do it together

Welcome to the Privacy Policy of Do2, Inc (“Do2”, “we”, “us” and/or “our”). This Privacy Policy is

provided by Do2 and has been created to provide information about how we collect and process

information through the Do2 website (“the Site”), mobile applications (“App”), and services provided by

us (the “Do2 Services”), as well as from our business customers who use our business services (the “Do2

Business Customer Services”). This Privacy Policy is divided into 3 parts depending on what type of user

of the Do2 services you are:

A. Site visitors, who are individuals visiting our website to learn more about Do2, in which case

the “Do2 Privacy Policy for Site Visitors” applies to you;

B. End-Users of Do2 Services offered by Do2 customers, in which case the “Do2 Privacy Policy

for End Users of Do2 Services Offered by Do2 Customers” applies to you; and

C. Do2 business customers, in which case the “Do2 Privacy Policy for Do2 Business

Customers” applies to you

Data Privacy Framework Policy Updates

Do2 and its affiliates comply with the requirements of the EU-U.S. Data Privacy Framework, the UK

Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework as

set forth by the U.S. Department of Commerce (collectively, the “DPF”). Do2 has certified to the U.S.

Department of Commerce that it adheres to the DPF Principles with respect to personal information

(as described below) that is transferred from the European Union and its Member States, the

European Economic Area, the United Kingdom (and Gibraltar), and/or Switzerland to the United

States. If there is any conflict between the terms in this DPF Policy or another applicable privacy

policy and the DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy

Framework and to view Do2’s certification, please visit: https://www.dataprivacyframework.gov.

This DPF Policy applies to personal information within the scope of Do2’s DPF certification, which

covers the following categories of information:

• Personal information regarding current, former and prospective partners, principals and

employees for the purposes of operating and managing Do2, performing human resource

administration and maintaining contact with individuals.

• Personal information regarding current, former and prospective clients and their personnel,

customers, or other data subjects for the purposes of delivering Do2 services, maintaining ongoing

relationships and performing business development activities.

• Personal information regarding our suppliers, service providers, and other third parties, and

their personnel for the purposes of managing and administering Do2’s business relationships

with such third parties.

Accountability for Onward Transfers Consistent with the DPF Principles

Do2 may transfer personal information to third parties, including transfers from one country to

another. We will only disclose an individual’s personal information to third parties under one or

more of the following conditions:

• The disclosure is to a third party providing services to Do2, or to the individual, in connection with

the operation of our business, and as consistent with the purpose for which the personal information

was collected. We maintain written contracts with these third parties and require that these third

parties provide at least the same level of privacy protection and security as required by the DPF

Principles. To the extent provided by the DPF Principles, Do2 remains responsible and liable under

the DPF Principles if a third party that it engages to process personal information on its Do2 | Do2's

Data Privacy Framework Policy 2 behalf does so in a manner inconsistent with the DPF Principles,

unless Do2 proves that it is not responsible for the matter giving rise to the damage;

• With the individual’s permission to make the disclosure;

• Where required to the extent necessary to meet a legal obligation to which Do2 is subject, including

a lawful request by public authorities and national security or law enforcement obligations and

applicable law, rule, order, or regulation;

• Where reasonably necessary for compliance or regulatory purposes, or for the establishment of legal

claims. Individual rights Individuals whose personal information is covered by this DPF Policy have

the right to access the personal information that Do2 maintains about them as specified in the DPF

Principles. Individuals may contact us to correct, amend or delete such personal information if it is

inaccurate or has been processed in violation of the DPF Principles (except when the burden or

expense of providing access, correction, amendment, or deletion would be disproportionate to the

risks to the individual’s privacy, or where the rights of persons other than the individual would be

violated). Individuals may also have the right to limit the use and disclosure of their personal

information (opt out) under certain circumstances, such as marketing. Requests to access, correct,

amend, delete, or limit the use and disclosure of personal information (opt out) may be submitted

using our request form.

Security

Do2 takes appropriate measures to protect personal information in its possession to ensure a level of

security appropriate to the risk of loss, misuse, unauthorized access, disclosure, alteration, and

destruction. These measures take into account the nature of the personal information and the risks

involved in its processing, as well as best practices in the industry for security and data protection.

Enforcement In compliance with the DPF Principles

Do2 commits to resolve complaints about our collection or use of your personal information. Individuals

with inquiries or complaints regarding our DPF Policy should first contact Do2. Do2 has a policy of

responding to individuals within forty five (45) days of an inquiry or complaint. If an individual has an

unresolved complaint or concern that is not addressed satisfactorily, that individual may contact our U.S.

based third party dispute resolution provider (free of charge). If the dispute involves human resources

personal information or information collected in the context of an employment relationship, we will

cooperate with the competent EU, UK, or Swiss data protection authorities and comply with the advice of

such authorities. You may have the option to select binding arbitration under the EU-U.S. Data Privacy

Framework Panel for the resolution of your complaint under certain circumstances. Do2

is also subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission.

Modifications- Do2 may update this DPF Policy at any time by publishing an updated version here,

however we will not update this DPF Policy in contravention of the DPF Principles.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF,

Do2, Inc. commits to cooperate and comply respectively with the advice of the panel established by the

EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) and the

Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved

complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF

and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment

relationship. This applies to parts A, B, and C of the Privacy Policy.

