LEGAL

CodeWaves Solutions Private Limited ("CodeWaves", "we", "us", or "our") is committed to protecting the privacy of individuals who access and use our Services. This Privacy Policy describes how we collect, use, share, and safeguard personal information through our website, applications, and any associated services, tools, or communications (collectively, the "Services"), including our AI-powered video reframing product, Tracer. By accessing or using the Services, you agree to the practices described in this Privacy Policy and consent to the collection, use, and disclosure of your information as outlined herein. This Policy is incorporated into and forms part of our Terms of Service. If you do not agree with our practices, please do not use the Services. We handle your personal information in accordance with applicable data protection laws, including India's Digital Personal Data Protection Act, 2023 (DPDPA), and other relevant regulations. We encourage you to read this Policy carefully to understand our practices and how you can exercise your rights. If you have any questions or concerns, please contact us using the details provided in the "Contact Us" section below.

We collect information necessary to provide and improve our Services. The information we collect depends on how you interact with us and may include the following: Information You Provide Directly: • Account and Profile Information: When you create an account, we collect identifiers such as your name, email address, and authentication details (including credentials provided via Google Sign-In). • Video Uploads and Content: When you use Tracer, we collect the video files you upload for processing, along with associated metadata such as file name, size, duration, and format. Videos may contain visual content including faces and other biometric-adjacent information. • Payment and Billing Information: If you subscribe to a paid plan, we collect transaction records processed through third-party payment providers. We do not store full card numbers on our servers. • Support and Communication Records: When you contact us for support or feedback, we collect your contact details and the content of your communications. Information We Collect Automatically: • Device and Technical Information: IP address, browser type and version, operating system, device type, and language settings. • Usage and Interaction Data: Access times, features used, pages viewed, session duration, navigation paths, and error logs. • Log and Diagnostic Data: System-generated logs that support debugging, performance monitoring, and security. • Approximate Location: Inferred from your IP address for localization and security purposes only. Information from Third Parties: • Authentication Providers: If you sign in with Google, we receive your name, email address, and profile photo as authorised by Google's OAuth flow. • Analytics Providers: Aggregated or pseudonymised data to help us evaluate platform usage and feature effectiveness. • Payment Processors: Transaction status, subscription state, and billing dispute information. We do not collect sensitive personal data beyond what is incidentally present in user-uploaded video content, and we do not sell your personal information.

We use the information we collect for the following purposes: • To Provide and Operate the Services: To deliver, maintain, and administer the Services, including enabling you to upload videos, run the Tracer AI pipeline, and receive processed outputs. • To Process and Deliver AI Pipeline Results: Your uploaded videos are passed through our GPU-based machine learning pipeline (subject to the safeguards in the "AI Processing" section below) solely to produce the reframed video output you requested. • To Improve and Optimise the Services: We analyse usage patterns, session behaviour, error logs, and aggregated data to troubleshoot issues, enhance performance, and develop new features. • To Process Payments and Manage Subscriptions: To facilitate purchases, confirm transactions, send invoices, handle failed payments, and manage your subscription status. • To Communicate with You: For account notifications, service updates, support responses, and — where you have opted in — promotional communications. • To Secure the Platform and Enforce Policies: To monitor for suspicious activity, detect fraud or abuse, authenticate accounts, and enforce our Terms of Service. • To Comply with Legal and Regulatory Obligations: As required by applicable laws, court orders, or governmental requests. • To Defend Our Legal Rights: As necessary to enforce our legal rights, pursue available remedies, or defend against claims. We do not use your personal information to make fully automated decisions that have a legal or similarly significant impact on you without human oversight.

Tracer processes the video files you upload through a multi-stage machine learning pipeline running on secure GPU infrastructure hosted on AWS (ap-south-1). The following governs how your video data is handled: • Purpose Limitation: Your uploaded videos are processed exclusively for the purpose of generating the reframed output you requested. We do not use your video content to train, fine-tune, or improve our AI models without your explicit consent. • Retention: Uploaded videos and their processed outputs are stored in encrypted AWS S3 storage and are automatically deleted 30 days after upload under a lifecycle policy. You may request earlier deletion at any time. • No Third-Party Sharing: Your video content is not shared with, sold to, or accessible by any third party outside of the infrastructure providers necessary to operate the pipeline (AWS). • Biometric Consideration: Videos may incidentally contain facial data. We do not extract, store, or create biometric identifiers. Face detection is performed in-memory during pipeline processing and is not persisted after job completion.

