Privacy Policy

Last Updated: 20 March 2026

Version: 1.0.0

1. INTRODUCTION AND SCOPE

1.1 About Squire

Squire ("we," "us," "our," or "Squire") is a legal technology company committed to the highest standards of privacy and data protection. This Privacy Policy explains how we collect, use, store, protect, and process personal information - including information collected through cookies and similar technologies - in connection with our legal AI platform, website at www.squire.law, and related services (collectively, the "Services").

1.2 Legal Framework

This Privacy Policy is designed to comply with the Protection of Personal Information Act 4 of 2013 ("POPIA") of the Republic of South Africa, the Draft Data Protection Bill, 2023 of the Republic of Namibia to the extent applicable, the Consumer Protection Act 68 of 2008 of South Africa, applicable data protection laws of other jurisdictions as specified in Section 14, and industry best practices for legal technology and AI service providers.

1.3 Scope of Application

This Privacy Policy applies to all personal information processed through our Services; all users, clients, and visitors to our platform ("Data Subjects"); all processing activities conducted by us or on our behalf; all cookies and similar tracking technologies used in connection with our Services; and all jurisdictions in which we operate or where our Services are accessed.

1.4 Our Core Commitments

• No Training Use: Your personal information and any data uploaded to our platform will never be used to train, develop, or improve any artificial intelligence models, machine learning algorithms, or similar technologies.
• No Third-Party Sharing: We do not sell, rent, lease, or otherwise transfer personal information to any third parties for their own purposes, marketing, or commercial gain.
• No Advertising Tracking: We do not use cookies or tracking technologies to build advertising profiles, track you across different websites, or serve targeted advertising.
• Processor Restrictions: Any third-party processors engaged by us are contractually bound to the same standards and are prohibited from using data for any purpose other than providing services to us.

2. DEFINITIONS AND INTERPRETATION

2.1 Key Definitions

For the purposes of this Privacy Policy:

• "Personal Information" means information relating to an identifiable, living, natural person, and where applicable, an identifiable, existing juristic person. This includes information relating to race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language, and birth; information relating to education, medical, financial, criminal, or employment history; any identifying number, symbol, email address, physical address, telephone number, location information, online identifier, or other particular assignment; biometric information; personal opinions, views, or preferences; correspondence of a private or confidential nature; and the name of the person if it appears with other personal information.
• "Processing" means any operation or activity concerning personal information, including collection, receipt, recording, organisation, collation, storage, updating, modification, retrieval, consultation, use, dissemination, merging, linking, blocking, degradation, erasure, or destruction.
• "Responsible Party" means the entity that determines the purpose and means of processing personal information, being Squire.
• "Operator" means any person or entity processing personal information on behalf of the Responsible Party.
• "Data Subject" means the person to whom personal information relates.
• "Information Officer" means the person designated in terms of section 55 of POPIA.
• "Special Personal Information" means personal information concerning a data subject's religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal behaviour.
• "Children's Personal Information" means personal information of any person under the age of 18 years.
• "Cookies" means small text files placed on your device when you visit our website or use our platform, as further described in Section 12 of this Policy.

3. INFORMATION OFFICER AND CONTACT DETAILS

3.1 Information Officer

In compliance with section 55 of POPIA, Squire has designated an Information Officer responsible for ensuring compliance with this Privacy Policy and applicable data protection laws.

Information Officer:
• Name: Francois Paul
• Email: contact@squire.law

3.2 Deputy Information Officer

Data Subjects may also contact the Information Regulator of South Africa directly:
• Physical Address: JD House, 27 Stiemens Street, Braamfontein, Johannesburg, 2001
• Postal Address: P.O. Box 31533, Braamfontein, Johannesburg, 2017
• Email: inforeg@justice.gov.za
• Website: www.inforegulator.org.za

4. CATEGORIES OF PERSONAL INFORMATION COLLECTED

4.1 Information You Provide Directly

We collect personal information that you voluntarily provide when registering for or using our Services.

• Account Registration: We collect your full name, email address, organisation name and your role within the organisation.
• Service Usage: We collect documents and files you upload to the platform, queries and inputs you submit to our AI systems, communications with our support team, feedback and survey responses, and your user preferences and settings.
• Billing and Payment: We collect your billing address, payment method details (processed by PCI-DSS compliant payment processors), VAT or tax registration numbers, and purchase history.

