Last Updated: September 9th, 2025

WHO WE ARE Integrate, LTD (“Integrate,” “we,” “us,” “our”) provides automation, e‑commerce, and marketing services and a platform to business clients. This Privacy Policy explains how we collect, use, disclose, and protect personal information as a controller for our own operations and as a processor/service provider when acting on behalf of Clients.

SCOPE This Policy applies to:

Our websites, apps, and the Integrate Platform (including white‑labeled implementations).

Our marketing and communications.

Client accounts and related services we provide.

Controller vs. Processor:

When you interact with our websites, billing, support, and marketing, Integrate is the controller.

When you load personal data into the Platform or instruct us to process it for your campaigns and automations, you (the Client) are the controller and Integrate is your processor/service provider. Clients must provide their own privacy notices and obtain required consents from end users, leads, and customers.

INFORMATION WE COLLECT We collect the following categories of information, depending on your interactions and configuration:

Account & Profile: name, company, role, email, phone, billing and payment details (tokens), login identifiers, audit logs of account changes.

Platform Usage: project/workspace details, pipeline and CRM records, calendars, campaign settings, automations, user roles/permissions, support tickets and call/chat recordings where applicable.

Communications Data: message routing and delivery metadata (timestamps, sender/recipient, status), and message content provided/initiated by Client (subject to law and provider rules). For voice, this may include call logs and recordings if enabled.

Website/Device: IP address, device and browser identifiers, cookie IDs, analytics data, referral source, pages visited, session telemetry, approximate geolocation (derived from IP).

Integrations & Third‑Party Data: data received from or sent to connected tools (e.g., Google, Meta, Microsoft, payment gateways, telephony providers, email delivery, calendars) according to your configuration and permissions.

Payments: limited transaction metadata and tokens (we do not store raw card numbers or CVV); billing address; tax information where required.

Support/Feedback: content you submit to support, surveys, NPS/feedback, and incident reports.

Security & Fraud Signals: authentication, device fingerprint or risk signals from our security providers, and suspicious activity indicators.

SOURCES

Directly from you (forms, onboarding, support).

Automatically through the Platform and websites (cookies, SDKs, logs).

From Clients about their users/leads/customers (when we act as processor).

From integrated third‑party services per your authorization.

HOW WE USE INFORMATION We use personal information as controller to:

Provide, maintain, secure, and improve the Platform and Services.

Process payments, invoice, and manage accounts.

Provide customer support, onboarding, and training.

Monitor, detect, investigate, and prevent fraud, abuse, and security incidents.

Analyze usage to improve features, performance, and user experience.

Send administrative messages and, where permitted, marketing communications (you may opt out).

Comply with legal obligations and enforce our Terms.

We use personal information as processor/service provider to:

Configure and operate automations, communications, and integrations solely per Client’s instructions and the applicable

Data Processing Addendum (DPA).

Deliver Client campaigns (email/SMS/voice), maintain suppression lists, and handle opt‑outs per configuration.

Provide implementation and managed services under a Client’s SOW.

LEGAL BASES (EEA/UK and similar jurisdictions) Where required, we rely on:

Contract performance (to provide Services you request).

Legitimate interests (e.g., product improvement, security, fraud prevention, B2B marketing to business contacts with opt‑out, and intra‑group administration) balanced against your rights.

Consent (e.g., non‑essential cookies/analytics, certain marketing, call recording, and where required for SMS/email outreach).

Legal obligations (e.g., tax, accounting, regulatory retention).

COOKIES AND TRACKING

We use cookies, pixels, and similar technologies for functionality, authentication, analytics, and, where applicable, advertising/retargeting.

You can manage cookies via your browser/device and, where required, our consent banner. We only set non‑essential cookies in jurisdictions requiring prior consent after you opt in.

Do Not Track/Global Privacy Control (GPC): Where applicable (e.g., under CPRA), we recognize and honor GPC signals for opt‑out of sale/sharing or targeted advertising.

COMMUNICATIONS AND MARKETING

Platform communications are configured by Clients; Clients must ensure lawful messaging consents (e.g., TCPA, PECR, CAN‑SPAM/CASL).

Integrate’s own marketing to prospects/customers follows applicable laws (e.g., UK GDPR/PECR, CAN‑SPAM, CPRA). You can opt out via the link in our emails or by contacting us.