Do2 Contact Information:

No matter what type of user you are, you have any questions about Do2’s Privacy Policy or the

information practices of the Do2 Services, or wish to exercise any of your data protection rights

as described in the sections below, please email privacy@do2.co.

If you are a resident of the United Kingdom or European Economic Area, please note that we

have appointed an EU data protection representative. If you have any questions, please contact

Do2's Compliance Team at legal@do2.co

(A) Do2 Privacy Policy for Site Visitors

Do2, Inc., is the controller of your information collection through your use of our Site pursuant to the

EU General Data Protection Regulation 2016/679, as applicable.

Please read this section of Privacy Policy to understand how we may process your information via

your use of our Site. If you do not agree with how we process your information, please do not use the

Site.

1. Information We Collect

When you interact with us through the Site, we may collect your information from and about you,

as further described below:

• Information That You Provide: We collect information from you when you voluntarily

provide it, such as when you contact us with inquiries, respond to one of our surveys, or

provide it at a conference or event. This information may include your name, business contact

information, and title.

• Interaction with our Site: When you interact with Do2 through the Site, we receive and store

certain information automatically through various technologies. Do2 may store such

information itself or such information may be included in databases owned and maintained by

Do2 affiliates, agents or service providers. This Site may use such information and pool it with

other information to track, for example, the total number of visitors to our Site, the number of

visitors to each page of our Site, and the domain names of our visitors’ Internet service

providers. For further details please see the section on “Cookies” below.

• Research and Analytics Data: In an ongoing effort to better understand and serve the users of

the Do2 Services, Do2 often conducts research on its Site visitor demographics, interests and

behavior based on the information you provide to us and that we collect from and about you.

This research may be compiled and analyzed on an aggregate and/or de-identified basis, in

which case Do2 may share this aggregated and/or de-identified data with its affiliates, agents

and business partners. This aggregate and/or de-identified information cannot be used to

identify you personally. Do2 may also disclose aggregated user statistics to describe our services

to current and prospective business partners, and to other third parties for other lawful

purposes.

2. Our Use of Your Information and Legal Bases for Processing Information

We process information you provide to us to enable us to provide the Site to you pursuant to any

applicable Site terms, to ensure compliance with local legal and regulatory requirements, and for the

purposes of our legitimate business interests, including to:

● enable us to provide you with the information, products and services that you request from us;

● enable us to respond to an inquiry or other request you make when you contact us via our

Site, including for customer services support;

● notify you about any changes to the Site;

● enable us to issue a notice or corrective action to you in relation to the Site, if required;

● help us improve the content and functionality of the Site and Do2 Services, and to better

understand and analyze how you use our Site;

● detect security incidents, and protect against malicious, deceptive, fraudulent, or illegal activity;

● troubleshoot and debug Site;

● provide you with information about other services which we believe will be of interest to you

similar to those that you have already purchased or inquired about, as described in the

“Marketing” section below.

3. Cookies and Online Advertising

(a) Our Use of Cookies

In operating our Site, we may use a technology called “cookies”. A cookie is a piece of

information that the computer that hosts our Site stores to your browser when you access the Site.

We use various types of cookies, including session cookies, persistent cookies, local shared

objects, pixels, gifs and other tracking technologies, session and persistent technologies, first and

third-party cookies. Cookies can be persistent by remaining on your computer until you delete

them or be based on your browsing session where they delete once you close your browser. First

party cookies are used and controlled by us to provide services on our Site. Our use of cookies

falls into three categories:

● Strictly necessary cookies: these are essential to enable you to move around our Site and

use its features. Without these cookies, the services you have asked for cannot be provided.

● Performance cookies: also known as “analytical” cookies. These cookies allow us to

recognize and count the number of visitors and to see how visitors move around our site. For

example, they allow us to understand which pages are visited most often, and if they get

error messages from web pages. All information collected by these cookies is aggregated and

therefore anonymous.

● Advertising cookies: Through the help of third-party service providers, we may place

certain cookies on our Site that allow us to provide advertising for the Do2 Services both on and

off the Site, as explained below.

Strictly necessary cookies are necessary to provide the Site to you. We use such cookies without

your prior consent. All other cookies are dropped after you have consented via a cookie banner.

(b) Opting out of Cookies

You have the ability to accept or decline cookies. Most browsers automatically accept cookies, but

you can usually modify your browser setting to decline cookies if you prefer. Detailed instructions

are provided by your browser. If you do not accept all cookies or withdraw your consent, you may

still browse the Site; however, in this case you may not be able to use the full functionalities of the

Site. For more information on cookies and how they can be managed and deleted please visit

https://www.allaboutcookies.org/ or your browser cookie settings.

We and non-affiliated third parties performing services on our behalf may integrate advertising

technologies that allow for the delivery of relevant advertising on the Site, as well as on other

websites you visit. The ads may be based on various factors such as the content of the page you are

visiting, demographic data, and other information we and our service providers collect from or

about you. These ads may be based on your current activity or your activity over time and across

other websites and online services and may be tailored to your interests.

