Privacy Statement & Policy

Certn Privacy Statement

We are a technology company providing background checks and identity verification services. As privacy is at the core of our business, we put a lot of effort into ensuring that we adequately protect the personal information of the individuals interacting with us. Your trust is crucial to us, and we are confident that this privacy policy will give you the information you need.

Key points you should know when we process your personal information

Our role in the processing of your personal information

We act as a “processor” when providing services to clients (e.g., employers, landlords), following their instructions on data collection and processing. Clients are responsible for obtaining necessary consent and ensuring data accuracy. We act as a “controller” when you interact directly with us (e.g., using our services, visiting our website, applying for a job). In these cases, Certn is responsible for protecting your data and respecting your rights.

Main Processing Activities

Certn processes personal information to:

  • Provide services (background checks, identity verification)
  • Communicate with you
  • Ensure security and prevent fraud
  • Comply with legal obligations
  • Manage job applications (if applicable)
  • Improve our services

We only process information with a legal basis, such as your consent, a contract, legal obligation, or legitimate interest. We do not use your information for automated decision-making.


Information About Processing Activities

Detailed information about specific processing activities, including biometric identification, Certn’s subcontractor list, and details about individual checks (e.g., criminal check, OneID, etc.), can be found in the full Privacy Policy below. You can also contact us directly for further information.


Main Information Security Safeguards

Certn maintains SOC2, SOC3, and ISO27001 certifications. We employ robust security controls, including:

  • Regular security audits and penetration tests
  • Security vetting and data protection training for staff, suppliers, and contractors
  • Limited access to personal information
  • Encryption for data at rest and in transit

Individuals’ Rights and Dispute Resolution

We review any privacy request free of charge and take steps to support you in exercising your privacy rights to: (i) be informed, (ii) access, (iii) rectification, (iv) erasure, (v) processing restrictions, (vi) data portability, (vii) withdraw consent and object to processing, (viii) not be subject to a decision based solely on automated processing, and (ix) file a complaint.

To exercise these rights or raise a dispute, please contact our Privacy Office at [email protected]. For residents of specific jurisdictions (Canada, US, EU, Brazil, Australia), specific contact details are available in the full Privacy Policy. We will respond to your request promptly and within legal timeframes.

Certn’s Privacy Statement may be updated periodically. Please review it regularly for any changes.

Privacy Policy

Version 3 / Effective Jun 30, 2025

I. What is Certn, and does this policy apply to you?

  • Certn is a technology company that provides background checks and identity verification services.
  • This privacy policy explains how Certn collects, uses, and shares personal information of individuals applying for jobs at Certn, those being screened by Certn, clients using Certn’s services, potential clients, and website visitors.
  • Certn does not knowingly collect information from children under 13.

Certn is an information technology company that provides a wide range of products and services in the sphere of background screening and identity verification (“Services”). This privacy policy (“Policy”) describes how Certn Holdings Inc. and its affiliates, including Certn (Canada) Inc., Certn (USA) Inc., Certn UK Ltd. and any other wholly owned subsidiary (collectively “Certn” or “we” or “our”), collect, use, disclose, and process Personal Information in connection with websites owned by Certn (“Website(s)”), as well as its Services.

This Policy applies to you if you are:

  1. A “Candidate”: An individual applying at Certn.
  2. A “Consumer”: An individual about whom we have received information for the purpose of using our Website(s) or performing our Services.
  3. A “Client”: An individual representing an organization or an individual using our Services.
  4. A “Prospect”: An individual representing an organization or an individual we are contacting in order to know your interest in using our Services.
  5. A “Website Visitor”: An individual, a Consumer or a Client of legal age accessing our Websites.

Please note that we do not knowingly solicit information from anyone under the age of thirteen (13). If you become aware of any Personal Information shared by or on behalf of a child, please contact us using the contact information provided in the relevant section below.

II. What is Personal Information and what do we do with it?

  • Personal Information is any information that can identify an individual directly or indirectly, but it doesn’t include general business contact details.
  • Certn collects, uses, stores, and shares only the necessary Personal Information to provide its Services.
  • Broadly speaking, we process your Personal Information (i) to provide our Services, (ii) to communicate with you, (iii) for security and fraud prevention, and (iv) to comply with the law. We may also use Personal Information for other purposes, subject to your consent.
  • We will not process your Personal Information unless we have the legal right to do so. We process your Personal Information based on legal grounds like consent, contract, legal obligation, or legitimate interest.
  • Certn doesn’t use your information for automated decision-making.
  • You can choose to limit the Personal Information you share, but this might affect the Services Certn can provide.

For the purposes of this Policy, “Personal Information” is any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable individual.

Personal Information does not include business information, such as our Clients’ business address and telephone number.

We process only the Personal Information required in the course of providing our Services. “Processing” (or “processes” or “processed”) includes any operation or set of operations which is performed on Personal Information, or on sets of Personal Information, whether or not by automated means. This includes the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, transfer, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Information.

Some information, including criminal records, credit information, and biometric data, may be considered sensitive or may be subject to special protections in some jurisdictions. Such information will not be collected in every case, and will not be collected where prohibited by law, and where permitted, will only be collected and used in accordance with applicable law.

We do not make decisions about you, automated or otherwise, and we do not attempt to analyze or predict your behavior, preferences, interests, health, or other personal characteristics. However, we may carry out automated processing on our Client’s instructions.

By using our Website or our Services, you consent to the processing of your Personal Information subject to the provisions of this Policy. If you do not agree with this Policy or do not wish to provide your Personal Information to us, please do not use our Website or Services.

