Global Data Protection and Privacy Notice

Scope

This Data Protection and Privacy Notice (this “Notice”) sets out how Safety Holdings, Inc., American Driving Records, Inc., Instructional Technologies, Inc., Collision Management Systems Limited, and Samba Holdings Canada Inc. (collectively, “we”, “our”, or “us”) collect, handle, share and use, and otherwise process the personal data, personal information, or personally identifiable information (collectively, “personal data”) of individual data subjects (collectively, “you”) in the circumstances described below. Capitalized terms are defined in the chart of Definitions at Schedule 1, below.

Depending on where you are resident, we may be required to process your personal data in accordance with the EU General Data Protection Regulation, the UK General Data Protection Regulation, the Swiss Federal Act on Data Protection, and related data protection and e-privacy laws in Europe (such laws, collectively, the "GDPR") or relevant U.S. state laws such as the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 (“CPRA”) (together with the GDPR, collectively referred to as “Data Protection Laws”).

When We Act as a Controller

This Notice applies only when we act as a controller in the processing of personal data of individuals:

• who visit or interact with publicly available sections of our Website (“Website Visitors”);

• who are Personnel at our Business Partners, Service Providers, or Professional Advisors (collectively, “Business Data Subjects”); or

• who receive electronic or postal marketing communications from us (such as if you are Personnel at a potential Customer) (“Prospective Customers”).

If you are one of our Business Partners, Service Providers, Professional Advisors, or Customers, please provide this Notice to your Personnel who have dealings with us.

When We Act as a Data Processor

As noted above, for purposes of this Notice, we only process your personal data as a controller only when you are a Website Visitor, Business Data Subject, or Prospective Customer. In all other circumstances, we act as a data processor when processing personal data and this Notice does not apply to those processing activities. Instead, in those cases, we will process the personal data in accordance with the terms of the contract we have in place with the relevant controller. For example, we process personal data as a data processor when we provide driver risk management services to our Customers, and when we process Telematics Data and personal data of data subjects who visit or interact with:

• sections of our Website available only to our Customers; and/or

• our mobile applications, including our mobile applications available on Android and iOS platforms.

If you wish to obtain information about how your personal data is processed when we are acting as a data processor, please refer to the privacy notice of the applicable data controller (for example, the privacy notice of your employer or the privacy notice of the Customer with whom you have the direct relationship). More information is set out below in section 10 for data subjects based on their jurisdiction of residence.

We also act as a controller when we process personal data of job applicants and related persons, but that processing is not subject to this Notice. Rather, job-applicant related processing is subject to a separate data protection and privacy notice available upon request.

In this section, we set out the types of personal data we may collect and the potential sources of that information. We may also receive any or all the types of personal data referred to in this section from our Affiliates.

What personal data do we collect when you visit publicly available sections of our Website (Website Visitors)?

Personal Data You Provide

You may provide to us (whether by uploading, email, telephone, post or otherwise) the following types of personal data through your use of publicly available sections of the Website, which we may then collect, use, store and/or transfer in accordance with this Notice:

• Contact and Professional Data

• Marketing and Communications Data

• Voluntarily Provided Data

Automatically Collected Personal Data

The following types of personal data may be automatically collected or logged when you access and use publicly available sections of the Website, which we may then collect, use, store and/or transfer in accordance with this Notice:

• Cookie and Technical Data

• Usage Data

What personal data do we collect from individuals who receive electronic or postal marketing communications from us (i.e., Prospective Customers)?

• Contact and Professional Data

• Voluntarily Provided Data

What personal data do we collect from Personnel at our Business Partners, Service Providers, and Professional Advisors (i.e., Business Data Subjects)?

• AML/KYC Data

• Contact and Professional Data

• Government-Issued Data

• Marketing and Communications Data

• Voluntarily Provided Data

Special Categories of Personal Data

We do not generally request any special categories of personal data from you with respect to the data processing activities covered by this Notice (this includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information concerning health, and genetic and biometric data). However, you may provide these types of personal data to us as Voluntarily Provided Personal Data. We will rely on “conditions” (including explicit consent) provided for in the Data Protection Laws to process such special category data.

Criminal Convictions and Offences Personal Data

We do not request any personal data relating to criminal convictions and offences with respect to the data processing activities covered by this Notice. However, such personal data may be provided to us as Voluntarily Provided Personal Data. We will rely on “conditions” provided for in the Data Protection Laws to process such criminal convictions and offences data.

