Privacy Policy

Otto Connect, Inc. PRIVACY POLICY for SurfCAST, ParkingCAST, CommunityCAST, and SportsCAST

Last updated: November 15th, 2020

It is important to understand our privacy practices and that we continuously update our Policy to comply with the various laws in the US and Europe and to clarify the information we collect and how we use and protect it. If you have any questions or concerns, you can always contact us via the applicable CAST app or via email at info@ottoconnect.us.

1. INTRODUCTION

At Otto Connect, Inc. (“Otto”), we respect the privacy expectations of our users and commit to complying with all applicable data protection and privacy laws. This Privacy Policy (“Policy”) describes who is responsible for the information we collect, the types of information we collect, how we use, share, retain, and protect this information, and the choices you, as one of our users (“Users”), have with respect to its access and use. This Policy applies to Otto mobile applications (“Applications”) and Otto websites (collectively “Services”), unless specified otherwise. “PII” as used herein refers to Personally Identifiable Information to describe information that is about you and which identifies you. We encourage you to read this Policy in full to understand our privacy practices before using our Services.

2. ABOUT OTTO

Otto provides software Services that, where available, enable you to manage and pay for parking, parking citations, permits, registration fees for various activities, and ancillary services through our mobile applications. We may partner with local governments, inter-local agencies or partnerships, colleges, universities, hospital systems, churches, local communities, sports leagues and other public and private operators (our “Partners”) when they provide the Services through Otto Applications, in order to improve their operations and to simplify and personalize your interactions with such groups through our Services. Our collection and use of your information is designed with these purposes in mind. We offer the following products, services and applications (“Services” or “Applications”):

A. Parking – Otto’s ParkingCAST App (or any white-label/private-label implementations thereof) allows Users to pay parking fees based on zone and location and manage their accounts through the ParkingCAST App. ParkingCAST allows residents and/or employees permissions to park for free with registration and specification of a zone for each parking session as authenticated via the appropriate authority. Special seasonal or long-term rates may be offered as appropriate by the local organization or authority.

B. Citation Resolution – Otto’s Parking Enforcement Software allows parking enforcement agencies to use our software to issue citations, while Users can resolve citations by using Otto’s app-based payment service.

C. Communication and Scheduling – Otto’s CommunityCAST App allows community of interest groups to communicate and schedule activities directly via the app to improve local, group, team, or department coordination.

D. Sports league coordination and management via SportsCAST App.

E. Registration and Payment via all CAST-based applications for the specific activity including parking and any sport or group activity requiring payment of fees.

3. INFORMATION WE COLLECT

We collect your information in the following ways:

• from you through your use of our Services (such as in the course of your interactions with the Services or your communications whether by phone, email, chat, text, through the Apps or otherwise);

• from our Partners, service providers, and other third-party sources, when you have been notified of such information-sharing or registering for specific app functions or Partner activities, whether pursuant to this Policy or otherwise, or when the information is publicly available (such as the location and identifying details about your vehicle for parking Services);

• from other sources such as Departments of Motor Vehicles, Municipal Utilities, or other databases containing home or driver information, but only when we have an agreement with or the permission of such entities to lawfully obtain the information and to ensure its appropriate use and retention.

The types of information that we collect are:

• Information about you and your Otto account – Any information that you voluntarily provide, such as name, email address, phone number, password, PIN, marketing preferences, license plate number, or other information as required for the activity you are registering for.

• Device information – Operating system, browser type, IP address, device type, and device version. We collect this information automatically when you use our Services.

• Geo-location information – If you have enabled location services on your device we may use such services to collect the geographic location of your device when you use the Services. Some services may not function as designed if location services are disabled.

• Vehicle information – Insurer, vehicle registration number (VIN), registration expiration date, license plate number and state, vehicle make/model/color, and registration.

• Financial information – Credit card number, expiration date, billing zip code, name on credit card, and/or similar account information for alternative funding sources that you may associate with your account including Apple Pay, Google Pay, or other payment services. If you make a payment via a third-party Service, you may be required to provide certain payment information, including your credit card number, to said secured third-party payment processor. Credit card information is provided to such payment processor through a portal linked to the Services and may not be viewable by us, stored by us, or otherwise accessible to us.

