EVENHAND LLC — PRIVACY POLICY

Effective Date: May 21, 2026 Last Updated: May 21, 2026

Reader's Note

This Privacy Policy applies to the Evenhand platform (the "Platform"), operated by Evenhand LLC, a Washington limited liability company ("Evenhand," "we," "us," or "our"). It is incorporated into our Terms of Service available at https://evenhandhq.com/terms (the "Terms"). Capitalized terms not defined in this Policy have the meanings given in the Terms.

We have written this Policy to be readable. Words have specific legal meanings where indicated. Where applicable law gives you greater rights than this Policy, that law controls.

1. Who This Policy Covers and Scope

This Policy applies to:

• Users of the Platform — Broker Users, Brokerage Administrators, Brokerage Managers, Buyers, Sellers, Service Providers, Post-Close Observers, and Direct Sellers;
• Visitors to evenhandhq.com and evenhand.co who do not create accounts;
• Third Parties whose information we receive in connection with Platform operations, including financing issuers who confirm prequalification documents and references named in buyer background information; and
• Communications recipients (the people we email through Platform-driven notifications).

This Policy does not apply to third-party services we link to or integrate with under your authorization (e.g., your QuickBooks Online account, your Google Calendar). Those services have their own privacy practices, and your use of them is governed by your agreement with their providers.

By creating an account, accessing the Platform, or providing personal information to us, you acknowledge that you have read this Policy.

2. Information We Collect

We collect information from four sources: (i) information you provide directly; (ii) information generated through your use of the Platform; (iii) information we receive from third-party services that help us operate the Platform; and (iv) information we collect from third parties who interact with us at your direction (e.g., financing issuers).

2.1 Information You Provide

2.1.1 Account and Identity Information

• Full name
• Email address
• Password (stored only in hashed form by our authentication provider)
• Phone number (optional)
• Professional title and role
• Company or brokerage name and address
• Professional credentials, license numbers, and areas of specialization (Service Providers)
• Profile photo (optional)

Authentication credentials, including multi-factor authentication seeds, are held by our authentication sub-processor (Clerk) and are not visible to Evenhand staff.

2.1.2 Brokerage Information (Broker Users and Brokerage Administrators)

• Brokerage firm legal name, doing-business-as name, address, and contact information
• Business license, registration numbers, or other regulatory identifiers
• Names and email addresses of team members invited to the Platform
• Brokerage billing contact, billing address, and tax identification (if required by your jurisdiction)
• Brokerage-level configuration data (commission structure templates, NDA templates, document-prep templates, integration credentials)

2.1.3 Deal Data

"Deal Data" is the information you submit, generate, or transmit through the Platform in connection with a specific transaction. Depending on your role, this may include:

• Seller Preferences: preferred deal terms across categories including purchase price, deal structure, payment mix, working capital, timelines, employee retention, non-compete terms, and other transaction parameters, including designation of which terms are hard requirements;
• Buyer Offers (Letters of Intent): proposed deal terms, including all the categories above, plus revision history;
• Buyer Background Information: prior acquisition experience, industry background, funding sources, and references provided as part of an offer package;
• Buyer Financing Prequalifications: uploaded prequalification documents, issuer contact information, amount ranges, expiration dates, and any verification artifacts (issuer confirmation responses; PDF metadata extracted for forgery signals; see Section 2.4);
• Buyer Offer Attestations: the version of the attestation text accepted, timestamp, IP address, user agent, and a cryptographic hash of the attestation body (see Section 2.2.5);
• Financial Data: profit and loss statements, balance sheets, tax returns, bank statements, accounts receivable and payable aging reports, customer revenue breakdowns, vendor spend data, and other financial documents uploaded for quality of earnings analysis and due diligence;
• Accounting Connection Snapshots: when a Seller authorizes a direct connection to a QuickBooks Online, Xero, or NetSuite account, snapshots of the resulting financial data (P&L, balance sheet, cash flow, A/R aging, customer revenue, vendor spend) along with a cryptographic hash of the provider payload for tamper-evidence;
• Due Diligence Materials: data requests, document submissions, checklists, and progress updates across the financial and seven non-financial QoE categories (commercial, operational, legal, human resources, IP/IT, real estate, regulatory);
• QoE Analyses: outputs generated by the Platform based on uploaded financial data, including trend analyses, normalization adjustments, ratio calculations, anomaly detection results, proof-of-cash reconciliation, customer concentration analysis, accounts receivable and payable aging analysis, and findings;
• Documents: any files you upload through the Platform or through authorized third-party document-storage adapters (Firmex, iDeals, Google Drive, Dropbox Business);
• Structured Comments and Questions: content of structured comments and broker-mediated buyer questions exchanged through the Platform;
• Closing Workflow Data: purchase agreement drafts and rounds, closing condition status, escrow and holdback arrangements, holdback releases, closing timeline events, transition plans, and earnout/seller-note structures;
• Seller Confidentiality Register Entries: seller-maintained records of confidential disclosures (visible only to the seller; broker sees aggregate counts only); and
• Communications related to Deals: messages routed through Platform features.