If you choose to provide us with a limited scope of Personal Information, we may not be able to provide our full range of Services or deliver the best experience on our Website.

Broadly speaking, we process your Personal Information (i) to provide our Services, (ii) to communicate with you, (iii) for security and fraud prevention, and (iv) to comply with the law. We may also use Personal Information for other purposes, subject to your consent. We will not process your Personal Information unless we have the legal right to do so.

To process your Personal Information lawfully, we rely on at least one legal basis as set forth by applicable law. Depending on your relationship with us, the legal basis to process your Personal Information may include, among other things, your consent, the requirement to process data for the performance of a contract with you, to comply with a legal obligation, or on the basis of legitimate interest.

If our legal basis for collecting and using Personal Information is your consent, you can withdraw or modify your consent for future collection or use of your Personal Information at any time, and we will explain the consequences of doing so. If we use your Personal Information for sales or marketing purposes, you can ask us to stop at any time and we will do so.

II.1. When Certn conducts verification on behalf of its clients

  • Certn acts as a “data processor” for its clients (like employers or landlords) who use Certn’s services for background checks and identity verification. This means that Clients instruct Certn on what information to collect and how, ensure they have legal grounds and necessary consent for the collection, and are responsible for the accuracy and protection of the data. Certn carries out the client’s requests, protects the data, and complies with applicable laws. While Certn interacts with individuals, it does so on behalf of its clients and may share information with them.
  • Clients must have a “Permissible Purpose” (e.g., employment, tenancy) for processing data. Certn won’t reuse data without consent, legal requirement, or compatibility with the original purpose.
  • Personal information is collected with your awareness and consent, except where permitted or allowed by law.
  • Clients are responsible for obtaining consent if Certn doesn’t do so directly. You can withdraw consent, which doesn’t invalidate prior processing.
  • Different checks need different information, so not all of the information described in the policy might be collected for every check. You can look up the specific check you’re going through in the policy to learn more.

Our Clients, such as your employer or your landlord, may ask you to use our Services for background screening or identity verification related purposes. In these circumstances, please note that Certn acts as a “processor” in the processing of your Personal Information. This means that we act only on behalf of our Clients as a service provider when processing your personal information.

When we provide Services to Clients:

  • The Client provides instructions on what Personal Information to collect, and how to collect it;
  • If appropriate, the Client ensures that Consumers are notified of, or provide consent for, the collection and processing of their Personal Information in accordance with applicable laws;
  • The Client ensures that Personal Information is collected and processed lawfully, fairly and in a transparent manner, consistent with the identified purposes;
  • The Client confirms that Personal Information is accurate and, when necessary, kept up to date, rectified or erased; and
  • The Client ensures that appropriate safeguards are in place to protect Personal Information.

We are generally responsible for the following aspects of collection and processing of Personal Information:

  • We carry out the Services requested by our Client or Consumer, in accordance with their instructions;
  • We protect Personal Information in our custody against loss, theft, or any unauthorized access, disclosure, copying, use or modification, in a way that is appropriate to how sensitive it is, and in accordance with our Client’s instructions, and applicable laws;
  • We comply with any legal obligations we may have as a data processor, custodian, service provider or similar under applicable laws.

In that regard, please keep in mind that while we may interact directly with you in the course of the Services requested by our Clients, we do it on behalf of our Clients, and that any information or inquiries shared with us may be communicated to our Clients whenever it is necessary for providing the Services.

 

II.1.1. Permissible Purpose for processing

Our Clients must certify that they have a Permissible Purpose before we can process Personal Information for the purposes of providing the Services. “Permissible Purpose” includes employment purposes, tenancy purposes or in accordance with the written instructions of the Consumer with whom the Client intends to contract.

We will not reuse Personal Information for any purpose other than the one for which it was collected, unless one or more of the following is true:

  • the new use is compatible with the original one, meaning you should reasonably expect it;
  • we have notified you of the new use and given you an opportunity to object to it; or
  • the new use is otherwise permitted or required by law.

We collect, use, and disclose Consumer Personal Information when the Consumer is aware of the Permissible Purpose for which the information will be processed, and has given his or her consent to such processing, except where the processing of Personal Information without consent is permitted or required by law. Subject to regulatory requirements, operating our Services in certain jurisdictions requires us or our Clients to obtain additional or specific consents in the form of additional consent form/s, telephone call/s, through an online platform or other methods. Where the Consumer does not provide such consent or specific consent directly to us, but to our Clients, we require our Clients to obtain the Consumer’s consent prior to providing us with the Consumer’s Personal Information subject to verification for any of our Services. The Consumer may withdraw such consent previously granted at any time by contacting us. Withdrawing such consent does not affect the lawfulness of any processing based on the consent before the withdrawal.

You can find more information on the types of Services our Clients may ask you to use in the relevant section of this Policy. Please note that, depending on the type of checks you are required to perform by our Clients, we may not process all the Personal Information listed in this section. You can refer to the name of the check you are required to do in the Policy to obtain more information about the processing of your Personal Information.

II.2. When you are directly interacting with Certn

  • Certn acts as a “Controller” of your personal information in certain situations, such as when you directly use our services, navigate our website, consent to marketing contact, or apply for a job with us. In these instances, we are responsible for protecting your data and respecting your rights.
  • We may process your personal information to provide services, manage job applications, monitor performance, comply with laws, improve our offerings, ensure quality, train employees, maintain security, and prevent fraud.
  • When providing services, we do not collect financial information directly; payments are processed securely by third-party providers.
  • We may record calls for assurance and training purposes.

