Bank AI Privacy Policy

This Privacy Policy explains how Stolen Orbit LLC ("Stolen Orbit," "we," "us," or "our"), the developer and operator of the mobile application and related services marketed as Bank AI (the "Services"), collects, uses, discloses, transfers, and otherwise processes personal data about you ("you," the "user").

Because Bank AI processes sensitive financial data and uses artificial intelligence to analyze it, we have written this Policy to satisfy the European Union General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the United Kingdom General Data Protection Regulation together with the Data Protection Act 2018 ("UK GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), other U.S. state privacy laws, Canada's Personal Information Protection and Electronic Documents Act ("PIPEDA") and Quebec Law 25, Australia's Privacy Act 1988, Brazil's Lei Geral de Protecao de Dados ("LGPD"), and equivalent or overlapping frameworks worldwide.

If you do not agree with any part of this Policy, please do not use the Services.

The data controller (or the equivalent concept under local law - for example, "business" under CCPA/CPRA) is:

You may contact us at that address at any time to ask a question about this Policy or to exercise your rights.

This Policy applies to personal data we process when you:

• download, install, register for, access, or use the Bank AI mobile application, websites, APIs, widgets, or related software;
• connect bank, payment, card, brokerage, investment, pension, or other financial accounts through our aggregation partners;
• purchase, sell, swap, or otherwise interact with digital assets through our crypto partners;
• use our artificial intelligence features (AI chat, insights, summaries, suggestions, alerts);
• communicate with us (support, feedback, surveys);
• respond to our marketing or consent prompts;
• otherwise interact with us.

At launch, availability is geo-restricted to users located in the European Economic Area ("EEA") and the United Kingdom. Availability may expand to additional jurisdictions - including the United States, Canada, Australia, and other markets - in the future. Wherever you access the Services from, this Policy applies.

3.1 Services we do not operate

Bank AI is a software platform. Several activities you can carry out through the app - bank data aggregation, investment-execution information, crypto on-ramp/off-ramp, custody, wallets, and identity verification - are provided by independent third parties. Those third parties are separate controllers (or joint controllers, as applicable) of your personal data for the services they provide to you, and their own privacy policies apply to those activities in addition to this Policy.

The Services are for adults only. You may not use the Services if you are under 18, or under the age of majority in your jurisdiction, whichever is higher.

We do not knowingly collect personal data from children. If we learn we have collected personal data from a child, we will delete it without undue delay. If you believe we hold personal data about a minor, contact admin@stolenorbit.com.

The full terms are below; at a glance:

• We collect identity information you provide, financial account data you authorize us to fetch through providers such as Powens, data about digital-asset transactions initiated through partners such as MoonPay and Ramp Network, your interactions with AI features, device and usage data, and marketing/attribution data.
• We use this to operate the Services, to power AI-generated insights, to keep the Services secure, to comply with law, and - with your consent - for analytics, advertising, and attribution.
• To generate insights and answer AI chat, we transmit financial data (including raw transaction-level data) to third-party AI providers such as OpenAI, Anthropic, and Google. Commercial API tiers offered by those providers generally do not use your content to train their generative models by default.
• Your bank transactions may reveal sensitive categories of data (health, religion, politics, sexual orientation, trade-union membership). We treat these as special category data under GDPR/UK GDPR and rely on your explicit consent.
• AI output is advisory and non-binding. It is not regulated financial, investment, tax, or legal advice. You decide.
• We do not sell personal data for money.
• You have strong rights over your data. You can withdraw consent or delete your account at any time.

If anything below conflicts with this summary, the full text governs.

We group the data we process as follows.

6.1 Identity and account data

Name, date of birth, country of residence, preferred language, email address, phone number, profile photo (optional), authentication credentials (passwords in hashed form, OAuth tokens, passkeys, multi-factor factors), account settings, and anything else you submit when creating or managing your account.

6.2 Financial account data (via Powens and similar aggregators)

When you connect a bank, card, payment, brokerage, investment, pension, or other financial account through Powens (Budget Insight SA) or another aggregation partner we integrate with in the future, we receive and process:

• the name and identifier of the financial institution;
• the account type, account identifier (IBAN, masked account number), currency, and ownership details;
• balances, available credit, overdraft, credit limits, and similar metadata;
• transaction data - date, amount, currency, counterparty name and identifier, merchant, merchant category code (MCC), description, reference, and any other field returned by the institution;
• standing orders, direct debits, and scheduled transfers;
• for brokerage, investment, and pension accounts: positions, holdings, valuations, cost basis (where available), performance, dividends, interest, corporate actions, and transaction history;
• authentication tokens or session artifacts needed to refresh the connection.

