This Privacy Policy (“Policy”) describes how Greenbax, Inc. d/b/a ZipHQ (“Zip”, “we,” “us” or

“our”) collects, uses, and discloses personal data, and the choices you have related to this.

Zip provides a pioneering platform that offers one place for employees to initiate a purchase or

vendor request. This Privacy Policy does not apply to information that we process on behalf of

our enterprise customers while providing the Zip platform to them. Our use of such information

is governed by our Master Subscription Agreement (“MSA”) with those enterprise customers,

including any data imported into the Solution by a customer. If you have concerns regarding

personal information that we process on behalf of an enterprise customer, for example if you

are an employee of such an enterprise customer, please direct your concerns to that enterprise

customer.

Our websites, products, and services are primarily designed for enterprise organizations and

their representatives. We do not offer products or services for use by individuals for their

personal, family, or household purposes. Accordingly, we treat all personal information we

collect as pertaining to individuals in their capacities as enterprise organization representatives

and not their individual capacities.

Zip may provide additional or supplemental privacy policies for specific products or services

that we offer at the time we collect personal information or as otherwise notified to you.

Please review this Policy carefully to understand our practices regarding your personal data. If

you do not agree with the practices described in this Policy, please do not access or use our

Websites or Solution (defined below).

This Policy is applicable to data collected through ziphq.com, and any other websites managed

by Zip (collectively, the “Websites”), through our software products (the “Solution”) and

through any other interactions you might have with us, such as through email newsletters,

online and in person events, and other interactive features and communications.

This Policy does not apply to any third party websites, applications or businesses to which we

link or who may link to us. You should review the privacy policies of those third parties to

understand how they may collect and use your personal data.

How We Collect

We may collect your personal data when you:

• Visit our Websites, through automated cookies

• Use our Websites or Solution

• Interact with us by communicating through the Solution, Websites, by email, by social

media, or by telephone

• Participate in our online communities, blogs or other forums

• Register for or attend an online or in person event sponsored by us

What We Collect

The types of information we collect from you may differ depending on how you interact with

us.

• Contact data - such as your first and last name, email address, billing and mailing

addresses, professional title and company name, and phone number.

• Demographic Information - such as your city, state, country of residence, and postal

code.

• Profile data - such as the username and password that you may set to establish an

online account with us and any other information that you add to your account profile.

• Communications data - that we exchange with you, including when you contact us with

questions or feedback, through the Solution, social media, or otherwise. When you

the future.

• Transactional data - such as information relating to or needed to complete your orders

on or through the Solution, including order numbers and transaction history.

• Marketing data - such as your preferences for receiving our marketing communications

and details about your engagement with them.

• User-generated content - such as comments, questions, messages, works of authorship,

and other content or information that you generate, transmit or otherwise make

available on the Solution, as well as associated metadata. Metadata includes

information on how, when, where, and by whom a piece of content was collected and

how that content has been formatted or edited.

• Financial information - such as your financial account numbers or payment card

information.

• Payment information needed to complete transactions, including payment card

information or bank account number.

• Other data not specifically listed here, which we will use as described in this Privacy

Policy or as otherwise disclosed at the time of collection.

Third-party sources. We may combine personal information we receive from you with personal

information we obtain from other sources, such as:

• Public and private sources - such as government agencies, public records, social media

platforms, and other publicly or privately available sources.

• Data providers - such as information services and data licensors.

• Our affiliate partners - such as our affiliate network provider and publishers, influencers,

and promoters who participate in our paid affiliate programs.

• Marketing partners - such as joint marketing partners and event co-sponsors.

Automatic data collection. We, our service providers, and our business partners may

automatically log information about you, your computer or mobile device, and your interaction

over time with the Solution, our communications, and other online services, such as:

• Device data - such as your computer’s or mobile device’s operating system type and

version, manufacturer and model, browser type, screen resolution, RAM and disk size,

CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including

identifiers used for advertising purposes), language settings, mobile device carrier,

radio/network information (e.g., Wi-Fi, LTE, 3G), and general location information such

as city, state or geographic area.

