Privacy policy — Etrovvo

etrovvo.com EzShopper Technologies Inc.

Effective Date: May 15, 2025 Version 1.0 Language: English

1. Introduction etrovvo.com ('etrovvo', 'we', 'us', or 'our') is a commerce platform operated by EzShopper Technologies Inc., a corporation incorporated under the laws of the State of Delaware, United States of America. This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our B2C marketplace and B2B merchant services (collectively, the 'Platform'). This Policy applies to all users of etrovvo.com globally. Depending on your location, jurisdiction-specific provisions in Section 11 apply to you. By accessing or using the Platform, you acknowledge that you have read and understood this Privacy Policy.

2. About etrovvo.com etrovvo.com is a dual-sided commerce platform providing: • B2C Services: A marketplace where consumers discover and purchase products. • B2B Services: Analytics, tools, and optimization services for merchants to manage their operations. The Platform is operated by EzShopper Technologies Inc., incorporated in Delaware, USA. All data collected through the Platform is used exclusively by etrovvo.com and its authorized processors. We do not sell personal information to third parties for their own commercial purposes.

3. Information We Collect 3.1 Information You Provide Directly • Account data: name, email address, username, password (hashed and never stored in plaintext). • Business information (merchants): company name, business address, tax identification number. • Communications: messages, support requests, feedback, product reviews.

3.2 Information We Collect Automatically • Usage data: pages visited, search queries, products viewed, session duration. • Transaction history: products purchased, order amounts, payment method type (not payment card numbers). • Device and technical data: IP address, browser type and version, operating system, device identifiers, referring URL. • Behavioral data: click patterns, navigation paths, purchase sequences, cart interactions.

3.3 Information from Third Parties • Social media platforms: if you connect your account or use social login. • Payment processors: transaction confirmation data (we never receive card numbers or bank details). • Analytics partners: aggregated performance metrics.

4. Legal Basis for Processing The legal basis for processing your personal information depends on your jurisdiction and is addressed in Section 11. In general, we process personal information based on: • Consent: for marketing communications and advanced personalization. • Contract performance: to deliver the Platform services you request. • Legal obligation: to comply with applicable tax, financial, and regulatory requirements. • Legitimate interests: to detect fraud, maintain security, and improve our services, where such interests are not overridden by your rights.

5. How We Use Your Information We use personal information to: • Provide, operate, and improve the Platform. • Process transactions and send related order and account communications. • Personalize your shopping experience and content recommendations. • Analyze Platform usage to develop new features and services. • Send marketing communications where you have consented or where otherwise permitted. • Comply with applicable laws, regulations, and legal processes. • Detect, investigate, and prevent fraudulent or illegal activity. • Train and improve our machine learning models (see Section 6).

6. Artificial Intelligence and Machine Learning Processing etrovvo uses machine learning ('ML') and artificial intelligence ('AI') technologies to analyze user purchasing behavior and enhance the shopping experience. This is a core feature of our Platform.

6.1 What We Analyze • Purchase pattern analysis: We analyze your transaction and browsing history to understand preferences. • Personalized recommendations: ML models suggest products relevant to your interests. • Experience optimization: Behavioral patterns inform Platform usability improvements.

6.2 AI Service Providers (Sub-Processors) To power these capabilities, we share relevant behavioral data with the following AI service providers, who act as data processors under our instructions. They are contractually prohibited from using your data for their own purposes: • Google LLC — Gemini AI (USA) • Anthropic PBC — Claude AI (USA) • OpenAI, L.L.C. (USA) • xAI Corp. (USA) Data processing agreements conforming to applicable law are in place with each provider.

6.3 Automated Decision-Making Some Platform features involve automated processing that influences the content or products displayed to you. Where processing constitutes automated decisions producing significant legal or similarly significant effects, we implement appropriate human oversight. You may exercise your right to object to automated processing as described in Section 11 for your jurisdiction.

7. Payment Processing etrovvo does not directly collect, store, or process payment card numbers, bank account details, or other financial credentials. All payment processing is handled exclusively by trusted third-party processors, including Stripe, Inc. and PayPal Holdings, Inc. These processors are independently responsible for the security of your payment information under their own privacy policies and applicable payment industry standards (PCI-DSS).