There are situations where Certn does not act on behalf of its Clients when it processes your Personal Information. This may occur in the following circumstances:

  • When you directly require us to provide you with our Services or when you navigate on our Website.
  • When you consent to be contacted by us for marketing purposes.
  • When you apply for a job at Certn.

In these circumstances, we act as “Controllers” under the applicable data protection laws. This has implications for you: when we are Controllers, we are notably the first responsible for ensuring that your rights regarding your personal information are respected, and that your personal information is adequately protected under the applicable data protection laws.

In these circumstances, subject to your consent or applicable legal basis and in compliance with applicable laws, we may need to process your Personal Information for the following purposes:

  • To provide you with the requested Services
  • If you are applying at Certn, to process your application or contact you about job opportunities
  • To monitor the performance of our Services and Websites
  • To comply with applicable laws and regulations
  • To improve our Services
  • Quality assurance and quality controls
  • To train our employees
  • To ensure the security of our Services, Websites and assets
  • To detect and combat fraud

More information relating to call recordings: We may record calls for training and quality assurance purposes. While we rely on our legitimate interest to do so, we also make sure that you are informed beforehand of such recordings. In the event you don’t want your call to be recorded, you can use our chat agent or contact us via email at [email protected].

More information relating to quality assurance and controls: Our processes for collecting and transcribing Personal Information are automated to the extent possible and are subject to rigorous quality controls. Information that is found to be inaccurate, either through our own audits or following your request for correction, is updated.

To ensure that our processes and systems are effective and efficient, we frequently audit them. These audits may involve the processing of your Personal Information (e.g.: to ensure that the checks performed are accurate).

More information relating to the provision of our Services: When you subscribe to our Services, you may be asked to enter your full name, e-mail, business name, business address, phone number, billing address, card address, and other information provided by the customer through custom fields, if any. Financial information, such as data related to your payment method (e.g., valid credit card number, card brand, expiration date) is never collected by us either through our Website or otherwise. Upon processing payments, you are transferred to a secure page on the Website of Stripe or some other PCI DSS-certified payment service provider. That page may be dressed in our “livery”, but it is not managed by us. All financial information is processed by our payment processor, and you are encouraged to review their privacy policy and contact them directly for responses to your questions.

More information related to the monitoring of the performance of our Services and Websites: When we monitor the performance of our Services and Websites, we use information that can’t directly identify you, notably by aggregating it or by using other de-identification and anonymization techniques.

Please also note that we may log your operating system name and version, device identifier, browser type, operating system, Internet Protocol (IP) address, screen resolution, the pages you viewed on our Websites, how long you spent on a page, access times, general location information such as city, state or geographic area, and information about your use of and actions on our Website/s. We can use this information for fraud prevention and security purposes.

Collection of Personal Information for security purposes is done based on our legitimate interest and legal obligation to ensure Personal Information in our custody is protected.

II.2.1. Things to know when you use MyCertn Wallet

MyCertn Wallet is designed to give you greater control over your Personal Information. It allows you to order specific checks and decide when, to whom, and for how long you want to share the results of these checks.

Here are some key points you need to be aware of when using MyCertn Wallet:

  • As we operate under your instructions, it is your responsibility to ensure that you know and authorize the recipient before sharing your Personal Information via MyCertn Wallet. We recommend you consult the recipient’s privacy policy before disclosing your personal information.
  • You can access the results of the checks, request their deletion, dispute or correct any inaccuracies associated with your Personal Information within the MyCertn Wallet app.
  • You can find more information on how we process your Personal Information depending on the checks you order via MyCertn Wallet in the relevant section of this policy.

II.2.2. Certn’s use of artificial intelligence

We utilize artificial intelligence technologies to automate and optimize our internal processes and service delivery. This includes the use of AI agents such as AI-powered chatbots and AI voice agents. We do not employ AI for making automated decisions that would produce legal effects or similarly significantly affect you. Our AI implementation is designed to enhance operational efficiency while maintaining full human oversight.

II.2.3. Certn’s use of cookies or similar technologies

Certn uses cookies to enhance website functionality and personalize your experience. Some cookies are essential for the site to operate, while others help us analyze site usage and remember your preferences, with your consent. You can manage your cookie choices through your browser settings.

Our Website uses cookies and other similar technologies to provide functionality, analyze traffic and personalize some of your web content.

II.2.3.1. What are cookies?

Cookies are small text data files that are sent to your computer or mobile device by a Website while browsing.

There are different kinds of cookies with different functions:

  • Session cookies: these are only stored on your computer during your web session. They are automatically deleted when the browser is closed. They usually store an anonymous session ID allowing you to browse a Website without having to log in to each page. They do not collect any information from your computer.
  • Persistent cookies: a persistent cookie is one stored as a file on your computer, and it remains there when you close your web browser. The cookie can be read by the Website that created it when you visit that Website again.
  • First-party cookies: the function of this type of cookie is to retain your preferences for a particular Website for the entity that owns that Website. They are stored and sent between Certn’s servers and your computer’s hard drive. They are not used for anything other than for personalization as set by you. These cookies may be either session or persistent cookies.
  • Third-party cookies: the function of this type of cookie is to retain your interaction with a particular Website for an entity that does not own that Website. They are stored and sent between a third-party’s server and your computer’s hard drive. These cookies are usually persistent cookies.

First-party cookies are necessary for the proper operation of our Website. Our Website also allows for the use of third-party cookies, which can be read externally by other organizations. As such, we cannot be responsible for third party cookies, i.e., cookies that are not initiated by us. Our service platforms, which we use to collect information from Consumers and Clients, do not use third-party cookies.