The legal relationship that authorizes Powens (or the relevant aggregator) to access your data at your bank is governed by Powens' and your bank's own terms and privacy notices under PSD2, open banking, and open-finance frameworks. We receive data from the aggregator on your instruction.

6.3 Digital-asset and crypto-partner data

When you buy, sell, swap, send, receive, or custody digital assets through our integrated partners - including MoonPay, Ramp Network, and, in the future, embedded-wallet providers such as Privy, Magic, Dynamic, or equivalents - we may receive, generate, or pass through:

• the type, amount, and currency of the asset or fiat;
• payment-method metadata (card brand, last four digits, bank name), but not full card numbers, which are handled directly by the partner or its processors;
• wallet addresses (yours and counterparties'), transaction hashes, network identifiers, gas fees, spreads, and settlement status;
• identity-verification status and, in some flows, KYC outcome indicators returned to us by the partner;
• error codes and partner-specific identifiers.

Certain data you submit during crypto flows - government-issued ID documents, selfies, proof of address, and equivalent KYC inputs - are submitted directly to the third-party partner, which acts as the controller for that processing. We do not receive or store those documents unless a partner expressly shares them with us and we have a lawful basis to hold them.

6.4 AI interaction data

When you use AI features, we process:

• your prompts, questions, instructions, and chat messages;
• the financial context assembled to answer you, which in most cases includes raw or lightly transformed transaction-level data, balances, holdings, and categorizations derived from them;
• the AI-generated output;
• conversation history;
• interaction metadata (timestamps, session identifiers, model selected, length, error states, feedback such as thumbs-up/down).

To generate answers, we transmit the above to third-party AI providers (Section 10). Your financial data used to answer an AI prompt is sent to those providers.

6.5 Device, technical, and usage data

IP address, approximate location derived from IP (country/region), device identifiers, device model and manufacturer, operating system and version, application version, language and locale, time zone, screen resolution, crash logs, diagnostic logs, performance metrics, feature usage events, screens viewed, clicks and taps, session duration, and referral source.

6.6 Communications and support data

Emails, in-app messages, support tickets, feedback forms, attachments, metadata, and any recordings of calls where you have consented and we have notified you.

6.7 Marketing, advertising, and attribution data

Advertising identifiers (IDFA on iOS where available and consented, Android Advertising ID where available and consented), install-attribution data, click IDs, campaign and creative identifiers, event-level conversion data (sign-up, first bank connection, first crypto purchase), consent status, and segment or audience membership for marketing purposes.

6.8 Data you voluntarily provide

Anything you choose to share - in support messages, feedback, user-research participation, referrals, or beta programs.

6.9 Data we infer or derive

Categorizations of your transactions, budget categories, computed spending metrics, computed net-worth and cash-flow metrics, risk and behavior signals, AI-generated summaries and recommendations, engagement scores, and similar derived data.

Bank transactions routinely contain information that, when read together or in context, constitutes special category data under Article 9 GDPR / UK GDPR - for example, payments to healthcare providers, pharmacies, hospitals, religious institutions, political parties, trade unions, or venues associated with sexual orientation.

We do not seek out this information, but it will be incidentally present in the transaction streams you authorize us to import.

7.1 Our approach

We treat this data as sensitive and apply the following safeguards:

• Explicit consent. Our legal basis for processing special category data incidentally contained in your transactions - and for transmitting it to AI providers to generate insights - is your explicit consent under Article 9(2)(a) GDPR / UK GDPR. We obtain this consent separately and clearly at onboarding and at the point you enable AI features.
• No marketing use. We do not use special category data (or inferences from it) for marketing, advertising, audience building, attribution, or lookalike modeling.
• No sharing with ad or attribution vendors. We do not transmit transaction-level data containing special category signals to advertising networks, attribution SDKs, or marketing analytics tools.
• Withdrawal. You can withdraw your consent at any time, with effect for the future, by disconnecting accounts, disabling AI features, or deleting your account. Withdrawal does not affect processing carried out before withdrawal.
• Deletion. On your instruction, we delete transactions and derived categorizations as described in Section 14.
• Minimization in AI prompts. Where technically practical, we reduce the amount of special category information sent to AI providers (for example, by limiting the transaction window to what is relevant). Because you have chosen an AI chat experience that can discuss any aspect of your finances, we cannot guarantee that such information is excluded in every case.

