This Privacy Notice for Cimon Lampa (doing business as Impalads) ("we", "us", or "our"), describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:

• Visit our website at https://www.impalads.ai, or any website of ours that links to this Privacy Notice
• Use Impalads. Impalads is a performance marketing platform for B2B and B2C companies who run paid advertising on Meta, Google Ads, LinkedIn, and other ad platforms. Customers connect their ad accounts via OAuth, generate ad creatives (image and video), launch campaigns, and feed offline conversion data back to optimize ROAS over time.
• Engage with us in other related ways, including any marketing or events

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at privacy@impalads.ai.

This summary provides key points from our Privacy Notice, but you can find out more details about any of these topics by clicking the link following each key point or by using our table of contents below to find the section you are looking for.

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us and the Services, the choices you make, and the products and features you use. Learn more about personal information you disclose to us.

Do we process any sensitive personal information? Some of the information may be considered "special" or "sensitive" in certain jurisdictions. We do not process sensitive personal information.

Do we collect any information from third parties? We may collect information from public databases, marketing partners, social media platforms, and other outside sources. Learn more about information collected from other sources.

How do we process your information? We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We may also process your information for other purposes with your consent. We process your information only when we have a valid legal reason to do so. Learn more about how we process your information.

In what situations and with which parties do we share personal information? We may share information in specific situations and with specific categories of third parties. Learn more about when and with whom we share your personal information.

How do we keep your information safe? We have adequate organisational and technical processes and procedures in place to protect your personal information. However, no electronic transmission over the internet or information storage technology can be guaranteed to be 100% secure. Learn more about how we keep your information safe.

What are your rights? Depending on where you are located geographically, the applicable privacy law may mean you have certain rights regarding your personal information. Learn more about your privacy rights.

How do you exercise your rights? The easiest way to exercise your rights is by submitting a data subject access request, or by contacting us. We will consider and act upon any request in accordance with applicable data protection laws.

1. WHAT INFORMATION DO WE COLLECT?
2. HOW DO WE PROCESS YOUR INFORMATION?
3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?
4. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
5. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
6. DO WE OFFER ARTIFICIAL INTELLIGENCE-BASED PRODUCTS?
7. HOW DO WE HANDLE YOUR SOCIAL LOGINS?
8. IS YOUR INFORMATION TRANSFERRED INTERNATIONALLY?
9. HOW LONG DO WE KEEP YOUR INFORMATION?
10. HOW DO WE KEEP YOUR INFORMATION SAFE?
11. DO WE COLLECT INFORMATION FROM MINORS?
12. WHAT ARE YOUR PRIVACY RIGHTS?
13. CONTROLS FOR DO-NOT-TRACK FEATURES
14. DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?
15. DO OTHER REGIONS HAVE SPECIFIC PRIVACY RIGHTS?
16. DO WE MAKE UPDATES TO THIS NOTICE?
17. HOW CAN YOU CONTACT US ABOUT THIS NOTICE?
18. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?

In Short: We collect personal information that you provide to us.

We collect personal information that you voluntarily provide to us when you register on the Services, express an interest in obtaining information about us or our products and Services, when you participate in activities on the Services, or otherwise when you contact us.

Personal Information Provided by You. The personal information that we collect depends on the context of your interactions with us and the Services, the choices you make, and the products and features you use. The personal information we collect may include the following:

• names
• email addresses
• usernames
• contact preferences
• contact or authentication data
• billing addresses
• debit/credit card numbers

Sensitive Information. We do not process sensitive information.

Payment Data. We may collect data necessary to process your payment if you choose to make purchases, such as your payment instrument number, and the security code associated with your payment instrument. All payment data is handled and stored by Stripe. You may find their privacy notice link(s) here: https://stripe.com/privacy.

Social Media Login Data. We may provide you with the option to register with us using your existing social media account details, like your Facebook, X, or other social media account. If you choose to register in this way, we will collect certain profile information about you from the social media provider, as described in the section called "HOW DO WE HANDLE YOUR SOCIAL LOGINS?" below.

All personal information that you provide to us must be true, complete, and accurate, and you must notify us of any changes to such personal information.

In Short: Some information — such as your Internet Protocol (IP) address and/or browser and device characteristics — is collected automatically when you visit our Services.