 

II.2.3.2. Using cookies

Necessary Cookies: By using our Website, you agree that we can store and access necessary cookies on your device. These cookies do not gather information about you that could be used for marketing or remembering where you have been on the internet.

Statistic cookies: These are anonymous and cannot be used to identify you. Statistic cookies help us improve our Website functions and collect information on how you use the Website (such as how often you visit our Website, the links you clicked on, the pages you prefer most). Consenting to those cookies will allow us to produce anonymous statistical reports for Website improvement purposes.

Preferences cookies: In order to remember the choices you have previously made (such as selected language or saved username and password), to allow for quicker browsing, and provide enhanced features we need to enable preference cookies. The information these cookies collect is usually anonymized.

Marketing cookies: These may be set across Websites by third parties. They do not store personal information but identify your browser and your internet device to help advertisers in showing you relevant advertisements.

Website log data: Certn’s web servers log the following information during visits to our Website: IP addresses, type of operating system, time and duration of visit, web pages visited and browser type. We do not link server log information to any other information in a way that would enable the identification of Website Visitors to our Website. Apart from analyzing such logs to provide you with a better experience on our Website, server logs may be reviewed for security purposes and if necessary, to detect unauthorized activity on our Website. In such cases, server log data, containing IP addresses, would be shared with law enforcement bodies in order that they may identify users in connection with their investigation of the unauthorized activities.

 

II.2.3.3. How can I manage my Cookie preferences?

You will be presented with information about our cookies and an option to accept all cookies or customize your cookie preferences when you first visit our Website and occasionally from the cookie banner thereafter. You can consent to or refuse all cookies at any time while browsing the Website. You can choose and manage all of your cookies at any time through your browser settings. If you disable cookies, you may be unable to access or fully use certain parts or functionalities of the Website.

II.3. Things you should know depending on the check that is performed by Certn

  • Certn processes minimal identification information, including full name, date of birth, address history, phone number, and email, for all checks to ensure accurate verification. We use this information, along with data required for specific identity checks, to verify the correct individual.
  • This section presents the main checks performed by Certn and may not contain information about the specific check you want or are asked to perform. Additional details regarding specific checks like drug tests or Right to Work checks are available in their respective consent forms and documentation, or by contacting us.
  • Each check is unique, and we may not always process all listed personal information.
  • Processing may also involve information from various jurisdictions depending on your personal circumstances.

All of our checks require us to process the following minimal identification-related personal information:

  • Full name, including maiden name and aliases
  • Date of birth
  • Address history
  • Phone number and email.

This information, coupled with the information required for any identity verification check, is used to ensure we conduct the verification on the right person. If you are requested to conduct multiple checks, you can use the titles below to obtain more information about which Personal Information we need to process for each check, the reasons for such processing, the source of the information, and for how long we retain your Personal Information. Please note that each check is unique and that we may not need to process all the Personal Information listed below. Depending on your personal situation, we may also need to process your Personal Information from different jurisdictions (e.g.: if you’ve worked or lived in various countries).

The list below is not exhaustive and may not contain the information related to the check you are performing. For example, in some countries, like the United States, Certn can offer the possibility to conduct drug tests, or in the United Kingdom, we may offer Right to Work checks. To obtain more information about how we process your Personal Information in these specific checks, please refer to the related consent form and documentation or contact us.

II.3.1. OneID

Personal information involved:

  • Full name, including maiden name and aliases
  • Date of birth
  • Address history
  • Phone number and email
  • Identification documents such as passport or drivers license
  • Biometric data (facial characteristics)

Processing Purposes:

  • Identity verification
  • Fraud detection and prevention

Source(s): Provided by you

Retention periods:

  • 30 days from the date of collection for biometric data
  • 3 years from the date of collection for the contact information and the results of the check

More information: please read our Biometric Notice.

II.3.2. Identity Verification

Personal information involved:

  • Full name, including maiden name and aliases
  • Date of birth
  • Address history
  • Phone number and email
  • Identification documents such as passport or drivers license
  • Biometric data (facial characteristics)

Processing Purposes:

  • Identity verification
  • Fraud detection and prevention

Source(s): Provided by you

Retention periods:

  • 30 days from the date of collection for biometric data
  • 3 years from the date of collection for the contact information and the results of the check

More information: please read our Biometric Notice.

II.3.3. Canadian Criminal Record Check

Personal information involved:

  • Sex
  • Place of birth
  • Police records
  • Court records
  • Criminal history
  • Sex offender registry status

Processing Purposes: Verification of your criminal background

Source(s):

  • Provided by you
  • Law enforcement and government agencies
  • Courts and public records

Retention periods: 3 years from the date of collection

More information: please read our Biometric Notice.

II.3.4. International Criminal Check

Personal information involved:

  • Sex
  • Police records
  • Court records
  • Criminal history
  • Passport details or similar information such as ID number, Visa information, and jurisdiction specific documents

Processing Purposes: Verification of your criminal background

Source(s):

  • Provided by you
  • Law enforcement and Government agencies
  • Courts and public records

Retention periods: 3 years from the date of collection

More information: please read our Biometric Notice.