If you do not want us to process your special category data, do not connect accounts that contain such transactions, or use the Services without enabling AI features. You may also contact admin@stolenorbit.com to discuss configuration.

7.2 Sensitive personal information under U.S. state laws

Several U.S. state privacy laws (including CCPA/CPRA) define "sensitive personal information," which includes, for example, account log-in credentials, precise geolocation, and financial account numbers combined with access credentials. We limit our use of such data to purposes permitted by those laws (providing the Services you requested, security, fraud prevention, and the other limited purposes recognized by CCPA/CPRA). We do not use sensitive personal information to infer characteristics for targeted advertising.

We collect personal data:

• Directly from you - registration, configuration, account connection, AI interactions, crypto flows, support, marketing, and other interactions.
• From financial institutions via aggregation partners - when you authorize a bank, broker, or other institution to share data with Powens, which in turn shares that data with us on your instruction.
• From crypto partners - when you initiate a crypto on-ramp, off-ramp, swap, custody, or wallet interaction through MoonPay, Ramp Network, embedded-wallet providers, or their successors.
• From your device - automatically when you use the Services.
• From third-party analytics, advertising, attribution, fraud, and identity providers - ad networks, attribution SDKs, analytics SDKs, device-fingerprinting services, and sanctions-screening vendors.
• From publicly available sources - sanctions lists, public registers, and information you publish on public profiles or forums.
• From other users and third parties - referrals, invitations to shared features, or complaints that involve you.

For EEA and UK users, we process personal data only where a valid legal basis applies. The table summarizes main purposes, main data categories involved, and legal bases. Where more than one basis applies, the primary basis appears first.

Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of prior processing. Where we rely on legitimate interests, you have a right to object (Section 15). On request, we will share our balancing-test summary.

9.1 Consent architecture

We obtain consent granularly, so you can keep one feature and disable another:

• Bank/account connection consent - covers aggregation and storage of financial account data required for core features.
• AI consent - separately covers transmission of your financial context and prompts to third-party AI providers.
• Special category / sensitive data consent - explicit consent to process data that may reveal health, religion, political views, sexual orientation, or trade-union membership, as incidentally contained in your transactions.
• Marketing / analytics / advertising consent - covers non-essential cookies, SDKs, and trackers, including attribution and advertising pixels.
• Location consent - where we process precise location beyond what is needed for security.

You can manage consents in the app's privacy settings.

AI is central to Bank AI. This Section explains how it works.

10.1 What AI does

AI features can:

• summarize your finances, spending, budget, and investments;
• categorize and explain transactions;
• generate insights, alerts, and suggestions;
• answer free-form questions about your financial situation;
• produce projections, scenarios, and comparisons.

10.2 We are an AI integrator, not an AI developer

We do not train or operate our own foundation models. We send prompts and financial context to third-party AI model providers (the "AI Providers") and display their responses. Current or reasonably anticipated AI Providers include:

• Anthropic, PBC (Claude models)
• OpenAI, L.L.C. (GPT models)
• Google LLC / Google Cloud EMEA Limited (Gemini models)

We may add, replace, or route among AI Providers and their underlying models, including additional providers not listed above. We will update this Policy for material changes.

10.3 What data is sent

To answer your requests, we transmit:

• your prompts, messages, and chat history;
• relevant financial context assembled from your account - in most cases, raw or lightly transformed transaction-level data, balances, holdings, and categorizations;
• metadata (timestamps, model selected, session identifiers).

This means your financial data, including data that may qualify as special category data under GDPR/UK GDPR, is transmitted to AI Providers that typically operate from the United States (and possibly other jurisdictions). See Section 12 on international transfers.