We neither have access to, nor does this Privacy Policy govern, the use of cookies or other tracking

technologies that may be placed on your device you use to access the Services by such non-affiliated

third parties. If you are interested in more information about tailored browser advertising and how

you can generally control cookies from being put on your computer to deliver tailored advertising,

you may visit the Network Advertising Initiative’s Consumer Opt-Out Link, the Digital Advertising

Alliance’s Consumer Opt-Out Link, or Your Online Choices to opt-out of receiving tailored

advertising from companies that participate in those programs. To opt out of Google Analytics for

display advertising or customize Google display network ads, visit the Google Ads Settings page. We

do not control these opt-out links or whether any particular company chooses to participate in these

opt-out programs. We are not responsible for any choices you make using these mechanisms or the

continued availability or accuracy of these mechanisms.

Please note that if you exercise the opt out choices above, you will still see advertising when you use the

Site, but it will not be tailored to you based on your online behavior over time.

4. Marketing

Do2 and itsaffiliates (see Schedule I for list of affiliates) (the “Do2 Related Companies”) may also use

your information to contact you via email, phone, or postal mail with promotional materials in the

future to tell you about services we believe will be of interest to you, in accordance with applicable law.

In our promotional emails, there will be instructions explaining how to “opt-out” of receiving them in

the future, if you would like. In addition, if at any time you wish not to receive any future promotional

communications or you wish to have your name deleted from our mailing lists, please contact us as

indicated below. Please note that it may take time to process your request, consistent with our legal

obligations. Also, after you have opted out, you may continue to receive non-promotional, transactional

communications from us.

5. Our Disclosure of Your Information

We may share your information with certain third parties, as set forth below:

● Business Transfers: As we develop our business, we might sell or buy some or all of

our businesses or assets. In the event of a corporate sale, merger, reorganization,

dissolution or similar event, your information may be part of the transferred assets.

● Related Companies: We may also share information with our Do2 Related Companies

for purposes consistent with this Privacy Policy.

● Agents, Consultants and Related Third Parties: Do2, like many businesses, sometimes hires

other companies to perform certain business-related functions on our behalf. Examples of

such functions include hosting our Do2 Services, mailing information, sales and marketing,

shipping and fulfillment, maintaining databases, and processing payments. When we employ

another company to perform a function of this nature, we only provide them with the

information that they need to perform their specific function.

● Legal Requirements: Do2 may disclose your information if required to do so by law or in

the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii)

protect and defend the rights or property of Do2, (iii) act in urgent circumstances to protect

the personal safety of users of the Site or the public, or (iv) protect against legal liability.

When we disclose your personal data to third parties, we take reasonable measures to ensure that the

rules set out in this Privacy Policy are complied with and that these third parties provide sufficient

guarantees to implement appropriate technical and organizational measures to protect your personal

data.

6. Storing Your Information

Your information collected via our Site will be stored on servers located in the United States,

European Union and other locations that may have different data protection laws than in your

jurisdiction. This includes by individuals or service providers engaged in, among other things,

administration of an enquiry or request you make via our Site, or the provision of support services.

By using the Site, you acknowledge that your information will be stored and processed in the United

States, European Union and potentially other global locations.

7. Data Privacy Framework Principles

Do2 complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-

U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) ("Data Privacy Framework") and

to the rights of EU and UK individuals and Swiss individuals. Do2 is committed to comply with the EU-

U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-

U.S. Data Privacy Framework (Swiss-U.S. DPF) and to the rights of EU and UK individuals and Swiss

individuals in regard to transfers of personal data from the European Union and, as applicable, the

United Kingdom, and/or with the Swiss-U.S. DPF Principles with regard to transfer of personal data

from Switzerland as reflected in Do2's self-certification submissions to the U.S. Department of

Commerce, and in the Do2 Privacy Policy. The Frameworks as set forth by the U.S. Department of

Commerce regarding the processing of Personal Data as defined in, and subject to, applicable EU, UK,

and Swiss data protection laws (for these purposes, reference to the EU also includes the European

Economic Area countries of Iceland, Liechtenstein and Norway). We process Personal Data (as defined in

applicable EU, UK, and Swiss data protection laws) in accordance with the EU-U.S. Data Privacy

Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy

Framework (Swiss-U.S. DPF).

Do2 complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-

U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S.

Department of Commerce. Do2 has certified to the U.S. Department of Commerce that it adheres to the

EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of

personal data received from the European Union and the United Kingdom in reliance on the EU-U.S.

DPF and the UK Extension to the EU-U.S. DPF. Do2 has certified to the U.S. Department of Commerce

that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with

regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If

there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the

Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework

(DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S.

DPF, Do2, Inc. commits to resolve DPF Principles-related complaints about our collection and use of

your personal information. EU and UK individuals and Swiss individuals with inquiries or

complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the

UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Do2, Inc. at the

following email: legal@do2.world We have further committed to refer unresolved Data Privacy

Framework complaints to an alternative dispute resolution provider.

On 4 June 2021, the Commission issued modernised standard contractual clauses under the GDPR

for data transfers from controllers or processors in the EU/EEA (or otherwise subject to the GDPR)

to controllers or processors established outside the EU/EEA (and not subject to the GDPR).