2.1.4 Subscription, Billing, and Payment Information

If you subscribe to a paid plan (a Brokerage Subscription or a Buyer Self-Serve QoE Subscription), our payment processor (Stripe, Inc.) collects your payment card or bank account information directly. Evenhand does not receive or store your full payment card number, CVV, or bank account number. We receive from Stripe only what is needed to manage your subscription: card brand, last four digits, expiration date, billing address, transaction history, refund history, and subscription state.

2.1.5 Communications With Us

• Emails or messages sent to our support, billing, legal, or security addresses
• Feedback, feature requests, and survey responses
• Contact-form submissions (rate-limited and verified via Cloudflare Turnstile)

2.1.6 Click-Through Agreement Acceptance

• Records of your acceptance of these Terms, this Policy, click-through Non-Disclosure Agreements (Buyer NDAs and Service Provider NDAs), buyer offer attestations, and any Acceptable Use Policy or Data Processing Addendum.

2.2 Information We Collect Automatically

2.2.1 Device and Browser Information

• Browser type and version
• Operating system
• Device type (desktop, tablet, mobile)
• Screen resolution
• Language preference
• Time zone

2.2.2 Usage Information

• Pages and features accessed
• Actions taken within the Platform (creating a deal, submitting an offer, viewing a comparison matrix, requesting a QoE snapshot, etc.)
• Time spent on pages and features
• Referring URL
• Date and time of access

2.2.3 Log and Network Data

• IP address (used for security monitoring, abuse prevention, geographic approximation, and the multi-role collision detector described in Section 2.2.6; not used for advertising)
• Server logs recording requests, responses, and error information
• Authentication events (login, logout, failed login attempts, multi-factor authentication challenges)
• API request logs for the public REST API, MCP server, and webhook outbox

2.2.4 Audit Trail Data

The Platform maintains an append-only, cryptographically hash-chained audit log of significant actions. The audit log records who accessed what data, when submissions were made or modified, when deal states changed, when documents were uploaded, when API calls and MCP tool calls were issued, and when integrations were authorized or revoked. Audit-log entries are generated automatically and cannot be modified or deleted by any User, including Brokerage Managers and Brokerage Administrators. Audit data is itself processed for security analysis.

2.2.5 Forensic and Integrity Metadata

To support the integrity of the multi-party transaction process, we collect:

• Offer Attestation Metadata: when a Buyer submits or revises an offer, we capture the IP address from which the submission originated, the user agent string, the timestamp, the version of the attestation text accepted, and a SHA-256 hash of the attestation body at the moment of acceptance.
• Prequalification Forgery Signals: for uploaded financing prequalification documents, we extract PDF metadata (author, producer, creator, creation/modification dates, page count, encryption flag, SHA-256 of the document) and compute advisory signals (e.g., consumer-editor producer; modification after issuance; issuer email on a free or disposable domain). We do not block on these signals; they surface to Brokers for human judgment.
• Issuer Confirmation Submissions: when an issuer confirms a prequalification via emailed link, we capture the issuer's submission IP and user agent (displayed redacted in product) and a server timestamp.
• Multi-Role IP Collision Indicators: we record the IP addresses associated with sign-in events in a separate table (user_login_ips) to detect when one IP is simultaneously associated with both a Broker User and a Buyer or Seller account. This is used to flag possible self-dealing or undisclosed conflicts of interest.

2.2.6 Cookies and Strictly Necessary Storage

See Section 7. We operate cookieless for analytics. Authentication, security, and bot-protection cookies are strictly necessary for the Platform to function.

2.3 Information We Receive From Third-Party Service Providers

We receive limited information from third-party services that help us operate the Platform — described in Section 5. None of these providers sells personal information back to us.

2.4 Information We Receive From Third Parties Acting at Your Direction

Several Platform workflows involve information collected from people or services that are not Users themselves. Where the information identifies a natural person, we treat it as personal information governed by this Policy. Examples:

• Financing Issuers: when a Buyer submits a financing prequalification and the inviting Broker triggers an issuer email confirmation, we send a tokenized link to the issuer's email address (a person at the issuing bank or lender). The issuer's confirmation submission, IP, user agent, and any text they provide are captured.
• References Named in Buyer Background Information: if a Buyer lists references (names, titles, contact information) in their background package, that information is stored as part of the offer record.
• Service Provider Invitees: when a Buyer, Seller, or Broker invites a Service Provider by email, the invitee's email address and name are recorded prior to account creation.
• OAuth-Authorized Third-Party Data: when you authorize the Platform to connect to a QuickBooks Online, Xero, NetSuite, Google Calendar, Microsoft Graph, Google Drive, or Dropbox Business account, we receive the data those services return under the scopes you grant. The data subjects of records in those systems (your customers, vendors, employees, calendar invitees) may have rights under applicable law that the Brokerage or User who initiated the connection is responsible for honoring.