10.4 How AI Providers use the data

We use AI Providers on commercial API or enterprise tiers. Those tiers, under the AI Providers' current standard terms, generally provide that:

• content submitted via the API is not used to train or improve the provider's generally available models by default;
• content may be temporarily retained for limited purposes such as abuse monitoring, safety review, and incident response - commonly up to 30 days at the provider level, subject to the provider's policy;
• providers act as processors or service providers in respect of the personal data you submit, subject to their standard data-processing terms.

We rely on the AI Providers' public documentation and contractual terms. Provider terms and settings can change. We configure AI features to the strictest practicable settings available to us (including, where supported, zero-retention configurations and disabling of optional training). We cannot guarantee provider behavior and are not responsible for actions of AI Providers that breach their own terms.

10.5 AI output is advisory and non-binding

AI output is generated automatically. It may be incomplete, out of date, biased, wrong, or unsuitable for you. AI output is not:

• regulated financial advice;
• investment advice or a recommendation to buy, sell, or hold any financial instrument or digital asset;
• tax, legal, accounting, or other professional advice;
• a fiduciary recommendation;
• a suitability assessment.

You are solely responsible for verifying AI output and for your decisions. Do not rely on AI output for time-sensitive, irreversible, or high-value decisions without consulting a qualified professional.

10.6 Automated decision-making and profiling (Art. 22)

We profile you in the GDPR/UK GDPR sense: we analyze your data to categorize spending, generate insights, and personalize content. However, we do not use automated processing, including profiling, to take decisions that produce legal effects concerning you or similarly significantly affect you under Article 22 GDPR / UK GDPR. AI output is decision- support; a human (you) remains in the loop.

Where automated processes are used for fraud, sanctions, or security decisions (for example, blocking a suspicious login), human review is available on request where required by law.

10.7 Transparency for AI interactions

Where legally required - including under the transparency obligations of the EU AI Act - we identify AI-generated outputs as such and inform you that you are interacting with an AI system.

10.8 Your controls

You can:

• enable or disable AI features at any time;
• delete AI chat history;
• export your data (Section 15);
• withdraw consent to AI processing, which disables AI features going forward;
• request human review of any consequential outcome driven by automated processing.

We share personal data only with the categories of recipients below, and only to the extent necessary for the purposes described. We require recipients acting as our processors to handle personal data in line with this Policy and applicable law, and we rely on their terms and safeguards where they act as independent controllers.

11.1 Financial account aggregation partners

Powens (Budget Insight SA) - and any successor or additional aggregation partner - facilitates connections to banks, brokers, and other institutions. Powens is a separate controller for open-banking and open-finance data acquisition and may act as our processor for onward delivery of that data to us.

11.2 Crypto on-ramp, off-ramp, and wallet partners

MoonPay (MoonPay USA LLC, MoonPay UAB, and affiliates), Ramp Network (Ramp Swaps Ltd and affiliates), and future embedded-wallet providers including Privy, Magic, Dynamic, or equivalents. These partners are independent controllers (or joint controllers, as applicable) for the regulated crypto services they provide to you - KYC, AML, sanctions screening, payment processing, execution, settlement, custody where applicable, and wallet infrastructure. Their privacy notices govern those activities.

11.3 AI Providers

Anthropic, OpenAI, Google, and other AI Providers as described in Section 10.

11.4 Cloud, hosting, and infrastructure providers

Providers of cloud hosting, storage, databases, content delivery, authentication, key management, secrets management, monitoring, logging, and backup services, including major hyperscalers (AWS, Google Cloud, Microsoft Azure) and specialized providers.

11.5 Analytics, crash reporting, and product telemetry

Providers such as Google Firebase (Analytics, Crashlytics, Cloud Messaging) and comparable services that help us measure product usage, diagnose crashes, and operate push notifications.

11.6 Mobile attribution and marketing

Providers such as AppsFlyer (or comparable mobile measurement partners) to measure install attribution and post-install events, and advertising networks such as Meta (Facebook/Instagram), TikTok, Google Ads, X/Twitter, Reddit, Snap, LinkedIn, and similar platforms for marketing campaigns, conversion tracking, remarketing, and audience measurement. These partners may act as independent controllers, joint controllers, or processors depending on the configuration and jurisdiction. Where required by law, these SDKs activate only after valid consent.

11.7 Identity, fraud, sanctions, and compliance providers

Providers that help us (and our partners) verify identity, detect fraud, monitor transactions, screen against sanctions lists, and comply with AML/CTF obligations.