8. Data Sharing and Disclosure We may share your personal information in the following circumstances: • Service Providers: Third-party companies performing services on our behalf (AI providers, cloud hosting, analytics, email delivery). These parties access only the data necessary for their specific function. • Business Partners: Marketplace merchants, to the extent necessary to fulfill your purchase or service request. • Legal Authorities: When required by applicable law, court order, or to protect the rights, property, or safety of etrovvo, our users, or the public. • Business Transfers: In connection with a merger, acquisition, reorganization, or sale of all or part of our business. We will provide notice before your personal information is transferred and becomes subject to a different privacy policy. We do not sell your personal information to third parties for their own marketing or commercial purposes.

9. International Data Transfers EzShopper Technologies Inc. is headquartered in the United States. Your personal information may be transferred to and processed in the US and other countries where our service providers and AI processors operate. Such countries may have data protection laws different from those of your home jurisdiction. Where required by applicable law, we implement appropriate safeguards for international transfers. For UK and EEA users, this includes Standard Contractual Clauses (SCCs) approved by the European Commission and, post-Brexit, the UK International Data Transfer Agreement (IDTA) or UK Addendum to SCCs as appropriate. Jurisdiction-specific transfer mechanisms are further addressed in Section 11.

10. Data Retention We retain personal information for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Specific retention periods: • Account data: retained while your account is active, plus 3 years after account closure. • Transaction records: 7 years (to comply with tax and accounting requirements). • Behavioral and analytical data: 2 years from date of collection. • Marketing preferences and consents: retained until withdrawal or account closure. • Support communications: 2 years from the date of resolution. Upon expiry of applicable retention periods, we securely delete or anonymize your personal information.

11. Your Privacy Rights by Jurisdiction Find the section that corresponds to your country or region. If more than one section applies, you benefit from all relevant rights listed.

11.1 United States California (CCPA / CPRA) If you are a California resident, the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), grants you the following rights: • Right to Know: Request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and share. • Right to Delete: Request deletion of your personal information, subject to certain exceptions. • Right to Correct: Request correction of inaccurate personal information. • Right to Opt-Out of Sale/Sharing: Opt out of the sale of your personal information or its sharing for cross-context behavioral advertising. To exercise this right, email privacy@etrovvo.com with the subject line 'Do Not Sell or Share My Personal Information.' • Right to Limit Use of Sensitive Personal Information: Direct us to limit our use of sensitive personal information to purposes necessary to perform the requested services. • Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights. To submit a rights request, email privacy@etrovvo.com. We will verify your identity before processing the request and respond within 45 days (with a possible 45-day extension).

Other US States Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Texas (TDPSA), Oregon (OCPA), Montana (MCDPA), and other states with comprehensive privacy laws have similar rights to those described above. Contact privacy@etrovvo.com to exercise your rights under applicable state law.

11.2 Canada Federal (PIPEDA) Canadian residents have the following rights under the Personal Information Protection and Electronic Documents Act (PIPEDA): • Right of Access: Request access to personal information we hold about you. • Right to Withdraw Consent: Withdraw consent to our processing of your personal information, subject to legal and contractual restrictions. • Right to Correct: Request correction of inaccurate, incomplete, or outdated personal information. • Right to Challenge: Challenge our compliance with PIPEDA. Contact us at privacy@etrovvo.com. We respond within 30 days.

Quebec (Law 25 — Act respecting the protection of personal information in the private sector) Quebec residents have additional rights under Law 25: • Right to Data Portability: Request that your personal information be communicated to you in a technological format, or transferred to another organization where technically feasible. • Automated Decision-Making Disclosure: You have the right to be informed when a decision based exclusively on automated processing of personal information is made that affects you, and to request that a human review that decision. • Right to De-indexation: Request that the hyperlinks giving access to information about you be de-indexed from search engines, in certain circumstances. To exercise these rights: privacy@etrovvo.com.

11.3 United Kingdom If you are located in the United Kingdom, the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 apply. You have the following rights: • Right of Access (Art. 15 UK GDPR): Obtain a copy of your personal data. • Right to Rectification (Art. 16): Correct inaccurate or incomplete data. • Right to Erasure / 'Right to be Forgotten' (Art. 17): Request deletion in certain circumstances. • Right to Restriction of Processing (Art. 18): Limit how we use your data in certain circumstances. • Right to Data Portability (Art. 20): Receive your data in a structured, machine-readable format. • Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing. • Rights Related to Automated Decision-Making (Art. 22): Not be subject to solely automated decisions with significant effects. Our legal bases for processing include: legitimate interests (personalization and analytics), contract performance (service delivery), consent (marketing), and legal obligation (compliance). You may lodge a complaint with the Information Commissioner's Office (ICO) at www.ico.org.uk or by calling 0303 123 1113. For UK-to-third-country data transfers, we rely on the UK International Data Transfer Agreement (IDTA) or equivalent mechanisms approved by the ICO.