II.3.5. Employment Verification

Personal information involved: Employment history (including company name, contact information, fiduciary or directorship responsibilities, positions, titles, income, or start and end dates)

Processing Purposes: Employment or activity history verification over a certain period of time

Source(s):

  • Provided by you
  • Previous employers
  • Employment verification vendors
  • References you have provided

Retention periods: 3 years from the date of collection

II.3.6. Education Verification

Personal information involved: Post secondary information (including institution name, institution address, degree/certification title, and dates of enrolment)

Processing Purposes: Education or activity history verification over a certain period of time

Source(s):

  • Provided by you or our Client (where applicable)
  • Educational institutions
  • Education verification vendors
  • Government education authorities

Retention periods: 3 years from the date of collection

II.3.7. Credit Report (Canada)

Personal information involved:

  • Employment history (including name, contact information, fiduciary or directorship responsibilities, positions, titles, income, or start and end dates)
  • Financial information (including credit history, bankruptcy or financial judgments)

Processing Purposes: Credit and bankruptcy history verification

Source(s):

  • Credit bureaus
  • Government agencies
  • Public records

Retention periods: 3 years from the date of collection

II.3.8. Income Verification

Personal information involved:
  • Bank account details (including bank name, account balance, account activity trends, account balance trends, recurring deposits, recurring payments, and account age)
  • Income information (including sources of income, average monthly income, estimated gross annual income, employer income, non-employer income, or income trends)

Processing Purposes: Verification of your income

Sources:
  • Financial institutions
  • Income verification vendors

Retention periods: 3 years from the date of collection

II.3.9. Adverse Media Check

Personal information involved:
  • Social media activity (posts, interactions, etc.)
  • Mentions in online or print media

Processing Purposes: Verification of adverse media

Sources:
  • Print and digital media outlets
  • Law enforcement and government agencies

Retention periods: 3 years from the date of collection

II.3.10. Politically Exposed Persons (PEP) Check

Personal information involved:
  • Work address
  • Inclusion on watch or sanctions lists
  • Financial Conduct Authority reference number (if applicable)
  • Familial or business relationships with politically exposed persons

Processing Purposes:
  • Verification to determine whether you hold, or have held, a prominent public position or a role that exposes you to potential risks of corruption, bribery, or money laundering.
  • Global sanctions regimes and sanction lists verification
  • Verification of adverse media

Sources:
  • Global watch lists and registries
  • Law enforcement and government agencies
  • Regulatory bodies

Retention periods: 3 years from the date of collection

II.3.11. Global Sanctions and Watchlists

Personal information involved: Inclusion on watch or sanctions lists

Processing Purposes: Global sanctions regimes and sanction lists verification

Sources:
  • Global watchlists and registries
  • Law enforcement and government agencies
  • Regulatory bodies

Retention periods: 3 years from the date of collection

II.3.12. Questionnaire

Personal information involved: Any additional information voluntarily submitted by you

Processing Purposes: Provide additional necessary information to Certn’s Clients in the course of the requested checks

Sources: Provided by you

Retention periods: 3 years from the date of collection

III. How do we protect your Personal Information?

III.1. Our approach toward data protection

At Certn, we are committed to protecting your privacy and personal information. We’ve implemented a comprehensive privacy framework based on key principles. We are accountable for protecting your information, and we have appointed a privacy officer to oversee our practices and ensure compliance with applicable laws. We identify the purposes for collecting your information beforehand and only collect it when legally allowed or with your consent. We limit data collection to what’s necessary, minimizing it throughout its lifecycle with strict retention policies. We maintain accuracy through technical controls and audits, making it easy for you to correct inaccuracies. We protect your information with strong safeguards and train everyone who handles it. We are transparent about our data practices and ensure our documentation is clear. We also respect your rights regarding your personal information and provide a process for complaints. We regularly audit our compliance. Our services are designed with confidentiality (state-of-the-art security), manageability (individual control over data), and predictability (transparent practices) in mind.

At Certn, we are committed to protecting your privacy and Personal Information. We have implemented a comprehensive framework that outlines our objectives and principles for processing Personal Information and settles our privacy governance as an organization. This framework is based on the following key principles:

  • Accountability: We take responsibility for protecting your Personal Information. We’ve established a privacy office to oversee our privacy practices and ensure we follow all relevant laws.
  • Identifying Purposes: We have processes in place to ensure that the purposes for which your Personal Information is collected are identified beforehand.
  • Legal Basis including Consent: We only collect and use your information when the law allows us to, or when you give us your consent. We’ll make sure you understand what you’re agreeing to.
  • Limiting the processing of Personal Information: We only collect the Personal Information necessary for the purposes we’ve identified. We also minimize the Personal Information we hold throughout its whole lifecycle, notably by applying strict retention periods. You can find more information regarding our retention practices in the relevant sections of this policy.

  • Accuracy: We keep your information accurate and up to date, notably, by implementing rigorous technical and quality controls and audit processes. We make it easy for you to correct any mistakes or inaccuracies.
  • Safeguards: We protect your information with strong security measures, including physical, technical, and administrative safeguards. We also make sure anyone who handles your information is properly trained.
  • Transparency: We’re open about how we collect, use, and protect your Personal Information. We make sure that our documentation related to the processing of your Personal Information is written in clear and understandable form.
  • Individuals’ Rights: You have rights regarding your Personal Information, including the right to access, correct, or delete it. We make it easy for you to exercise these rights.
  • Challenging Compliance: We have a process for you to make complaints or ask questions about our privacy practices. We also regularly check our own compliance with privacy laws.

We take great care to ensure that your personal information is processed in a manner that is consistent with these principles.

Moreover, in accordance with our privacy framework, our Services are designed to pursue these three main objectives:

  • Confidentiality: We implement state-of-the-art security measures to protect personal information and train our Workforce Members on best practices.
  • Manageability: We design our Services to give individuals control over their personal information, including the ability to modify, delete, or selectively disclose it.
  • Predictability: We maintain transparent practices that allow individuals to make reliable assumptions on how we process their Personal Information.