11.8 Customer support and communications

Helpdesk, ticketing, CRM, transactional email, SMS, and in-app messaging providers.

11.9 Professional advisors

Lawyers, auditors, accountants, insurers, and consultants under appropriate confidentiality obligations.

11.10 Affiliates and corporate transactions

Our current and future affiliates, subsidiaries, and parent entities. In a merger, acquisition, financing, reorganization, insolvency, or sale of all or part of our business or assets, personal data may be transferred to or accessed by counterparties, advisors, and successors, subject to appropriate safeguards.

11.11 Government, regulators, and law enforcement

When legally required, compelled, or reasonably necessary to comply with law, respond to lawful requests, enforce our terms, or protect the safety, rights, or property of any person.

11.12 Other users and counterparties

Where you initiate a transaction involving a counterparty, certain information may be shared with that counterparty or visible on a public blockchain.

11.13 No sale of personal data

We do not sell personal data in exchange for money. Certain disclosures of personal data to advertising and analytics partners may, however, constitute a "sale" or "sharing" under U.S. state privacy laws (notably CCPA/CPRA) because of how those laws define those terms. We address this in Section 17 and honor opt-out signals including the Global Privacy Control ("GPC").

The Services are operated from the United States, and we use service providers and partners located in multiple jurisdictions. Personal data you provide will therefore be transferred to, stored in, or processed in countries other than your country of residence, including the United States, the EEA, the United Kingdom, and others. Some of those jurisdictions may not provide the same level of data protection as your home jurisdiction.

12.1 Transfers out of the EEA, UK, and Switzerland

When we transfer personal data out of the EEA, the UK, or Switzerland to a country that has not been recognized as providing an adequate level of data protection, we rely on appropriate safeguards, including:

• the European Commission's Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914, together with the UK International Data Transfer Addendum or the UK International Data Transfer Agreement ("IDTA") for UK transfers, and equivalent mechanisms for Swiss transfers;
• the EU-U.S. Data Privacy Framework (and the UK Extension and Swiss-U.S. framework) for transfers to U.S.-based recipients that are self-certified under the framework;
• other lawful transfer mechanisms recognized under applicable law, including derogations under Article 49 GDPR where strictly necessary.

Where appropriate, we carry out transfer impact assessments and implement supplementary technical, contractual, and organizational measures.

You may contact admin@stolenorbit.com for information about the safeguards in place for specific transfers.

12.2 Transfers from other jurisdictions

For transfers from other regions (Canada, Australia, Brazil, and other jurisdictions with cross-border transfer rules), we rely on mechanisms available under local law, including consent where permitted, contractual safeguards, and certifications.

We implement technical and organizational measures designed to protect personal data, including:

• encryption of data in transit (TLS) and at rest (AES-256 or equivalent);
• access controls, least-privilege principles, role-based access, and multi-factor authentication for personnel;
• network segmentation, firewalls, intrusion detection, and logging;
• secret and key management;
• secure software development, code review, dependency scanning, and vulnerability management;
• regular backups and disaster-recovery planning;
• vendor security reviews;
• data minimization, pseudonymization, and aggregation where practical;
• incident-response procedures.

No system is perfectly secure. If we become aware of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority and you in accordance with applicable law (under GDPR/UK GDPR, generally within 72 hours for authority notifications).

We strongly recommend enabling all security features available in the Services (biometric login, strong passcode, device encryption) and keeping credentials private.

We retain personal data only as long as necessary for the purposes described in this Policy or as required by law.

14.1 General rule

We retain personal data for the duration of your account. When you delete your account, or when we close your account pursuant to our Terms of Service, we delete or anonymize your personal data, subject to the limited exceptions below.

14.2 Specific retention

• Financial account and transaction data - retained for the life of the account and deleted upon account closure, except where retention is required by law or necessary for compliance or defense of legal claims.
• AI interaction data - retained for the life of the account; you may delete individual chats or the full chat history at any time. Aggregated or anonymized metrics may be retained longer.
• Crypto transaction records - retained by our partners according to their retention policies, which may be longer due to AML/CTF and other regulatory obligations. On-chain data is inherently permanent and outside anyone's control.
• Identity-verification outcomes - retained as long as reasonably necessary for compliance and fraud prevention.
• Support communications - retained for the period necessary to resolve the issue plus a reasonable period thereafter for quality assurance and legal defense.
• Logs and security telemetry - retained for periods typically ranging from 30 days to 24 months, depending on the system and purpose.
• Marketing data - retained until consent is withdrawn or you object, and for a reasonable additional period to document the withdrawal.
• Backups - rolling overwrite; deletion requests are propagated to backups through normal rotation (typically within 90 days).