11.4 Australia If you are located in Australia, the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) govern how we handle your personal information. • APP 12 — Access: Request access to the personal information we hold about you. • APP 13 — Correction: Request correction of inaccurate, out-of-date, incomplete, irrelevant, or misleading personal information. • APP 7 — Direct Marketing: Request that we stop using your information for direct marketing. We comply with the cross-border disclosure requirements of APP 8. Before disclosing your personal information to overseas recipients (including our AI sub-processors located in the US), we take reasonable steps to ensure those recipients comply with the APPs or are subject to a law or binding scheme that is at least substantially similar in effect. Complaints may be lodged with the Office of the Australian Information Commissioner (OAIC) at www.oaic.gov.au or by calling 1300 363 992.

11.5 New Zealand If you are located in New Zealand, the Privacy Act 2020 applies. You have the right to: • Request access to personal information we hold about you (Information Privacy Principle 6). • Request correction of inaccurate personal information (Information Privacy Principle 7). We notify the New Zealand Privacy Commissioner of privacy breaches that are likely to cause serious harm, as required by the Privacy Act 2020. Complaints may be lodged with the Office of the Privacy Commissioner at www.privacy.org.nz.

12. Cookies and Tracking Technologies We use cookies, pixel tags, web beacons, and similar tracking technologies to operate, secure, and improve the Platform. Categories of cookies we use: • Strictly Necessary: Required for the Platform to function (e.g., authentication, shopping cart). Cannot be disabled. • Functional: Remember your preferences (e.g., language, region). May be disabled at some loss of functionality. • Analytics: Understand how users interact with the Platform (e.g., Google Analytics). Disabled by default where consent is required. • Personalization / Marketing: Power recommendations and targeted experiences. Disabled by default where consent is required. You can manage cookie preferences through your browser settings and, where applicable, through our in-platform cookie consent manager. Note that disabling certain cookies may impair Platform functionality. For users in jurisdictions requiring prior consent for non-essential cookies (e.g., UK, EU), we present a consent mechanism before non-essential cookies are set.

13. Children's Privacy The Platform is intended exclusively for users aged 18 and over. We do not knowingly collect, use, or disclose personal information from individuals under the age of 18. If you believe we have inadvertently collected information from a minor, please contact us immediately at privacy@etrovvo.com and we will promptly delete such information.

14. Data Security We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. Our security measures include: • Encryption of data in transit using TLS/SSL and encryption of data at rest. • Role-based access controls and multi-factor authentication for administrative access. • Regular security assessments, penetration testing, and vulnerability management. • Contractual security requirements imposed on all third-party processors. • Incident response procedures and breach notification protocols. No information system is entirely secure. If you have reason to believe your interaction with us is no longer secure, please notify us immediately at privacy@etrovvo.com.

15. Security Breach Notification In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authorities and, where required, affected users, in accordance with applicable law and within the timeframes prescribed: • UK GDPR: 72 hours to the ICO; without undue delay to affected users where high risk. • Australia (Privacy Act): As soon as practicable to the OAIC and affected individuals where serious harm is likely. • New Zealand (Privacy Act 2020): As soon as reasonably practicable to the Privacy Commissioner and affected individuals. • Canada (PIPEDA): As soon as feasible to the Privacy Commissioner and affected individuals where real risk of significant harm. • US states: In accordance with applicable state breach notification laws.

16. Changes to This Privacy Policy We may update this Privacy Policy periodically to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify you of material changes by: • Posting the updated Policy on the Platform with a revised 'Effective Date.' • Sending an email notification to your registered email address, where required by law. • Displaying an in-Platform notification, where appropriate. Continued use of the Platform after the effective date of any changes constitutes acceptance of the revised Policy. We encourage you to review this Policy periodically.

17. Contact Us For questions about this Privacy Policy, to exercise your privacy rights, or to report a potential privacy issue:

etrovvo.com Privacy Team EzShopper Technologies Inc. Incorporated in Delaware, United States of America Email: privacy@etrovvo.com We aim to respond to all requests within 30 days. For UK/EEA users, we respond within the timeframes required by applicable GDPR.