Children’s Personal Data

Our Website and our services (including our mobile applications) and the other data processing operations covered by this Notice are not intended for children. We do not knowingly collect personal data from children under the age of 18. Parents or guardians of a child under the age of 18 who believe such child has disclosed personal to us should contact us using the contact details at Section 12 (How to Contact Us) below. A parent or guardian of a child under the age of 18 may review and request deletion of such child’s personal data as well as prohibit the use thereof. By accessing and using our Website, the users represent that they are at least 18 years of age.

We set out below the purposes of our data processing activities, the relevant categories of personal data relating to such purposes, and the relevant legal basis and condition for processing. In certain circumstances, more than one legal basis for processing may be applicable. We provide more detail with respect to each of the legal bases and condition in Schedule 1 to this Notice.

If you have provided consent to processing and subsequently withdraw that consent, we may still process your personal data where we have another lawful basis for doing so, provided that you have not expressly asked us to stop processing your personal data in accordance with section 5 (Marketing).

Where we need to collect personal data by law or under the terms of a contract that we have with you, and you fail to provide that personal data when requested, we may not be able to perform the contract we have with you (for example, to provide access to the Website or our services).

Your personal data may be disclosed both internally and externally to third parties (as set out below) to the extent necessary for us to successfully complete the purposes of the processing as set out in the table above. Specifically, your personal data may be disclosed to our Personnel who have a business need to use such personal data.

We disclose or otherwise make available personal data with the following categories of third parties (each defined in Schedule 1 (Definitions) section C (Third party data sources and recipients)):

• Advertising Networks and Advertising Partners

• Affiliates

• Business Partners

• Governmental Authorities

• Professional Advisors

• Service Providers

• Other third parties: subject to your consent, may disclose your personal data to other third parties (including publicly), such as your testimonials or feedback

In addition, in the United States, we may disclose personal data to third parties, such as legal advisors, Governmental Authorities, and law enforcement:

• in connection with the establishment, exercise, or defense of legal claims;

• to comply with laws or to respond to lawful requests and legal process;

• to protect our rights and property and the rights and property of our agents, customers, and others, including to enforce our agreements, policies, and terms of use;

• to detect, suppress, or prevent fraud;

• to reduce credit risk and collect debts owed to us;

• to protect the health and safety of us, our customers, or any person; or

• as otherwise required by applicable law.

Please also see section 7 below for information on international data transfers.

We may send Prospective Customers marketing communications (including newsletters) if they have requested such communications from us or if we are otherwise allowed to do so under applicable law.

If you do not wish to receive marketing information from us, you can opt out by contacting us using the contact details at section 12 below or by clicking the opt-out link in our electronic marketing communications. You cannot opt-out of service-related email communications (such as, account verification, transaction confirmation, or service update emails).

Please refer to our Cookie Policy (available at: https://sambasafety.com/cookies-policy/) for more information about our use of cookies.

Personal data may therefore be transferred, stored, and accessed within the country or region you are located in, and transferred to, stored in, and accessed from different countries to fulfil the purposes described in this Notice. The recipients of personal data identified under Section 4 (Sharing of Personal Data) may be established in countries outside Europe (such as the United States of America) and such country may have a different or lower standard of data privacy rights and protections than provided for under the GDPR. Notably, our Website and servers are hosted in the United States by Amazon Web Services.

Where personal data will be transferred outside any country in Europe and where there is not a European Commission/UK/Swiss adequacy decision in place, the transfers will be in accordance with Chapter V of the GDPR, and in line with the recommendations of the European Data Protection Board and/or the UK Information Commissioner’s Office, as applicable. Such transfers will occur subject to the data protection safeguards afforded under the EU Standard Contractual Clauses, Swiss, and/or UK equivalent of such clauses. For more information on the transfer mechanisms used, and/or to obtain a redacted copy of such appropriate safeguards, you may contact us as provided for under Section 12 (How to Contact Us).

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, regulatory requirements, the potential risk of harm from unauthorized use or disclosure of the personal data, the purposes for which we process the personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Depending on your jurisdiction of residence, applicable Data Protection Laws may allow you to request specific retention periods by emailing us at the email addresses set out in section 12 below.

We do not use your personal data to research, develop, train and/or otherwise improve our AI tools. Your personal data will not be provided to any providers of general-purpose AI models to improve or train such models.

Data controllers

We act as controllers of your personal data.

Lawful basis for processing

Our lawful bases for processing your personal data are explained in the table in section 3 above.

Your GDPR rights

If you are a resident in Europe, you may have the following rights under the GDPR in relation to your personal data:

• request access to your personal data;

• request correction of the personal data that we hold about you;

• request erasure of your personal data;

• object to processing of your personal data;

• request restriction of processing of your personal data;

• request the transfer of your personal data to you or to a third party; and

• withdraw consent at any time where we are relying on consent to process your personal data.

