Corporate Privacy Policy

In this policy, the terms “we”, “us”, “our”, and “ours” refer to Jefferson Capital Holdings, LLC and its affiliates (“JCAP”). Sections 4-7 apply to JCAP affiliates designated in Section 4 and to information processed on accounts established in the European Economic Area (EEA) or the United Kingdom. All other sections of this policy apply to JCAP and all affiliates.

Section 1: Overview

JCAP respects individual privacy and values the confidence of its customers, employees, consumers, business partners, and others. Not only does JCAP strive to collect, use, and disclose Personal Information in a manner consistent with the laws of the countries in which it does business, but it also has a tradition of upholding the highest ethical standards in its business practices. We have therefore adopted a privacy and data protection policy that is applicable to information relating to our employees as well as to information relating to other individuals collected or processed in the general course of our business, including but not limited to Personal Information received from locations within the European Union.

Section 2: Scope

This Policy applies to any Personal Information received by JCAP in any format, including electronic, paper or verbal.

Section 3: Definitions

For purposes of this Policy, the following definitions shall apply:

• “EEA” means European Economic Area. Created in 1994, the EEA combines the countries of the European Union (EU) and member countries of EFTA (European Free Trade Association).
• “Agent” means any third party that collects or uses Personal Information under the instructions of, and solely for, JCAP or to which JCAP discloses Personal Information for use on JCAP’s behalf.
• “Consumer” means any natural person but excludes any individual acting in his or her capacity as an Employee.
• “Employee” means any current, former or prospective Employee of JCAP or any of its European affiliates.
• “Personal Information” means any information or set of information that identifies or could be used by or on behalf of JCAP to identify an individual. Personal Information does not include information that is encoded or anonymized, or publicly available information that has not been combined with non-public Personal Information.

Section 4: Data Privacy Framework (DPF) Affiliates

The following company affiliates adhere to the DPF Principles and may collect the same types of EU data as JCAP:

• JC International Acquisition, LLC
• Majestic Capital Holdings, LLC
• JCIA Holdings, LLC
• FMT Services, LLC
• JCIA Servicing Company, LLC
• Jefferson Capital Systems, LLC

Section 5: EU-U.S. Data Privacy Framework

JCAP complies with the EU-U.S. Data Privacy Framework (EU-US DPF) and the UK Extension to the ER-U.S. DPF as set forth by the US Department of Commerce. JCAP has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union or United Kingdom (including Gibraltar) in reliance on the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/ https://www.dataprivacyframework.gov/.

Section 6: EU-U.S. Data Privacy Framework Principles

NOTICE:

Where JCAP collects Personal data directly from individuals in the EEA or the United Kingdom, we will inform them of the following:

• The identity and the contact details of the controller (JCAP).
• The contact details of the Data Protection Officer.
• The types of data we collect under DPF Principles
• The purposes of the processing for which the personal data are intended as well as the legal basis for the processing.
• Their legitimate interests under UK GDPR Article 6(1)(f).
• The recipients, or categories of recipients of the personal data.
• Whether we intend to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.

To ensure fair and transparent processing of personal data JCAP will also provide the following information:

• The period for which the personal data will be stored, or if that is not possible, the criteria used to determine that period.
• The existence of the data subject’s rights such as the right of access, rectification, erasure, restriction, objection and portability.
• The right of withdrawal consent at any time where processing was based upon the data subject’s consent in the first instance.
• The right to lodge a complaint with the supervisory body.
• Whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and of the possible consequences of failure to provide such data.
• The existence of automated decision making if any, the logic involved and the envisaged consequences.

Where the personal data was not obtained from the data subject, the following information will be supplied in addition to the information set out above:

• The categories of personal data concerned.
• The original source of the personal data.

Where JCAP intends to further process the personal data for a purpose other than that for which the personal data were obtained JCAP shall provide the data subject prior to that further processing with information on that other purpose.

Where JCAP receives Personal Information from its subsidiaries, affiliates or other entities in the EEA or the United Kingdom, it will use and disclose such information in accordance with the notices provided by such entities and the choices made by the individuals to whom such Personal Information relates.

