Article 1. Scope of Application

This Privacy Policy (hereinafter "this Policy") is issued by Alphora Group (hereinafter "the Company," "we," "us," or "our") pursuant to the Personal Data Protection Act (hereinafter "PDPA") of the Republic of China (Taiwan) and its implementing regulations, to provide legally required notice regarding the collection, processing, and use of personal data in connection with the Alphora Insights platform (hereinafter "the Platform" or "the Service").

This Policy applies to all circumstances in which a user accesses the Platform via the website, mobile device, or desktop application to complete account registration, apply for a subscription, use AI-powered analytics features, query financial data, or communicate with the Company's customer service personnel.

This Policy does not apply to third-party websites or applications accessible via hyperlinks from the Platform. Each third party's processing of personal data is governed exclusively by its own privacy policy. The Company bears no responsibility for any third party's data processing activities.

Article 2. Categories of Personal Data Collected

The Company collects the following categories of personal data in accordance with the PDPA:

Item 1 — Basic Identifying Information

Account login identifiers, email addresses, and account security verification information. Where a user chooses to log in using a third-party account, the Company will obtain, within the scope of user authorization, the user's email address, display name, and unique account identifier.

Item 2 — Account Settings and Usage Preference Data

Nationality, place of residence, language preference settings, subscription plan information, watchlists, alert conditions, portfolio tracking records, and notification execution status.

Item 3 — Subscription and Billing Data

Subscription status, plan type, billing cycle, payment event metadata, invoice information, and dispute-related records. The Company does not independently store complete credit card numbers, financial account numbers, or card verification codes. Such payment instrument sensitive data is processed directly by a PCI-DSS-compliant third-party payment processor, as described in Article 5.

Item 4 — AI Interaction Data

Query commands and conversation content entered by users in the AI features interface, system response records, and feature usage records. Users must not enter financial account numbers, national identification numbers, passport numbers, personal health information, or trade secrets into the AI interface. The Company bears no liability for any damages arising from a user's violation of this restriction; all such liability is borne entirely by the user.

Item 5 — Technical and Device Data

Internet Protocol (IP) addresses, browser type and version, device type and operating system, connection timestamps, and system logs.

Item 6 — Cookie and Tracking Technology Data

As governed by Article 10 of this Policy.

Item 7 — Usage Behavioral Data

Page browsing records, feature click paths, search query keywords, feature usage frequency, session duration, and error logs.

Item 8 — Customer Service and Communications Data

Issue descriptions, ticket records, and user feedback submitted through customer service channels.

Item 9 — Behavioral Analytics and Statistical Inference Data

The Company may use algorithms to infer user interest preferences, feature usage patterns, and service satisfaction from user behavioral data, for the purposes of service optimization and feature improvement. Such inferred data is processed in de-identified form and is not used in a manner that identifies specific individuals. The Company does not use such inferred data to provide any form of investment advice or financial advisory services.

The Company expressly does not collect race, religion, political affiliation, sexual orientation, personal health records, or any special categories of personal data under Article 6 of the PDPA, except where a user voluntarily provides such information through customer service communications.

Article 3. Purposes and Legal Basis for Collection

The Company collects, processes, and uses personal data exclusively for the following purposes:

• Account creation and identity verification, service provision and operations, subscription and billing management, AI feature responses, and storage of user preference data: Legal basis is a contractual or quasi-contractual relationship (PDPA Article 19, Paragraph 1, Subparagraph 2);
• Platform security monitoring, anomaly detection, fraud and misconduct prevention, regulatory compliance, cooperation with judicial proceedings, and regulatory authority requirements: Legal basis is explicit statutory provision (PDPA Article 19, Paragraph 1, Subparagraph 1);
• Service performance analysis, A/B testing, and internal research using de-identified or anonymized data: Legal basis is public interest or data subject's consent (PDPA Article 19, Paragraph 1, Subparagraph 6);
• Marketing communications (if the Company develops such activities): To be conducted only after obtaining affirmative opt-in consent through a separate, independent checkbox, with a mechanism for withdrawal at any time.

If the Company intends to process personal data for purposes other than those listed above, it will first obtain the user's explicit consent in accordance with the PDPA, and will proceed only after such consent is obtained.