These modernised SCCs replace the three sets of SCCs that were adopted under the previous Data

Protection Directive 95/46. Consequently, we are relying on standard contractual clauses (based on the

clauses published here, a copy of which can be obtained by contacting us at privacy@do2.co) for

transfers of personal data from the EEA.

8. Data Retention

We will only retain your information for as long as necessary to fulfill the purposes we collected it

for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for your information, we consider the amount, nature,

and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure of

your information, the purposes for which we process your information and whether we can achieve

those purposes through other means, and the applicable legal requirements.

9. Exclusions

This Do2 Privacy Policy for Site Visitors does not apply to information collected by Do2 other than

information collected through the Site. This Privacy Policy will not apply to any unsolicited

information you provide to Do2 through this Site or through any other means. This includes, but is

not limited to, information posted to any public areas of the Site, such as bulletin boards (collectively,

“Public Areas”), any ideas for new products or modifications to existing products, and other

unsolicited submissions (collectively, “Unsolicited Information”). All Unsolicited Information will be

deemed to be non-confidential and Do2 will be free to reproduce, use, disclose, and distribute such

Unsolicited Information to others without limitation or attribution.

10. Children

The Site is intended for general audiences and not for children under the age of 13. If we become aware

that we have collected “personal information” (as defined by the United States Children’s Online

Privacy Protection Act) from children under the age of 13 without legally valid parental consent, we

will take reasonable steps to delete it as soon as possible. We do not knowingly process data of EU

residents under the age of 16 without parental consent. If we become aware that we have collected data

from an EU resident under the age of 16 without parental consent, we will take reasonable steps to

delete it as soon as possible. We also comply with other age restrictions and requirements in

accordance with applicable local laws.

11. Links to Other Web Sites

The policies and procedures we described here do not apply to such Third Party Sites. The links from

this Site do not imply that Do2 endorses or has reviewed the Third Party Sites. We suggest contacting

those sites directly for information on their privacy policies and practices.

12. Our Policy on Do Not Track Signals

This Site may contain links to other web sites not operated or controlled by Do2 (the “Third Party Sites”).

The policies and procedures we described here do not apply to such Third Party Sites. The links from this

Site do not imply that Do2 endorses or has reviewed the Third Party Sites. We suggest contacting those

sites directly for information on their privacy policies and practices. Do2 takes steps to protect the

information provided via the Site from loss, misuse, and unauthorized access, disclosure, alteration, or

destruction. However, no Internet or e-mail transmission is ever fully secure or error free. Please keep

this in mind when disclosing any information to Do2.

13. Other Terms and Conditions

Your access to and use of this Site is subject to the Terms of Use (https://www.do2.com/terms/).

14. Changes to Do2's Privacy Policy

The Site, our business, and applicable legal requirements may change from time to time. As a result, at

times it may be necessary for Do2 to make changes to this Privacy Policy. Do2 reserves the right to

update or modify this Privacy Policy at any time in accordance with our legal obligations. Please

review this policy periodically. This Privacy Policy was last updated on the date indicated above. Your

continued use of the Site after any changes or revisions to this Privacy Policy will indicate your

agreement with the terms of such revised Privacy Policy.

15. Your Rights

To keep your information accurate, current, and complete, please contact us as specified at the

beginning of this Privacy Policy. We will take reasonable steps to update or correct your information

in our possession in accordance with applicable law.

You may have the right to: request access to your Personal Data we hold about you; request we correct

any inaccurate Personal Data we hold about you; request we delete any Personal Data we hold about

you; restrict the processing of Personal Data we hold about you; object to the processing of Personal

Data we hold about you; and/or receive any Personal Data we hold about you in a structured and

commonly used machine-readable format or have such Personal Data transmitted to another company.

We may ask you for additional information to confirm your identity and for security purposes, before

disclosing information requested to you. We will process any request in line with any local laws and

our policies and procedures. If you are located in the EEA or United Kingdom, you have the right to

lodge a complaint about how we process your Personal Data with the supervisory authority in your

country.

If you wish to exercise any of your rights, please contact us using the information provided in the

"Do2 Contact Information" section.

16. Privacy Notice for California Users

If you are a California resident, California law requires us to provide you with some additional

information regarding your rights with respect to your “personal information” (as defined in

the California Consumer Privacy Act ("CCPA") and California Privacy Rights Act(“CPRA")).

Please note that we describe the categories of personal information we collect, the sources and

uses of such information, and the entities to which we share such information above in the

“Information We Collect,” “Our Use of Your Information and Legal Bases for Processing

Information,” and “How We Disclose Your Information” sections above. Do2 allows users the

following rights in accordance with the CPRA/CCPA:

● Right to Request and Receive Personal Information Disclosures

● Right to Delete Personal Information

● Right to Correct Inaccurate Personal Information

● Right to Know what Personal Information is Being Collected and Right to Access

Personal Information

● Right to Know what Personal Information is Sold or Shared, and to Whom

● Right to Opt-Out of the Sale or Sharing of Personal Information:

● Right to Limit Use and Disclosure of Sensitive Personal Information

● Right of Non-Retaliation Following Opt-Out of Exercise of Other Rights

If you are a California resident and you have any questions about our practices, please contact us

using the contact information above.

