or other sources to provide such services.

How We Use Your Information

We use your End User Information for a number of business and commercial purposes, including to operate, improve, and protect the services we provide, and to develop new services. More specifically, we use your End User Information:

• To operate, provide, and maintain our services;

• To notify you about changes to our policies;

• To improve, enhance, modify, add to, and further develop our services;

• To protect you, the applicable providers, our partners, Clariata, and others from fraud, malicious activity, and other privacy and security-related concerns;

• To develop new services;

• To provide customer support to you or to the applicable providers, including to help respond to your inquiries related to our service;

• To administer a survey or other System features;

• To investigate any misuse of our service, including violations of the End User License Agreement or the applicable SAAS Agreement, criminal activity, or other unauthorized access to our services;

• To comply with contractual and legal obligations under applicable law; and

• To notify you about our products and services that may be of interest to you with your consent.

We may also use the information we collect as otherwise disclosed to you at the point of collection or for any other purposes with your consent. Applicable law may require not only that we disclose the types of third parties with whom we may share personal information but also that we separately identify the categories of personal information we share with third parties for business purposes. These categories could include any or all of the following: personal identifiers; device and online identifiers and related information; demographic information; financial Information; government identifiers; legally protected classification characteristics; Internet, application, and network activity; location data; audio data; and professional or employment-related information.​

Our Lawful Bases for Processing

(EEA and UK End Users Only) For individuals in the European Economic Area (“EEA”) or the United Kingdom (“UK”), our legal basis for processing your End User Information will depend on the information concerned and the context in which we collected or processed it. We will normally only collect and process End User Information where:

• We need to fulfill our responsibilities and obligations in any contract or agreement with you (example, to comply with the EULA);

• To comply with our legal obligations under applicable law;

• Processing is necessary for our legitimate interests and not overridden by your data protection interests or fundamental rights and freedoms (for example, to safeguard our services; to communicate with you; or to provide or update our services); and

• You have given your consent to do so.

To the extent we rely on consent to collect and process End User Information, you have the right to withdraw your consent at any time per the instructions provided in this Policy.​

Disclosure of Your Information

We may disclose aggregated information about our users, and information that does not identify any individual or device, without restriction. In addition, we may disclose personal information that we collect or you provide:

• Between and among Clariata and our current and future affiliates, subsidiaries and other companies under common control or ownership;

• To our data processors, service providers, and other third parties we use to support our business and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them;

• To the applicable provider and as directed by that provider (such as with another third party if directed by you);• To enforce our rights arising from any contracts entered into between you and us, including the EULA, and for billing and collection under provider agreements;

• If we believe in good faith that disclosure is appropriate to comply with applicable law, regulation, or legal process (such as a court order or subpoena);

• To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of Clariata's assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by Clariata about our System users is among the assets transferred;

• As we believe reasonably appropriate to protect the rights, privacy, safety, or property of you, the applicable providers, our partners, Clariata, and others; or

• For any other notified purpose with your consent.

We may collect, use, and share End User Information in an aggregated, de-identified, or anonymized manner (that does not identify you personally) for any purpose permitted under applicable law. This includes creating or using aggregated, de-identified, or anonymized data based on the collected information to develop new services and to facilitate research. We do not sell or rent personal information that we collect.​

Retention of Your Information

We retain End User Information for no longer than necessary to fulfill the purposes for which it was collected and used, as described in this Policy, unless a longer retention period is required or permitted under applicable law. As permitted under applicable law, even after you stop using the System or terminate your account with a provider, we may still retain your information. However, your information will only be processed as required by law or in accordance with this Policy. Please refer to the “Your Data Protection Rights” section for options that may be available to you, including the right to request deletion of End User Information. You can also contact us about our data retention practices using the contact information below.​

International Data Transfers

We may transfer the information we collect about you across international borders for processing and storage. To the extent that the information we collect about you is transferred from the EEA to territories/countries for which the EU Commission has not made a finding that the legal framework in that territory/country provides adequate protection for individuals' rights and freedoms for their personal data, we may transfer such data consistent with applicable data protection laws based on prior assessment of the level of data protection afforded in the context of the transfer, including through the use of the EU Commission-approved standard contractual clauses, if necessary in combination with additional safeguards. You can ask for a copy of these standard contractual clauses by contacting us through the information provided below.​

Data Security

We have implemented measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure. The safety and security of your information also depends on you. Where we have given you (or where your provider has given you) a password for access to certain parts of our System, you are responsible for keeping this password confidential. We ask you not to share your password with anyone.Although we do our best to protect your personal information, we cannot guarantee the security of your personal information transmitted through our System. Any transmission of personal information is at your own risk. We are not responsible for circumvention of any privacy settings or security measures we provide.​

Your Data Protection Rights

International Users. Under applicable law, and subject to limitations and exceptions provided by law, if you are located in the EEA or UK, and in certain other jurisdictions, you may have certain rights in relation to the End User Information collected about you and how it is used, including the right to:

• Access End User Information collected about you;

• Request that we rectify or update your End User Information that is inaccurate or incomplete;

• Request, under certain circumstances, that we restrict the processing of or erase your End User Information;

• Object to our processing of your End User Information under certain conditions provided by law;

• Where processing of your End User Information is based on consent, withdraw that consent;

• Request that we provide End User Information collected about you in a structured, commonly used and machine-readable format so that you can transfer it to another company, where technically feasible; and

• File a complaint regarding our data protection practices with the relevant supervisory authority. California Users. If you are a California resident, California law may provide you with additional rights regarding our use of your personal information. California residents should be aware that this section does not apply to the following:

• Personal information covered by certain sector specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) and its implementing regulations, the California Financial Information Privacy Act (FIPA) and the Driver’s Privacy Protection Act of 1994; or

• Other information subject to an exception under the California Consumer Privacy Act (CCPA). Under the California Consumer Privacy Act (“CCPA”), and subject to certain limitations and exceptions, you may have the following rights with respect to End User Information we have collected about you that constitutes personal information under the CCPA:

• To request access to more details about the categories and specific pieces of personal information we may have collected about you in the last 12 months (including personal information disclosed for business purposes);

• To request deletion of your personal information;

• To opt-out of any “sales” of your personal information, if a business is selling your information; and

• To not be discriminated against for exercising these rights.

To exercise your access, deletion, or data protection rights, where applicable, you can submit a request by contacting Clariata as described in the “Contact Us” section below. You may be required to provide additional information necessary to confirm your identity before we can respond to your request. Responses to such requests will be completed within a reasonable period of time (and within any time period required by applicable law). Please note, however, that certain information necessary for compliance with our own legal obligations or to establish, exercise, or defend legal claims may be exempt from such requests.Changes to Our Privacy Policy We may update or change this Policy from time to time in accordance with applicable law. If we make any updates or changes, we will post the new policy on Clariata’s website and update the effective date at the top of this Policy. We will also notify the applicable providers of any material changes in accordance with our provider agreements. We expressly reserve the right to make any changes to this Policy at any time, without prior notice to you unless otherwise prohibited by applicable law. Our electronically or otherwise properly stored copies of this Policy shall each be deemed to be the true, complete, valid, authentic, and enforceable copy of the version of this Policy.​

Contact Us

If you have any questions or complaints about this Policy, or about our privacy practices generally, you can contact us at support@clariata.com:

1101 St. Gregory St. #225

Cincinnati, OH 45202