14.3 Legal retention exceptions

We may retain data beyond account closure where necessary to:

• comply with tax, accounting, AML/CTF, sanctions, consumer-protection, or other legal obligations;
• establish, exercise, or defend legal claims;
• resolve disputes, enforce agreements, or prevent fraud and abuse;
• honor suppression lists (for example, to avoid re-contacting a user who has opted out).

After the applicable retention period, we delete, anonymize, or aggregate the data.

Depending on where you live, you have certain rights over your personal data. This Section describes rights under GDPR/UK GDPR; Section 17 covers region-specific rights.

15.1 Rights under GDPR / UK GDPR

You have the right to:

• Access - confirm whether we process your data and receive a copy;
• Rectification - have inaccurate or incomplete data corrected;
• Erasure - have your data deleted in certain circumstances;
• Restriction - request that we limit processing in certain circumstances;
• Data portability - receive personal data you have provided in a structured, commonly used, machine-readable format, and have it transmitted to another controller where technically feasible;
• Object - object to processing based on our legitimate interests (including profiling) and to processing for direct marketing at any time;
• Withdraw consent - at any time, without affecting the lawfulness of prior processing;
• Not be subject to solely automated decisions producing legal or similarly significant effects (Section 10.6);
• Lodge a complaint with a supervisory authority (Section 19).

15.2 How to exercise your rights

Contact admin@stolenorbit.com or use in-app privacy tools. We may need to verify your identity. We respond within the statutory time frames (generally one month under GDPR/UK GDPR, extendable by two further months for complex requests).

We will not discriminate against you for exercising your rights.

Some rights are subject to limits under applicable law. We will explain any refusal and the options for redress.

The Services use cookies, software development kits (SDKs), pixels, beacons, mobile identifiers, local storage, and similar technologies to operate, secure, measure, and - where you consent - advertise the Services.

We classify them as:

• Strictly necessary - required to operate the app (authentication, session management, security, fraud prevention, load balancing, consent management). These cannot be disabled.
• Functional / preference - remember settings (language, theme, preferences). Used on the basis of legitimate interest or consent depending on jurisdiction.
• Analytics - measure product performance, feature usage, and crashes (for example, Firebase Analytics and Crashlytics). Used on consent where required.
• Attribution - measure installs and post-install events across acquisition channels (for example, AppsFlyer). Used on consent where required.
• Advertising - marketing campaigns, conversion tracking, remarketing, and audience measurement (for example, Meta Pixel / Meta SDK, TikTok Pixel / TikTok SDK, Google Ads tags, and similar). Used only with consent where required.

See the separate Bank AI Cookie Notice for detail on specific technologies, purposes, recipients, and retention.

16.1 Consent management

In the EEA, UK, and other jurisdictions requiring prior consent for non-essential trackers, we present a consent interface on first use and whenever necessary. You can change your choices at any time in the app's privacy settings or, where applicable, through your device's OS controls.

16.2 Apple App Tracking Transparency (ATT)

On iOS, where we or our partners engage in "tracking" as defined by Apple, we present the App Tracking Transparency prompt and respect your choice. If you decline, we do not access your IDFA and configure our SDKs to limit cross-app/ cross-site tracking.

16.3 Global Privacy Control and other signals

We honor the Global Privacy Control ("GPC") signal where legally required. We also honor Do Not Track, opt-out preference signals, and other automated signals where required by applicable law.

17.1 EEA, Switzerland, and United Kingdom

The full Policy applies. Our lawful bases are in Section 9. Transfer mechanisms are in Section 12. You may lodge a complaint with your local supervisory authority (Section 19).

