GLOBAL PRIVACY POLICY

Effective Date: 24 February 2026 | Version 2.0

This Privacy Policy (the "Policy") describes how the Snef group of companies ("Snef," "we," "us," or "our") collects, uses, discloses, transfers, retains, and protects personal data in connection with our websites (including snef.co and related domains), mobile applications, products, APIs, and services (collectively, the "Services").

The Services encompass:

• an e-commerce and social commerce marketplace serving consumers, creators, and brands (B2C);

• creator tools and monetisation features delivered as software-as-a-service ("SaaS");

• AI-powered content generation, recommendation, and commerce optimisation tools; and

• a business-to-business SaaS platform ("Snef OS") for brands, agencies, and enterprise customers.

This Policy is designed to comply with the Singapore Personal Data Protection Act 2012 (as amended) ("PDPA"), the Indonesia Personal Data Protection Law (Undang-Undang Nomor 27 Tahun 2022 tentang Pelindungan Data Pribadi) ("UUPD" or "PDP Law") and its implementing regulations, applicable United States state privacy laws including the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and generally accepted international data protection best practices.

Important: This is a unified global policy. Certain provisions apply only in specific jurisdictions or to specific product lines. If you are an enterprise or business customer using Snef OS, the terms of your master services agreement and any applicable Data Processing Addendum ("DPA") will govern to the extent of any conflict with this Policy.

Snef operates through three legal entities. The entity acting as data controller (or, under the CCPA/CPRA, the "business") with respect to your personal data depends on the entity that provides the Services to you. This is determined by your geographic location, the applicable terms of service you have accepted, or the contracting entity identified in an order form, invoice, or platform enrollment flow.

Singapore: SNEF PTE. LTD., 68 Circular Road #02-01, Singapore 049422, UEN: 202424026R

Indonesia: SNEF, Ideacentrum Office, Jl. Yusuf Adiwinata 32/34, Gondangdia, Menteng, Central Jakarta, DKI Jakarta 10350, NIB: 2608240079302

United States: Snef Inc., 447 Broadway, 2nd Floor Suite #2405, New York, NY 10013, USA, Delaware corporation (eff. 27 Nov 2023)

1.1 Controller and Processor Roles

• B2C marketplace, creator accounts, and consumer-facing products: The relevant Snef entity acts as the data controller for account data, platform operations, and marketplace transaction data.

• Snef OS (B2B SaaS): The business customer ("Customer") is the data controller for Customer Content (as defined below). Snef acts as a data processor (or "service provider" under CCPA/CPRA), processing personal data on behalf of and under the documented instructions of the Customer, subject to the terms of a DPA.

• Intra-group sharing: Snef entities may share personal data among themselves for operational, security, compliance, and service-delivery purposes. Intra-group transfers are governed by internal data-sharing agreements.

This Policy applies to the processing of personal data that occurs:

1. when you visit our websites, applications, or other digital properties;

2. when you create an account or interact with the Services as a consumer, creator, brand, partner, or developer;

3. when your organisation uses Snef OS and submits, connects, or generates data through the Services;

4. when you communicate with us through support, sales, onboarding, or compliance channels; and

5. when we collect data through cookies, analytics, or similar technologies.

Exclusions: This Policy does not govern personal data processed by third-party services you access through or in connection with the Services (e.g., social media platforms, independent payment processors, third-party analytics providers). Those services are governed by their own privacy policies. We encourage you to review those policies before sharing your data.

• "Personal Data" / "Personal Information": information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an identified or identifiable natural person.

• "Sensitive Personal Data": categories of personal data that receive heightened protection under applicable law, including government-issued identifiers, financial account credentials, precise geolocation, biometric data processed for identification purposes, health information, information revealing racial or ethnic origin, religious beliefs, trade union membership, and data concerning minors.

• "Customer Content": data (including personal data) submitted to, generated within, or connected to Snef OS by or on behalf of a business Customer, including data of the Customer’s end users, prospects, merchants, creators, or employees.

• "Processing": any operation or set of operations performed on personal data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

Depending on how you interact with the Services, we may collect the following categories of personal data:

4.1 Identifiers and Contact Information

• Full name, username or handle, email address, telephone number.