CHOICE:

JCAP will offer the opportunity to choose whether their Personal Information is to be used for a purpose other than the purpose for which it was originally collected or subsequently authorized by the individual. JCAP will provide clear and informed methods to exercise their choices.

ONWARD TRANSFER:

In cases of onward transfer to third parties of data of EU or United Kingdom individuals received pursuant to the EU-US Data Privacy Framework, JCAP is liable unless we can prove we were not a party to the events giving rise to the damages. JCAP will obtain assurances from its Agents that they will safeguard Personal Information consistently with this Policy. Examples of appropriate assurances that may be provided by Agents include: a contract obligating the Agent to provide at least the same level of protection as is required by the relevant DPF Principles, Data Privacy Framework certification by the Agent, or being subject to another European Commission adequacy finding. Where JCAP has knowledge that an Agent is using or disclosing Personal Information in a manner contrary to this Policy, JCAP will take reasonable steps to prevent or stop the use or disclosure.

ACCESS AND CORRECTION:

Upon request, JCAP will grant reasonable access to Personal Information that it holds. In addition, JCAP will take reasonable steps to permit Consumers and Employees to correct, amend, or delete information that is demonstrated to be inaccurate or incomplete.

SECURITY:

JCAP will take reasonable precautions to protect Personal Information in its possession from loss, misuse and unauthorized access, disclosure, alteration and destruction. We restrict access to Personal Information to employees who need to know that information to provide services. We maintain physical, electronic and procedural safeguards that comply with applicable laws to guard Personal Information.

DATA INTEGRITY:

JCAP will use Personal Information only in ways that are compatible with the purposes for which it was collected or subsequently authorized by the individual. JCAP will take reasonable steps to ensure that Personal Information is relevant to its intended use, accurate, complete, and current.

ENFORCEMENT:

JCAP is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). Any Employee that JCAP determines is in violation of this policy may be subject to disciplinary action up to and including termination of employment.

DISPUTE RESOLUTION:

Any questions or concerns regarding the use or disclosure of Personal Information should be directed to ‘Department Privacy’ at the address given below. In compliance with the EU-US Data Privacy Framework EU-U.S. DPF and the UK Extension, to the EU-U.S., JCAP commits to resolve complaints about your privacy and our collection or use of your personal information transferred to the U.S. pursuant to the EU-U.S. DPF. Individuals with inquiries or complaints should first contact JCAP at:

JCAP
Department Privacy
200 14th Avenue E
Sartell, MN 56377
USA
Privacy@JCap.com

JCAP has further committed to refer unresolved DPF Principles-related complaints to a U.S.-based independent dispute resolution mechanism, DATA PRIVACY FRAMEWORK SERVICES, operated in the U.S. by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit www.bbbprograms.org/dpf-complaints for more information and to file a complaint. This service is provided free of charge to you. If your DPF complaint cannot be resolved through these above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. Seehttps://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf.

Section 7: Limitation on Application of Data Privacy Framework Principles

Adherence by JCAP to these DPF Principles may be limited (a) to the extent required to respond to a legal or ethical obligation; (b) to the extent necessary to meet national security, public interest or law enforcement obligations; and (c) to the extent expressly permitted by an applicable law, rule or regulation.

Section 8: What information do we collect?

• Contact Information

Information provided to us to enable us to contact you. Examples may include name, email address, mailing address, telephone number, etc. Contact information may identify you personally.

• Billing/Address Information

Information you may provide to us, which may include credit card number, bank information, billing address, billing contact name, telephone numbers, email address, etc. Billing information may identify you personally.

• Password Information

Information that allows you to access the services we provide, technical support, ticketing system and any third-party services provided through us. Examples may include user ID, invitation number, account number, access and permission levels, password, etc. Password information does not identify you personally, but it may when associated with other information.

• Technical Information

Information that allows us to configure the services we provide so that they are more easily provided to you. Examples may include your IP address, browser type, referring/exit pages, operating system, affiliate id, etc. Technical information does not identify you personally, but it may when associated with other information.