To exercise any of the rights set out above, please contact us using the contact details provided in section 12 below. There are exceptions and exemptions that apply to some of the rights, which we will apply in accordance with the applicable data protection laws. We may need to request specific information from you to help us confirm your identity and your right to access the personal data (or to exercise any of the other rights).

We do not make decisions based solely on automated processing of personal data including profiling, which produce legal effects concerning individuals or similarly significantly affects individuals. We ensure that such decisions involve meaningful human involvement, and/or consideration of all relevant factors and information regarding the individuals, as appropriate.

In addition to the above rights, you have the right to lodge a complaint with a supervisory authority in the country of residence in Europe.

Your U.S. Privacy Rights (Except California)

Depending on your state of residency and subject to certain legal limitations and exceptions, you may be able to exercise some or all of the following rights. If you are resident of California, your rights and more information are set out in the next two subsections.

• Right to Know/Access & Portability: The right to obtain access to the personal data we have collected about you and, where required by law, the right to obtain a copy of the personal data in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the data to another entity without hindrance.

• Right to Request Categories of Third Parties: For Delaware and Maryland residents, the right to request a list of the categories of third parties to which we have disclosed your personal information.

• Right to Specific List of Third Parties: For Minnesota and Oregon residents, the right to request a list of the specific third parties to whom we have disclosed personal data.

• Right to Correction: The right to correct inaccuracies in your personal data, taking into account the nature of the personal data and the purposes of the processing of the personal data.

• Right to Deletion: The right to have us delete personal data we maintain about you.

• Right to Opt-Out of Targeted Advertising: The right to direct us not to use or share personal data for certain targeted advertising purposes.

• Right to Opt-Out of Sales: The right to direct us not to sell personal data to third parties.

• Right to Withdraw Consent: Where applicable, the right to withdraw your consent where you may have provided consent for processing your data.

Depending on your U.S. state of residency, you may also have the right to not receive retaliatory or discriminatory treatment in connection with a request to exercise the above rights. However, the exercise of the rights described above may result in a different price, rate or quality level of product or service where that difference is reasonably related to the impact the right has on our relationship or is otherwise permitted by law.

Special Notice for Residents of California

This section applies only to California residents and the terms used have the same meaning as set out in the CCPA as amended by the CPRA.

Personal Data Collected. Below is a summary of the personal data categories that we collect, the reason we collect your personal data, where we obtain the personal data we collect about you, and the third parties with whom we share your personal data. For more information about the personal data we collect, please refer to “Personal Data We Collect.”

• Identifiers: We may collect identifiers such as a name, address, unique personal identifiers, email, phone number, your device’s IP address, software, and identification numbers associated with your devices and other similar identifiers.

• Commercial information: We may collect commercial information such as records of products or services purchased, obtained, or considered by you.

• Internet or other electronic network activity information: We may collect information regarding your browsing history, search history, your interaction with our services, your interaction with an internet website, the web page visited before you came to our website, length of visit and number of page views, locale preferences, your mobile carrier, date and time stamps associated with transactions, and system configuration information.

• Geolocation data: We may collect information that is sufficient to identify your general location, such as your IP Address. For the avoidance of doubt this does not currently include precise geolocation data.

• Inferences: We may collect information about your preferences, characteristics, behavior, and attitudes.

• Sensitive Personal data: We may collect this information the extent you provide it to us with Voluntarily Provided Personal Data. We do not sell or share (as such terms are defined by the CCPA) this information.

We collect the above information for the purposes described in the full Notice above as well as any other purposes separately notified to you. Further, we share the personal data described above with the parties identified in the “Sharing of Personal Data” section of this Notice.

Your California Privacy Rights

California residents have the following rights. Certain rights are not absolute, such as your right to know and right to deletion, and are subject to certain exceptions. For instance, we cannot disclose specific pieces of personal data if the disclosure would create a substantial, articulable, and unreasonable risk to the security of the personal data, your account with us, or the security of the business’s systems of networks.

• Right to Know. You have the right to know what personal data about you we have collected, used, disclosed, sold, and shared, if applicable, during the preceding 12 months. You have the right to request in writing from us a copy of the categories of personal data we have collected about you, the categories of sources from which we collected that information, why we collected information about you, and the business or commercial purpose for selling, sharing, or disclosing your personal data (if applicable), the categories of third parties with whom we disclosed, sold, or shared your personal data, and the categories of personal data that we disclosed, sold, or shared about you for a business purpose. We are only required to respond twice per calendar year to your right-to-know requests.