III.2. How long do we retain your Personal Information?

Certn retains your personal information as needed to provide services, comply with legal obligations, and enforce agreements. We delete your account and data upon request, though some information may be retained for legal reasons. Consumer information is generally kept for a maximum of three years, with exceptions for specific data types like biometrics (30 days) and candidate information (3 years).

In accordance with our Retention Policy, we will retain your information for as long as needed to provide you with our Services and/or as necessary to comply with our contractual and legal obligations, resolve disputes, and enforce our agreements.

Data required to establish proof of a right or a contract will be stored for the duration provided by applicable law. Upon your request to terminate your account, we will deactivate or delete your account and information from our active databases. However, some information may be retained in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our terms and/or compliance with legal requirements.

In relation to Consumer Personal Information, unless records have been subject to a deletion request or subject to a different retention period instructed by our Clients, the retention and disposal schedule shall be no more than three (3) years. You can find more specific information about our retention periods depending on the checks we conduct in the relevant section of this policy. Exceptions may exist for specific data sets as governed by regulatory or third-party data providers’ retention requirements. For example, we will store your biometric data for 30 days following the completion of your identity verification via OneID. Where required, we may keep general information as a log and for auditing purposes.

If you are a Candidate, we keep your Personal Information for no more than XXX years.

III.3. How do we protect your Personal Information?

We maintain SOC2, SOC3, and ISO27001 certifications, implementing robust security controls to protect personal information. Certn regularly conducts security audits and penetration tests to ensure compliance. Our staff, suppliers, and contractors undergo security vetting and data protection training. We limit access to personal information and utilize encryption for secure data handling.

We are SOC2, SOC3 and ISO27001 certified and maintain advanced technical, administrative, and physical security controls that comply with those standards and protect your Personal Information from unauthorized access, loss, misuse, interference or alteration during its collection, use, disclosure, and storage. We perform security audits, vulnerability scans, and penetration tests on a regular basis to ensure compliance with industry security practices and standards.

All our staff, suppliers and contractors are security vetted prior to taking up employment. All staff are data protection trained and are aware of their responsibilities. Such training is conducted repeatedly on a regular or random basis, but at least once a year.

We limit access to Personal Information to individuals with a legitimate business need consistent with the reason and purpose for which the information was provided. We implement a variety of security measures to maintain the safety of your Personal Information when orders are placed or when you enter, submit, or access your Personal Information. For example, we use encryption at rest and in transit. All supplied sensitive information is transmitted via Transport Layer Security (TLS) technology and then stored in our database and only accessed by those authorized with special access rights to our systems, who are required to keep the information confidential.

In addition, we have processes in place to encourage our Clients to comply with applicable privacy laws and security standards. Such processes include but are not limited to entering into binding agreements with our Clients and conducting mutual random audits of each other’s internal procedures and practices to ensure that regulatory standards and security levels are mutually met and exceeded at all times.

IV. How and with whom can we share your Personal Information?

Certn processes personal information globally, storing data in Canada, the US, the UK, and Australia. We may transfer data across borders to provide services like verifying employment or education. These transfers are based on adequacy decisions, safeguards, consent, or other legal considerations. We take measures to ensure data security and comply with specific requirements for regions like California, Quebec, the UK, Australia, the EU, and the EEA. We may share personal information with auditors, affiliates, partners, and service providers like payment processors and cloud providers. We do not sell or disclose personal information to governments, marketing services, or other clients, except as legally required or as outlined in this policy. We may disclose information to law enforcement or similar bodies when legally obligated.

IV.1. Does Certn process Personal Information across borders?

Certn operates globally and may need to transfer your Personal Information across borders in the course of its operations. Notably, we rely on storage infrastructures within Canada, as well as the United States, the United Kingdom, and Australia. We may also need to process your personal information across borders for the purposes of providing you the Services such as verifying your work or education history. When we transfer your Personal Information, we notably rely on the following elements:

  • Adequacy decisions
  • Appropriate safeguards, including contractual safeguards
  • Your consent
  • Other jurisdictional considerations.

In cases where our Client is located in, or the Consumer is residing or has resided in, the state of California, the province of Quebec, the UK, Australia, the EU, and/or the EEA, specific requirements may apply to the transfer of Personal Information.

We take all measures reasonably necessary to ensure that your Personal Information is treated securely and in accordance with this Policy, and we will not transfer Personal Information to an organization or a country unless there are adequate controls in place to ensure the security of your data.

If you have any questions as to whether your information will be Processed overseas, and/or if you have any restrictions or conditions regarding the release of your information across borders, please contact us as soon as possible so we may discuss your specific requirements.

IV.2. Third Parties

We only share your Personal Information with third parties with your consent, or when permitted or required by applicable law.

In addition to the third parties listed in the section relating to the types of checks, we may need to share or disclose your Personal Information to the following third parties in the course of our business operations:

  • Auditors for the performance of contracted or statutory compliance audits;
  • Certn affiliates and partners who are participating in the delivery of our Services; and
  • Third parties that perform services for us or on our behalf, including but not limited to payment processing, marketing or advertising services, data analysis, email delivery, Software as a Service Providers, Infrastructure as a Service Providers, or Platform as a Service Providers.

When we provide Services to a Client, the Consumer Personal Information is processed and reported through our secure platform. Apart from our Clients and in addition to authorized Certn personnel who may access your Personal Information for the purposes outlined in this Policy, we may provide your Personal Information to authorities or partner companies that provide services to help us with our business activities such as offering customer service or processing your payment. For more information on the third-party companies who provide such services to us, please click here.

