Data Privacy Framework Notice

Participation & Certification

ZeroEyes, Inc. ("ZeroEyes") complies with the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework (the “DPF”) as set forth by the U.S. Department of Commerce. ZeroEyes has certified to the U.S. Department of Commerce that it adheres to the Principles of the DPF (the “DPF Principles”) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. Data Privacy Framework and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. Data Privacy Framework.

If there is any conflict between the terms in this Data Privacy Framework Notice and the DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Types of Data Collected

ZeroEyes processes personal data in connection with its AI-enabled firearm and weapon detection SaaS and related services. This may include customer and user account data (such as names, email addresses, phone numbers, and billing information), technical and usage data (such as IP addresses, browser and device details), mobile application data (which may include device identifiers and geolocation data), and detection-related images. ZeroEyes' analytics software is designed to detect the form factor of firearms and bladed weapons and does not store biometric identifiers.

Purposes of Processing

ZeroEyes processes personal data to deliver its security monitoring and threat detection services, communicate with customers, provide customer support, manage accounts, comply with legal obligations, and improve its services. ZeroEyes processes only the minimum personal data necessary to deliver its services.

The personal data ZeroEyes receives in reliance on the DPF consists of personal data originating from the EU and UK that:

  1. ZeroEyes customers provide to our SaaS services pursuant to written agreements. ZeroEyes customers are the controllers of that data, and ZeroEyes acts as processor on customers’ behalf;
  2. ZeroEyes customers share with us in the course of negotiating and administering written agreements with them. ZeroEyes is the controller of that data.

When an entity acts as a controller, it decides how and why to collect, use and process personal data. When an entity acts as a processor, it processes personal data on behalf of and upon instruction from the controller.

Right of Access

When ZeroEyes processes personal data covered by this DPF Notice as a controller, individuals in the EU and UK have the right to obtain confirmation of whether ZeroEyes maintains personal data relating to them and to access that data. Individuals also have the right to request that their personal data be corrected, amended, or deleted where it is inaccurate or has been processed in violation of the DPF Principles. To exercise these rights, please contact us at privacy@zeroeyes.com.

When ZeroEyes receives personal data covered by this DPF Notice in our role as processor, ZeroEyes acts as a processor for our customers, and our customers are responsible for providing individuals with access to their personal data, and the right to correct, amend or delete that data where it is inaccurate or where it has been processed in violation of the DPF Principles, as appropriate. Accordingly, individuals should direct questions about their personal data to the appropriate ZeroEyes customer. If an individual is unable to contact the appropriate customer, or does not obtain a response from the customer, ZeroEyes will provide reasonable assistance in forwarding the individual’s request to the customer.

Choice

When ZeroEyes acts as a controller, it will offer individuals the opportunity to choose (opt out) whether their personal data is (a) to be disclosed to a third party (other than a third party acting as an agent on our behalf), or (b) to be used for a purpose that is materially different from the purpose for which it was originally collected or subsequently authorized by the individual. For sensitive personal data, ZeroEyes will obtain affirmative express consent (opt in) if such data is to be disclosed to a third party or used for a purpose other than its original purpose.

When ZeroEyes acts as a processor of personal data transferred to us in the U.S. by, or on behalf of, one of our customers in the EU or the UK, our customer is responsible for providing certain choices to its employees, customers and users about the use of their personal data, including sensitive personal data. ZeroEyes will assist customers with their response to individuals who wish to exercise their choices regarding their personal data.

“Sensitive personal data” means personal data specifying medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information specifying the sex life of the individual.

Accountability for Onward Transfer

ZeroEyes may transfer personal data to third-party service providers that perform services on our behalf. Where we transfer personal data to a third party acting as an agent, we will enter into a written agreement requiring the agent to provide at least the same level of privacy protection as required by the DPF Principles. ZeroEyes shall remain liable under the DPF Principles if an agent processes personal data in a manner inconsistent with the Principles, unless ZeroEyes can demonstrate that it is not responsible for the event giving rise to the damage.

Disclosure to Authorities

ZeroEyes may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. In connection with its threat detection services, ZeroEyes may disclose detection-related information to law enforcement and emergency responders where warranted for threat response and as required by law.

Security

ZeroEyes takes reasonable and appropriate measures to protect personal data from loss, misuse, unauthorized access, disclosure, alteration, and destruction, taking into account the risks involved in the processing and the nature of the personal data.

Data Integrity and Purpose Limitation

When we act as a controller, we process only the minimum personal data that is relevant and necessary to deliver its services. We take reasonable steps to ensure that personal data is accurate, complete, and current for its intended use.

With respect to personal data covered by this DPF Notice where we act as processor, we retain such data as instructed by our customers acting as controllers. This data may also be retained for a period of time necessary to comply with legal obligations and in accordance with our written policies. Where we act as processor, we will not use the data covered by this DPF Notice in a manner that is incompatible with the purpose for which it was originally collected, except as permitted by applicable law.

Recourse and Enforcement

In compliance with the DPF Principles, ZeroEyes commits to resolve complaints about our collection or use of your personal data. EU and UK individuals with inquiries or complaints regarding this Data Privacy Framework Notice should first contact ZeroEyes at:

ZeroEyes, Inc.

Email: privacy@zeroeyes.com

555 E North Lane Suite 5050

Conshohocken, PA 19428

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, ZeroEyes commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF to JAMS, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://www.jamsadr.com/DPF-Dispute-Resolution for more information or to file a complaint. The services of JAMS are provided at no cost to you.

Binding Arbitration

If your DPF privacy complaint cannot be resolved through the above channels, under certain conditions you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. For additional information, please visit https://www.dataprivacyframework.gov/framework-article/ANNEX-I-introduction.

FTC Enforcement

ZeroEyes is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).

Contact Information

If you have any questions or concerns about this Data Privacy Framework Notice or our data practices, please contact us at:

ZeroEyes, Inc.

555 E North Lane Suite 5050

Conshohocken, PA 19428

Email: privacy@zeroeyes.com

Web: https://www.zeroeyes.com

Changes and Effective Date

Effective Date: May 31, 2026

We may update this Data Privacy Framework Notice from time to time. Changes will be posted here with an updated effective date.