• Right to Deletion. You have the right to request that we delete any personal data we have collected from you or maintain about you. We honor such requests unless an exception applies, such as when the information is necessary to complete the transaction or contract for which it was collected or when information is being used to detect, prevent, or investigate security incidents, comply with laws or legal obligation, identify and repair bugs, or ensure another consumer’s ability to exercise their free speech rights or other rights provided by law.

• Right to Opt-Out of the Sale of Your Personal Data. If a business sells your personal data, you have the right to opt-out. We will not sell any of your personal data unless we first notify you separately in writing. You may opt out of the sale of your personal data by utilizing the “do not sell or share my personal data” banner on our website.

• Right to Information on Personal Data Sharing. You may have the right to request information from us regarding whether we share certain categories of your personal data with third parties for the third parties’ direct marketing purposes, including the categories of information we disclosed to third parties for the third parties’ direct marketing purposes during the preceding calendar year; the names and addresses of third parties that received such information, or if the nature of their business cannot be determined from the name, then examples of the products or services marketed. To the extent we participate in such sharing, you are entitled to receive a copy of this information in a standardized format and the information will not be specific to you individually.

• Right to Opt-Out of the Sharing of Your Personal Data. You have the right to opt out of a business sharing your personal data with third parties. We may engage in “sharing” under the CCPA, which is broadly defined as disclosing personal data for purposes of cross-context behavioral advertising, including instances where companies target advertising based on personal data obtained from a consumer’s activity across distinctly branded websites or services. We share information as outlined in the “Our Disclosure of Personal Data” section of this Notice. You may opt out of the “sharing” of your personal data by utilizing the “do not sell or share my personal data” banner on our website.

• Right to Correct Inaccurate Personal Data. You have the right to request that we correct inaccurate personal data. We will use commercially reasonable efforts to correct your personal data as directed by you, or provide you with instructions on how you can correct your information. In some instances, you may be able to correct your information via your Services account.

• Right to Non-Discrimination. We will not discriminate against you for exercising your rights. Specifically, we will not deny you services, charge you different prices or rates for services, or provide you a different level or quality of services, because you elected to exercise your rights.

• Right to Limit the Use of Sensitive Personal Data. The CCPA allows you to limit certain uses and disclosures of your sensitive personal data to certain purposes specified by law (e.g., providing you with services you request or preventing fraud, or for other purposes that don’t involve deriving your attributes). Because of our limited use of your sensitive personal data, we are not required to offer you this opt-out right.

You may exercise your rights as outlined under “How to Contact Us” at section 12 below.

Our Website may contain links to other websites. These websites may have separate privacy and data collection practices, independent of our practices, and your use and access to such sites is subject to those terms and policies. We have no responsibility or liability for these independent policies or actions, and we are not responsible for the privacy practices or the content of such websites.

To ask any questions regarding this Notice, or to exercise any of your rights relative to us, please contact us using the following contact details:

Address: 5445 DTC Parkway, Suite 950 Greenwood Village, CO 80111

Email: dataprivacyoffice@sambasafety.com

Verifying Identity of Privacy Rights Requests – United States

To process your rights request, we may need to verify your identity and confirm you are a resident of a jurisdiction that offers the requested right(s). We may ask you to verify personal data we already have on file for you. If we cannot verify your identity from this information, we may request additional information, which will only be used for the to verify your identity, and for security or fraud-prevention purposes.

In some instances, we may seek for you to identify at least three pieces of your personal data maintained by the business and submit a signed declaration under penalty of perjury that you are the resident whose personal data is the subject of the request. We will provide an initial response to your request within the timeline prescribed by the relevant Data Protection Law.

In certain circumstances, we may decline or limit your request, particularly where we are unable to verify your identity or locate your information in our systems, or where you are not a resident of one of the eligible regions with Data Protection Laws affording these rights.

Submitting Authorized Agent Requests – United States

In certain jurisdictions, you are permitted to use an authorized agent to submit requests on your behalf through the designated methods set forth above where we can verify the authorized agent’s authority to act on your behalf. To verify the authorized agent’s authority, we generally require evidence of either (i) a valid power of attorney or (ii) a signed letter containing your name and contact information, the name and contact information of the authorized agent, and a statement of authorization for the request. Depending on the evidence provided and your jurisdiction of residency, we may still need to separately reach out to you to confirm the authorized agent has permission to act on your behalf and to verify your identity in connection with the request.

Appealing Privacy Rights Decisions – United States

Depending on your jurisdiction of residency, you may be able to appeal a decision we have made in connection with your privacy rights request. All appeal requests should be submitted by replying to the communication resolving your original request.

This Notice may be revised from time to time. We display a “Last Updated” date at the bottom of this Notice, so it is clear when there has been a change.

LAST UPDATED: January 20, 2026