GDPR Commitment

Our commitment to protecting your data under the General Data Protection Regulation.

Last Updated: March 17, 2026

1. Our Commitment to GDPR

At PlanPal, we take the protection of personal data seriously. As a cloud-based equity compensation compliance platform, we handle sensitive financial and personal information on behalf of our customers and their employees. We have implemented comprehensive technical and organizational controls intended to support compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

Our commitment extends beyond regulatory checkboxes. We believe that strong data protection practices build trust, and trust is the foundation of every relationship we have with our customers, their participants, and our partners.

2. PlanPal as Data Controller and Data Processor

Depending on the context, PlanPal may act as either a data controller or a data processor under the GDPR:

PlanPal as Data Controller

When you interact directly with PlanPal, such as visiting our website, creating an account, or contacting our sales or support teams, PlanPal acts as the data controller. In this capacity, we determine the purposes and means of processing your personal data, and we are committed to processing your data in a manner designed to align with GDPR requirements.

PlanPal as Data Processor

When our customers use the PlanPal platform to manage equity compensation data for their employees and participants, PlanPal acts as a data processor on behalf of the customer (the data controller). In this role, we process personal data strictly in accordance with our customers' instructions and applicable data processing agreements.

3. Lawful Basis for Processing

We only process personal data when we have a valid lawful basis to do so. The lawful bases we rely on include:

  • Contractual Necessity: Processing that is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. This includes providing you with access to the PlanPal platform and delivering the services you have engaged us to perform.
  • Legitimate Interest: Processing that is necessary for the purposes of our legitimate interests, provided those interests are not overridden by your rights and freedoms. This includes improving our platform, ensuring security, and conducting analytics to enhance the user experience.
  • Consent: Where required, we obtain your explicit consent before processing your personal data. You have the right to withdraw consent at any time, and doing so will not affect the lawfulness of processing carried out prior to withdrawal.
  • Legal Obligation: Processing that is necessary to comply with a legal obligation to which PlanPal is subject, such as tax reporting requirements or regulatory mandates related to equity compensation.

4. Data Subject Rights

Under the GDPR, individuals whose personal data we process have a number of important rights. We are committed to facilitating the exercise of these rights in a timely and transparent manner.

Right of Access

You have the right to request confirmation of whether we process your personal data and, if so, to obtain a copy of that data along with information about how it is being processed. We will respond to access requests within 30 days.

Right to Rectification

If any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or complete it without undue delay.

Right to Erasure

Also known as the "right to be forgotten," you may request the deletion of your personal data where there is no compelling reason for us to continue processing it. Please note that this right is not absolute and may be subject to legal retention obligations, particularly in the context of equity compensation compliance records.

Right to Restrict Processing

You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data or when you have objected to processing pending verification of whether our legitimate grounds override yours.

Right to Data Portability

Where processing is based on consent or contractual necessity and is carried out by automated means, you have the right to receive your personal data in a structured, commonly used, and machine-readable format. You may also request that we transmit this data directly to another controller where technically feasible.

Right to Object

You have the right to object to processing of your personal data based on legitimate interests or for direct marketing purposes. Where you object to processing for direct marketing, we will cease such processing immediately.

Rights Related to Automated Decision-Making

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significant effects concerning you. PlanPal does not currently engage in solely automated decision-making that produces legal or similarly significant effects. If this changes, we will provide meaningful information about the logic involved and offer you the opportunity to contest such decisions.

5. Data Processing Agreements

For our enterprise customers, PlanPal offers Data Processing Agreements (DPAs) that govern the processing of personal data on their behalf. Our DPAs are designed to align with the requirements of Article 28 of the GDPR and include:

  • A clear description of the subject matter, duration, nature, and purpose of processing
  • The types of personal data processed and categories of data subjects
  • Obligations and rights of the data controller
  • Commitments regarding confidentiality, security measures, and sub-processor management
  • Provisions for data subject rights assistance, data breach notification, and data return or deletion upon termination

If you require a DPA, please contact us at hello@planpal.io.