We do not sell your personal information. We may share your information only in the following limited circumstances: • Service Providers and Infrastructure Partners: We share data with trusted third-party service providers (such as AWS for cloud infrastructure, payment processors for billing, and Google for authentication) who assist in operating our Services. These providers are bound by confidentiality and data processing agreements. • Legal Compliance: We may disclose information if required by applicable law, court order, regulatory authority, or governmental request, including under India's DPDPA or any other applicable jurisdiction. • Business Transfers: In the event of a merger, acquisition, restructuring, or sale of assets, your data may be transferred to the successor entity, subject to equivalent privacy protections. • Protection of Rights: We may disclose information as necessary to enforce our Terms of Service, protect the rights, property, or safety of CodeWaves, our users, or the public. Any third party with whom we share data is required to handle it in accordance with applicable data protection laws and our contractual requirements.

We use cookies and similar technologies on our website and platform for the following purposes: • Essential Cookies: Required for core functionality such as user authentication, session management, and security. These cannot be disabled. • Analytics Cookies: Help us understand how visitors interact with our site. These are anonymised or pseudonymised and do not identify individual users. You may opt out by adjusting your browser settings or using standard opt-out mechanisms. • Preference Cookies: Remember your settings and preferences to improve your experience. We do not use third-party advertising or cross-site tracking cookies. For detailed cookie information or to manage your preferences, contact us at sagar@codewaves.co.

• Storage Location: All user data is stored on Amazon Web Services (AWS) infrastructure in the Asia Pacific (Mumbai) region (ap-south-1), within India's data residency. • Encryption: Data is encrypted in transit using TLS and at rest using AES-256 encryption on S3 and DynamoDB. • Access Controls: Access to personal data is restricted to authorised personnel on a least-privilege basis. Our infrastructure uses IAM roles with scoped permissions. • Retention: Account data is retained for as long as your account is active. Uploaded videos and processed outputs are deleted after 30 days. You may request deletion at any time. • Security Practices: We implement industry-standard security measures including VPC network isolation, audit logging, and periodic security reviews. • No Guarantee: No method of transmission over the Internet is 100% secure. While we commit to best practices, we cannot guarantee absolute security against all threats.

Subject to applicable law, you have the following rights regarding your personal data: • Right to Access: Request a copy of the personal data we hold about you. • Right to Correction: Request correction of inaccurate or incomplete personal data. • Right to Erasure: Request deletion of your personal data. Note that some data may be retained for legal compliance purposes. • Right to Restriction: Request that we restrict processing of your data in certain circumstances. • Right to Data Portability: Receive your personal data in a structured, machine-readable format. • Right to Withdraw Consent: Where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing. • Right to Grievance Redressal: Under India's DPDPA, you have the right to raise a grievance with us as the Data Fiduciary. To exercise any of these rights, contact us at sagar@codewaves.co. We will respond within 30 days. If you are unsatisfied with our response, you may escalate to the relevant Data Protection Board under the DPDPA.

Our Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from minors. If we become aware that a child under 18 has provided us personal data without verifiable parental consent, we will delete it promptly. If you believe a minor has submitted data to us, please contact us immediately at sagar@codewaves.co.

Our website or Services may contain links to third-party websites or integrate with third-party services (such as Google Sign-In or payment processors). This Privacy Policy applies only to CodeWaves' Services. We are not responsible for the privacy practices of third-party services and encourage you to review their policies independently.

We may update this Privacy Policy from time to time to reflect changes in our Services, applicable law, or business practices. When we make material changes, we will notify you by posting the updated policy on this page with a revised effective date and, where required by law, by sending you a direct notification. Continued use of our Services after the effective date constitutes your acceptance of the updated policy.

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact our Data Fiduciary representative: Email: sagar@codewaves.co Company: CodeWaves Solutions Private Limited Registered in India We are committed to resolving complaints and will respond within 30 days of receiving your request.