Further, please note that applicable California privacy legislation permits individuals who are

California residents to request certain information regarding our disclosure of “personal information”

(as defined by California law) to third parties for their direct marketing purposes. We do not share

personal information with third parties for their own marketing purposes.

17. Federal Trade Commission (FTC)

Do2 is subject to the investigatory and enforcement powers of the FTC.

18. Arbitration

Do2 is obligated to arbitrate claims and follow the terms as set forth in Annex I of the DPF

Principles, provided that an individual has invoked binding arbitration by delivering notice to Do2

and following the procedures and subject to conditions set forth in Annex I of Principles.

19. Accountability for Onward Transfers Consistent with the DPF Principles.

Do2 may transfer personal information to third parties, including transfers from one country to

another. We will only disclose an individual’s personal information to third parties under one or

more of the following conditions:

• The disclosure is to a third party providing services to Do2, or to the individual, in connection with

the operation of our business, and as consistent with the purpose for which the personal information

was collected. We maintain written contracts with these third parties and require that these third

parties provide at least the same level of privacy protection and security as required by the DPF

Principles. To the extent provided by the DPF Principles, Do2 remains responsible and liable under the

DPF Principles if a third party that it engages to process personal information on its behalf does so in a

manner inconsistent with the DPF Principles, unless Do2 proves that it is not responsible for the matter

giving rise to the damage;

• With the individual’s permission to make the disclosure;

• Where required to the extent necessary to meet a legal obligation to which Do2 is subject, including a

lawful request by public authorities and national security or law enforcement obligations and

applicable law, rule, order, or regulation;

• Where reasonably necessary for compliance or regulatory purposes, or for the establishment of legal

claims.

(B) Do2 Privacy Policy for End-Users of Do2 Services Offered by Do2 Customers

To the extent that you are providing information via the mobile applications (“App”) in

connection with your occupation or use of a building or particular physical space (“End-Users”)

in which you live, visit or work, please note that Do2 processes this information on behalf of our

customers who are building or space owners (“Customer Data”) to provide Do2 services,

including access to the Do2 Platform and Tenant Experience applications (the “Do2 Services”) to

you as an App End User. We are a processor when we process Customer Data, our customer is

the data controller. This Privacy Policy explains the information collected from and about you as

an End User of the App.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S.

DPF, Do2, Inc. commits to cooperate and comply respectively with the advice of the panel

established by the EU data protection authorities (DPAs) and the UK Information

Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information

Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human

resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF

and the Swiss-U.S. DPF in the context of the employment relationship. This applies to parts A, B,

and C of the Privacy Policy.

Please read this Privacy Policy to understand how we and our Customers (together referred to

herein as “we”) may process your information via your use of the Do2 Services. If you do not

agree with how we process your information, please do not use the Do2 Services.

1. Information We Collect

When you interact with us through our Site, we may collect information from and about you, as

further described below:

Information That You Provide: We collect information from you when you voluntarily provide it,

such as when you contact us with inquiries, respond to one of our surveys, provide it at a

conference or event, register for access to the Do2 Services, or use certain Do2 Services. This

information may include your name, business contact information, and title.

Location Data: Some features and functionality in our Do2 Services require that you provide your

location. If you have location services turned on, whenever you use such Do2 Services on your

mobile device, we collect and use your geocoordinates (e.g. latitude and longitude) to tailor the

Do2 Services to your current location. We will only process your location with your express

permission. If you have persistent background location turned on, we will obtain your device’s

location even if you are not using the Do2 Services on your mobile device. Your location is never

shared with others, except with your consent or as permitted under this Privacy Policy. We use

various technologies to determine your precise location, such as the location services of your

operating system or browser, sensor data from your device (e.g. magnetometer, barometer,

gyroscopes, accelerometers, compasses, Bluetooth data, beacon data, Wi-Fi access points, GPS

data, and cell tower data), and other data that may help us understand your precise location. If

you have opted-in to sharing your background location with us as part of using the Do2 Services,

you may remove this permission at any time by going into your operating device settings and

toggling off background sharing.

Interaction with our App: When you interact with the Do2 Services through the App, we receive

and store certain information automatically about your interaction with the App. We may store

such information ourselves, or such information may be included in databases owned and

maintained by our affiliates, agents or service providers. The Do2 Services may use such

information and pool it with other information to track, for example, the total number of App

users, the number of users of different portions of the App, and similar App usage information.

Setting up an account via the App: when you download our App and set up an account, we will

collect certain information from you such as your username and password in order to process

your registration and administer your account.

Research and Analytics Data: In an ongoing effort to better understand and serve the users of the

Do2 Services, Do2 often conducts research on its customer and user demographics, interests and

behavior based on the information you provide to us. This research may be compiled and

analyzed on an aggregate and/or de-identified basis, in which case Do2 may share this

aggregated and/or de-identified data with its affiliates, agents and business partners. This

aggregate and/or de-identified information cannot be used to identify you personally. Do2 may

also disclose aggregated user statistics to describe our services to current and prospective

business partners, and to other third parties for other lawful purposes.