• Online activity data - such as pages or screens you viewed, how long you spent on a

page or screen, the website you visited before browsing to the Solution, navigation

paths between pages or screens, information about your activity on a page or screen,

access times and duration of access, and whether you have opened our marketing

emails or clicked links within them.

Cookies and similar technologies. Like many online services, we may use the following

technologies:

• Cookies, which are text files that websites store on a visitor’s device to uniquely identify

the visitor’s browser or to store information or settings in the browser for the purpose

of helping you navigate between pages efficiently, remembering your preferences,

enabling functionality, helping us understand user activity and patterns, and facilitating

analytics and online advertising.

• Local storage technologies, like HTML5 and Flash, that provide cookie equivalent

functionality but can store larger amounts of data, including on your device outside of

your browser in connection with specific applications.

• Web beacons, also known as pixel tags or clear GIFs, which are used to demonstrate

that a webpage or email address was accessed or opened, or that certain content was

viewed or clicked.

Data about others. Users of the Solution may have the opportunity to refer other contacts to us

and share their contact information with us. Please do not refer someone to us or share their

contact information with us unless you have their permission to do so.

HOW WE USE YOUR DATA AND LEGAL BASIS FOR PROCESSING

How we use your personal data depends on how you interact with us. The specific purposes for

which we use the data we collect about you are listed below. In some jurisdictions, including

those subject to the EU General Data Protection Regulation (“GDPR”) or UK General Data

Protection Regulation (“UK GDPR”), we may only process your personal data when we have a

legal basis to do so. Our legal basis for processing your personal data is listed with each purpose

for processing below.

• To provide and support the Solution and Websites. We use your personal data to

provide and support the Solution and Websites. As part of doing so, we may send you

service announcements, technical notices, security alerts, billing and support-related

messages related to your account or transactions with us, through the Solution or by

email. You may not opt out of these messages, as they are considered part of the

Solution.

Legal Basis for Processing: We may have a contractual obligation to you, or to your

company, to provide you with access to and support for the Solution, which requires the

processing of your personal contact data. Otherwise, we have a legitimate interest in

providing you access to and support for our Websites.

• To provide an individualized experience on the Solution and Websites. We use the

information we collect to personalize content and experiences on our Solution and

Websites, to better understand your interests and make personalized recommendations

based on your interests, and tailor your experience with us to your preferences.

Legal Basis for Processing: We have a legitimate interest in processing your personal

data to improve your experience with us.

• To understand and manage our relationship with you. We use your personal data to

understand your use of the Solution and Websites so that we can monitor the health of

our relationship with you, and for our enterprise users, identify usage trends and

suggest new services or features based on your company’s usage of the Solution. We

also report this data back to our enterprise customers, so that you can maximize your

company’s use of our Solution.

Legal Basis for Processing: We have a legitimate interest in making sure that you are

getting the full value out of your use of the Solution and Websites, identifying product

champions, and making suggestions to optimize your usage or subscriptions.

• To communicate with you. We will send you emails or otherwise communicate with you

in response to your questions, feedback or comments. For example, we will respond to

comments on applicable community boards, and answer questions sent to us through

the Websites. We may also contact you with personalized messages via email,

telephone, or on social media if we identify that because of your experience or

background that our Solution might be of particular interest to you. You can also opt

into receiving emails about new product features and services. You can always opt out

of these communications by following the opt out instructions in the message or by

contacting us through the contact information listed below.

Legal Basis for Processing: We have a legitimate interest in corresponding with you

when you have contacted us, or when we have identified you may have a particular

interest in the Solution (when not prohibited by law). Otherwise, when processing your

personal data for marketing communications, we rely on your consent.

• To create anonymous data for use in product development. We may remove personal

identifiers from data containing personal information so that it cannot be traced back to

an individual, and aggregate it by combining it with the data from multiple sources

and/or individuals. We may use this data to understand feature adoption and feature

gaps, make product depreciation decisions, and make product development decisions.

When using collected data for product development, we will always remove all personal

data and Customer Data.