We automatically collect certain information when you visit, use, or navigate the Services. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use our Services, and other technical information. This information is primarily needed to maintain the security and operation of our Services, and for our internal analytics and reporting purposes.

Like many businesses, we also collect information through cookies and similar technologies. You can find out more about this in our Cookie Notice: https://impalads.ai/cookies.

The information we collect includes:

• Log and Usage Data. Log and usage data is service-related, diagnostic, usage, and performance information our servers automatically collect when you access or use our Services and which we record in log files. Depending on how you interact with us, this log data may include your IP address, device information, browser type, and settings and information about your activity in the Services (such as the date/time stamps associated with your usage, pages and files viewed, searches, and other actions you take such as which features you use), device event information (such as system activity, error reports (sometimes called "crash dumps"), and hardware settings).
• Device Data. We collect device data such as information about your computer, phone, tablet, or other device you use to access the Services. Depending on the device used, this device data may include information such as your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider and/or mobile carrier, operating system, and system configuration information.
• Location Data. We collect location data such as information about your device's location, which can be either precise or imprecise. How much information we collect depends on the type and settings of the device you use to access the Services. For example, we may use GPS and other technologies to collect geolocation data that tells us your current location (based on your IP address). You can opt out of allowing us to collect this information either by refusing access to the information or by disabling your Location setting on your device. However, if you choose to opt out, you may not be able to use certain aspects of the Services.

Our use of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

In Short: We may collect limited data from public databases, marketing partners, social media platforms, and other outside sources.

In order to enhance our ability to provide relevant marketing, offers, and services to you and update our records, we may obtain information about you from other sources, such as public databases, joint marketing partners, affiliate programs, data providers, social media platforms, and from other third parties. This information includes mailing addresses, job titles, email addresses, phone numbers, intent data (or user behaviour data), Internet Protocol (IP) addresses, social media profiles, social media URLs, and custom profiles, for purposes of targeted advertising and event promotion.

If you interact with us on a social media platform using your social media account (e.g. Facebook or X), we receive personal information about you from such platforms such as your name, email address, and gender. You may have the right to withdraw your consent. Any personal information that we collect from your social media account depends on your social media account's privacy settings. Please note that their own use of your information is not governed by this Privacy Notice.

In Short: We process your information to provide, improve, and administer our Services, communicate with you, for security and fraud prevention, and to comply with law. We process the personal information for the following purposes listed below. We may also process your information for other purposes only with your prior explicit consent.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

• To facilitate account creation and authentication and otherwise manage user accounts.
• To deliver and facilitate delivery of services to the user.
• To respond to user inquiries/offer support to users.
• To send administrative information to you.
• To request feedback.
• To send you marketing and promotional communications. You can opt out at any time. See "WHAT ARE YOUR PRIVACY RIGHTS?" below.
• To deliver targeted advertising to you. See our Cookie Notice: https://impalads.ai/cookies.
• To protect our Services (fraud monitoring and prevention).
• To identify usage trends.
• To determine the effectiveness of our marketing and promotional campaigns.
• To save or protect an individual's vital interest.

In Short: We only process your personal information when we believe it is necessary and we have a valid legal reason (i.e. legal basis) to do so under applicable law, like with your consent, to comply with laws, to provide you with services to enter into or fulfil our contractual obligations, to protect your rights, or to fulfil our legitimate business interests.

If you are located in the EU or UK, this section applies to you.

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on in order to process your personal information. As such, we may rely on the following legal bases:

• Consent. You can withdraw your consent at any time.
• Performance of a Contract.
• Legitimate Interests. Including: send users information about special offers and discounts; develop personalised advertising; analyse Service usage; support marketing; diagnose problems and prevent fraud; understand user behaviour to improve UX.
• Legal Obligations.
• Vital Interests.

If you are located in Canada, this section applies to you.

We may process your information based on express or implied consent. You can withdraw your consent at any time. In some exceptional cases, we may be legally permitted under applicable law to process your information without your consent (interests of individual, fraud investigations, business transactions, witness statements/insurance claims, identifying deceased/ill persons, suspected financial abuse, court orders/subpoenas, journalistic/artistic purposes, publicly available information, de-identified research).

In Short: We may share information in specific situations described in this section and/or with the following categories of third parties.

Vendors, Consultants, and Other Third-Party Service Providers. We may share your data with third-party vendors, service providers, contractors, or agents who perform services for us. We have contracts in place with our third parties designed to safeguard your personal information.