• Marketing information – Marketing preferences (for example if you sign up to receive certain marketing communications), information about your interaction with, and responses to, our marketing communications, entries to contests, discounts, or rewards.

• Social media information – When you interact with us through various social media, for example, by liking us on Facebook or following us on Twitter, or by logging into our services through Facebook or other social media accounts where available, we may collect information including your email address, gender, location, and age. The information we receive from your social network depends on your privacy settings. You should always review, and, if you prefer, adjust your privacy settings on third-party websites and services before linking or connecting them to our Services. We may also collect anonymized, aggregated social media information about you based on information you have provided in the course of using the Services.

To learn about your information collection choices and to opt-out of data collection, see the “Your Choices” section below, and, for individuals located in the European Union/European Economic Area (“EU/EEA”), see also the “Your Rights” section below.

4. HOW WE USE INFORMATION

We use your PII in connection with the provision of the Services to you. In particular, your PII may be used by us, our employees and our service providers for the purposes described below. For Users in the EU/EEA, for each of these purposes, we have also set out the legal basis on which we use your PII.

We may collect, use and share aggregated and/or anonymized data such as statistical or demographic data for any purpose. Such data may be derived from your PII, but once in an aggregated or blinded format that is not personally identifiable (either directly or indirectly), it will no longer constitute PII for the purposes of this policy.

If you are located outside the EU/EEA, by providing Otto with your PII, you consent to the collection, use and disclosure of that information by Otto in accordance with this Privacy Policy and as otherwise permitted by applicable law. If you do not agree with these terms, please do not provide any PII to us. You have the right to withdraw your consent at any time, subject to legal or contractual restrictions and on reasonable notice to Otto, but then you might not be able to receive the full benefit of Otto’s services.

We use collected information to:

• Communicate with you about your account and use of the Services. These communications are for our legitimate interests (i.e., the provision of the Services), and depending on the circumstances, to perform a contract between you and Otto. This communication includes:

◦ Providing information to help you use and navigate the Services.

◦ Supporting and responding to your inquiries when using the Services.

◦ Sending updates and notifications about the Services.

◦ Providing you with your transaction history.

We may communicate with you via in-app notifications (also known as “push notifications”), text messages, emails, and/or telephone calls. Data and message rates apply.

• Communicate with others about your account and use of the Services. These communications are for our legitimate interests (i.e., the provision of the Services). This communication includes:

◦ Developing reports and providing information as required by our Partners and other service providers, such as payment processing entities.

◦ At your request and on your behalf, contacting authorities regarding unpaid citations.

◦ Responding to all lawful access requests from law enforcement or other government authorities.

• Provide our Services. This activity is for our legitimate interests (i.e., the provision of the Services), and depending on the circumstances, to perform a contract between you and us. This activity includes:

◦ Operating the Services.

◦ Managing your account on your behalf, including correcting any errors, updating or terminating your account, and ensuring that your data is retained as required for audit and compliance purposes or as required by law.

• To audit and monitor the use of the Services. This activity is for our legitimate interests (i.e., the provision of the Services, as well as to monitor, maintain and improve the security of the Services). We may request your consent in circumstances (e.g., in relation to our use of certain cookies). This activity includes:

◦ Analyzing and monitoring usage.

◦ Maintaining security, preventing fraud, and enforcing our policies.

◦ Complying with applicable laws.

◦ Examining and remediating any Services outages or malfunctions.

• To notify you about changes to the Services. This activity is for our legitimate interests (i.e., the provision of the Services).

• To improve our Services. This activity is for our legitimate interests (i.e., the provision and improvement of the Services). This activity includes:

◦ Improving and personalizing the User experience.

◦ Creating aggregated and anonymized data to identify trends, errors, and opportunities for enhancements.

◦ Conducting and using data analyses to improve the Services or to develop new features or products.

• Process your transactions, to help you manage your transactions and process payments on your behalf. This activity is for our legitimate interests (i.e., the provision of the Services), and depending on the circumstances, to perform a contract between you and Otto. This includes, in some cases, serving as the merchant of record or payment gateway provider.

• Market and advertise to you, in accordance with your marketing preferences and, where relied upon, your consent. This activity is for our legitimate interests (i.e., the provision and promotion of the Services). We may request consent in circumstances where a legal justification over and above legitimate interest is required by applicable law. This activity includes:

◦ Contacting you about services we offer, including details of any services which we believe may be of interest to you.