Article 4. Third-Party Login Account Data

Where a user chooses to log in to the Service using a third-party account, the Company may obtain, through the applicable third-party authorization mechanism, the account information the user authorizes for disclosure, including email address, display name, and unique identifier. Such data is used solely for account creation, identity verification, account linking, security management, and access control. The Company does not sell such data and does not use it for advertising targeting or behavioral tracking purposes.

Article 5. Payment Processing and Billing Data Protection

The Company engages a PCI-DSS-compliant third-party payment processor to handle all subscription payment transactions. Complete credit card numbers, financial account numbers, and card verification codes are received and processed directly by the payment processor's secure payment environment; the Company's servers do not store, log, or access such complete payment data. Accordingly, the Company bears no liability for the security of payment data.

The Company retains only the billing metadata necessary to provide the Service, including invoice reference numbers, customer identifiers, payment status, subscription plan status, and billing cycle information. The retention period for such billing metadata is determined by applicable tax law requirements; if no mandatory legal provision applies, the retention period shall not exceed one (1) year, after which the data is automatically deleted or de-identified.

The third-party payment processor's handling of payment data is subject to its own terms of service and privacy policy. The Company bears no liability for any action of the payment processor, including any data breach event.

Article 6. Disclosure and Delegation of Personal Data Processing

The Company does not sell, rent, or exchange users' personal data with any unauthorized third party for commercial purposes. Within the scope necessary for the purposes of collection, the Company may provide, share, or delegate the processing of personal data to the following recipients only:

• The Company's employees and authorized personnel (limited to what is necessary for the performance of their duties, subject to confidentiality obligations under the PDPA);
• Cloud hosting and infrastructure service providers (providing services under data processing agreements that specify data use restrictions);
• Identity verification service providers (e.g., Google, solely for account login and verification purposes);
• Payment processing service providers (solely for the minimum data necessary for billing management and dispute resolution);
• AI model service providers (limited to what is necessary to provide the Service, processed in de-identified or pseudonymized form);
• Analytics and monitoring service providers (processed in anonymized or pseudonymized form);
• Customer support platforms (providing only the minimum necessary data in accordance with the principle of data minimization);
• Legal, accounting, or other professional advisors (to the extent necessary for dispute resolution or legal proceedings);
• Government authorities or law enforcement (pursuant to statutory provisions, court orders, or regulatory authority requirements; the Company is entitled to cooperate without notifying the user).

The Company will contractually require third-party service providers entrusted with processing personal data to comply with confidentiality obligations and data use restrictions; however, the Company bears no joint liability for the acts of such service providers.

Article 7. AI Data Processing Policy

• User interaction data with the Service is used solely for real-time service provision and for service optimization and analysis in de-identified or anonymized form. Use beyond the foregoing purposes shall require additional consent in accordance with the PDPA.
• AI interaction logs are retained for no more than thirty (30) days and are automatically deleted upon expiration, unless otherwise required by applicable law.
• The Company currently does not use personally identifiable interaction data to train or optimize AI models. If the Company intends to change this practice in the future, it will notify users in advance through appropriate means, and will proceed only with the data of users who have given explicit consent in accordance with the PDPA.

• You may not present or market AI-Generated Content as investment advice, investment analysis, or any form of financial consulting services. Violations will entitle the Company to immediately terminate your Account and to pursue all available legal remedies.
• The Company does not hold a Securities Investment Advisory Enterprise license under Article 4 of the Securities Investment Trust and Consulting Act, nor a Futures Advisory Enterprise license under Article 82 of the Futures Trading Act. No AI feature output changes this legal characterization.

Article 8. Data Security Measures

Pursuant to the PDPA, the Company has established a Personal Data Security Maintenance Plan and has implemented reasonable security measures consistent with industry best practices across all aspects of data transmission, storage, access control, identity verification, backup, and third-party management. The Company has designated a Personal Data Protection Officer to oversee related matters.

Internet transmission and electronic storage methods cannot guarantee absolute security. In the event of a personal data security incident that, pursuant to applicable law, requires notification to affected individuals, the Company will notify affected users to the extent required by applicable law.