• Business name, role, title, and organisational affiliation.

• Government-issued identification numbers where required for identity verification, regulatory compliance, fraud prevention, or payout processing.

4.2 Account, Profile, and Marketplace Data

• Account credentials (hashed and salted; we do not store passwords in plaintext), preferences, and settings.

• Creator profiles, storefront configurations, product listings, catalogues, pricing, and related commerce metadata.

• Brand onboarding information, partnership details, and campaign configurations.

4.3 Transaction and Financial Data

• Billing contact details, transaction history, order records, invoices, and tax-related information.

• Payment instrument details are processed by our PCI DSS-compliant payment processors. Snef typically receives only limited tokenised references, transaction confirmations, and metadata—not full payment card numbers.

4.4 Device, Technical, and Usage Data

• IP address, device identifiers, browser type and version, operating system, screen resolution.

• Log data, timestamps, pages and screens viewed, clickstream and interaction data, referral URLs.

• Approximate geographic location derived from IP address; precise geolocation only where you explicitly enable it and applicable law permits.

4.5 Content, Communications, and Support Data

• Messages, support tickets, call or video recordings (where legally permitted and with prior notice), and feedback you provide.

• Content you upload, create, or generate through the Services (e.g., images, product descriptions, marketing copy, videos).

• Community posts, comments, and collaborative content shared in public or shared areas of the platform.

4.6 AI-Related Inputs and Outputs

• Prompts, instructions, queries, and other inputs you provide to AI-enabled features.

• Outputs generated by AI features, together with operational metadata necessary to deliver, secure, monitor, and improve those features.

4.7 Creator Content, Intellectual Property, and Licensing Data

• Original creative works, brand assets, and intellectual property uploaded to or created within the platform.

• Licensing terms, usage rights configurations, attribution preferences, and content distribution metadata.

• Revenue, royalty, and compensation data associated with creator content.

4.8 Sensitive Personal Data

We process sensitive personal data only where strictly necessary and where we have a lawful basis to do so. Examples include:

• Government-issued identifiers for identity verification, Know Your Customer (KYC) compliance, or payout processing.

• Financial account details for creator or merchant payouts (primarily handled through regulated payment processors).

• Precise geolocation data (only with your active consent or enablement).

• Biometric identifiers only where explicitly disclosed and consented to under applicable law.

We collect personal data from the following sources:

• Directly from you: through account registration, forms, onboarding flows, support interactions, and your use of the Services.

• Automatically: through cookies, server logs, SDKs, analytics tools, and similar technologies when you access or use the Services.

• From integrations you enable: where you connect third-party services (e.g., social media accounts, e-commerce platforms, CRM tools, email marketing services), data may flow between those services and Snef in accordance with your configuration.

• From business Customers: for Snef OS, Customer Content is provided by or on behalf of the Customer.

• From partners and service providers: such as payment confirmation data, fraud detection signals, identity verification results, and publicly available business information.

6.1 Providing and Operating the Services

• Creating, administering, and securing user accounts.

• Enabling marketplace transactions, order fulfilment, and creator-brand workflows.

• Providing AI-powered features, content generation, recommendations, and automation you request.

• Processing payments, settlements, and payouts through payment partners.

• Authenticating users and enforcing platform terms and policies.

6.2 Improving, Securing, and Maintaining the Services

• Debugging, performance monitoring, load balancing, and infrastructure operations.

• Security monitoring, threat detection, vulnerability management, access controls, and audit logging.

• Product analytics, A/B testing, and feature development.

• Training and improving AI models (subject to the limitations described in Section 12).

6.3 Communications

• Service-related notices, security alerts, and administrative messages.

• Customer support, onboarding guidance, and technical assistance.

• Responding to inquiries, complaints, and data subject rights requests.

6.4 Marketing and Personalisation (Subject to Consent and Choices)

• Sending product updates, newsletters, promotional offers, and event invitations (with opt-out available).

• Personalising content and recommendations where permitted by applicable law.

• Measuring and attributing the effectiveness of marketing campaigns.

6.5 Legal, Compliance, and Business Operations

• Complying with applicable legal obligations, tax and accounting requirements, and regulatory mandates.