4.2 Information Collected Automatically

• Technical Information: We automatically collect IP address (anonymized where possible), browser type and version, operating system, device identifiers, access timestamps, pages visited and features used, and session duration and interaction patterns.
• Security Information: We collect records of login attempts and authentication events, security logs and audit trails, and geographic location at country or region level only.
• Cookie and Tracking Data: We collect information through cookies and similar technologies as described in Section 12 of this Policy. This includes session identifiers, preference settings, and anonymized usage statistics.

4.3 Information from Third Parties

We may receive personal information from your employer or organisation (with appropriate authorisation), professional regulatory bodies (for verification purposes), and publicly available sources (for due diligence and compliance).

4.4 Categories We Do NOT Collect

We expressly do not collect Special Personal Information unless strictly necessary and with explicit consent; Children's Personal Information, as our Services are not intended for users under 18; or financial account details, as all payment processing is handled by certified third-party processors.

5. PURPOSES AND LEGAL BASIS FOR PROCESSING

5.1 Primary Purposes

• Service Provision (Performance of Contract): To provide, maintain, and improve our legal AI platform and Services, including authenticating users and enabling core functionality such as session management and secure access.
• Account Management (Performance of Contract): To create and manage user accounts, authenticate users, and provide customer support.
• Security and Fraud Prevention (Legitimate Interest): To protect our systems, detect unauthorised access, prevent fraud, and ensure the integrity of our Services.
• Legal Compliance (Legal Obligation): To comply with applicable laws, regulations, and legal processes.
• Service Improvement (Legitimate Interest): To analyse usage patterns and improve user experience using anonymized, aggregated data only.
• Communication (Consent or Legitimate Interest): To send service-related notifications and, where consented, marketing communications.

5.2 Specific Processing Activities

• AI Service Processing: Your queries and inputs are processed solely to generate responses. No personal information is retained in AI model training. All processing occurs within our secure, sovereign infrastructure. Session data is automatically deleted after 30 days unless you elect to save specific outputs.
• Analytics and Improvement: We use anonymized, aggregated data for service improvement. Individual user data is never used for analytics without explicit consent. Analytics cookies collect only non-identifiable information, as further described in Section 12.

5.3 Consent Requirements

Where we rely on consent as a legal basis, consent must be freely given, specific, and informed. You may withdraw consent at any time without affecting the lawfulness of prior processing. Withdrawal of consent may limit certain Service features.

6. DATA SUBJECT RIGHTS

6.1 Rights Under POPIA

• Right to be Notified (Section 18): You have the right to be notified that your personal information is being collected, including the nature of the information, the name and address of the Responsible Party, the purpose of collection, whether provision is voluntary or mandatory, the consequences of failure to provide information, any authorised recipients, whether we intend to transfer information cross-border, and your rights regarding your personal information.
• Right of Access (Section 23): You have the right to request confirmation of whether we hold personal information about you and to request access to such information.
• Right to Rectification (Section 24): You have the right to request the correction of inaccurate, irrelevant, excessive, out-of-date, incomplete, misleading, or unlawfully obtained personal information.
• Right to Erasure (Section 24): You have the right to request the deletion or destruction of personal information that is no longer necessary for the purpose for which it was collected, for which you have withdrawn consent, that has been unlawfully processed, or that must be deleted to comply with a legal obligation.
• Right to Object to Processing (Section 11): You have the right to object to the processing of your personal information at any time on reasonable grounds relating to your particular situation.
• Right to Object to Direct Marketing (Section 69): You have the right to object at any time to the processing of your personal information for direct marketing purposes, to not have your personal information processed for direct marketing by unsolicited electronic communications, and to register a pre-emptive block with the Direct Marketing Association of South Africa.
• Right Not to Be Subject to Automated Decision-Making (Section 71): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal consequences concerning you or similarly significantly affects you.
• Right to Lodge a Complaint: You have the right to lodge a complaint with the Information Regulator regarding alleged interference with the protection of your personal information.
• Right to Judicial Remedy: You have the right to institute civil proceedings regarding alleged interference with the protection of your personal information.