Legal Basis for Processing: We have a legitimate interest in creating anonymized data so

that we can use that data to improve the Solution.

• For security, compliance, fraud prevention and safety. We may use your personal data

as we believe appropriate to investigate or prevent violation of the law, our MSA, to

secure the Solution, to protect our, your or others’ rights, privacy, safety or property;

and to protect, investigate and deter against fraudulent, harmful, unauthorized,

unethical or illegal activity. We may also use the information we collect about your

device to detect users violating our MSA and prevent further violations.

Legal Basis for Processing: We have a legitimate interest in protecting ourselves and our

users against unauthorized use of our Solution and Websites to ensure the security of

the data processed within them. We are also obligated to process certain personal data

to monitor compliance with our MSA and performance of other agreements we may

have with you.

• For compliance with law or to investigate legal claims. We may use your personal data

to comply with applicable laws, lawful requests and legal process, such as to respond to

subpoenas or requests from government authorities. We may also use your personal

data where permitted by law in connection with any legal investigation and to prosecute

or defend legal claims.

Legal Basis for Processing: In certain rare circumstances, we may rely on compliance

with a legal obligation or protection of vital interests in the event of a legal investigation

or request from a law enforcement or governmental entity. As a global company, there

are a wide variety of laws that might compel processing of your data under this legal

basis, but they may include the following types of laws: civil and commercial laws,

criminal laws, consumer laws, and corporate and taxation laws.

• With your consent. In some cases we may ask for your consent to collect, use or share

your personal data in ways we have not described here. When we do that, we will

always record your consent and you may change your mind and opt out by contacting us

via the methods listed in the Contact Us section.

ANONYMIZED, AGGREGATED, OR DE-IDENTIFIED DATA

Anonymization is a data processing technique that modifies personal information so that it

cannot be associated with a specific individual. Except for this section, none of the other

provisions of this Privacy Policy apply to anonymized, aggregated (i.e., information about our

customers that we combine so that it no longer identifies or references an individual customer)

or de-identified data. We may use this anonymized, aggregated, or de-identified data and share

it with third parties for our lawful business purposes, including to analyze and improve the

Solution and promote our business.

HOW WE SHARE YOUR DATA

Except for as mentioned below, we do not share your personal data with any other companies.

We will not sell or rent your personal data as part of a customer list or similar transaction.

We may share your personal data as follows:

• With Affiliates. We may share your personal data with our subsidiaries, joint ventures,

or other companies under common control, in which case we will require those entities

to honor this Privacy Policy. As a global company, we have employees employed by

subsidiary companies across the world. We may share any of the data listed above with

any of these affiliated companies.

• With Business Partners. We may share your personal data with our business partners

with whom we develop product integrations for our users, or partners who help us host

our events. For our event partners, we will only share your contact data, and only if you

have consented to it at the time of registration. If you would like to withdraw your

consent you can contact us as provided in the Contact Us section.

• With Third Party Agents and Service Providers. We have third party agents and service

providers that perform functions on our behalf, such as hosting, billing, push

notifications, storage, bandwidth, content management tools, analytics, customer

service, fraud protection, etc. These entities may have access to your personal data to

the extent needed to perform their services. All such third parties are contractually

obligated to maintain the confidentiality and security of your personal data, and are

restricted from using your personal data other than to provide their services.

• By Linking to Third Party Sites. Our Websites may link to other websites or services

operated by third parties, whose privacy practices may differ from ours and are

governed by their own privacy policies, not this Policy. We do not control or endorse

any of these third party websites or services, and we encourage you to carefully review

the privacy policy of any website you visit.

• With Law Enforcement, Government Entities, and Other Companies and

Organizations. In rare circumstances, we may share your personal data with law

enforcement or governmental entities for compliance with the law or to investigate

legal claims. In the event of confirmed fraudulent activity, we may also exchange

information with other companies and organizations for fraud protection.

• Through Business Transfers. We may sell, transfer or otherwise share some or all of our

business or assets, including your personal data, in connection with a business deal (or

potential business deal) such as a merger, consolidation, acquisition, reorganization,

sale of assets or in the event of bankruptcy.