• Internet Data

Some information about your IP address, web browser, and computer system are automatically transmitted to our web servers as an integral part of the operation of the Internet. Thus, if you use our internet site(s) after reviewing the terms of use and/or receiving proper disclosure, we reserve the right to automatically collect and/or track: 1) The home server domain names, email addresses, type of computer, and type of web browsers of visitors to our web site and 2) Information on what pages of our web site visitors’ access. Internet data does not identify you personally, but it may when associated with other information.

• Voluntary Information

Information you choose to provide to us and that is not necessary for the operation of the services we provide. Examples may include acceptance of an offer extended to you, your endorsement of us and your connections to us in social networks, etc. It is your decision whether you include information that identifies you personally when you provide voluntary information to us.

Section 9: How do we use the information we collect?

We may collect non-public personal information about you as permitted by law from:

• Your transactions with us
• Applications or other forms that you provide to us

We may disclose non-public personal information about you to third parties, such as business partners, vendors, and credit reporting agencies. We will disclose information about you only to the extent that it is: (a) specifically directed by you; (b) permitted by applicable law and (c) not prohibited by other applicable law.

We use your Personal Information to send you information about our company, process requests for services, and to contact you when necessary. You will be permitted to opt out prior to using your Personal Information for any other purpose. We also may be required to disclose an individual’s Personal Information in response to a lawful request by public authorities, including to meet national security or law enforcement requirements. We may also use the information we collect to improve the content of our website(s).

Section 10: Method to access and ability to correct personal information

An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data, should direct their query via email to Privacy@JCap.com. If requested to provide or remove data, we will respond within a reasonable timeframe or within the timeframe as required by applicable law.

Section 11: Online Privacy

COOKIES:

We may use cookies to keep track of your interaction and time spent on this site(s) or related websites. We may also use them to recognize return visitors and to track our promotions. We may collect personally identifiable information from visitors in the way of online forms but only where visitors volunteer such information. We may also collect information about how visitors interact with our website. This information may be obtained through the analysis of server logs and through the use of “cookies” placed on user machines. A cookie is a piece of software that a web server can store on a computer system to identify the visitor if they visit the website again. All of the information that we collect through the use of cookies from visitors is not personally identifiable. However, it may be associated with personally identifiable information that visitors provide us through our website(s). We gather this information for internal use only and will never authorize the release of this information with anyone outside of our company. Most browsers are initially configured to accept and process cookies. You can configure your browser to refuse cookies, however, certain online interactions may be negatively affected by such a configuration. Most browsers allow you to configure them to notify you when you receive a cookie and to thereby allow you to decide whether to accept that cookie. We reserve the right to use cookies on our website(s).

INTERNET DATA SECURITY AND INTEGRITY:

We make every effort to follow industry standard security measures to prevent the loss, misuse and alteration of the information under our control. However, no information transmitted on the internet or stored on servers is 100% secure. Fraudulent people exist, software and hardware can malfunction, and people make mistakes. As a result, we cannot guarantee that any information covered by this Policy will be absolutely secure.

DO NOT TRACK BROWSER REQUESTS:

At this time, we do not respond to “do not track” signals sent from browsers.

Section 12: SMS/Text Messaging

To facilitate consumer preference in a digital environment, our SMS JCAP Outreach (SMS/TXT program/system) provides efficient two-way communication. By providing your mobile number, you give permission to send you account-related text messages, like payment reminders and notifications, in conjunction with the services we provide.

• By providing your mobile number, you agree you have ownership rights, and we have permission to use the number given
• The number of messages will vary by account
• Message and data rates may apply
• You are able to opt-out at any time by replying STOP to any of the messages we have sent. An opt-out confirmation will be sent back to you
• You are able to request additional information or assistance by replying HELP to any of the messages we have sent
• If your handset does not support MMS, any MMS messages sent may be delivered as SMS messages
• Wireless carriers are not liable for undelivered or delayed messages

Section 13: Contact Us

If you have questions regarding this Policy or about the privacy practices of JCAP, please contact us at: Privacy@JCap.com.

Section 14: Changes to this Privacy Policy

We may update this Privacy Policy from time to time. We will post our Privacy Policy on our website(s) and will update the "Effective" date to reflect the date of any changes and to reflect a review that occurs at least annually.

Effective October 18. 2023