PAYMENTS AND PCI

Card payments are processed by third‑party providers (e.g., Authorize.net as gateway; Butterfield Bank as acquirer). We store payment tokens and limited billing data but do not store raw card numbers or CVV.

We and our providers adhere to applicable PCI‑DSS obligations. If you embed or host payment forms on your own domains/systems, you are responsible for PCI compliance of those implementations.

SHARING AND DISCLOSURE We do not sell personal information. We may share:

Service Providers/Processors: hosting, cloud infrastructure, analytics, communications (SMS/email/voice carriers), payment processing, support tooling, security and fraud prevention, and professional advisors, bound by confidentiality and processor terms.

Integrations: Data flows you configure with third‑party platforms (e.g., Google, Meta, Microsoft, telephony, email, calendars, CRMs, payment services) are governed by those providers’ terms and privacy policies. We disclose only per your configuration and instructions.

Legal/Compliance: To comply with law, lawful requests (e.g., subpoenas), or to protect rights, safety, property, and to enforce agreements or policies.

Business Transfers: In mergers, financing, insolvency, or sale of assets, personal information may be transferred subject to appropriate safeguards and continued protections.

With Your Direction: Where you instruct us or consent to sharing.

INTERNATIONAL TRANSFERS

We may process data globally. Where required, we implement appropriate safeguards for cross‑border transfers, including:

EU Standard Contractual Clauses (SCCs) with Transfer Impact Assessments.

UK International Data Transfer Addendum (IDTA) or UK Addendum to SCCs.

Cayman Data Protection Act (2017) transfer principles.

We take reasonable steps to ensure recipients provide an adequate level of protection. Details may be found in our DPA and/or Subprocessor List: [subprocessor list URL].

DATA SECURITY

We maintain administrative, technical, and physical safeguards, including encryption in transit and at rest where appropriate, access controls, MFA for privileged access, network segmentation, vulnerability management, logging and monitoring, and employee training.

No system is 100% secure. You are responsible for safeguarding credentials, configuring role‑based access, enabling MFA, and managing user access in your account.

Incident Response: We notify affected Clients without undue delay after becoming aware of a confirmed personal data breach affecting Client data, providing information reasonably available for compliance obligations.

DATA RETENTION

We retain personal information for as long as necessary to provide Services, comply with legal obligations, resolve disputes, enforce agreements, and for security/fraud prevention.

As processor, we retain Client data per the DPA and Client’s instructions. Following termination and settlement of the account, we will make available a standard export for a limited period (per the MSA), after which data may be deleted or archived per our retention schedule unless we are legally required to retain it.

YOUR PRIVACY RIGHTS Depending on your location, you may have rights to:

Access, know, or obtain a copy of personal information.

Correct (rectify) inaccurate data.

Delete/erase data, subject to exceptions.

Object to or restrict processing.

Port data to another provider.

Withdraw consent where processing is based on consent.

Opt out of certain processing (e.g., targeted advertising, sale/sharing under CPRA).

Appeal a decision (where required by U.S. state laws).

To exercise rights, contact [email protected]. We may verify your identity, including via authorized agents (where permitted, e.g., CPRA). We will respond within timelines required by applicable law. As processor, we will forward or follow Client instructions for end‑user requests.

U.S. STATE-SPECIFIC DISCLOSURES (CPRA and similar)

Categories Collected: Identifiers; commercial information; internet/network activity; geolocation (approximate); inferences (limited, for security/anti‑fraud); professional information; audio (support calls if recorded); and other information you provide.

Purposes: As described above under “How We Use Information.”

Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes other than those permitted by law (e.g., to provide the services).

Sale/Sharing: We do not sell personal information. We do not “share” personal information for cross‑context behavioral advertising as defined by CPRA, except where Clients configure third‑party ad integrations; in those cases we act as processor per Client instructions.

Non‑Discrimination: We will not discriminate against you for exercising your rights.

MARKETING COMMUNICATIONS AND TELECOM COMPLIANCE

Clients are responsible for obtaining, recording, and honoring valid consent for SMS/email/voice outreach and complying with applicable laws and guidelines, including TCPA, TSR, CTIA/A2P 10DLC, CAN‑SPAM, UK GDPR/PECR, CASL, Cayman and Jamaican telecom requirements, and similar local rules. Clients must maintain suppression lists and promptly honor STOP/UNSUBSCRIBE requests and quiet hours where applicable.