• Other users and the public. Your profile and other user-generated content (except for

messages) may be visible to other users of the Solution and the public. For example,

other users of the Solution or the public may have access to your information if you

choose to make your profile or other personal information available to them through

the Solution, such as when you provide comments, reviews, survey responses, or share

other content. This information can be seen, collected, and used by others, including

being cached, copied, screen captured, or stored elsewhere by others (e.g., search

engines), and we are not responsible for any such use of information.

OUR PRODUCTS

The Solution may be used to process personal data on behalf of you, our customer. We may not

have any direct relationship with the individuals to whom the data belongs. Individuals who

would like to access, correct or delete personal data processed by us on behalf of our

customers should direct their questions to our customers, who are the data controllers. We use

and disclose this personal data as permitted by our customer agreements and as required by

law.

DATA RETENTION

We will retain your personal data as needed to fulfill the purposes for which it was collected.

We may retain your information as needed to provide you services, comply with our business

requirements and legal obligations, resolve disputes and enforce our rights and agreements.

Following termination or deactivation of your account, we will delete your Customer Data, but

may retain your contact information, user profile, and other personal data in our records. When

the purpose for which your personal data was collected no longer exists and there is not a

business or legal reason to retain your personal data, Zip will securely delete or anonymize your

data. To request deletion of your personal data before the expiry of our retention period,

please see the Contact Us section.

DATA SECURITY

We take security very seriously. We take appropriate measures, including organizational,

technical, and physical precautions to help protect against unauthorized access to, alteration of,

or destruction of your personal data.

While we follow industry standards and best practices to protect your data, no transmission of

data over the Internet or any public network can be guaranteed to be 100% secure.

CHILDREN’S DATA

The Solution and Websites are not directed to anyone under the age of 16. A parent or

guardian who becomes aware that his or her child under the age of 16 has provided us with

personal data may Contact Us and we will delete the child’s data.

YOUR DATA RIGHTS

We respect your control over your personal data and, upon request, we will confirm whether

we hold or are processing data that we have collected from you. You also have the right to

amend or update inaccurate or incomplete personal data, request deletion of your personal

data, or request that we no longer use it. Under certain circumstances we will not be able to

fulfill your request, such as if it interferes with our regulatory obligations, affects legal matters,

we cannot verify your identity, or fulfillment involves disproportionate cost or effort, but in any

event we will respond to your request within a reasonable timeframe and provide you an

explanation.

You can always contact us as provided in the Contact Us section to exercise these rights. You

may also be able to take action yourself through the methods listed below.

• View, correct and delete your account information. If you use the Solution or have an

account through our Websites, you can view, update and delete certain information

directly through your account.

• Opt out of communications. You can opt out of receiving future marketing

communications from us by clicking the unsubscribe link within a marketing email, by

responding to our emails with the subject line “Opt Out,” or by updating your profile

settings. Please note that you generally can’t opt out of service related communications.

• Deactivate your account. If you would like to stop using our Solution, you or your

administrator may be able to deactivate your account. Please be aware that depending

on how you use our Solution and Websites, this may not delete all of your information.

YOUR CHOICES

You also have the following choices with respect to your personal information.

• Cookies. Most browsers let you remove or reject cookies. To do this, follow the

instructions in your browser settings. Many browsers accept cookies by default until you

change your settings. Please note that if you set your browser to disable cookies, the

Service may not work properly. For more information about cookies, including how to

see what cookies have been set on your browser and how to manage and delete them,

visit www.allaboutcookies.org.

• Advertising choices. You may be able to limit use of your information for interest-based

advertising by:

o Browser settings. Blocking third-party cookies in your browser settings.

o Privacy browsers/plug-ins. By using privacy browsers or ad-blocking browser

plug-ins that let you block tracking technologies.

o Platform settings. Google and Facebook offer opt-out features that let you opt-

out of use of your information for interest-based advertising:

§ Google: https://adssettings.google.com/

§ Facebook: https://www.facebook.com/about/ads

o Ad industry tools. Opting out of interest-based ads from companies participating

in the following industry opt-out programs:

§ Network Advertising Initiative:

http://www.networkadvertising.org/managing/opt_out.asp

§ Digital Advertising Alliance: optout.aboutads.info.