We rely on the User who triggers each of these data flows to have the legal authority to do so (e.g., a legitimate interest in confirming financing with the named issuer; the right to share calendar or accounting data on behalf of an organization). The User's representations on this point are part of the contractual basis on which Evenhand operates.

2.5 Information We Do Not Collect

We do not knowingly collect:

• Government-issued identification numbers (Social Security Numbers, driver's license numbers, passport numbers), except where contained in user-uploaded documents (e.g., tax returns) which Evenhand processes only as opaque file contents
• Biometric information
• Precise geolocation (we approximate to city/region from IP)
• Health, genetic, sexual-orientation, religious, or ethnic-origin data
• Information about minors (see Section 12)
• Voice recordings or call recordings

If user-uploaded documents contain information in any of these categories (for example, an employee handbook PDF containing health-benefit details, or a tax return containing SSNs), we process the documents as opaque content and do not extract such fields for our own purposes. We strongly recommend Users redact non-essential personal information from uploads before submission.

3. How We Use Your Information

3.1 Platform Operations

• Creating and managing your account and authenticating your identity
• Providing the Platform's core features, including seller preference capture, buyer offer submission, comparison matrix generation, competitive position calculation, quality of earnings analysis across eight categories, due diligence tracking, document management, closing workflow management, and post-close earnout/seller-note tracking
• Enforcing role-based access controls so each User sees only the information they are authorized to access
• Processing deal state transitions and managing the deal lifecycle
• Generating time-stamped, hash-chained records of submissions
• Sending transactional emails (deal invitations, status notifications, password resets, security alerts, daily digest emails)
• Operating the public REST API, the Model Context Protocol (MCP) server, and outbound webhooks at your direction

3.2 AI-Assisted Document Processing

We use a third-party large-language-model provider (Anthropic, Inc., the "AI Sub-Processor") to assist with two specific tasks:

• PDF Extraction. When you upload a financial document in PDF format (e.g., bank statements, P&Ls, tax returns), the document is transmitted to the AI Sub-Processor's API for structured extraction of tabular data.
• Column Mapping. When you upload structured data in CSV or XLSX format with non-standard column headers, the AI Sub-Processor suggests mappings between your columns and the Platform's canonical fields, with per-column confidence scores.

The following commitments apply:

• Purpose limitation. The AI Sub-Processor processes your data solely to return the requested extraction or mapping, under a written commercial agreement with Evenhand.
• No training on your data. Under our agreement with the AI Sub-Processor and the AI Sub-Processor's published policy for API customers as of the Effective Date, your inputs and outputs are not used to train the AI Sub-Processor's base models.
• No human review by Evenhand of LLM I/O for product-development purposes. Evenhand engineers do not read the contents of uploaded documents during normal operations. Access is limited to (i) automated processing, (ii) error investigation under documented runbooks, and (iii) lawful access requests handled per Section 11.
• AI output is informational. Outputs generated by AI processing — including extracted tabular data, suggested column mappings, and confidence scores — are informational and may contain errors. They are not professional advice. See Terms of Service Section 8.

We will update this section if the AI Sub-Processor changes or if additional AI-driven features are introduced. We will not introduce AI features that train on customer Deal Data without separately notifying you.

3.3 Billing and Payments

• Processing subscription payments through Stripe
• Managing invoices, receipts, and billing history
• Communicating about billing issues, payment failures, or subscription changes
• Calculating and applying entitlements (single-deal Buyer QoE entitlements, annual buyer entitlements fanned out across the buyer's existing deals)

3.4 Security, Integrity, and Trust

• Monitoring for unauthorized access, fraud, abuse, and security threats
• Maintaining and analyzing audit logs and authentication-event logs
• Enforcing the Terms, this Policy, the Acceptable Use Policy, and click-through NDAs
• Detecting and flagging potential conflicts of interest among Service Providers (e.g., a Service Provider invited by opposing parties on the same Deal)
• Detecting and flagging potential self-dealing (e.g., one IP address signing in as both a Broker and a Buyer on the same Deal)
• Computing advisory signals from uploaded financing prequalification documents (issuer email domain reputation; PDF metadata anomalies) to surface to Brokers
• Capturing IP address and user agent on offer attestation to support fraud-claim investigation
• Investigating and responding to security incidents

3.5 Product Improvement

• Analyzing aggregated usage patterns to improve Platform features, performance, and reliability
• Identifying and fixing bugs, errors, and performance issues
• Developing new features and functionality
• Conducting internal research and analysis on Platform usage

3.6 Aggregated and De-Identified Data

We create "Aggregated Data" by de-identifying, anonymizing, and aggregating Deal Data and usage data such that it cannot reasonably be used — alone or in combination with other available information — to identify any specific User, Deal, business, or party to a transaction. We use Aggregated Data for:

• Developing and publishing anonymized benchmark reports and market analyses for small business M&A (deal terms, deal structures, pricing trends, transaction patterns)
• Statistical analyses of deal outcomes, QoE finding patterns, and due diligence patterns
• Improving the Platform's scoring algorithms, analytical models, and tools
• Developing new products, services, and data offerings
• Conducting and publishing research
• Training, validating, and improving Evenhand-owned machine-learning models and analytical tools that operate within the Platform (this does not authorize training of any third-party AI provider's base models)

Aggregated Data is not personal information under applicable privacy laws because it cannot be used to identify any individual. The creation and use of Aggregated Data is governed by the perpetual license granted in Section 6.2 of our Terms of Service. We commit to the de-identification standards and aggregation thresholds set out in Section 6.3 of our Terms.

3.7 Automated Decision-Making and Profiling — Honest Disclosure

The Platform generates automated signals and analytics derived from User-submitted data, including:

• Color-coded fit scoring of buyer offers against seller preferences (the comparison matrix)
• Composite fit scores and rankings
• Buyer competitive position signals (e.g., "competitive," "below median," "leading")
• Verified-financing badges on buyer offers
• QoE category outputs (trend analysis, normalization adjustments, ratios, anomaly flags, proof-of-cash variance)
• Customer concentration analysis and aging analyses
• Prequalification forgery-signal flags
• Multi-role IP collision flags
• Service-provider conflict-of-interest flags

These are decision-support tools intended for use by human decision-makers (Brokers, Buyers, Sellers, Service Providers). The Platform does not transact, settle, accept, or reject offers automatically; it does not deny credit, employment, housing, or insurance; and it does not by itself produce legal effects on any data subject. Final decisions on every Deal are made by the human parties and their advisors.

To the extent any of these signals or scores would constitute automated decision-making subject to state privacy laws including the CPRA, the Colorado Privacy Act, and similar state regimes, you have the right to (i) request meaningful information about the logic involved, (ii) express your point of view, and (iii) contest the decision. Contact us at the address in Section 13.

3.8 Legal Compliance

• Complying with applicable laws, regulations, legal processes, and governmental requests
• Establishing, exercising, or defending legal claims
• Responding to law enforcement requests and legal proceedings (see Section 11)
• Preserving evidence subject to litigation hold

3.9 Communications

• Responding to your inquiries and support requests
• Sending service-related announcements (changes to our Terms, this Policy, or Platform features)
• Sending product updates and feature announcements (you may opt out of non-transactional product emails at any time; transactional and security emails are essential to the service)
• Sending billing and subscription notifications

We do not send marketing emails to Deal Participants who access the Platform solely on a Broker's invitation, unless they have specifically opted in.

4. Geographic Scope and U.S.-Only Service

4.1 United States Only

The Platform is offered exclusively to Users located in the United States. Evenhand does not market, target, advertise to, or offer the Platform to individuals or businesses outside the United States. The Platform is not localized for non-U.S. languages or currencies, and it does not provide services tailored to non-U.S. legal, regulatory, or commercial frameworks.

By creating an account, accessing the Platform, or providing personal information to us, you represent and warrant that you are accessing the Platform from within the United States and that the activities you conduct on the Platform are performed in the United States.

4.2 Access from Outside the United States

We do not intend to bring our processing within the scope of the General Data Protection Regulation, the UK GDPR, the Swiss Federal Act on Data Protection, the Personal Information Protection Law of the People's Republic of China, or other non-U.S. data-protection regimes. Our marketing and services are not directed to data subjects in those jurisdictions.

If you nevertheless access the Platform from outside the United States, you do so on your own initiative and at your own risk. You acknowledge and agree that:

• your personal information will be transferred to, stored in, and processed in the United States and other locations where our Sub-Processors operate;
• the United States may not provide the same level of data protection as your home jurisdiction;
• we do not represent or warrant that the Platform complies with the data-protection or other laws of any jurisdiction outside the United States; and
• the rights set out in Sections 10 and 15 of this Policy are afforded based on U.S. federal law and the privacy laws of the U.S. state in which you reside; we do not extend rights specific to non-U.S. regimes (including the GDPR or UK GDPR) to Users outside the United States.

If you are a resident of a jurisdiction outside the United States and wish to object to our processing or request deletion of your personal information, you may contact us at legal@evenhandhq.com. While we are not obligated to honor non-U.S. statutory rights, we will consider such requests in good faith and respond as a matter of policy.

4.3 No Marketing or Targeting

We do not run advertising campaigns directed at non-U.S. audiences. We do not use cookies, pixels, or analytics technology to monitor the behavior of individuals outside the United States. We do not maintain country-specific marketing pages, currency selectors, or language localizations for non-U.S. jurisdictions. The mere accessibility of evenhandhq.com from outside the United States does not constitute targeting under any privacy or consumer-protection regime.