• Responding to lawful governmental and regulatory requests.

• Resolving disputes, enforcing agreements, and protecting the rights, property, and safety of Snef and others.

• Supporting due diligence, corporate restructuring, financing, and merger and acquisition activities (see Section 17).

Our lawful bases for processing personal data depend on the applicable jurisdiction, the nature of the data, and the context of the processing. They may include:

• Consent: for marketing communications where required, the use of non-essential cookies, processing of certain sensitive personal data, and opt-in AI features. Where consent is relied upon, you may withdraw it at any time; withdrawal does not affect the lawfulness of prior processing.

• Contractual necessity: where processing is necessary to perform or enter into a contract with you, such as providing the Services, processing transactions, and maintaining your account.

• Legitimate interests: (or equivalent legal concepts in applicable jurisdictions) such as security, fraud prevention, product improvement, and business operations, balanced against your fundamental rights and freedoms.

• Legal obligation: where processing is necessary to comply with applicable laws, including tax, accounting, anti-money laundering, and regulatory reporting requirements.

• Vital interests: in rare circumstances, to protect someone’s life or physical safety.

Indonesia-specific: Under the PDP Law, we rely on applicable legal grounds for processing including the data subject’s consent, contractual necessity, legitimate interests, and compliance with legal obligations. We will obtain explicit consent where required for the processing of sensitive (specific) personal data.

8.1 Within the Snef Group

We share personal data among Snef entities as necessary for operational coordination, security, compliance, and delivery of the Services, subject to internal data-sharing agreements and consistent with this Policy.

8.2 Service Providers and Subprocessors

We engage carefully selected third-party vendors ("subprocessors") to support our operations, including:

• Cloud hosting and infrastructure providers.

• Payment processing and financial services providers.

• Analytics, monitoring, and observability platforms.

• Customer support and communication tools.

• Identity verification and fraud prevention services.

• AI model hosting and inference providers.

Subprocessors are authorised to process personal data only to the extent necessary to perform services on our behalf, under written agreements imposing confidentiality, security, and data protection obligations no less protective than those set out in this Policy. Enterprise Customers may request a current list of subprocessors and may receive advance notice of new subprocessor appointments as provided in their DPA.

8.3 Marketplace and Commerce Counterparties

In connection with marketplace transactions:

• Buyers may receive limited creator or merchant information necessary for order fulfilment, shipping, support, and regulatory compliance.

• Creators and merchants may receive buyer information necessary to fulfil orders, process returns, provide support, and comply with applicable law.

The scope of shared data is limited to what is reasonably necessary for the relevant transaction.

8.4 Third-Party Integrations

If you connect or enable third-party integrations (e.g., social media accounts, e-commerce platforms, CRM systems), personal data may be exchanged between Snef and those services in accordance with your configuration. We are not responsible for the privacy practices of those third parties.

8.5 Legal and Safety Disclosures

We may disclose personal data where we believe, in good faith, that disclosure is reasonably necessary to:

• comply with applicable law, regulation, legal process, or enforceable governmental request;

• protect the rights, property, or safety of Snef, our users, or the public;

• investigate or prevent fraud, security incidents, or technical issues; or

• enforce our terms of service and other applicable agreements.

8.6 CCPA/CPRA: Sale and Sharing Disclosure

We do not sell personal information for monetary consideration. Certain data-sharing activities (e.g., the use of advertising cookies, analytics identifiers, or similar technologies shared with advertising partners) may constitute a "sale" or "sharing" as those terms are broadly defined under the CCPA/CPRA.

California residents may opt out of such activities by submitting a request through the methods described in Section 13.4 or by enabling a recognised opt-out preference signal (e.g., Global Privacy Control).

We do not have actual knowledge that we sell or share the personal information of consumers under 16 years of age.

Snef operates across Singapore, Indonesia, and the United States, and utilises global cloud infrastructure and third-party vendors. As a result, your personal data may be transferred to, stored in, or accessed from jurisdictions other than where you reside. These jurisdictions may have data protection laws that differ from those in your jurisdiction.

We implement cross-border data transfer safeguards appropriate to the context, which may include:

• Intra-group data transfer agreements imposing obligations consistent with applicable data protection law.