For Integrate’s own marketing, you may opt out at any time.

CHILDREN’S PRIVACY Our Services are not intended for children under 16 (or as defined by local law). We do not knowingly collect data from children. If you believe a child has provided personal data, contact us to remove it.

THIRD‑PARTY LINKS AND INTEGRATIONS Our Services may include links or integrations with third‑party sites/services we do not control. Their privacy practices are governed by their own policies. Review those policies before enabling integrations or sharing data.

DATA CONTROLLERS, CONTACT, AND DPO

Controller: Integrate, LTD.

EU/UK Representatives (if appointed): [Details or “not applicable”].

Data Protection Officer (if appointed): [DPO/contact if appointed] or privacy contact below.

Contact: For privacy questions or requests, contact [email protected].

JURISDICTION‑SPECIFIC DISCLOSURES

Cayman Islands: We process personal data in accordance with the Data Protection Act, 2017, including the data protection principles and applicable legal bases; we honor data subject rights (access, rectification, erasure, objection including to direct marketing, portability, and restriction); we apply appropriate safeguards for overseas transfers; and you may lodge a complaint with the Ombudsman. See: Cayman Ombudsman overview and principles and guidance on international transfers (Data Protection overview; Principles; International transfers).

United Kingdom / EEA: We rely on the lawful bases described above. For cross‑border transfers, we use the EU Standard Contractual Clauses with Transfer Impact Assessments, and for UK transfers the UK IDTA or the UK Addendum to the SCCs. You may lodge a complaint with the UK ICO (UK) or your local supervisory authority (EEA). See: ICO guidance on IDTA/Addendum and Transfer Risk Assessments (IDTA/Addendum; TRA) and European Commission SCCs resources (SCCs; SCCs Q&A).

United States: For California residents, see our CPRA disclosures. Similar rights and opt‑outs (e.g., targeted advertising, “sale,” and certain profiling) apply under other state privacy laws now in force (including VA, CO, CT, UT, OR, TX, and others). We act as a “service provider”/“processor” for Client data, do not “sell” or “share” personal information as defined by CPRA, and we honor applicable opt‑out signals (such as Global Privacy Control).

Canada: For commercial electronic messages we comply with CASL (consent/identification/unsubscribe). We handle personal information per PIPEDA and applicable provincial laws (including Quebec Law 25), with appropriate safeguards and cross‑border transparency.

Jamaica: We comply with the Data Protection Act, 2020 (principles, rights, security, and transfer restrictions). Electronic messaging requires valid consent, clear sender identification, and opt‑out, subject to telecom and consumer protection requirements.

YOUR RESPONSIBILITIES WHEN YOU ARE THE CONTROLLER (WHITE‑LABEL/GHL CONTEXT)

Notices & Consents: You must provide required privacy notices and obtain/maintain valid consent for messaging (email/SMS/voice) and tracking where required.

Lawful Use: You must comply with telecom and marketing laws (TCPA, CAN‑SPAM, CASL, UK GDPR/PECR, CTIA/A2P rules, and local rules), maintain records of consent/opt‑out, and configure campaigns accordingly.

Integrations: You are responsible for your configurations and any third‑party terms you accept.

End‑User Requests: You are responsible for responding to your end users’ data rights requests; we will support you under the DPA.

AUTOMATED DECISION‑MAKING AND PROFILING

We do not make decisions producing legal or similarly significant effects based solely on automated processing without human involvement in our controller capacity.

Clients may configure automations within the Platform; Clients are responsible for providing required notices and obtaining consents for such uses where applicable.

RETENTION DETAILS AND DELETION

We maintain a retention schedule aligning with statutory requirements and business needs. Where retention periods expire or data is no longer needed, we delete or de‑identify data in a secure manner.

Backups and logs are purged on rolling schedules; deletion requests may take effect after backup windows elapse.

CHANGES TO THIS POLICY We may update this Privacy Policy from time to time. The “Last Updated” date reflects the latest changes. Material changes will be communicated as appropriate (e.g., via the Platform or email). Continued use after the effective date indicates acceptance of the updated Policy.

CONTACT For privacy questions or requests, contact:

Email: [email protected]

Postal: 30982 Seven Mile Beach, Grand Cayman, KY1-1204