Regarding security controls for engineers accessing production systems from abroad, the Company implements access control mechanisms in accordance with its internal security policies, which are specifically documented in the Company's Personal Data Security Maintenance Plan in compliance with Article 27 of the PDPA.

Article 9. Personal Data Retention Periods

Retention periods for the Company's various categories of personal data and related records are as follows:

• AI interaction logs: No more than thirty (30) days; automatically deleted upon expiration;
• Customer service communications records: Retained for one (1) year; automatically deleted or de-identified upon expiration;
• Billing metadata: Retained as required by applicable tax law; if no mandatory legal provision applies, no more than one (1) year;
• Usage behavioral data (following de-identification): Retained as needed for service optimization, for a maximum of three (3) years;
• Account data: Retained throughout the term of Account existence; following Account termination, retained for the period required by applicable law; if no legal provision mandates retention, deleted or de-identified within ninety (90) days of termination;
• Other data: Retained for the period required by the nature of the data and applicable law.

The Company has no obligation to provide, restore, or reconstruct data that has exceeded its retention period, has been deleted pursuant to applicable procedures, or is technically irrecoverable due to system constraints. The Company bears no liability for such data.

Article 10. Cookies and Tracking Technologies

The Company may use various tracking technologies to improve service quality and operational efficiency, including but not limited to:

• Third-party analytics tools: Used to record usage behavior and feature usage, and may identify devices through cookies;
• Browser local storage (LocalStorage): Used to store login status and user preference settings;
• Session storage (SessionStorage): Used to handle login authentication and temporarily store security information;
• Behavioral analytics tracking: Records page interactions in anonymized or pseudonymized form for service improvement.

Your use of the Service constitutes your consent to the use of all of the foregoing tracking technologies, and you may not assert any claim for damages against the Company in connection with such use. The Company does not provide individual opt-out mechanisms, except as required by applicable law. The Company may adjust the types and purposes of such technologies at any time based on operational needs. Non-material technical adjustments do not require user notification.

Article 11. Cross-Border Data Transfers

The Company may, as necessary for the provision of the Service and pursuant to Article 21 of the PDPA, transfer personal data to overseas third parties for processing, including but not limited to cloud service providers, AI model service providers, and analytics tool service providers.

Your use of the Service constitutes your irrevocable knowledge of and consent to the Company's cross-border transfers described herein. The Company will protect personal data transferred across borders through contractual measures or other appropriate security mechanisms. However, the Company makes no warranty regarding the data protection standards of overseas processing entities, and bears no liability for losses arising from overseas data processing beyond the statutory standard of care.

Article 12. User Eligibility and Representations and Warranties

By using the Service, you make the following irrevocable representations and warranties to the Company:

1. You have full legal capacity and have not been subject to a declaration of guardianship or assistantship;
2. You are at least eighteen (18) years of age and have full legal capacity under the laws of the Republic of China (Taiwan) or your jurisdiction;
3. You are not subject to any legal, judicial, or regulatory restriction from using the Service;
4. You are not an individual or entity on any international sanctions list;
5. All information you provide is true, accurate, and complete, and does not contain any false or misleading content.

If you breach any of the foregoing representations or warranties, the Company may immediately terminate your Account or restrict your use of the Service without notice, and reserves the right to seek full damages under applicable law. All legal liabilities and losses arising from use of the Service by an ineligible user shall be borne entirely by such user; the Company bears no joint, supplementary, or other liability.

Article 13. Data Subject Rights

Pursuant to the PDPA, you may exercise the following rights with respect to your personal data held by the Company by submitting a written request (including email) to the Company:

• To inquire or request access;
• To request a copy;
• To request supplementation or correction;
• To request cessation of collection, processing, or use;
• To request deletion.

The Company will process requests within the scope required by the PDPA and may charge a reasonable administrative fee (approximately NTD 1,000 to 1,500, or equivalent). The Company may refuse or limit requests in circumstances permissible under Article 20, Paragraph 1, proviso of the PDPA or other applicable law, and will provide a legally compliant explanation for any such refusal.

The Company has no obligation to provide, restore, or reconstruct data that has exceeded its retention period or is technically irrecoverable, and bears no liability therefor. You may withdraw your consent to any specific purpose at any time. Withdrawal of consent does not affect the lawfulness of processing conducted prior to withdrawal, and does not give rise to any obligation to refund fees.