• Contractual data protection clauses with vendors and subprocessors, including commitments regarding security, audit rights, and incident notification.

• Technical safeguards including encryption in transit (TLS 1.2 or higher) and at rest, access controls based on least-privilege principles, and audit logging.

• Transfer impact assessments and supplementary measures where required by applicable law.

• Recognised transfer mechanisms (e.g., standard contractual clauses or equivalent instruments) where required and available.

Indonesia-specific: Where personal data of Indonesian data subjects is transferred outside Indonesia, we will ensure that the receiving jurisdiction provides an adequate level of personal data protection or that appropriate safeguards are in place, in accordance with the PDP Law and its implementing regulations. Where required, we will obtain consent for such transfers.

Enterprise Customers using Snef OS may address cross-border transfer terms, subprocessor restrictions, and data residency preferences in their DPA.

We retain personal data only for as long as reasonably necessary to fulfil the purposes described in this Policy, unless a longer retention period is required or permitted by applicable law. Our retention practices are guided by the following principles:

• Account data: retained for the duration of your active account, plus a reasonable post-closure period (generally not exceeding 24 months, unless otherwise required) for account recovery, audit trail integrity, fraud prevention, dispute resolution, and regulatory compliance.

• Transaction and billing records: retained for the period required by applicable tax, accounting, and financial regulations (typically 5–7 years depending on jurisdiction).

• Security and audit logs: retained for a period appropriate for security monitoring, incident investigation, and forensic analysis (generally 12–24 months), unless a specific incident requires longer retention.

• Marketing data: retained until you withdraw consent or opt out, after which we will cease marketing processing within a reasonable period (not exceeding 30 days) and retain only the minimum information necessary to honour your opt-out preference.

• Customer Content (Snef OS): retained in accordance with the Customer’s contract and documented instructions. Upon termination or expiry of the agreement, Customer Content will be returned or deleted in accordance with the applicable DPA, subject to any legal retention obligations.

• AI interaction data: prompts and outputs associated with your use of AI features are retained for the period necessary to deliver, secure, and (where permitted) improve those features, after which they are deleted or anonymised.

Where personal data is no longer required for its original purpose, we will securely delete, anonymise, or aggregate it. Anonymised and aggregated data that cannot reasonably be used to identify any individual is not subject to this Policy.

We maintain a comprehensive information security programme designed to protect personal data against unauthorised access, alteration, disclosure, or destruction. Our security measures include, but are not limited to:

• Role-based access controls and least-privilege policies for all personnel and systems.

• Encryption of personal data in transit (TLS 1.2+) and at rest using industry-standard algorithms.

• Network segmentation, intrusion detection, and continuous monitoring.

• Audit logging, anomaly detection, and automated alerting.

• Vendor and subprocessor risk assessment and ongoing monitoring.

• Secure software development lifecycle (SDLC) practices, including code review and vulnerability testing.

• Employee security awareness training and background checks for personnel with access to personal data.

• Business continuity and disaster recovery procedures.

No system is completely secure. You are responsible for maintaining the confidentiality of your account credentials, using strong and unique passwords, and implementing appropriate security practices on your devices. If you become aware of any unauthorised access to your account, you must notify us immediately.

12.1 AI-Powered Features

Certain Services incorporate artificial intelligence and machine learning capabilities, including content generation, product recommendations, commerce optimisation, image analysis, and workflow automation. When you use these features, we process your inputs (such as prompts, instructions, and content), relevant contextual data, and the resulting outputs.

12.2 AI Model Training and Improvement

We may use certain interaction data from AI features to improve the reliability, safety, accuracy, and performance of our AI systems, subject to:

• applicable law and regulatory requirements;

• contractual commitments (particularly for enterprise Customers under a DPA); and

• available controls and choices provided within the Services.

Enterprise / Snef OS default: Customer Content processed through Snef OS is not used for generalised model training unless the Customer has provided explicit, documented consent. This default is reflected in our standard DPA.