6.2 Exercising Your Rights

To exercise any of your rights, please contact us by email at contact@squire.law. We will respond to all requests within 30 days of receipt as required by POPIA. We may require proof of identity before processing your request to ensure security. We will not charge for a first request, but may charge a reasonable fee for repeated or manifestly unfounded requests.

7. DATA RETENTION AND DELETION

7.1 Retention Periods

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected. The following periods apply:

• Account Information: for the duration of your account plus 3 years, to meet contract performance and legal obligations.
• Uploaded Documents: for the duration of your subscription plus 30 days, for service provision and user convenience.
• AI Query History: 30 days, for service improvement and troubleshooting.
• Payment Records: 7 years, to satisfy tax and accounting legal requirements.
• Communication Records: 3 years, for customer service and dispute resolution.
• Security Logs: 1 year, for security monitoring and incident response.
• Marketing Consent Records: until consent is withdrawn plus 3 years, for legal compliance and proof of consent.
• Analytics Cookie Data: between 90 days and 2 years depending on the specific cookie, for statistical analysis purposes.

7.2 Deletion Procedures

Upon expiration of the applicable retention period or upon receipt of a valid deletion request, personal information is permanently deleted from active systems. Backups are purged in accordance with our backup retention schedule within a maximum of 90 days. Anonymized, aggregated statistical data may be retained indefinitely where individual identification is impossible.

7.3 Exceptions to Deletion

We may retain personal information where required by law or legal obligation; where necessary for legal proceedings or for establishing or defending legal claims; where required for historical, statistical, or research purposes in anonymized form; or where consent has been given for extended retention.

8. DATA SECURITY AND SAFEGUARDS

8.1 Technical Safeguards

In compliance with section 19 of POPIA, we implement appropriate, reasonable technical and organisational measures to prevent loss of, damage to, or unauthorised destruction of personal information, and to prevent unlawful access to or processing of personal information. Our technical safeguards include:

• AES-256 encryption for data at rest
• TLS 1.3 encryption for data in transit
• Multi-factor authentication for all accounts
• Role-based access controls
• Regular security patching and updates
• Intrusion detection and prevention systems
• Network segmentation and firewalls
• Regular vulnerability assessments and penetration testing
• Secure cookie attributes including HTTPS-only transmission, HttpOnly flags, and SameSite protections

8.2 Organisational Safeguards

Our organisational measures include:

• Comprehensive information security policies
• Regular staff training on data protection
• Confidentiality agreements with all personnel
• Incident response and business continuity plans
• Regular security audits and compliance assessments
• Physical security controls at data processing facilities

8.3 Data Minimisation and Privacy by Design

We adhere to the principle of data minimisation and collect only personal information that is necessary for specified purposes. Privacy considerations are integrated into system development from the outset, default settings favour maximum privacy protection, and privacy impact assessments are conducted for new processing activities.

8.4 Breach Notification

In the event of a personal information breach, we will notify the Information Regulator within 72 hours of becoming aware. We will notify affected Data Subjects without undue delay where the breach is likely to result in high risk to their rights and freedoms. We will document all breaches, including the facts, effects, and remedial actions taken.

9. OPERATORS AND THIRD-PARTY PROCESSORS

9.1 Use of Operators

We engage Operators to process personal information on our behalf. All Operators are contractually bound by written agreements that ensure:

• Compliance with POPIA and this Privacy Policy
• Prohibition of use of personal information for any purpose other than providing services to us
• Implementation of appropriate security measures
• Immediate notification of any data breaches
• Deletion or return of personal information upon termination of the relationship
• Prohibition of subcontracting without our prior written consent
• Explicit prohibition of use of data for AI model training or improvement

9.2 Current Operator Categories

We currently engage the following categories of Operators:

• Infrastructure Hosting: A cloud provider that processes all platform data within approved jurisdictions.
• Payment Processing: A PCI-DSS certified processor that handles payment information.
• Email Delivery: An email service provider that processes email addresses for transactional and service communications.
• Analytics: An analytics provider that processes only anonymized usage data for platform improvement.