2. Our Use of Your Information and Legal Bases for Processing Information

We process the information you provide to us to enable us to perform the contract we are about

to enter into or have entered into with your landlord or your employers landlord, to ensure

compliance with local legal and regulatory requirements, and for the purposes of our legitimate

business interests, including to:

• to provide you with access to our Platform and the Services, to support your use of Do2

Services, and to support the use of the Do2 Services by others who interact with you

through our Do2 Services (such as your landlord, your property manager, your

employer, or third party service providers)

• enable us to carry out our obligations arising from any contracts and to provide you with

the information, products and services that you request from us;

• enable us to respond to an inquiry or other request you make when you contact us via our

App, including for customer services support;

• notify you about any changes to the Do2 Services;

• enable us to issue a notice or corrective action to you in relation to any of the Do2 Services,

if required;

• help us improve the content and functionality of the Do2 Services, and to better

understand and analyze how you use our App;

• detect security incidents, and protect against malicious, deceptive, fraudulent, or illegal

activity;

• troubleshoot and debug Do2 Services errors;

• provide you with information about other services which we believe will be of interest to

you similar to those that you have already purchased or inquired about, as described in

the “Marketing” section below.

3. Marketing

Do2 and its affiliates (see Schedule I for list of affiliates) (the “Do2 Related Companies”) may also

your information to contact you via email, phone, or postal mail with promotional materials in

the future to tell you about services we believe will be of interest to you in accordance with

applicable law. In our promotional emails, there will be instructions explaining how to “opt-out”

of receiving them in the future, if you would like. In addition, if at any time you wish not to

receive any future promotional communications or you wish to have your name deleted from our

mailing lists, please contact us as indicated below. Please note that it may take time to process

your request, consistent with our legal obligations. Also, after you have opted out, you may

continue to receive non-promotional, transactional communications from us.

4. Our Disclosure of Your Information

We may share your information with certain third parties, as set forth below:

• Business Transfers: As we develop our business, we might sell or buy some or all of our

businesses or assets. In the event of a corporate sale, merger, reorganization, dissolution

or similar event, your information may be part of the transferred assets.

• Related Companies: We may also share your information with our Do2 Related

Companies for purposes consistent with this Privacy Policy.

• Agents, Consultants and Related Third Parties: We, like many businesses, sometimes hire

other companies to perform certain business-related functions on our behalf. Examples of

such functions include hosting the Do2 Services, mailing information, sales and

marketing, shipping and fulfillment, maintaining databases, and processing payments.

When we employ another company to perform a function of this nature, we only provide

them with the information that they need to perform their specific function.

• Legal Requirements: We may disclose your information if required to do so by law or in

the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii)

protect and defend our rights or property, (iii) act in urgent circumstances to protect the

personal safety of users of the Do2 Services or the public, or (iv) protect against legal

liability.

When we disclose your personal data to third parties, we take reasonable measures to ensure that

the rules set out in this Privacy Policy are complied with and that these third parties provide

sufficient guarantees to implement appropriate technical and organizational measures to protect

your personal data.

5. Storing Your Information

Your information collected via the Do2 Services will be stored on servers located in the United

States, European Union and other locations that may have different data protection laws than in

your jurisdiction. This includes individuals or service providers engaged in, among other things,

and provision of support services. By using the Do2 Services, you acknowledge that your

information will be stored and processed in the United States, European Union and potentially

other global locations.

6. Data Privacy Framework Principles

Do2 complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to

the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) ("Data Privacy

Framework") and to the rights of EU and UK individuals and Swiss individuals. Do2 is

committed to comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK

Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) and

to the rights of EU and UK individuals and Swiss individuals in regard to transfers of personal

data from the European Union and, as applicable, the United Kingdom, and/or with the Swiss-

U.S. DPF Principles with regard to transfer of personal data from Switzerland as reflected in

Do2's self-certification submissions to the U.S. Department of Commerce, and in the Do2

processing of Personal Data as defined in, and subject to, applicable EU, UK, and Swiss data

protection laws (for these purposes, reference to the EU also includes the European Economic

Area countries of Iceland, Liechtenstein and Norway). We process Personal Data (as defined in

applicable EU, UK, and Swiss data protection laws) in accordance with the EU-U.S. Data Privacy

Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data

Privacy Framework (Swiss-U.S. DPF).

Do2 complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to

the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the

U.S. Department of Commerce. Do2 has certified to the U.S. Department of Commerce that it

adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard

to the processing of personal data received from the European Union and the United Kingdom in

reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Do2 has certified to the

U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework

Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received

from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in

this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the

Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to

view our certification, please visit https://www.dataprivacyframework.gov/

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S.

DPF, Do2, Inc. commits to resolve DPF Principles-related complaints about our collection and use

of your personal information. EU and UK individuals and Swiss individuals with inquiries or

complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and

the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact Do2, Inc. at the

following email: legal@do2.co . We have further committed to refer unresolved Data Privacy

Framework complaints to an alternative dispute resolution provider.

On 4 June 2021, the Commission issued modernised standard contractual clauses under the

GDPR for data transfers from controllers or processors in the EU/EEA (or otherwise subject to

the GDPR) to controllers or processors established outside the EU/EEA (and not subject to the

GDPR).