12.3 Automated Decision-Making

We may use automated systems to:

• detect and prevent fraud, abuse, or policy violations;

• prioritise support requests and security reviews;

• generate content and product recommendations;

• score, rank, or route workflows within Snef OS; and

• assess risk for compliance or onboarding purposes.

Where automated processing produces legal effects or similarly significant effects on individuals, and where required by applicable law (including the PDP Law and CCPA/CPRA), we will:

• provide meaningful information about the logic, significance, and envisaged consequences of such processing;

• implement appropriate safeguards, including the opportunity for human review; and

• offer the right to contest automated decisions and obtain an explanation.

Your rights with respect to personal data depend on your jurisdiction and the manner in which you use the Services. We may require verification of your identity before fulfilling requests, and we may decline or limit requests where permitted by applicable law (e.g., to protect the rights and freedoms of others, maintain security, or comply with legal obligations).

13.1 Rights Generally Available

• Access: Request confirmation of whether we process your personal data and obtain a copy of such data.

• Correction: Request correction of inaccurate or incomplete personal data.

• Deletion: Request deletion of your personal data, subject to legal and contractual retention requirements.

• Withdrawal of consent: Where processing is based on consent, withdraw that consent at any time (without affecting the lawfulness of prior processing).

• Objection: Object to processing based on legitimate interests, where applicable.

• Data portability: Receive your personal data in a structured, commonly used, machine-readable format, where technically feasible and required by applicable law.

• Restriction: Request restriction of processing in certain circumstances.

13.2 Singapore (PDPA)

If you are located in Singapore, you may exercise rights of access to and correction of your personal data under the PDPA. You may also withdraw consent for the collection, use, or disclosure of your personal data, subject to legal and contractual limitations. Withdrawal of consent may affect our ability to provide certain Services. Our Data Protection Officer can be contacted using the details in Section 19.

13.3 Indonesia (PDP Law)

If you are located in Indonesia, you may exercise rights recognised under UU PDP 2022 and its implementing regulations, including:

• the right to be informed about and access your personal data;

• the right to correct or update inaccurate data;

• the right to request deletion or destruction of data that is no longer necessary;

• the right to withdraw consent;

• the right to restrict or object to processing in certain circumstances;

• the right to data portability; and

• the right to lodge a complaint with the relevant supervisory authority.

13.4 United States (Including California CCPA/CPRA)

If you are a California resident, you have the following rights under the CCPA/CPRA:

• Right to Know: Request the categories and specific pieces of personal information we have collected, the sources, the purposes, and the categories of third parties with whom we share it.

• Right to Delete: Request deletion of your personal information, subject to statutory exceptions.

• Right to Correct: Request correction of inaccurate personal information.

• Right to Opt Out of Sale/Sharing: Opt out of the "sale" or "sharing" of your personal information (as those terms are defined under CCPA/CPRA). We honour recognised opt-out preference signals such as Global Privacy Control (GPC).

• Right to Limit Use of Sensitive Personal Information: Where applicable.

• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To submit a request, use the contact methods in Section 19. If you use an authorised agent, we may require written authorisation and direct verification of your identity.

Residents of other U.S. states with applicable privacy laws (e.g., Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana) may exercise rights available under their respective statutes using the same contact methods.

13.5 Response Timelines

We aim to respond to verifiable rights requests within the timeframes required by applicable law. For Singapore PDPA requests, we will respond as soon as reasonably possible and generally within 30 days. For CCPA/CPRA requests, we will respond within 45 days (extendable by an additional 45 days with notice). For Indonesian PDP Law requests, we will respond within the timeframes prescribed by applicable regulations.

We maintain incident response procedures to detect, investigate, contain, and remediate personal data breaches. In the event of a breach that is likely to result in significant harm to affected individuals or that is otherwise notifiable under applicable law, we will:

• notify the relevant data protection authorities within the timeframes required by applicable law (including, for Singapore, notification to the Personal Data Protection Commission within 3 calendar days of assessing that the breach is notifiable under the PDPA, and for Indonesia, notification in accordance with the PDP Law and its implementing regulations);

• notify affected individuals without unreasonable delay where required by applicable law;

• provide information about the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken or proposed to mitigate the impact; and

• cooperate with regulatory authorities as required.