Finally, please note that we do not sell or disclose your Personal Information to governments, marketing or advertising services, other Clients, or anyone else except as outlined in this Policy or as required by law.

IV.3. Governmental entities

In exceptional circumstances, we may be requested to communicate Personal Information with law enforcement agencies, national security agencies, courts, or other similar institutions as required by law. If in receipt of a production order, subpoena, warrant, or other enforceable demand, we will act in compliance as required by the applicable laws.

V. Essential information tailored to your country and how to contact us to assert your rights?

  • We are committed to protecting your privacy and ensuring your rights are respected. Regardless of where you live, you have the right to be informed, access, rectify, erase, restrict processing, data portability, withdraw your consent and object to processing, not be subject to automated decisions, and file a complaint. We will review your privacy requests free of charge and respond promptly, within legal time limits. We may need to inform our clients or other third parties who processed your data before taking action on your request.
  • You can contact our Privacy Office via email at [email protected] or, if you are a resident of specific jurisdictions (Canada, US, EU, Brazil, Australia), use the contact details provided for your location.
  • We may update this policy periodically, so please check it regularly.

V.1. Your rights

Certn is committed to ensuring that your rights regarding your Personal Information are respected across all jurisdictions in which it operates.

Regardless of your jurisdiction, we extend the following rights to individuals whose Personal Information we process. If you reside outside the jurisdictions outlined below, please consult the details provided to exercise your rights.

Regardless of your place of residence, we will review any privacy request free of charge and take steps to support you in exercising your privacy rights to: (i) be informed, (ii) access, (iii) rectification, (iv) erasure, (v) processing restrictions, (vi) data portability, (vii) withdraw consent and object to processing, (viii) not be subject to a decision based solely on automated processing, and (ix) file a complaint.

If you are not a resident of the jurisdictions outlined below, you can contact our Privacy Office at [email protected] to exercise your privacy rights. If you are a resident of one of these jurisdictions, please use the contact details provided in the section that applies to your situation.

Upon receipt of a written request, and after verifying you as the data owner, we respond to privacy right requests, disputes, and complaints as soon as practicable, and in any event, within the time limits prescribed by law. However, where we refuse to do so, we will give you a written notice setting out the reasons within 30 days of the receipt of your request.

For the purposes of compliance and where required by law or contract, prior to actioning any privacy right request, we will inform the Client connected to such request, if any, as well as any other third parties who may have processed your Personal Information. Upon their instructions, we will reply to your request accordingly. You can contest their decision by directly reaching out to them or contacting your local data protection or privacy authority.

V.1.1. Right to be informed

You have the right to be informed of the nature of the processing of your Personal Information. You have the right to know what Personal Information we process, the third parties it may be shared with, and how long we will keep it.

V.1.2. Right to access

Subject to applicable laws’ exceptions, you have the right to access the Personal Information Certn holds about you or on behalf of its Clients. You can request us to provide you with your Personal Information using the contact details provided in this Policy or the tools and forms we make available to you across our various Services.

V.1.3. Right to rectify, correct or update your Personal Information

You have the right to request us to correct, rectify or update your Personal Information that is not accurate, complete or up to date. Upon the presentation of the relevant evidence, we will take reasonable steps to correct this information or if necessary, discuss alternative actions with you.

V.1.4. Right to erasure or deletion

You have the right to request the deletion or erasure of your Personal Information. Such a right is performed in accordance with applicable laws, and may be limited depending on the nature, scope and the laws applicable to your request. Certn may keep some of your Personal Information when it is required or permitted under applicable laws. For example, we may need to keep your Personal Information to demonstrate our compliance with data protection or privacy laws. If you request the deletion of your Personal Information, we need to keep some information related to the fact that you asked for your data to be deleted and that we complied with your request.

V.1.5. Right to portability

You have the right to obtain your Personal Information in a structured, commonly used and machine-readable format and require us to transmit it to another third party that is qualified under applicable laws. This right is limited to the Personal Information you directly provided to us.

V.1.6. Right to withdraw your consent and right to object

Subject to the exceptions outlined in applicable laws, you have the right to withdraw your consent if we rely on it to process your Personal Information. By doing so, please note that we may not be able to deliver the Services anymore. If the Services are requested for a Client’s Permissible Purpose like employment or tenancy, this may affect the related processes. Whenever possible, we encourage you to contact the tenant, employer, or the organization that requested the check to gather additional information regarding the implications of withdrawing your consent.

You have the right to object to specific processing activities of your Personal Information depending on the legal framework that applies to your situation. For example, you have the right to object to processing of your Personal Information for direct marketing purposes, including profiling.

V.1.7. Right to restriction of processing

Under the circumstances provided by applicable laws, you have the right to ask us to restrict the processing of your Personal Information.

V.1.8. Right to not be subject to a decision based solely on automated processing

Certn does not use your Personal Information to render decisions based solely on automated processing.

V.1.9. Right to file a complaint

If you have any concerns regarding our data protection practices or the management of your Personal Information, we encourage you to submit a complaint by reaching out to our Privacy Office. You can find the necessary contact details in this Policy.

V.2. Canada residents

You can find detailed information about our policies and processes relating to the protection and retention of your Personal Information in the relevant sections of this Policy.

As stated in the sections above, please note that Certn may transfer your personal information outside Canada, including outside the province of Quebec, whenever it is necessary for the purposes for which it has been collected.

