Privacy and Data Protection Policy

Last updated: 19 September 2024

Introduction

Agridex (“we”, “us” or “our”) provides a blockchain-based agricultural trading platform, including APIs for fiat-stablecoin transactions.

This privacy policy gives you information about how AgriDex Ltd. collects, uses, and processes your personal data when you interact with our services, including the AgriDex platform. We comply with applicable data protection laws, including the General Data Protection Regulation (EU and UK GDPR regulations) and other international privacy regulations included in Schedules 2 and 3.

The AgriDex platform uses blockchain technology, artificial intelligence (AI), and smart contracts to securely manage and verify transactions, ensuring transparency, data integrity, fraud prevention, and overall data privacy.

If you reside within the European Economic Area (EEA) or the United Kingdom (UK), please refer to Schedule 1. If you reside in the US, please refer to Schedule 2. If you reside in Australia, please refer to Schedule 3. If you reside anywhere else in the world, please refer to Schedule 4.

Schedule 1 — EU/UK GDPR

1. Important Information and Who We Are

1.1 Who We Are

AgriDex Ltd., registered at Suite 406 Audley House, 13 Palace Street, London, England, SW1E 5HX, and operating under company number 13184186, acts as the controller of personal data processed through the AgriDex platform and shared with us via Bridge.xyz. We are responsible for ensuring compliance with applicable data protection regulations such as the EU GDPR, UK GDPR, and other relevant laws in the jurisdictions in which we operate.

1.2 Data Protection Officer (DPO)

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing compliance with this privacy policy. Should you have any questions about how your data is processed or wish to exercise your rights, please contact the DPO using the details provided in Section 10.

1.3 Changes to This Privacy Policy

We regularly review and may update this privacy policy. When significant changes are made, such as changes in processing activities, legal requirements, or your rights, we will notify you through email, website notifications, or similar means. You will not be required to check our website periodically for updates; any substantial changes will be clearly communicated.

2. The Types of Personal Data We Collect About You

2.1 Data Categories

The personal data we collect about you depends on your interactions with the AgriDex platform. Below are the categories of data we may collect:

  • Identity Data: first name, last name, username, gender, title, date of birth, and national identification number.
  • Contact Data: billing address, delivery address, email address, and telephone numbers.
  • Financial Data: bank account information, payment card details, wallet addresses, and transaction histories.
  • Transaction Data: payments, product orders, blockchain transaction records, trade activities, certifications, and legal agreements.
  • Technical Data: IP address, browser type, device information, time zone settings, and usage data collected through cookies and similar tracking technologies.
  • Profile Data: username, purchase history, preferences, survey responses, and any feedback provided.
  • Sustainability Data: environmental and sustainability certifications, compliance with the EU's Sustainable Finance Disclosure Requirements (SFDR), and product origin tracking.
  • KYC (Know Your Customer) Data: proof of identity, proof of address documentation, and other verification documents required for legal compliance.
  • Wallet Verification Data: verification of ownership and risk assessments of wallets used on the platform, particularly for fraud detection and sanctions checks.
  • Geolocation Data: data about your location when accessing our services.
  • Interaction Data: information about how you interact with the AgriDex platform (clicks, navigation, etc.).

2.2 Data from Third Parties

We may receive personal data about you from third-party sources, including:

  • Identity verification services.
  • Payment and financial service providers.
  • Analytics providers, including cookies and other technical data from analytics platforms (e.g., Google).
  • Publicly available sources, such as government databases or business directories.

2.3 Sensitive Personal Data

In cases where we collect and process sensitive personal data, we will implement additional security measures to protect this data. Processing of such sensitive personal data will only occur under strict legal bases as provided by the GDPR (e.g., explicit consent, vital interests, or legal requirements).

3. Legal Basis for Processing Your Data

3.1 Legal Grounds

In accordance with data protection regulations such as the EU GDPR and UK GDPR, we only process your personal data if we have a legal basis for doing so. The legal grounds we rely on include:

  • Performance of a Contract: processing your personal data to fulfil our obligations under a contract with you — verifying transactions, facilitating payments, and certifying product sustainability.
  • Compliance with Legal Obligations: processing necessary for compliance with legal obligations, including anti-money laundering (AML) laws, fraud detection, and trade regulations.
  • Legitimate Interests: processing data for legitimate business interests such as improving the AgriDex platform, ensuring security, and performing risk assessments. We ensure these interests do not override your fundamental rights.
  • Consent: in certain cases we request your explicit consent, particularly for sending marketing communications or sharing your data with third parties for non-essential purposes. Consent can be withdrawn at any time (see Section 9).

3.2 Response Timeframes for User Rights Requests

We are committed to responding to your data subject rights requests (including access, correction, erasure, restriction, objection, data portability, and withdrawal of consent) without undue delay, and in any event within one month of receipt of the request. This timeframe may be extended by two further months where necessary, taking into account the complexity and number of requests. We will notify you of any such extension within one month of receiving your request.