These modernised SCCs replace the three sets of SCCs that were adopted under the previous

Data Protection Directive 95/46. Consequently, we are relying on standard contractual clauses

(based on the clauses published here, a copy of which can be obtained by contacting us at

privacy@do2.co) for transfers of personal data from the EEA.

7. Data Retention

We will only retain your information for as long as necessary to fulfill the purposes we collected

it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for your information, we consider the amount,

nature, and sensitivity of the information, the potential risk of harm from unauthorized use or

disclosure of your information, the purposes for which we process your information and whether

we can achieve those purposes through other means, and the applicable legal requirements.

8. Exclusions

This Privacy Policy does not apply to information collected by us other than information collected

through the Do2 Services. This Privacy Policy will not apply to any unsolicited information you

provide to Do2 through any means. This includes, but is not limited to, any ideas for new

products or modifications to existing products, and other unsolicited submissions (collectively,

“Unsolicited Information”). All Unsolicited Information will be deemed to be non-confidential

and we will be free to reproduce, use, disclose, and distribute such Unsolicited Information to

others without limitation and attribution.

This Privacy Policy does not address, and we are not responsible for, the privacy, information, or

other practices of any third parties with whom you interact using our Do2 Services, including any

landlord, property manager, tenant, merchant or service provider, and including any other third

party operating any site, application or service that may be introduced, included or integrated

into our Do2 Services. We encourage you to read the privacy policy of every person with whom

you interact using our Do2 Services.

9. Children

Do2 Services are intended for general audiences and not for children under the age of 13. If we

become aware that we have collected “personal information” (as defined by the United States

Children’s Online Privacy Protection Act) from children under the age of 13 without legally valid

parental consent, we will take reasonable steps to delete it as soon as possible. We do not

knowingly process data of EU residents under the age of 16 without parental consent. If we

become aware that we have collected data from an EU resident under the age of 16 without

parental consent, we will take reasonable steps to delete as soon as possible. We also comply with

other age restrictions and requirements in accordance with applicable local laws.

10. Links to Other Web Sites

This Privacy Policy applies only to the Do2 Services. The Do2 Services and App may contain links

to other web sites not operated or controlled by Do2 (the “Third Party Sites”). The policies and

procedures we described here do not apply to such Third Party Sites. The links from the Do2

Services do not imply that Do2 endorses or has reviewed the Third Party Sites. We suggest

contacting those sites directly for information on their privacy policies and practices.

11. Security

We take steps to protect the information provided via the Do2 Services from loss, misuse, and

unauthorized access, disclosure, alteration, or destruction. However, no Internet or e-mail

transmission is ever fully secure or error free. Please keep this in mind when disclosing any

information to us.

12. Changes to this Privacy Policy

Our business, and applicable legal requirements may change from time to time. As a result, at

times it may be necessary for us to make changes to this Privacy Policy. We reserve the right to

update or modify this Privacy Policy at any time in accordance with our legal obligations. Please

review this policy periodically. This Privacy Policy was last updated on the date indicated above.

Your continued use of the Do2 Services after any changes or revisions to this Privacy Policy will

indicate your agreement with the terms of such revised Privacy Policy.

13. Your Rights

To keep your information accurate, current, and complete, please contact us as specified below.

We will take reasonable steps to update or correct your information in our possession in

accordance with applicable law.

You may have the right to: request access to your Personal Data we hold about you; request we

correct any inaccurate Personal Data we hold about you; request we delete any Personal Data we

hold about you; restrict the processing of Personal Data we hold about you; object to the

processing of Personal Data we hold about you; and/or receive any Personal Data we hold about

you in a structured and commonly used machine-readable format or have such Personal Data

transmitted to another company. We may ask you for additional information to confirm your

identity and for security purposes, before disclosing information requested to you. We will

process any request in line with any local laws and our policies and procedures. If you are located

in the EEA or United Kingdom, you have the right to lodge a complaint about how we process

your Personal Data with the supervisory authority in your country.

If you wish to exercise any of your rights, please contact us using the information provided in the

"Do2 Contact Information" section.

14. Privacy Notice for California Users

If you are a California resident, California law requires us to provide you with some additional

information regarding your rights with respect to your “personal information” (as defined in the

California Consumer Privacy Act ("CCPA") and California Privacy Rights Act(“CPRA")). We

describe the categories of personal information we collect, the sources and uses of such

information, and the entities to which we share such information above in the “Information We

Collect,” “Our Use of Your Information and Legal Bases for Processing Information,” and “How

We Disclose Your Information” sections above. Do2 allows users the following rights in

accordance with the CPRA/CCPA:

• Right to Request and Receive Personal Information Disclosures

• Right to Delete Personal Information

• Right to Correct Inaccurate Personal Information

• Right to Know what Personal Information is Being Collected and Right to Access Personal

Information

• Right to Know what Personal Information is Sold or Shared, and to Whom

• Right to Opt-Out of the Sale or Sharing of Personal Information:

• Right to Limit Use and Disclosure of Sensitive Personal Information

• Right of Non-Retaliation Following Opt-Out of Exercise of Other Rights

If you are a California resident and you have any questions about our practices, or would like to

exercise any rights you may have (subject to any legal exceptions) please contact us using the

contact information above. Further, please note that applicable California privacy legislation

permits individuals who are California residents to request certain information regarding our

disclosure of “personal information” (as defined by California law) to third parties for their direct

marketing purposes. We do not share personal

information with third parties for their own marketing purposes.