◦ From time to time, using your contact information to administer and conduct surveys or notify you about promotional activities such as contests, discounts, or rewards for ourselves or third parties. You may opt out from receiving these kinds of communications.

• To enforce any of our rights and to enforce or apply the agreements concerning you, such as in connection with a dispute or an attempt to collect unpaid amounts, for all other legal purposes, including to comply with any legal or regulatory obligations. This activity is for our legitimate interests and for compliance with legal obligations to which we are subject.

Where we rely on our legitimate business interests or those legitimate interests of a third party to justify the purposes for using your PII, this will include:

• pursuit of our commercial activities and objectives, or those of a third party;

• compliance with applicable legal and regulatory obligations and any codes of conduct;

• improvement and development of our business operations and service offering, or those of a third party; or

• protection of our business, shareholders, employees and customers, or those of a third party.

5. USE OF COOKIES AND OTHER TRACKING TECHNOLOGIES

We use common information-gathering tools to collect data when you are using our Services, such as cookies and other tracking technologies, to remember settings, track activities within the Services, and analyze trends. We may obtain reports based on the use of these technologies on an individual and aggregated basis.

• Cookies – We use session-based and persistent cookies. Session cookies exist only during one session whereas persistent cookies remain on your device after you close your browser or turn off your device. You can control the use of cookies at the browser level. If you reject or delete cookies, some Services may no longer function as designed. Each browser provides different mechanisms for managing cookies; your browser’s help menu can assist you in determining the best way to modify your browser’s cookie storage. For more information about how to control or delete cookies, visit www.aboutcookies.org.

• Analytics – We use Google Analytics and Google Analytics for Firebase to measure how you interact with our websites and Apps to improve your experience. To learn more about Google Analytics privacy practices and opt-out mechanisms, click here (support.google.com/analytics/answer/6004245?hl=en), and click here (firebase.google.com/policies/analytics) to learn more about Firebase Analytics privacy practices and opt-out mechanisms. We also use Facebook Analytics to measure how you interact with our website to improve your experience. To learn more about Facebook Analytics privacy practices and opt-out mechanisms, click here (www.facebook.com/privacy/explanation). Finally, we may store certain information in server logs, including IP address and device information, and collect and store information on your device using local storage objects; other tracking technologies we use include scripts, tags, MAC address, IMEI device number and pixels.

• “Do-Not-Track” Technologies – We do not respond to web browser “Do-Not-Track” signals.

• Third Party Tracking – Third parties, other than our service providers (such as our website analytics provider), do not have authorization from us to track which websites you visited prior to and after visiting the Services. That said, we cannot control third party tracking and there may be some third-party tracking that occurs without our knowledge or consent.

6. HOW WE SHARE INFORMATION

We share information about you with third parties in the following manner:

• With external companies and vendors with whom we partner to operate our business, who provide payment processing, website hosting, data analytics, information technology, marketing, customer service, email delivery, audit, debt collection and similar services.

• With our affiliates as allowed by law.

• If you participate in promotional activities such as surveys and promotions, we may share your information with our service providers and other third parties relating to such activities.

• We share certain information with our Partners in accordance with this Policy and any applicable provisions of our Partner agreements, so that they may appropriately provide services and support to you or so that we may appropriately provide services and support to them as required by our agreements.

• As part of merger, acquisition, or sale of substantially all of our assets, if your PII is to be transferred to a party unaffiliated with Otto, we will provide you with notice prior to transferring your PII to the new entity. Notice will be provided directly through our Services.

• With our professional advisers, such as accountants and lawyers that assist us in carrying out our business activities.

• With government authorities and third parties involved in court action, including external agencies and organizations (including the police and the relevant local authority) for the purpose of complying with applicable legal and regulatory obligations.

• When we believe that disclosure is (1) reasonably necessary to comply with any applicable law, regulation, subpoena, legal process or enforceable governmental request; (2) necessary to enforce the provisions of the Policy; (3) required to enforce our terms, including investigation of potential violations; or (4) necessary to investigate or protect against actual or threatened harm to the rights, property, or safety of Otto, our Users, or the public as required or permitted by law.