5. Service Providers and Sub-Processors

We share personal information with a limited set of third-party service providers ("Sub-Processors") who assist us in operating the Platform. Each Sub-Processor is contractually required to use your information only for the purposes for which it was shared and to maintain appropriate security and confidentiality measures.

5.1 Current Sub-Processor List

5.2 User-Authorized Integrations (Sub-Processors on Your Authority)

The following integrations process information only when you (or your Brokerage) expressly connect them. These providers operate under your direct relationship with them, with Evenhand acting as the bridge. The information shared depends on the OAuth scopes you grant.

For these integrations:

• The OAuth refresh tokens are stored encrypted at rest using AES-256-GCM with keys held in our infrastructure (not in the database).
• We do not use information returned by these integrations for any purpose other than the Platform functionality you have activated.
• You can revoke any integration at any time from the Platform's settings; revocation deletes the stored tokens.
• The third-party provider's privacy policy and terms govern their own use of your data.

5.3 Outbound Webhook Recipients (Configured by You)

If your Brokerage configures outbound webhooks, event payloads will be transmitted to endpoints you specify. The configured endpoint is acting under your direction, not as our Sub-Processor. You are responsible for ensuring that any recipient endpoint is operated lawfully and securely, and for complying with any privacy obligations downstream.

5.4 Sub-Processor Changes

We may add, remove, or change Sub-Processors from time to time. We will update Section 5.1 of this Policy to reflect material changes. For Brokerages with an executed Data Processing Addendum (DPA), we will provide advance notice of new Sub-Processors as specified in that DPA, and the DPA will govern your right to object to such changes.

5.5 No Sale of Personal Information

We do not sell personal information to any third party. We do not share personal information with third parties for their own marketing or advertising purposes. We do not engage in "cross-context behavioral advertising" as defined in the CPRA. We have not sold or shared personal information in the preceding twelve (12) months.

6. Information Shared With Other Users

The Platform is designed to facilitate multi-party business transactions. Certain information you provide is, by design, visible to other Users who are party to the same Deal, subject to the Platform's role-based access controls. This sharing is the core function of the service.

6.1 Seller Information Shared With Buyers and Brokers

Seller preferences submitted through the Platform are visible to Buyers invited to the Deal and to the Broker User managing the Deal. Preferences are used to generate the comparison matrix and the buyer competitive-position signals. Seller-authored notes are split into two fields: internal notes (visible only to the seller team and broker) and buyer-facing notes (visible to the buyer team during diligence).

6.2 Buyer Information Shared With Sellers and Brokers

A submitted offer is visible to the Seller and the Broker User in full. Anonymized and aggregated signals derived from all submitted offers are shown to other Buyers as competitive position indicators, without revealing any individual Buyer's specific terms, identity, or count of competitors. Verified-financing badges are also surfaced.

Buyer offer attestations — including the attestation text version, timestamp, and (in redacted form) the submission IP and user agent — are visible to the Seller and Broker for the integrity claim.

6.3 Broker Visibility

Broker Users associated with a Deal through their Brokerage Account see all Deal Data for Deals to which they are assigned (or which they created). Brokerage Administrators and Brokerage Managers retain organization-wide visibility on administrative records (Deal lists, participant lists, broker assignments, billing) but do not see Deal contents (preferences, offers, QoE outputs) unless they self-assign or are assigned to the specific Deal.

6.4 Service Provider Visibility

Service Providers see only the Deal Data that the party who invited them has authorized them to access, through granular permission settings.

6.5 Post-Close Observer Visibility

A "Post-Close Observer" is a Deal Participant whose access has been narrowed to earnout and seller-note tracker records only after a Deal closes. Post-Close Observers do not see preferences, offers, QoE content, comments, documents, or NDAs.

6.6 Seller Confidentiality Register

A Seller may maintain a private register of confidential disclosures made outside the Platform. Individual register entries are visible only to the Seller. Assigned Brokers and Brokerage Managers see only aggregate count rollups.

6.7 Consent to Multi-Party Sharing

By using the Platform, you consent to the sharing described in this Section 6 and to the role-based access controls implemented at the database layer via Row-Level Security.

7. Cookies and Tracking Technologies

7.1 Cookies We Set

We use only strictly necessary cookies and similar local-storage mechanisms required for the Platform to function.

Authentication (set by Clerk). Session cookies maintain your authenticated session, enforce multi-factor authentication, and manage session timeouts. Current configuration: seven-day session with hourly token refresh. These cookies cannot be disabled without preventing use of the Platform.

Security (set by Vercel and Cloudflare). Cookies for bot detection, DDoS protection, edge routing, and load balancing.

Bot Detection (set by Cloudflare Turnstile). Used on contact forms and account-creation flows to prevent automated abuse. Turnstile is designed to use minimal device signals and is intended as a privacy-friendlier alternative to traditional CAPTCHAs.