Enterprise Customers using Snef OS will receive breach notification in accordance with the timelines and procedures specified in their DPA.

We may send you marketing communications about our products, services, events, and promotions where you have provided consent or where permitted by applicable law. You may opt out at any time by:

• using the unsubscribe link in marketing emails;

• adjusting your notification preferences in your account settings; or

• contacting us using the details in Section 19.

We will process your opt-out request without undue delay. Opting out of marketing communications does not affect transactional or service-related messages (e.g., security alerts, order confirmations, account notifications, legal notices), which we may continue to send as necessary.

Singapore Do Not Call Registry: Where applicable, we comply with Singapore’s Do Not Call provisions under the PDPA. We will not send marketing messages to Singapore telephone numbers registered on the Do Not Call Registry unless we have obtained your clear and unambiguous consent.

We use cookies, web beacons, pixels, local storage, and similar technologies on our websites and applications for the following purposes:

• Strictly Necessary / Essential: required for core site functionality, security, authentication, and fraud prevention. These cannot be disabled without affecting your ability to use the Services.

• Preferences and Functionality: to remember your settings, language preferences, and customisation choices.

• Analytics and Performance: to understand how users interact with the Services, measure performance, and identify areas for improvement. We use analytics providers that may set their own cookies.

• Security and Fraud Prevention: to detect suspicious activity, protect against attacks, and maintain platform integrity.

• Advertising and Attribution (where enabled): to measure marketing campaign effectiveness and, where permitted, serve relevant advertisements. These technologies may enable data sharing with advertising partners as described in Section 8.6.

Managing cookies: You can manage or disable cookies through your browser settings. Where available, we provide cookie consent tools that allow you to accept or reject non-essential cookies. Disabling certain cookies may affect the functionality and performance of the Services. We honour Global Privacy Control (GPC) signals where required by applicable law.

If Snef or any Snef entity is involved in a merger, acquisition, joint venture, corporate reorganisation, divestiture, financing round, sale of assets, or insolvency or bankruptcy proceeding, personal data may be disclosed to prospective counterparties, investors, and advisors as part of due diligence, and may be transferred as part of the transaction. Any such disclosure or transfer will be subject to appropriate confidentiality and security measures. Following the completion of a business transfer, the acquiring entity’s privacy policy may govern personal data, in which case we will provide notice as required by applicable law.

The Services are not directed to children. We do not knowingly collect personal data from children under the age of 16 (or such other age as may be prescribed by applicable law in your jurisdiction). If we become aware that we have collected personal data from a child without valid parental or guardian consent where required, we will take prompt steps to delete such data. If you believe that a child has provided personal data to us without appropriate consent, please contact us immediately using the details in Section 19.

For privacy inquiries, data subject rights requests, complaints, or questions about this Policy, please contact us:

Email: [email protected] (Attn: Data Protection Officer)

Postal Addresses:

Singapore: SNEF PTE. LTD., 68 Circular Road #02-01, Singapore 049422

Indonesia: SNEF, Ideacentrum Office, Jl. Yusuf Adiwinata 32/34, Gondangdia, Menteng, Central Jakarta, DKI Jakarta 10350

United States: Snef Inc., 447 Broadway, 2nd Floor Suite #2405, New York, NY 10013, United States

If you are dissatisfied with our response to your inquiry or complaint, you may have the right to lodge a complaint with the relevant data protection authority in your jurisdiction, including the Personal Data Protection Commission (Singapore), the supervisory authority under the PDP Law (Indonesia), or the California Attorney General (for CCPA/CPRA matters).

We may update this Policy from time to time to reflect changes in applicable law, our processing activities, technology, or business practices. When we make material changes, we will update the "Effective Date" at the top of this Policy and, where required by applicable law, provide additional notice (such as a prominent notice on our website or direct notification to your account). Where legally required, we will obtain your consent to material changes. We encourage you to review this Policy periodically.

This Policy is governed by the laws applicable in the jurisdiction of the Snef entity that acts as the data controller for your personal data. Any dispute arising out of or in connection with this Policy shall be subject to the exclusive jurisdiction of the courts in the relevant Snef entity’s jurisdiction of incorporation, unless mandatory law requires otherwise.