§ AppChoices mobile app, available at

https://www.youradchoices.com/appchoices, which will allow you to

opt-out of interest-based ads in mobile apps served by participating

members of the Digital Advertising Alliance.

o Mobile settings. Using your mobile device settings to limit use of the advertising

ID associated with your mobile device for interest-based advertising purposes.

You will need to apply these opt-out settings on each device from which you wish to opt-out.

Do Not Track. Some Internet browsers may be configured to send “Do Not Track” signals to the

online services that you visit. We currently do not respond to “Do Not Track” or similar signals.

To find out more about “Do Not Track,” please visit http://www.allaboutdnt.com.

Declining to provide information. We need to collect personal information to provide certain

services. If you do not provide the information we identify as required or mandatory, we may

not be able to provide those services.

INTERNATIONAL TRANSFERS OF DATA

We are a global company headquartered in the United States, with entities, operations and

service providers situated around the world. Your personal data may be transferred outside of

your local jurisdiction, to countries without an adequacy decision by the European Commission.

We have put appropriate safeguards in place to ensure that your personal data receives an

adequate level of security regardless of the country in which it is processed. This includes

entering into agreements with written assurances from our services providers, including, as

required, standard contractual clauses for the transfer of personal data as approved by the

European Commission and the British Information Commissioner’s Office. Depending on the

particular circumstances of the transfer, we may use the GDPR Standard Contractual Clauses

Controller – Controller, Controller – Processor, or Processor – Processor, and/or the UK

Standard Contractual Clauses Controller – Controller or Controller to Processor. Our standard

contractual clauses can be provided upon request.

EUROPEAN RESIDENTS

If you are located in the European Economic Area, Switzerland, or United Kingdom, you have

additional data privacy rights that include the right to:

• Access, correct update or request deletion of your personal information

• Object to the processing of your personal information, ask us to restrict processing of

your personal information, or request portability of your personal information

• Opt out of marketing communications we send you at any time

• Withdraw your consent for processing, if we are processing your personal data based on

consent. Note that withdrawing consent does not affect the lawfulness of processing

based on consent before its withdrawal; and

• Make a complaint to a data protection authority about or collection and use of your

personal data.

• To exercise these rights, please contact us as provided in the Contact Us section below.

CALIFORNIA RESIDENTS

This Policy contains a list of the categories of personal data we collect and have collected for

the past twelve months.

If you are a California resident, you may have additional rights under the California Consumer

Privacy Act (“CCPA”) and California Privacy Rights Act (“CPRA”) that include the right to:

• Request access, correction and deletion of your personal information;

• Opt out of the sale of your personal information; and

• Not be discriminated against for exercising one of your CCPA/CPRA privacy rights.

Please note that we do not sell the personal data that we collect.

To exercise your rights, please contact us as provided in the Contact Us section. You will not be

discriminated against for exercising your privacy rights under the CCPA and CPRA. In order to

protect your personal data from unauthorized access or deletion, we may require you to

provide additional information for verification. If we can’t verify your identity, we will not

provide or delete your data.

CHANGES TO THIS PRIVACY POLICY

We reserve the right to modify this Privacy Policy at any time. If we make material changes to

this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it

on the Websites. If required by law we will also provide notification of changes in another way

that we believe is reasonably likely to reach you, such as via email or another manner through

the Solution or Websites. Any modifications to this Privacy Policy will be effective upon our

posting the modified version (or as otherwise indicated at the time of posting). In all cases, your

use of the Solution or Websites after the effective date of any modified Privacy Policy indicates

your acceptance of the modified Privacy Policy.

If you have any questions about this Policy, or to exercise any of your data privacy rights, please

email us at [email protected]. You can also contact us at our mailing address below:

33 New Montgomery St

Suite 1420

San Francisco, CA 94105

Attn: Legal

Last updated: August 2, 2022