17.2 United States - California (CCPA/CPRA)

If you are a California resident, you have additional rights under CCPA/CPRA:

• Right to know the personal information we collect, sources, purposes, categories of recipients, and specific pieces.
• Right to delete personal information collected from you, subject to exceptions.
• Right to correct inaccurate personal information.
• Right to opt out of "sale" or "sharing" of personal information. We do not sell personal information for money, but certain disclosures to advertising and analytics partners may be "sales" or "sharing" for cross-context behavioral advertising under CCPA/CPRA. You may opt out through in-app privacy settings and by broadcasting the GPC signal.
• Right to limit use of sensitive personal information to purposes permitted under CCPA/CPRA.
• Right to non-discrimination for exercising your rights.
• Authorized agents may submit requests on your behalf, subject to verification.

Notice of collection. In the 12 months before this Policy's effective date (or, for new features, from their launch), we collect the categories of personal information described in Section 6, from the sources in Section 8, for the purposes in Section 9, and disclose them to the categories of recipients in Section 11.

Sensitive personal information. See Section 7.2.

Financial information exceptions. Certain financial information processed to provide the Services is subject to the Gramm-Leach-Bliley Act ("GLBA") or the California Financial Information Privacy Act and, to that extent, is exempt from CCPA/CPRA.

17.3 Other U.S. state privacy laws

If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, Iowa, Indiana, Kentucky, Rhode Island, or another state with a comprehensive privacy law, you may have equivalent rights of access, correction, deletion, portability, opt-out of targeted advertising, opt-out of sale, opt-out of profiling for decisions producing legal or similarly significant effects, and appeal of our decisions.

To exercise these rights, contact admin@stolenorbit.com. You may appeal a decision by replying to our response; if denied, you may contact your state attorney general.

17.4 Canada (PIPEDA and provincial laws)

If you are in Canada, PIPEDA and applicable provincial privacy laws (Quebec Law 25, Alberta PIPA, British Columbia PIPA) apply. You have rights of access and correction and - under Quebec Law 25 - additional rights to portability, information about automated decision-making, and to object to certain uses. Our Privacy Officer for PIPEDA purposes is reachable at admin@stolenorbit.com. You may complain to the Office of the Privacy Commissioner of Canada or the relevant provincial commissioner.

17.5 Australia

Australian Privacy Principles under the Privacy Act 1988 (Cth) apply to our processing of Australian residents' personal information. You have rights of access and correction and may complain to us or to the Office of the Australian Information Commissioner (OAIC).

17.6 Brazil

The LGPD grants you rights of confirmation, access, correction, anonymization, portability, deletion, information about sharing, and revocation of consent. Our DPO (Encarregado) for LGPD purposes is reachable at admin@stolenorbit.com. You may complain to the ANPD.

17.7 Other jurisdictions

If another jurisdiction's law applies to you, we will honor the rights granted to you under that law. Contact admin@stolenorbit.com.

With your consent where required, we may use your data to:

• send promotional emails, push notifications, in-app messages, and SMS about new features, offers, or content;
• deliver targeted advertising on third-party platforms (Meta, TikTok, Google, and similar);
• build audiences (including lookalike audiences) based on non-sensitive data;
• measure marketing-campaign performance through attribution partners.

We do not use special category data (Section 7) or sensitive personal information (Section 7.2) for marketing or advertising.

You can opt out of marketing communications at any time via the unsubscribe link, in-app settings, or by contacting admin@stolenorbit.com.

If you believe we have infringed your privacy rights, please contact us first at admin@stolenorbit.com so we can try to resolve the issue.

You also have the right to lodge a complaint with a supervisory authority:

• EEA users - the data protection authority of the country where you live, work, or where the alleged infringement took place.
• UK users - the Information Commissioner's Office (ICO), ico.org.uk.
• Swiss users - the Federal Data Protection and Information Commissioner (FDPIC).
• U.S. state residents - your state attorney general.
• Canada, Australia, Brazil - as set out in Section 17.

We may update this Policy from time to time. For material changes we will notify you through the Services, by email, or by other reasonable means and, where required, obtain your consent. The "Last updated" date at the top of this Policy indicates when it was last revised. Prior versions are available on request.

Bank AI is a trading name of Stolen Orbit LLC. References to third-party brands (Powens, MoonPay, Ramp Network, Privy, Magic, Dynamic, Anthropic, OpenAI, Google, Firebase, AppsFlyer, Meta, TikTok, and others) are for identification only and do not imply endorsement or partnership beyond any arrangements we may have in place from time to time. These companies are independent third parties subject to their own privacy notices and terms.