The categories of third parties we may share personal information with are:

• Ad Networks
• AI Platforms
• Affiliate Marketing Programs
• Data Analytics Services
• Cloud Computing Services
• Data Storage Service Providers
• Government Entities
• Payment Processors
• Performance Monitoring Tools
• Retargeting Platforms
• Sales & Marketing Tools
• Social Networks
• Website Hosting Service Providers
• User Account Registration & Authentication Services

We also may need to share your personal information in the following situations:

• Business Transfers. In connection with any merger, sale of company assets, financing, or acquisition.

In Short: We may use cookies and other tracking technologies to collect and store your information.

We may use cookies and similar tracking technologies (like web beacons and pixels) to gather information when you interact with our Services. Some online tracking technologies help us maintain the security of our Services and your account, prevent crashes, fix bugs, save your preferences, and assist with basic site functions.

We also permit third parties and service providers to use online tracking technologies on our Services for analytics and advertising.

To the extent these online tracking technologies are deemed to be a "sale"/"sharing" under applicable US state laws, you can opt out as described under "DO UNITED STATES RESIDENTS HAVE SPECIFIC PRIVACY RIGHTS?"

Cookie Notice: https://impalads.ai/cookies.

We may share your information with Google Analytics. Features used may include: Remarketing with Google Analytics, Google Display Network Impressions Reporting, and Google Analytics Demographics and Interests Reporting. Opt out: https://tools.google.com/dlpage/gaoptout, Ads Settings, optout.networkadvertising.org. Google Privacy & Terms.

In Short: We offer products, features, or tools powered by artificial intelligence, machine learning, or similar technologies.

As part of our Services, we offer products powered by AI ("AI Products").

We provide AI Products through third-party service providers ("AI Service Providers"), including fal.ai and Anthropic. Your input, output, and personal information will be shared with and processed by these AI Service Providers.

• AI applications
• AI document generation
• AI insights
• AI predictive analytics
• Image generation
• Image analysis
• Video generation
• Natural language processing
• Text analysis

In Short: If you choose to register or log in to our Services using a social media account, we may have access to certain information about you.

Our Services offer you the ability to register and log in using your third-party social media account details (like your Facebook or X logins). We will receive profile information about you from your social media provider, which may include your name, email address, friends list, and profile picture.

We will use the information we receive only for the purposes that are described in this Privacy Notice. We do not control, and are not responsible for, other uses of your personal information by your third-party social media provider.

In Short: We may transfer, store, and process your information in countries other than your own.

Our servers are located in the United States and Sweden. Your information may also be transferred to facilities of third parties in Ireland, United States, and other countries.

If you are a resident in the European Economic Area (EEA), United Kingdom (UK), or Switzerland, these countries may not necessarily have data protection laws as comprehensive as those in your country. However, we will take all necessary measures to protect your personal information in accordance with this Privacy Notice and applicable law.

European Commission's Standard Contractual Clauses: We have implemented measures to protect personal information, including using the European Commission's Standard Contractual Clauses for transfers between us and our third-party providers. Our Standard Contractual Clauses can be provided upon request.

In Short: We keep your information for as long as necessary to fulfil the purposes outlined in this Privacy Notice unless otherwise required by law.

No purpose in this notice will require us keeping your personal information for longer than six (6) months past the termination of the user's account, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise such information.

In Short: We aim to protect your personal information through a system of organisational and technical security measures.

We have implemented appropriate and reasonable technical and organisational security measures. However, despite our safeguards, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure. You should only access the Services within a secure environment.

In Short: We do not knowingly collect data from or market to children under 18 years of age or the equivalent age as specified by law in your jurisdiction.

By using the Services, you represent that you are at least 18 or the equivalent age as specified by law in your jurisdiction, or that you are the parent or guardian of such a minor. If we learn that personal information from users less than 18 has been collected, we will deactivate the account and delete such data. Contact us at privacy@impalads.ai.

In Short: Depending on your state of residence in the US or in some regions (EEA, UK, Switzerland, Canada), you have rights that allow you greater access to and control over your personal information.

In some regions (like the EEA, UK, Switzerland, and Canada), you have certain rights including: (i) access and copy, (ii) rectification or erasure, (iii) restrict processing, (iv) data portability, and (v) not be subject to automated decision-making. You can make such a request by contacting us at "HOW CAN YOU CONTACT US ABOUT THIS NOTICE?" below.