A full per-cookie inventory (cookie name, domain, purpose, lifetime) is available on request at legal@evenhandhq.com.

7.2 What We Do Not Use

We do not use:

• analytics cookies (PostHog operates in cookieless mode with persistence: 'memory' and autocapture: false)
• advertising or targeting cookies
• third-party tracking pixels or web beacons
• cross-site tracking technologies
• social media plugins that set cookies
• device fingerprinting for advertising or user tracking (Turnstile may use minimal challenge-response signals for bot detection; this is not used for any tracking purpose)

7.3 Cookie Consent

Because we use only strictly necessary cookies and operate in cookieless analytics mode, we do not display a cookie consent banner. Strictly necessary cookies — those required to deliver the service you have explicitly requested — do not require opt-in consent under any applicable U.S. state privacy law. If we introduce non-essential cookies (analytics with persistent identifiers, advertising, or similar), we will update this Policy and implement an appropriate consent or opt-out mechanism before deployment.

7.4 Do Not Track and Global Privacy Control

Some browsers transmit "Do Not Track" (DNT) signals. There is no universally accepted standard for responding to DNT, and we do not currently respond to DNT in a special way. We do recognize the Global Privacy Control ("GPC") signal where required by applicable law (e.g., California). Because we do not sell or share personal information for cross-context behavioral advertising, the GPC signal does not change our processing — but we will continue to honor opt-out rights as a matter of policy regardless of how they are communicated.

7.5 Tracking Pixels in Email

Transactional emails sent via Resend may include link-tracking redirects for delivery diagnostics. They do not contain marketing or behavioral-advertising trackers. If you wish to receive plain-text or untracked emails, contact us at support@evenhandhq.com.

8. Data Retention

We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, or as required by applicable law.

When retention periods expire, we delete or irreversibly anonymize the data. Anonymized data may be retained indefinitely as it is no longer personal information.

Litigation hold: if data is subject to a litigation hold notice we have received, we will preserve such data beyond the retention periods above for the duration of the hold.

9. Data Security

We implement technical and organizational measures designed to protect personal information against unauthorized access, alteration, disclosure, or destruction.

9.1 Technical Measures

• Encryption in transit using TLS 1.2 or higher for all connections
• Encryption at rest in our database and backup systems
• Row-level security (RLS) enforced at the database layer with two authorization paths: organization-based access for Brokers and user-based access linked through deal_participants for Buyers, Sellers, and Service Providers
• Cross-tenant probe suite enforced as a CI gate on every code change
• Encrypted storage of OAuth refresh tokens using AES-256-GCM with key material held outside the database
• Multi-factor authentication available and required for accounts with elevated privileges
• Session management with configurable timeouts and automatic refresh
• Append-only, cryptographically hash-chained audit logs
• Tamper-evident accounting snapshots with SHA-256 integrity hashes of provider payloads
• Append-only QoE financial uploads with explicit supersedes chain

9.2 Organizational Measures

• Principle of least privilege for internal access
• All credentials managed through an enterprise password manager with vault separation
• Hardware security keys (YubiKey) required for critical infrastructure accounts
• Signed commits required for code changes
• Automated CI/CD pipeline including type checking, linting, testing, and cross-tenant access probes
• Error tracking and security alerting through Sentry with immediate notification on security-tagged events
• Documented runbooks for incident response, token rotation, and revocation flows

9.3 Security Certifications and Transparency

Evenhand has not completed a SOC 2 audit, ISO 27001 certification, or independent third-party penetration test. We pursue independent security audits and attestations as our security program matures and will update this Policy when our certification status changes.

This Policy does not represent or warrant that the Platform is SOC 2, ISO 27001, HIPAA, PCI-DSS, or HITRUST certified. The Platform is not designed to process protected health information ("PHI") under HIPAA, full credit card data, or other regulated data classes for which formal certification is required.

9.4 Breach Notification

If we become aware of a personal data breach affecting personal information we control (as defined under applicable U.S. federal or state breach-notification law, including but not limited to RCW 19.255 (Washington), Cal. Civ. Code §§ 1798.29 and 1798.82, and analogous statutes in other U.S. states), we will:

• For Brokerages with an executed DPA: notify the Brokerage's designated contact without undue delay and in any event within seventy-two (72) hours of becoming aware, providing reasonably available information about the nature of the breach, the categories and approximate volume of affected data, the likely consequences, and the measures taken or proposed.
• For all other Users: notify affected Users without undue delay through the Platform, the affected email addresses, or a public notice, in each case in the manner and within the timeframes required by applicable U.S. state breach-notification statutes.
• Cooperate with reasonable Brokerage requests in connection with the Brokerage's own notification obligations under applicable state law.

9.5 Vulnerability Disclosure

To report a security vulnerability, contact security@evenhandhq.com. We commit to good-faith engagement with researchers who follow responsible disclosure practices, including not pursuing legal action against researchers who report vulnerabilities under the procedures published at https://evenhandhq.com/security.