6. Sub-processors

PlanPal engages carefully vetted third-party sub-processors to assist in delivering our services. We take the following steps with the goal of ensuring that all sub-processors meet our high standards for data protection:

  • We conduct thorough due diligence on all prospective sub-processors before engagement
  • We enter into written agreements with each sub-processor that impose data protection obligations no less protective than those set out in our own commitments
  • We regularly review and audit our sub-processors to verify ongoing adherence to data protection standards
  • We maintain an up-to-date list of sub-processors and notify customers of any changes, providing them with the opportunity to object

Customers who wish to receive our current list of sub-processors or be notified of updates may contact us at hello@planpal.io.

7. Cross-Border Data Transfers

As a global platform, PlanPal may transfer personal data outside the European Economic Area (EEA). When we do, we strive to put appropriate safeguards in place to protect your data in a manner designed to align with GDPR requirements:

  • Adequacy Decisions: Where the European Commission has determined that a third country provides an adequate level of data protection, we may rely on that adequacy decision as a basis for transfer.
  • Standard Contractual Clauses (SCCs): For transfers to countries without an adequacy decision, we use the European Commission's Standard Contractual Clauses with the intent of providing personal data with equivalent protection during and after transfer.
  • Supplementary Measures: Where necessary, we implement additional technical and organizational measures to supplement the safeguards provided by SCCs, including encryption in transit and at rest, access controls, and data pseudonymization.

8. Data Protection Officer

PlanPal has designated a Data Protection Officer (DPO) to oversee our efforts to align with GDPR requirements and serve as a point of contact for data protection inquiries. Our DPO is responsible for:

  • Monitoring our alignment with the GDPR and other applicable data protection laws
  • Advising on data protection impact assessments
  • Cooperating with supervisory authorities
  • Serving as a contact point for data subjects regarding their rights

You can reach our Data Protection Officer at dpo@planpal.io.

9. Data Breach Notification

PlanPal maintains a comprehensive incident response plan to address personal data breaches promptly and effectively. In the event of a breach:

  • We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach that is likely to result in a risk to the rights and freedoms of individuals, as required by Article 33 of the GDPR.
  • Where a breach is likely to result in a high risk to the rights and freedoms of affected individuals, we will notify those individuals without undue delay, as required by Article 34 of the GDPR.
  • For customers whose data we process as a data processor, we will notify the relevant data controller without undue delay upon becoming aware of a breach, enabling them to fulfill their own notification obligations.
  • All breaches are documented internally, including their effects and the remedial actions taken, regardless of whether notification to a supervisory authority is required.

10. Privacy by Design

The PlanPal platform is built with GDPR principles in mind. We strive to incorporate data protection principles at every stage of product development and service delivery:

  • Data Minimization: We collect and process only the personal data that is necessary for the specified purpose.
  • Purpose Limitation: Personal data is processed only for the purposes for which it was collected, unless a compatible purpose is identified.
  • Storage Limitation: We retain personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by law.
  • Security by Default: Our platform implements encryption, access controls, audit logging, and other technical measures to protect personal data from unauthorized access, alteration, or destruction.
  • Regular Assessments: We conduct data protection impact assessments for processing activities that are likely to result in a high risk to individuals' rights and freedoms.

11. Cookie Consent

PlanPal uses cookies and similar technologies on our website. We are working to meet GDPR standards by providing you with clear information about the cookies we use and obtaining your consent where required by the GDPR and the ePrivacy Directive.

When you visit our website, you will be presented with a cookie consent mechanism that allows you to accept or decline non-essential cookies. Strictly necessary cookies, which are required for the basic functioning of our website, do not require consent.

For detailed information about the cookies we use, their purposes, and how to manage your preferences, please refer to our Privacy Policy.

12. How to Exercise Your Rights

We strive to make it straightforward for you to exercise your data protection rights. You may submit a request through any of the following channels:

  • Email: Send your request to hello@planpal.io or directly to our Data Protection Officer at dpo@planpal.io.
  • Written Correspondence: You may also send your request by post to the address listed on our Contact page.

When submitting a request, please provide sufficient information to allow us to verify your identity and locate your data. We will respond to all valid requests within 30 days. In exceptional circumstances where a request is particularly complex or we have received a large number of requests, we may extend this period by an additional 60 days, and we will inform you of any such extension within the initial 30-day period.

If you are not satisfied with how we have handled your request, you have the right to lodge a complaint with a supervisory authority in the EU member state of your habitual residence, place of work, or the place of the alleged infringement.

© 2026 PlanPal. All rights reserved.