V.2.1. Personal Information Agent (Quebec)

Certn is a registered Personal Information Agent in Quebec. In that regard, please note that:

  • We hold Personal Information of other persons.
  • We may communicate credit reports bearing on your character, reputation or solvency to our Clients or other co-contractors, and we may receive such information from our co-contractors such as our partners and our service providers.
  • You are entitled to request access or rectification of your Personal Information by following the process outlined in this Policy.
  • Certn ensures that your Personal Information is up to date and accurate by implementing strong technical controls such as automated processes, and internal quality controls and audits. Certn also provides a way for you to challenge or correct the information we collect about you from you directly or from our Clients and partners.

V.2.2. Who to contact?

For any questions, complaints or inquiries regarding this Policy you can contact our appointed Privacy Officer at:

CANADA
Certn (Canada) Inc.

1006 Fort St
Unit 300
Victoria, BC V8V 3K4
+1-844-987-0690
[email protected]

V.3. United States residents

V.3.1. Your rights under the Fair Credit Reporting Act

As a resident of the United States, please note that some Personal Information processed by Certn might be subject to the Fair Credit Reporting Act (“FCRA”), and that the privacy law of your state may be pre-empted. Unless you applied for a position at Certn, we do not make any decisions relating to your employment. To have more information about the FCRA, your rights under this law and how it may apply to your situation, please contact your employer.

V.3.2. California residents

For purposes of the California Consumer Privacy Act (“CCPA”), we do not “sell” Consumer Personal Information to third parties for direct marketing purposes. Personal Information processed for the purposes of delivering a background check is exempt from CCPA.

To the extent that you are a California resident and in the event we may have processed categories of your Personal Information beyond the CCPA exemption in relation to delivering a background check, you have the right to access your Personal Information, delete it, have it disclosed, opt out of sales, and be free from discrimination. You can contact us to exercise any of these rights. For compliance purposes, we may require additional information from you in order to honor your request.

V.3.3. Nevada residents

We do not sell Consumer Personal Information to third parties for direct marketing purposes.

V.3.4. Who to contact?

For any questions, complaints or inquiries regarding this Policy you can contact our appointed Privacy Officer at:

UNITED STATES
Certn (USA) Inc.

Trust Center
1209 Orange Street
Wilmington, New Castle County, Delaware, 19801
+1-844-987-0690
[email protected] for any privacy-related questions

V.4. EU, EEA, Swiss and UK residents

Subject to the consideration that we occasionally process Personal Information of EU, EEA, Swiss and UK residents, we have taken measures to comply with those jurisdictional standards and ensure that all recipients of any such Personal Information provide an adequate level of data protection based on, but not limited to, commitments to standard contractual clauses and/or international data transfer agreement/s as applicable.

EU, EEA, Swiss and UK Consumers have certain rights regarding the processing of Personal Information. If you are an EU/EEA/UK resident, you have:

  • the right to request details of the Personal Information we have about you;
  • the right to ask that we update your information if it is inaccurate or incomplete;
  • the right to ask that we delete your information in certain circumstances;
  • the right to withdraw your consent to the use of your information where we are relying on that consent;
  • in some circumstances, you have the right to receive some of your information in a usable format and/or request we transmit that data to a third party where this is technically feasible;
  • the right to request that we restrict the processing of your Personal Information in certain circumstances; and
  • the right to lodge a complaint with your local data protection authority if you think we have not been able to assist you.

If you would like to exercise your rights in relation to your consumer report, we will support your request in our capacity as a data processor and in alignment with our Client who ordered the report in their capacity as a controller. In such circumstances, please kindly note that our Clients are ultimately responsible for responding to your data subject request.

To log your request, please contact us. We will contact you if we need additional information from you in order to deliver the applicable information or undertake specific actions to honor your request in exercising your rights.

V.4.1. Who to contact?

For any questions or inquiries regarding this Policy you can contact our appointed Data Protection Officer at:

UNITED KINGDOM
Certn (UK) Limited

160 London Road
Sevenoaks, Kent, TN13 1BT
+44 (0)1732 748 900
[email protected] for general queries and [email protected] for privacy-related queries

V.5. Brazil

Brazilian residents may have certain rights to:

  • confirm whether we process your Personal Information;
  • request access to your Personal Information that is being processed by us;
  • rectify incomplete, inaccurate or outdated Personal Information;
  • request the anonymization, blocking or deletion of unnecessary or excessive information or information processed in noncompliance with the provisions of the LGPD (Lei Geral de Proteção de Dados Pessoais);
  • request data portability;
  • be informed about third parties with whom your Personal Information has been shared; and
  • request a review of automated decisions that affect your interests.

To exercise your rights in relation to your consumer report, we will support your request in our capacity as a processor and in alignment with our Client who ordered the report in their capacity as a controller.

To log your request, please contact us by using our contact details provided below. We will contact you if we need additional information from you in order to deliver the applicable information or undertake specific actions to honor your request in exercising your rights.

V.6. Australia

Certn conducts checks in Australia via its affiliate InterCheck. For more information on how InterCheck processes your personal information, please visit: https://intercheck.com.au/privacy-policy/.

For any questions, complaints or inquiries regarding this Policy you can contact our appointed Privacy Officer at:

Australia

356 Collins Street
Melbourne, 3000, Victoria
+61 (03) 8820 4069
[email protected] for privacy-related questions or inquiries and [email protected] for any other questions.

 

VI. How is the policy updated?

We reserve the right to modify this Policy at any time. All Website Visitors are encouraged to periodically review this Policy to stay informed of updates. Your continued use of our Website and Services following the posting of changes to this Policy will mean you agree with, and consent to be bound by, the new revised Policy.