9.6 Limitations

No method of electronic transmission or storage is completely secure. While we use commercially reasonable measures to protect your personal information, we cannot guarantee absolute security. You are responsible for maintaining the security of your account credentials, MFA factors, and any API or MCP access tokens you generate.

10. Your Privacy Rights

Depending on where you are located, you may have certain rights regarding your personal information.

10.1 Rights Available to All Users

Regardless of location, all Users may:

• Access their personal information held by Evenhand
• Correct inaccurate personal information by updating account settings or contacting us
• Delete their account by contacting us
• Export Deal Data during the export periods provided under the Terms (including the 30-day post-closure export window for active participants and the 7-day post-revocation tokenized export link for non-selected Buyers)
• Opt out of non-essential communications by following unsubscribe instructions in any such communication

10.2 Additional Rights Under CCPA / CPRA (California)

If you are a California resident, you have the following rights:

• Right to Know. Categories and specific pieces of personal information collected, sources, business purposes, categories of third parties with whom we share it, and (if any) categories of personal information sold or disclosed for a business purpose.
• Right to Delete. Subject to exceptions.
• Right to Correct. Inaccurate personal information.
• Right to Limit Use and Disclosure of Sensitive Personal Information. See Section 10.6.
• Right to Opt Out of Sale or Sharing. We do not sell or share for cross-context behavioral advertising; no opt-out is necessary.
• Right to Non-Discrimination. We will not discriminate against you for exercising your rights.

10.3 Other U.S. State Privacy Laws

If you are a resident of a state with a comprehensive consumer privacy law, you generally have rights similar to those above, including access, correction, deletion, portable copy, opt-out of targeted advertising (which we do not engage in), profiling for legally significant decisions (which we do not engage in autonomously; see Section 3.7), and sale of personal information (which we do not engage in). States with such laws in effect or imminent at the Effective Date include (without limitation):

• Virginia (VCDPA)
• Colorado (CPA)
• Connecticut (CTDPA)
• Utah (UCPA)
• Oregon (OCPA)
• Texas (TDPSA)
• Delaware (DPDPA)
• New Hampshire (NHPA)
• Montana (MTCDPA)
• Iowa (ICDPA)
• Indiana (INCDPA)
• Tennessee (TIPA)
• Florida (FDBR)
• Maryland (MODPA)
• Minnesota (MCDPA)
• New Jersey (NJDPL)

For a state-specific request, contact us at the address in Section 13. If we deny your request, you may appeal by responding to our denial in writing with the basis for your appeal, and we will respond within the timeframes required by the applicable law.

10.4 Exercising Your Rights

To exercise any right under this Section 10, contact us at legal@evenhandhq.com or through the in-product privacy request form (when available). We will verify your identity before processing your request. For requests submitted on behalf of another person, we may require written authorization.

We will respond to verified requests within the timeframes required by applicable law:

• CCPA / CPRA: forty-five (45) days, extendable by forty-five (45) additional days with notice
• Other state laws: as required by the specific statute (generally 45–60 days)

We do not charge for the first request in a 12-month period. For repeated or manifestly unfounded or excessive requests, we may charge a reasonable fee or refuse to act.

10.5 Limitations on Deletion

Certain personal information cannot be deleted in response to a deletion request:

• Aggregated Data from which your individual information cannot be extracted
• Deal Data we are required to retain by law, regulation, or contractual obligation (including the seven-year retention for closed Deal Data)
• Audit logs, which are immutable records maintained for security and compliance
• Information necessary to complete an active Deal in which you are a participant (we will delete it after the Deal closes and the retention period expires)
• Information necessary to detect or respond to security incidents, fraud, or illegal activity
• Information necessary to establish, exercise, or defend legal claims, including data subject to litigation hold

We will inform you if we cannot fully comply with a deletion request and explain the basis.

10.6 Sensitive Personal Information (CPRA)

Under the CPRA, "Sensitive Personal Information" ("SPI") includes — among other categories — account log-in credentials, financial account information, and the contents of mail, email, and text messages where the business is not the intended recipient. The following SPI categories are or may be processed in connection with the Platform:

• Account login credentials and MFA factors (hashed and held by our authentication Sub-Processor; not accessed by Evenhand staff)
• Financial account information contained in uploaded documents (bank statements, tax returns) and OAuth-authorized accounting connections (held in encrypted form; processed only to deliver the QoE features the User requested)

We use SPI only as reasonably necessary to provide the services you requested, comply with the law, ensure security and integrity, and similar purposes permitted under California Civil Code § 1798.121. We do not use SPI for advertising, profiling, or other purposes that would require limitation under that section. You may request that we limit our use of SPI to those permitted purposes by contacting us at the address in Section 13. We will not retain SPI longer than necessary for the disclosed purposes.