9.3 Prohibited Activities

Our Operators are expressly prohibited from:

• Using personal information for their own purposes
• Selling or transferring personal information to third parties
• Using personal information for marketing or advertising
• Training AI models or machine learning systems using our data
• Retaining personal information beyond the termination of services

10. CROSS-BORDER DATA TRANSFERS

10.1 Data Sovereignty Commitment

We are committed to data sovereignty and to maintaining personal information within the jurisdictions where our Data Subjects reside, wherever feasible and legally permissible.

10.2 South Africa

For personal information collected from Data Subjects in South Africa, all personal information is primarily processed and stored within the Republic of South Africa. Cross-border transfers may occur only where:

• The recipient is subject to a law or contract that upholds principles substantially similar to POPIA
• The Data Subject has consented to the transfer
• The transfer is necessary for the performance of a contract between the Data Subject and the Responsible Party
• The transfer is necessary for the conclusion or performance of a contract in the interest of the Data Subject
• The transfer is for the benefit of the Data Subject and consent cannot be obtained

Where transfers are necessary, we implement Standard Contractual Clauses approved by the Information Regulator, adequacy decisions where applicable, Binding Corporate Rules for intra-group transfers, and additional technical safeguards such as encryption and access controls. Cookie data transferred outside South Africa is subject to the same safeguards.

10.3 Namibia

As Namibia's Data Protection Bill, 2023 is not yet in force, we apply POPIA-equivalent standards to all processing of Namibian Data Subjects' personal information. We will update our practices to comply with the Namibian Data Protection Act once enacted.

10.4 Other Jurisdictions

For Data Subjects in other jurisdictions, we will comply with applicable local data protection laws, implement appropriate transfer mechanisms including Standard Contractual Clauses and adequacy decisions, and provide jurisdiction-specific privacy notices where required.

11. SPECIAL PERSONAL INFORMATION AND CHILDREN

11.1 Special Personal Information

We generally do not process Special Personal Information as defined in section 26 of POPIA, which includes information concerning religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, biometric information, or criminal behaviour. Such information may be processed only where:

• Processing is carried out in the course of legitimate activities with appropriate safeguards
• The information has been made public by the Data Subject
• Processing is necessary for the establishment, exercise, or defence of a legal right or obligation
• Processing is for historical, statistical, or research purposes with appropriate safeguards
• Explicit consent has been obtained from the Data Subject

11.2 Children's Personal Information

Our Services are not intended for children under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected personal information from a child, we will take immediate steps to delete such information. If you believe we have inadvertently collected such information, please contact us immediately at contact@squire.law.

12. COOKIES AND SIMILAR TECHNOLOGIES

12.1 What Are Cookies?

Cookies are small text files placed on your device - computer, smartphone, or tablet - when you visit our website or use our platform. They are widely used to make websites work efficiently, remember your preferences, and provide website operators with anonymized information about usage patterns. In addition to cookies, we may use web beacons (small graphic images that allow us to monitor website usage), local storage (browser-based storage for preferences), session storage (temporary storage that is deleted when you close your browser), and pixel tags. We use first-party cookies set directly by Squire and a limited number of third-party cookies set by service providers engaged by us. We minimise the use of third-party cookies and only engage processors who comply with our data protection standards.

12.2 Types of Cookies We Use

• Strictly Necessary Cookies: These cookies are essential for the operation of our Services and cannot be disabled. They enable core functionality including security, network management, and account access; maintain your session state during navigation; enable load balancing for consistent performance; and remember your privacy consent preferences. Because they are strictly necessary for the provision of the service you have requested, they do not require your consent under POPIA.
• Preference and Functional Cookies: These cookies enable our Services to provide enhanced functionality and personalisation. They remember your language and region preferences, store your display preferences such as dark mode settings, remember form inputs to save you time, and store your preferred document templates. They collect preference settings only and do not collect personally identifiable information or track you across websites. We request your consent before placing these cookies, and you may opt out while retaining access to the core Services.
• Analytics Cookies: These cookies help us understand how visitors interact with our Services by collecting information anonymously. They are used to count visits and traffic sources, measure which pages and features are most popular, identify technical issues and errors, and inform development priorities. All analytics data is anonymized before storage - IP addresses are truncated or masked, individual users cannot be identified, and data is used for aggregated statistical analysis only. We use Google Analytics (with IP anonymization enabled) and internal usage statistics tools. We request your consent before placing analytics cookies, and you may opt out without affecting your ability to use the Services.
• Marketing Cookies: We do not use marketing cookies or tracking for advertising purposes. We do not track you across different websites, build advertising profiles, share data with advertising networks, or use retargeting or remarketing cookies. This aligns with our commitment to privacy and data protection.