EEA/UK complaints: Member State data protection authority or UK data protection authority. Switzerland: Federal Data Protection and Information Commissioner.

Withdrawing your consent: You have the right to withdraw your consent at any time by contacting us. This will not affect the lawfulness of processing before withdrawal.

Opting out of marketing and promotional communications: Unsubscribe link in emails or contact us. You will then be removed from marketing lists, but we may still communicate with you about service-related messages.

If you would at any time like to review or change the information in your account or terminate your account, you can log in to your account settings or contact us. Upon termination, we may retain some information to prevent fraud, troubleshoot problems, assist with investigations, or comply with legal requirements.

Cookies and similar technologies: Most Web browsers are set to accept cookies by default. You can choose to remove or reject cookies. See our Cookie Notice: https://impalads.ai/cookies.

If you have questions or comments about your privacy rights, you may email us at privacy@impalads.ai.

Most web browsers and some mobile operating systems and mobile applications include a Do-Not-Track ("DNT") feature. At this stage, no uniform technology standard for recognising and implementing DNT signals has been finalised. As such, we do not currently respond to DNT browser signals.

Global Privacy Control: We recognize and honor Global Privacy Control (GPC) signals. If you use a browser or extension that supports GPC, we will treat this as a valid request to opt out of the sale or sharing of your personal information for targeted advertising purposes under applicable state privacy laws, including CCPA. Visit globalprivacycontrol.org.

In Short: If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have rights to access, correct, copy, or delete your personal information.

Category	Examples	Collected
A. Identifiers	Contact details: real name, alias, postal address, phone, IP address, email, account name	YES
B. Personal information (California Customer Records statute)	Name, contact, education, employment, financial information	YES
C. Protected classification characteristics	Gender, age, race, ethnicity, marital status	NO
D. Commercial information	Transaction information, purchase history, payment information	YES
E. Biometric information	Fingerprints and voiceprints	NO
F. Internet or other similar network activity	Browsing history, search history, online behaviour, interactions with our and other websites	YES
G. Geolocation data	Device location	YES
H. Audio, electronic, sensory information	Images, audio, video or call recordings	NO
I. Professional or employment-related information	Business contact details, job title, work history	NO
J. Education Information	Student records and directory information	NO
K. Inferences drawn from collected personal information	Profile/summary about preferences and characteristics	NO
L. Sensitive personal information	—	NO

Retention: Category A — 6 months; Category B — 6 months; Categories D, F, G — As long as the user has an account with us.

You have rights under certain US state data protection laws. These include:

• Right to know whether or not we are processing your personal data
• Right to access your personal data
• Right to correct inaccuracies in your personal data
• Right to request the deletion of your personal data
• Right to obtain a copy of the personal data you previously shared with us
• Right to non-discrimination for exercising your rights
• Right to opt out of targeted advertising, sale of personal data, or profiling

To exercise these rights, contact us by submitting a data subject access request, by emailing us at privacy@impalads.ai, or by visiting impalads.ai/contact.

We honour Global Privacy Control (GPC) signals.

California Civil Code Section 1798.83 permits California residents to request and obtain from us, once a year and free of charge, information about categories of personal information disclosed to third parties for direct marketing purposes. Submit such requests via the contact details below.

In Short: You may have additional rights based on the country you reside in.

We collect and process your personal information under the obligations and conditions set by Australia's Privacy Act 1988 and New Zealand's Privacy Act 2020. You have the right to request access to or correction of your personal information.

Complaints: Office of the Australian Information Commissioner / Office of New Zealand Privacy Commissioner.

Contact: The Information Regulator (South Africa). Enquiries: enquiries@inforegulator.org.za. Complaints: PAIAComplaints@inforegulator.org.za & POPIAComplaints@inforegulator.org.za.

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Revised" date.

If you have questions or comments about this notice, you may contact our Data Protection Officer (DPO) by email at privacy@impalads.ai, or contact us by post at:

Cimon Lampa
Data Protection Officer
Havregatan 9
Stockholm, Stockholm 11859
Sweden

Based on the applicable laws of your country or state of residence in the US, you may have the right to request access, correction, or deletion of your personal information, or to withdraw your consent. To request to review, update, or delete your personal information, please submit a data subject access request.