AGREEMENTS

Privacy Policy

Content last updated: May 23, 2018

This privacy policy (“Policy”) describes how eShares, Inc. DBA Carta, Inc., and its related companies (“Company” or “Carta”) collect, use, disclose, and share personal information of consumer users of this website, www.Carta.com (the “Site”). This Policy also applies to any of our other websites that post this Policy.

What we collect

We get information about you in a range of ways.

Information You Give Us.

We may collect your‎ name, postal address, email address, phone number, username, password, demographic information (such as your occupation), social security number, tax id number, bank account information, as well as other information you directly give us on our website.

For customers who have paid software services, we collect your billing details such as credit card information, banking information, and/or billing address.

Information We Get From Others.

We may get information about you from other sources, such as your employer when they issue you options or shares. We may add this to information we get from this website.

Information Automatically Collected.

We may collect information about the devices accessing our website and application. Some examples are: type of device, what operating system is used, application information, unique device identifiers and crash data. The type of information we collect depends on the type of device used and its settings.

We may automatically log information about you and your computer. For example, when visiting our website, we log your computer operating system type, browser type, browser language, pages you viewed, how long you spent on a page, location, access times and information about your use of and actions on our website.

Use of personal information

We use your personal information as follows:

  • We use your personal information to operate, maintain, and improve our site, products, and services.
  • We use your personal information to respond to comments and questions and provide customer service.
  • We use your personal information to send information including confirmations, invoices, technical notices, updates, security alerts, and support and administrative messages.
  • We use your personal information to communicate about promotions, upcoming events, and other news about products and services offered by us.
  • We use your personal information to link or combine user information with other personal information.
  • We use your personal information to protect, investigate, and deter against fraudulent, unauthorized, or illegal activity.
  • We use your personal information to provide and deliver products and services customers request.

Third party data

Carta may receive data about organizations, industries, website visitors, marketing campaigns, and other matters related to our business from affiliates, subsidiaries, partners, or others that we use to make our own information better or more useful. This data may be combined with other information we collect and might include aggregate level data. One example is to help our customers know how many stakeholders have accepted their securities on our platform.

Use of personal information

We may use personal information as follows:

  • We use your personal information to operate, maintain, and improve the website, products, and services. This includes use of other information to support delivery of our services under contract, assist with service request, monitor for errors, remedy security or technical issues, analyze website and application performances.
  • We use your personal information to respond to comments and questions, verify permission access, and provide customer service.
  • We use your personal information to send information including confirmations, invoices and billing, technical notices, updates, security alerts, and administrative messages.
  • We use your personal information to communicate system updates, upcoming events, and other news about products and services offered by us. We may contact you to inform you about important services-related notices, such as privacy and policy update notices or changes in our terms of service. These communications are strictly necessary and you may not opt out of them.
  • We use your personal information to link or combine user information with other personal information. An example is when we combine the information a company has provided about their shareholders with the information entered by shareholders in their personal portfolios to improve the user experience.
  • We use your personal information to protect, investigate, and deter against fraudulent, unauthorized, or illegal activity.
  • We use your personal information to provide and deliver products and service customers requests. An example is when an employee exercises their stock options and we may provide a tax form to the company for their IRS reporting requirements.

Sharing of personal information

We may share personal information as follows:

  • We may share information per our customers’ instructions.
  • We may share personal information in compliance with any applicable law.
  • We may share personal information when we do or negotiate a business deal involving the sale or transfer of all or a part of our business or assets in which a successor or purchaser will be operating a similar business. These deals can include any merger, acquisition, or bankruptcy transaction or proceeding. Any such successor or purchaser (or recipient of information during negotiation or due diligence) will be required to comply with reasonable confidentiality restrictions with respect to personal information.
  • We may share personal information for legal, protection, information security, and safety purposes. Examples include enforcing contracts or policies, reporting on security breaches, or assisting with investigating and preventing fraud or security issues.
  • We may share customer and user access on the customer’s account. Equity administrators for the customer, authorized users and other designated representatives may be able to add, modify or restrict access. An example is the company administrator designates a legal administrator to issue new securities on behalf of the company.
  • We may share information to comply with laws and regulatory requests. Examples include responding to lawful requests and legal or regulatory processes.
  • We may share information to protect the rights and property of Carta, our agents, customers, and others. This includes enforcing our agreements, policies, and terms of use.
  • We may share information with those who need it to do work for us. An example is granting a Carta employee the necessary access in order to perform his/her duties.
  • We may share aggregated or anonymized data. We may disclose or use aggregated or anonymized data for any purpose. An example would would be for marketing, analytics or research purposes.
  • We will not share personal information with investors of the Company beyond any personal information that such investors are entitled to for customary legitimate business purposes.
  • We may share other information with consent with third parties when we have consent to do so. We may engage third party companies or individuals as service providers to process information and support our services. An example would be cloud services for data center colocation and storage services.
  • Customers may authorize access to customer data to third parties. An example is when a company grants their financial auditors access for annual audits.