Article 14. User Indemnification Obligations

You shall fully indemnify, defend, and hold harmless the Company and all Protected Persons from and against any damages, and shall reimburse the Company for all attorneys' fees, litigation costs, arbitration costs, and other reasonable expenses incurred, in connection with any of the following:

1. Your breach of any provision of this Policy or the Company's Terms of Service;
2. Any unlawful or improper conduct, including but not limited to fraud, money laundering, or infringement of third-party rights;
3. Improper use of the Service, including but not limited to misuse of AI features or circumvention of security measures;
4. Providing false, fraudulent, or misleading information causing harm to the Company or any third party;
5. Any act or omission by you resulting in the Company being subject to regulatory penalties, corrective orders, or judicial or administrative proceedings;
6. Your breach of any representation or warranty set forth in Article 12;
7. Any third-party claim against the Company arising from your use of the Service.

Article 15. Consent Mechanism

By clicking to agree or checking the consent box during registration or use of the Service, you acknowledge that you have read, understood, and agreed to this Policy and all related terms in their entirety, and you consent to the Company's collection, processing, and use of your personal data in accordance with this Policy. This consent constitutes valid consent as required by the PDPA. You may not subsequently assert that your consent is invalid on the grounds of insufficient review.

For marketing communications purposes, the Company obtains your written consent through a separate independent checkbox, distinct from the foregoing consent. You may unsubscribe or withdraw such consent at any time by email. Withdrawal does not affect the lawfulness of processing conducted prior to withdrawal and does not give rise to any obligation to refund fees.

Article 16. Amendments to This Policy; Unilateral Amendment Right

1. Amendments to this Policy take effect upon publication on the Company's official website. The Company is not obligated to notify each user individually by email.
2. For material changes to your substantive rights or the purposes for which personal data is processed, the Company may post a notice on the website homepage, login page, or other appropriate location, displayed for at least five (5) days prior to the effective date. Emergency amendments required for regulatory compliance may take effect immediately without the five-day notice period.
3. The amended Policy takes effect on the date indicated in the publication. Your continued use of the Service following the effective date constitutes your irrevocable knowledge of, understanding of, and full consent to the amended Policy in its entirety. If you do not accept the amended Policy, your sole remedy is to immediately cease using the Service. The Company bears no liability for any losses arising from Account termination.

Article 17. Notice

Notices from the Company to you may be delivered by website publication, service page display, login prompts (including but not limited to pop-up windows), or other appropriate digital means, and shall be deemed validly delivered upon dispatch. The Company is not obligated to use email as the sole means of notification. You may not deny the effectiveness of any notice on the grounds that you did not actually receive it.

Article 18. Severability

If any provision of this Policy or any portion thereof is held to be invalid, unlawful, or unenforceable for any reason, such invalidity shall not affect the remaining provisions of this Policy, which shall continue in full force and effect.

Article 19. Survival

Provisions of this Policy that by their nature should survive termination of the Service, including but not limited to Article 7 (AI Data Processing and Disclaimer), Article 14 (User Indemnification Obligations), Article 18 (Severability), and Article 20 (Governing Law and Jurisdiction), shall continue in full force and effect following termination of the service relationship and shall not be extinguished for any reason.

Article 20. Governing Law and Jurisdiction

This Policy shall be governed exclusively by the laws of the Republic of China (Taiwan), to the exclusion of any conflict of laws principles. Any dispute arising out of or in connection with this Policy or the Service shall be submitted exclusively to the Taiwan Taipei District Court as the court of first instance, with all other courts' jurisdiction fully excluded, except as otherwise required by applicable mandatory law.

Article 21. Language

The Chinese (Traditional Chinese) version of this Policy is the official and sole legally authoritative version. Any versions in other languages are for reference only. In the event of any ambiguity or conflict, the Chinese version shall be the final determinative authority.

Article 22. Contact Information

For matters relating to personal data, exercise of data subject rights, and billing inquiries, please submit a written request (including email) to:

• Company Name: Alphora Group
• Email: info@alphoragroup.com
• Service Platform: https://insights.alphoragroup.com