12.3 Cookie Consent and Management

When you first visit our Services, a cookie banner will appear requesting your consent for non-essential cookies. You may accept all cookies, customise your selection by category, or reject all non-essential cookies and allow only strictly necessary cookies. You can change your preferences at any time by clicking the "Cookie Settings" link in our website footer, by adjusting your browser settings to block or delete cookies, or by contacting us at contact@squire.law. We respect browser "Do Not Track" signals - when this signal is enabled, we disable analytics cookies. You may also withdraw consent for non-essential cookies at any time by the same methods above. Withdrawal of consent does not affect the lawfulness of processing that occurred before withdrawal.

12.4 Cookie Retention Periods

• Strictly necessary cookies are retained for the duration of your session up to a maximum of one year.
• Preference and functional cookies are retained for up to one year.
• Analytics cookies are retained for between 90 days and two years depending on the specific cookie.

All cookie data retention is subject to our general data retention policy set out in Section 7.

13. DIRECT MARKETING

13.1 Consent Requirement

In compliance with section 69 of POPIA, we will not use your personal information for direct marketing by means of unsolicited electronic communications unless you have provided your consent, or you are an existing customer and the marketing relates to our similar products or services.

13.2 Your Rights and Opt-Out

You have the right to:

• Object to direct marketing at any time
• Withdraw consent for marketing communications
• Register on our internal do-not-contact list

All marketing communications from Squire will clearly identify Squire as the sender, provide a clear and easy opt-out mechanism, and be sent only during reasonable hours between 08:00 and 20:00 local time.

14. JURISDICTION-SPECIFIC PROVISIONS

14.1 South Africa

This Privacy Policy is drafted in compliance with POPIA. All Data Subjects in South Africa enjoy the full protections set out in this Policy and in POPIA.

14.2 Namibia

Pending enactment of the Data Protection Bill, 2023, we apply POPIA-equivalent standards to all processing of Namibian Data Subjects' personal information.

14.3 Future Jurisdictions

As we expand to additional jurisdictions, we will:

• Assess applicable data protection requirements
• Implement jurisdiction-specific privacy notices where required
• Maintain this Privacy Policy as our primary data protection document

15. CHANGES TO THIS PRIVACY POLICY

15.1 Policy Updates

We may update this Privacy Policy from time to time to reflect:

• Changes in our processing activities or cookie practices
• Changes in applicable laws and regulations
• Changes in our business operations
• Feedback from Data Subjects and regulators

15.2 Notification of Changes

Material changes to this Privacy Policy will be notified by:

• Email to registered users
• Prominent notice on our website
• In-app notification where applicable

Changes will take effect 30 days after notification unless immediate compliance with legal requirements is necessary.

15.3 Continued Use

Continued use of our Services after changes take effect constitutes acceptance of the updated Privacy Policy.

16. COMPLAINTS AND DISPUTE RESOLUTION

16.1 Internal Complaint Process

If you believe we have not complied with this Privacy Policy or applicable data protection laws, please follow the steps below:

1. Contact our Information Officer at contact@squire.law.
2. Provide details of your complaint, including relevant dates and supporting documentation.
3. We will acknowledge receipt within 5 business days.
4. We will investigate and respond within 30 days.
5. If you are not satisfied with our response, you may escalate to the Information Regulator.

16.2 External Recourse

You have the right to lodge a complaint with the Information Regulator of South Africa at:

• Email: inforeg@justice.gov.za
• Website: www.inforegulator.org.za

16.3 Alternative Dispute Resolution

We are committed to resolving disputes amicably. Where appropriate, we may offer mediation or other alternative dispute resolution mechanisms.

17. CONTACT INFORMATION

For any questions, concerns, or requests regarding this Privacy Policy, our cookie practices, or our data protection practices generally:

Privacy and Data Protection:
• Email: contact@squire.law

Information Officer:
• Email: contact@squire.law

General Inquiries:
• Email: contact@squire.law
• Website: www.squire.law