3.3 Third-Party Compliance

Where we share your personal data with third parties (e.g., service providers, business partners), we ensure that these third parties are contractually obligated to process your data securely and in compliance with GDPR. We conduct regular audits and assessments to ensure that third-party data processors meet our high standards of data protection.

4. How We Use Your Personal Data

4.1 Purpose of Data Use

We use the personal data collected through the AgriDex platform for the following purposes:

  • Transaction Verification: using AI and blockchain technology to process transaction data to ensure compliance with regulatory standards, including sustainability certifications, legal auditing, and traceability.
  • Fraud Detection and Risk Assessment: AI-powered tools to verify documents, identify fraudulent activities, and assess the risks associated with transactions. Wallet ownership is verified to detect links to illegal activities or sanctions.
  • Sustainability Reporting: processing sustainability data to meet reporting requirements related to environmental, social, and governance (ESG) standards, including compliance with the EU's SFDR.
  • Compliance with Legal Obligations: processing your personal data to comply with national and international regulations, including the EU GDPR, UK GDPR, AML, and trade laws. This may include sharing your data with regulators or law enforcement authorities.
  • Direct Marketing and Profiling: with your consent or based on legitimate interests, we may use your personal data to send personalised marketing communications or product recommendations. You can manage your marketing preferences at any time.
  • Customer Support: your data is used to provide customer support, resolve issues, and improve the user experience.

5. Data Retention Periods

We retain personal data for specific periods based on the type of data and the purpose for which it was collected. For instance:

  • Transaction data related to blockchain will be retained permanently to maintain transparency and comply with legal obligations.
  • KYC and certification data will be retained for a minimum of 5 years following the termination of the contractual relationship to comply with anti-money laundering (AML) regulations.
  • Other personal data will be retained in accordance with business needs or legal obligations. Full details on retention periods for each data category are available upon request.

6. International Data Transfers

Your personal data may be transferred outside of the European Economic Area (EEA) or the United Kingdom (UK), where privacy laws may not provide the same level of protection. However, we ensure that any transfers comply with data protection laws by using appropriate safeguards, such as:

  • Standard Contractual Clauses (SCCs): approved by the European Commission or UK authorities.
  • Binding Corporate Rules (BCRs): for transfers within our group of companies.
  • Adequacy Decisions: transfers to countries deemed to have adequate levels of protection by relevant regulatory authorities.

For more information or to request details about these safeguards, please contact us (see Section 10).

7. Data Security

We have implemented industry-standard security measures to protect your personal data:

  • Blockchain Security: all transaction data recorded on the blockchain is immutable and cannot be altered once added, ensuring transparency and data integrity.
  • Encryption: we use advanced encryption protocols (block-level storage encryption — AES-256, TLS) to secure personal data during storage. Backups are regularly taken and stored in an encrypted S3 bucket.
  • Fraud Prevention: we employ AI-based fraud detection systems to continuously monitor transactions for suspicious activity and provide automated alerts for any risks.
  • Access Controls: only authorised personnel have access to personal data, and all access is logged and monitored. Our DevOps team has configured a suite of monitoring tools that notify the tech team whenever irregular or suspicious activities occur.
  • We are committed to obtaining and maintaining SOC 2 certification to ensure the highest level of operational and data security.

8. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. This includes:

  • Blockchain Transaction Data: stored permanently to maintain transparency and for compliance purposes.
  • KYC and Certification Data: retained for the duration of legal and regulatory obligations, such as AML requirements.
  • Other Personal Data: retained based on business needs or legal obligations, or until you withdraw your consent (where applicable). If you request the deletion of your personal data, we will honour the request unless we are required to retain the data to comply with legal requirements.

9. Your Legal Rights

Under data protection laws (GDPR), you have the following rights regarding your personal data:

  • Access: you can request a copy of the personal data we hold about you.
  • Correction: you can ask us to correct inaccurate or incomplete data.
  • Erasure: you can request the deletion of your personal data under certain circumstances.
  • Restriction: you can request the suspension of certain processing activities.
  • Objection: you can object to processing based on legitimate interests, such as direct marketing.
  • Data Portability: you can request a structured, machine-readable copy of your personal data for transfer to another controller.
  • Withdrawal of Consent: you can withdraw consent for processing at any time where consent is the legal basis for processing.

To exercise any of these rights, contact our DPO (see Section 10).

10. Contact Details

If you have any questions or wish to exercise your rights regarding your personal data, please contact:

Email: anna.kennedy@agridex.com

Postal Address: AgriDex Ltd., Suite 406 Audley House, 13 Palace Street, London, England, SW1E 5HX.

11. Complaints

If you believe that your data protection rights have been violated, you have the right to lodge a complaint with the relevant supervisory authority, such as the Information Commissioner's Office (ICO) in the UK, or the equivalent data protection authority in your jurisdiction.

In addition to the ICO, you have the right to lodge a complaint with a supervisory authority in the EU member state where you reside, work, or where an alleged infringement of data protection laws has occurred.