15. Federal Trade Commission (FTC)

Do2 is subject to the investigatory and enforcement powers of the FTC.

16. Arbitration

Do2 is obligated to arbitrate claims and follow the terms as set forth in Annex I of the DPF

Principles, provided that an individual has invoked binding arbitration by delivering notice to

Do2 and following the procedures and subject to conditions set forth in Annex I of Principles.

17. Accountability for Onward Transfers Consistent with the DPF Principles.

Do2 may transfer personal information to third parties, including transfers from one country to

another. We will only disclose an individual’s personal information to third parties under one or

more of the following conditions:

• The disclosure is to a third party providing services to Do2, or to the individual, in connection

with the operation of our business, and as consistent with the purpose for which the personal

information was collected. We maintain written contracts with these third parties and require that

these third parties provide at least the same level of privacy protection and security as required

by the DPF Principles. To the extent provided by the DPF Principles, Do2 remains responsible

and liable under the DPF Principles if a third party that it engages to process personal

information on its behalf does so in a manner inconsistent with the DPF Principles, unless Do2

proves that it is not responsible for the matter giving rise to the damage;

• With the individual’s permission to make the disclosure;

• Where required to the extent necessary to meet a legal obligation to which Do2 is subject,

including a lawful request by public authorities and national security or law enforcement

obligations and applicable law, rule, order, or regulation;

• Where reasonably necessary for compliance or regulatory purposes, or for the establishment

of legal claims.

If you are a business customer of Do2, Do2, Inc., is the controller of your information collected

from and about you as part of our business customer services (“Do2 Business Customer

Services”).

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S.

DPF, Do2, Inc. commits to cooperate and comply respectively with the advice of the panel

established by the EU data protection authorities (DPAs) and the UK Information

Commissioner’s Office (ICO) and the Swiss Federal Data Protection and Information

Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human

resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF

and the Swiss-U.S. DPF in the context of the employment relationship. This applies to parts A, B,

and C of the Privacy Policy.

Please read this Privacy Policy to understand how we may process your information via your use

of our Do2 Business Customer Services. If you do not agree with how we process your

information, please do not use the Do2 Business Customer Services. If you are a business

customer that also uses the Do2 Services through our App, or that uses our Site, please also see

the privacy policies relevant to those services.

1. Information We Collect

When you interact with us as a user of the Do2 Business Customer Services, we may collect

information from and about you, as further described below:

• Information That You Provide: We collect information from you when you voluntarily

provide it, such as when you contact us with inquiries, respond to one of our surveys,

provide it at a conference or event, or otherwise use the Do2 Business Customer Services.

This information may include your name, business contact information, and title.

• Research and Analytics Data: In an ongoing effort to better understand and serve the users

of Do2 Business Customer Services, Do2 often conducts research on its customer

demographics, interests and behavior based on the information you provide to us. This

research may be compiled and analyzed on an aggregate and/or de-identified basis, in

which case Do2 may share this aggregated and/or de-identified data with its affiliates,

agents and business partners. This aggregate and/or de-identified information cannot be

used to identify you personally. Do2 may also disclose aggregated user statistics to

describe our services to current and prospective business partners, and to other third

parties for other lawful purposes.

2. Our Use of Your Information and Legal Bases for Processing Information

We process the information you provide to us to enable us to provide the Do2 Business Customer

Services to you, to ensure compliance with local legal and regulatory requirements, and for the

purposes of our legitimate business interests, including to:

• enable us to carry out our obligations to provide you with the information, products and

services that you request from us;

• enable us to respond to an inquiry or other request you make when you contact us,

including for customer services support;

• notify you about any changes to the Do2 Business Customer Services;

• enable us to issue a notice or corrective action to you in relation to any of the Do2 Business

Customer Services, if required;

• help us improve the content and functionality of the Do2 Business Customer Services, and

to better understand and analyze how you use our Services;

• detect security incidents, and protect against malicious, deceptive, fraudulent, or illegal

activity;

• troubleshoot and debug Do2 Business Customer Services errors;

• provide you with information about other services which we believe will be of interest to

you similar to those that you have already purchased or inquired about, as described in the

• “Marketing” section below.

3. Marketing

Do2 and its affiliates (see Schedule I for list of affiliates) (the “Do2 Related Companies”) may also

use your information to contact you via email, phone, or postal mail with promotional materials

in the future to tell you about services we believe will be of interest to you, in accordance with

applicable law.

In our promotional emails, there will be instructions explaining how to “opt-out” of receiving

them in the future, if you would like. In addition, if at any time you wish not to receive any future

promotional communications or you wish to have your name deleted from our mailing lists,

please contact us as indicated below. Please note that it may take time to process your request,

consistent with our legal obligations. Also, after you have opted out, you may continue to receive

non-promotional, transactional communications from us.