Legal Requirements

To help the government fight the funding of terrorism and money laundering activities, federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account. What this means for you: we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver’s license or other identifying documents.

Age Limitations

To the extent prohibited by applicable law, Carta does not allow use of our services and Site by anyone younger than 18 years old. If you learn that anyone younger than 18 has unlawfully provided us with personal data, please contact us and we will takes steps to delete such information.

Information choices and changes

Our marketing emails tell you how to “opt out.” If you opt out, we may still send you non-marketing emails. Non-marketing emails include emails about your accounts and our business dealings with you that are necessary for fulfilling our obligations to our customers.

You may send requests about personal information to our Contact Information below. You can request to change contact choices, opt-out of our sharing with others, and update your personal information.

You can typically remove and reject cookies from our website with your browser settings. Many browsers are set to accept cookies until you change your settings. If you remove or reject our cookies, it may affect how our website works for you.

We strive to provide you the tools to update your personal information. If you are unable to correct inaccurate information on your own, you may request our assistance to update such information by contacting privacy@Carta.com.

Notice for Residents of the European and Swiss Economic Areas, Privacy Shield and Contractual Terms

Carta is committed to subjecting all personal data received from European Union (“EU”) member countries and Switzerland, in reliance on the Privacy Shield Framework (“Privacy Shield”), to the Privacy Shield’s applicable Principles. To learn more about the Privacy Shield Framework, and to view our certification page, please visit: https://www.privacyshield.gov

Carta is responsible for the processing of personal data we receive, and subsequently transfers to a third party acting as an agent on our behalf. Carta abides by the Privacy Shield Principles for all onward transfers of personal data from the EU and Switzerland, including, unless we prove that we are not responsible for the event giving rise to the damage, the onward transfer of liability provisions.

Carta is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, Carta may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

EU or Swiss residents with inquiries or complaints regarding this Privacy Policy should first contact Carta at privacy@Carta.com. Please allow a reasonable amount of time to respond to your request. If you do not receive timely acknowledgement of your complaint, if your complaint is not satisfactorily addressed by Carta, or if you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.

If these processes do not result in a resolution, you may then contact your local data protection authority, the U.S. Department of Commerce, and/or the Federal Trade Commission for assistance.

Please be advised that the arbitrator(s) may only impose individual-specific, non-monetary, equitable relief necessary to remedy any violation of the Privacy Shield Principles with respect to the resident.

Carta may transfer your Personal Data to countries other than the one in which you live. We deploy the following safeguards if Carta transfers Personal Data originating from the European Union or Switzerland to other countries not deemed adequate under applicable data protection law.

These frameworks were developed to enable companies to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States.

Carta offers European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our Customers that operate in the European Union, and other international transfers of Customer Data. A copy of our standard data processing addendum, incorporating Model Clauses, is available upon request to privacy@Carta.com.

Contact information

We welcome your comments or questions about this Privacy Policy. You may also contact us at our address:

eShares, Inc. DBA Carta, Inc. 195 Page Mill Road, Suite 101 Palo Alto, California 94306

Changes to this Privacy Policy

We may change this privacy policy. If we make any substantive changes related to how we collect or use data, we will change the content last updated date above. Other changes including grammar or spelling corrections will automatically update the timestamp at the bottom of this document.

eShares, Inc. DBA Carta, Inc. is a transfer agent registered with the U.S. Securities and Exchange Commission. The services and information described in this communication are provided to you “as is” and “as available” without warranties of any kind, expressed, implied or otherwise, including but not limited to all warranties of merchantability, fitness for a particular purpose, or non-infringement. Neither eShares, Inc. DBA Carta, Inc. nor any of its affiliates will be liable for any damages, including without limitation direct, indirect, special, punitive or consequential damages, caused in any way or arising from the use of the services or reliance upon the information provided in this communication or in connection with any failure of performance, error, omission, interruption, defect, delay in operation or transmission, computer virus or line or system failure. Transfer Agent services for DTC-eligible registered companies provided by Philadelphia Stock Transfer, a Carta affiliate. Carta Securities LLC is a broker-dealer and a member of FINRA and SIPC. Contact: eShares, Inc. DBA Carta, Inc., 195 Page Mill Road, Suite 101, Palo Alto, CA 94306.

© 2018 ESHARES, INC. DBA CARTA, INC.