12. Changes to the Privacy Policy

We will notify you of any significant updates to this privacy policy. You can access previous versions of this policy by contacting us.

Schedule 2 — United States (California and Other U.S. Privacy Laws)

2.1 CCPA and CPRA Compliance

For California residents, Agridex adheres to the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA), which grant the following rights:

  • Right to Know: you have the right to know the categories and specific pieces of personal information we collect, the sources of this information, and the purposes for collecting it. This includes information shared or sold.
  • Right to Access: you can request access to the personal information we have collected about you, including data portability rights.
  • Right to Delete: you can request the deletion of personal information, subject to specific legal exceptions.
  • Right to Correct: you have the right to request corrections to inaccurate personal information we maintain.
  • Right to Opt-Out: you can opt out of the sale or sharing of your personal information and opt out of cross-context behavioural advertising.
  • Right to Limit Use of Sensitive Personal Information: you can limit the use or disclosure of sensitive personal information to specified purposes.
  • Right to Non-Discrimination: we will not discriminate against you for exercising any of these rights.

2.2 CalOPPA Compliance

As required by CalOPPA, Agridex provides this Privacy Policy that:

  • Identifies the types of personal information collected.
  • Describes how we respond to "Do Not Track" signals and whether other parties may collect PII about users' online activities across different websites or services.
  • Provides instructions for users to review and request changes to their information.
  • Notifies users of privacy policy updates and provides the policy's effective date.

2.3 Data Collection and Minimisation

Agridex limits the collection of personal information to what is necessary for specified, legitimate business purposes and complies with requirements to delete personal information when it is no longer needed. We also implement reasonable security procedures to safeguard personal information.

2.4 Notification and Consent

We provide clear and comprehensive notices regarding our data collection practices, including privacy policies and notices at the point of data collection. User consent is obtained where required, and consumers can withdraw consent at any time.

2.5 Responding to Consumer Rights Requests

California residents can exercise their rights by contacting us using the information in Section 10 of Schedule 1. We have procedures to verify, process, and respond to these requests within the legally mandated timeframe.

2.6 Other U.S. State Laws

For residents of other U.S. states — including Colorado, Connecticut, Utah, and Virginia — Agridex complies with relevant privacy laws by granting:

  • Rights to access, correct, and delete personal information.
  • Rights to opt out of data processing for targeted advertising, sale, or profiling.
  • Notification and consent requirements, as applicable.

2.8 Data Security and Breach Notification

Agridex implements reasonable security procedures to protect personal information and complies with California's data breach notification statutes, including notifying the affected individuals and authorities promptly in case of unauthorised access or data breach.

Schedule 3 — Australia

3.1 Compliance with the Privacy Act 1988 (Cth) and APPs

Agridex complies with the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs), which provide guidelines for the handling, use, and disclosure of personal information. We ensure:

  • Collection: personal information is collected only for lawful and business-related purposes.
  • Data Minimisation: we collect the minimum amount of data necessary and retain it only as long as needed for business purposes.
  • Access and Correction: individuals can request access to their personal information and seek correction if the information is incorrect or outdated.
  • Overseas Disclosure: if we disclose personal information outside Australia, we take reasonable steps to ensure compliance with the APPs.

3.2 Employee Records Exemption

Where applicable, Agridex may collect and use employee records under the employee records exemption of the Privacy Act. Employee information is used solely for employment-related purposes, such as managing recruitment, performance, and workplace conduct.

3.3 Data Breaches

We comply with Australia's Notifiable Data Breaches (NDB) scheme. If a data breach occurs involving personal information that could cause serious harm, we will notify affected individuals and the Office of the Australian Information Commissioner (OAIC).

3.4 Workplace Policies

Agridex has policies covering workplace conduct, diversity and inclusion, recruitment, and whistleblowing. For more information, employees should refer to our internal policies or contact the HR department.

Schedule 4 — Rest of the World

If you are a resident of a jurisdiction not specifically covered in this Privacy Policy, Agridex applies globally recognised privacy standards to protect your data, including:

  • Access Rights: the right to request access to your personal data.
  • Correction and Deletion Rights: the right to correct inaccurate data and request the deletion of personal information under certain conditions.
  • Objection and Data Portability: the right to object to processing and request the transfer of data to another service provider.
  • We manage your data in line with the above laws applicable to the jurisdictions stated.

4.1 Contact Us

For questions, concerns, or to exercise your privacy rights, please contact:

Agridex Building Limited

Address: 21750 Hardy Oak Blvd, Ste 104 PMB 77950, San Antonio, Texas 78258-4946.

Email: privacy@agridex.com

Complaints: to make a complaint about how your personal information has been handled, contact us using the details above. If you are not satisfied with our response, you may lodge a complaint with the OAIC (Australia) or the California Privacy Protection Agency (CPPA) in the U.S.

4.2 Updates to This Privacy Policy

Agridex may update this Privacy Policy to reflect changes in legal requirements or our privacy practices. We will notify you of any significant changes via email or on our platform.