11. Data Location and Transfers Among Sub-Processors

Evenhand is based in the United States, and our primary application and data infrastructure is located in the United States (Vercel global edge network with U.S. compute; Neon hosted on AWS US-West-2 in Oregon). As described in Section 4, the Platform is offered only to Users located in the United States.

Some of our Sub-Processors maintain global infrastructure. Where personal information is routed through non-U.S. infrastructure (for example, an edge node located outside the United States serving a static asset, or a Sub-Processor's support team operating from a global location), we rely on:

• Sub-Processor contractual commitments to maintain data-protection, security, and incident-notification standards consistent with the practices described in this Policy;
• Encryption in transit and at rest using TLS 1.2 or higher and AES-256-GCM as applicable;
• Sub-Processor selection weighted toward providers that maintain U.S.-based primary processing and that are bound by U.S. legal process.

We do not transfer personal information to non-U.S. infrastructure as a matter of routine processing. To the extent any such routing occurs in connection with global Sub-Processor architecture, your information is protected by the contractual and technical safeguards above. Sub-Processors listed in Section 5 each maintain their own privacy programs; refer to their privacy policies for details on their data-location practices.

12. Children's Privacy

The Platform is designed for use by business professionals in commercial M&A transactions. It is not intended for use by individuals under the age of eighteen (18). We do not knowingly collect personal information from anyone under 18. We do not knowingly collect personal information from children under 13, and the Platform is not directed to children under 13 within the meaning of the U.S. Children's Online Privacy Protection Act (COPPA).

If we become aware that we have collected personal information from someone under 18, we will promptly delete it. If you believe we have, contact legal@evenhandhq.com.

13. Contact Information

If you have questions about this Policy or our data practices, contact us at:

Evenhand LLC [Physical address — to be inserted] Washington, United States

• General privacy inquiries: legal@evenhandhq.com
• Data subject requests: legal@evenhandhq.com
• Security concerns: security@evenhandhq.com
• General support: support@evenhandhq.com

We have not appointed a dedicated Data Protection Officer; the scale and nature of our processing do not require one under any applicable U.S. privacy law. Privacy matters are handled by our legal contact at the address above.

14. Changes to This Privacy Policy

We may update this Policy from time to time. When we make changes, we will:

• Update the "Last Updated" date at the top
• Post the revised Policy on the Platform
• For Brokerages with active subscriptions, provide at least thirty (30) days' prior written notice of material changes via email to the address associated with the Brokerage Account
• Where required by applicable law, obtain your consent before applying material changes to the processing of your personal information

"Material change" means a change that meaningfully reduces your rights, expands the categories of personal information we collect, expands the purposes for which we use personal information, expands the categories of recipients with whom we share personal information, or extends our retention periods. Editorial, clarifying, or expanding-protections changes are not material.

Your continued use of the Platform after the effective date of a revised Policy constitutes acceptance of the revised Policy. If you do not agree, you must stop using the Platform and may request deletion of your account per Section 10.

A history of changes to this Policy is maintained at https://evenhandhq.com/privacy/history.

15. Additional State-Specific Disclosures

15.1 California (CCPA / CPRA) — Categories Disclosure

In the preceding twelve (12) months, we have collected the following categories of personal information as defined by the CCPA:

We have not sold or shared personal information for cross-context behavioral advertising in the preceding 12 months. We use sensitive personal information only for purposes permitted by Cal. Civ. Code § 1798.121.

Notice at Collection — this Section 15.1 (read together with Sections 2 and 3 of this Policy) constitutes our Notice at Collection under Cal. Civ. Code § 1798.100(b). Personal information is retained per Section 8.

15.2 California Auto-Renewal

Paid subscriptions (Brokerage Subscriptions; Buyer Self-Serve QoE Subscriptions) renew automatically unless canceled. Cancellation instructions appear in your account billing settings and in renewal-notice emails. California Business and Professions Code §17600 et seq. compliance details — including how to cancel and how to opt out of automatic renewal — are set out in the Terms.

15.3 Other States

If you are a resident of any of the other states named in Section 10.4 above, the rights and procedures in that Section apply.

15.4 Washington State

Evenhand is a Washington LLC. Washington's "My Health My Data Act" (MHMDA) applies to "consumer health data." The Platform is not designed to collect consumer health data within the meaning of the MHMDA. If your use of the Platform incidentally results in collection of consumer health data through uploaded documents (e.g., an employee benefits census including health information), you (as the uploader) are responsible for any compliance obligations arising from that use, and we will treat such data with the same protections as other sensitive content.

16. How to Contact Us

For privacy questions, requests, or complaints, contact:

Evenhand LLC Attn: Legal — Privacy [Physical address — to be inserted] Washington, United States legal@evenhandhq.com

For security vulnerability reports: security@evenhandhq.com For general support: support@evenhandhq.com

This Privacy Policy is designed for a U.S.-only service and to comply with major U.S. federal and state privacy regimes as of the Effective Date.