You acknowledge and agree that we cannot be held liable for actions or omissions of any party with whom we share your information, and such information will be governed by such parties’ policies, procedures, and practices.

7. YOUR CHOICES

You can notify us of your preferences about how your information is used during your account registration process, and change your preferences by changing your settings in our Apps directly where available. For ancillary services provided by Otto that are not necessary for the proper operation of our Apps, you may also limit the use and disclosure of your data or revoke your consent, where relied upon, by changing your settings in our Apps directly where available. For ancillary services provided by third parties, such as marketing emails and third-party communications, you may limit the use and disclosure of your data or revoke your consent by contacting such service providers directly.

• Marketing emails – You can choose to stop receiving marketing emails from Otto by following the unsubscribe instructions included in these emails. Otto is not responsible for marketing emails sent by our Partners.

• Third-party communications – You may opt in to receive emails or other communications from our Partners, vendors, or affiliates. If you opt in, you may be subject to such parties’ separate privacy policies.

• Push notifications – You can opt out of receiving push notifications through your application or device settings. Please note that opting out of receiving push notifications will impact the functionality of our Services.

• Account – You can stop Otto from collecting information through your Otto account by ceasing to use our Services. You can also contact us to delete or modify certain account information at the email address listed in the Contact Us section below.

Please note that Users may not opt out of critical service messages, such as emergency alerts.

8. ACCESS AND CORRECTION

It is important that the information about you contained in our records is accurate and complete. If your PII happens to change during the course of our relationship, please keep us informed of such changes. You can access, review, update, and object to the processing of your information, as well as cancel your user account, by canceling your account on the app or by contacting our customer support team at the email address listed in the Contact Us section below. We will respond to your request at our earliest opportunity and within any response periods required under applicable law.

Typically, you will not have to pay a fee to access your PII (or to exercise any of the other rights outlined above). However, we may charge a reasonable fee if your request is repetitive or excessive, or we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your PII (or to exercise any of your other rights). This is a security measure to ensure that PII is not disclosed to any person who does not have the right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

9. CHILDREN’S PRIVACY

Our Services are not directed to children under the age of 13, or under the applicable legal age in jurisdictions outside of the United States, and we do not knowingly collect information from them.

10. RETENTION

We retain your information for as long as necessary to comply with our legal obligations, resolve disputes, enforce our rights, or as reasonably necessary for business purposes. Where appropriate or legally required, we retain your information on our servers even after deletion or termination of your user account to comply with our legal obligations, resolve disputes, or enforce our rights.

11. SECURITY SAFEGUARDS

We use reasonable and appropriate physical, technical, and administrative safeguards to protect your information from unauthorized use, access, loss, misuse, alteration, or destruction. Notwithstanding our security safeguards, it is impossible to guarantee absolute security in all situations. If you have any questions about the security of our Services, please contact us using the email address listed in the Contact Us section below.

12. CHANGES TO THIS POLICY

We periodically update this Policy to account for changed legal and operational circumstances and to describe new features, products, or services, and how those changes affect our use of your information. Any changes we make to this Policy in the future will be posted on this page, and, if we make material changes to this Policy, we may provide notification through our Services or directly to you; in any case, you may choose to discontinue using our Services if you do not wish to accept the changes. The updated Policy will take effect as soon as it has been updated or otherwise communicated to you. We encourage you to review this Policy for updates each time you use our Services.

13. THIRD PARTY SERVICES, APPLICATIONS, AND WEBSITES

Certain third-party services, websites, or applications you use or navigate to from our Services may have separate user terms and privacy policies that are independent of this Policy. This includes, for example, websites owned and operated by our Partners or service providers. We are not responsible for the privacy practices of these third-party services or applications. We recommend carefully reviewing the user terms and privacy statement of each third-party service, website, and/or application prior to use.

14. CROSS-BORDER TRANSFERS

Our Services are US based and may be global. Data (including PII of Users) may be transferred, stored and processed in any country where we have operations or where we engage service providers. Currently we have operations and engage service providers in the United States. We may transfer data to countries outside of your country of residence, which may have data protection rules that are different from those of your country, subject to any applicable laws. Data hosted within and outside of your country of residence may be accessed by Otto personnel located in the U.S. We take appropriate measures to ensure that any such transfers comply with applicable data protection laws and that your data remains protected to the standards described in this Policy.

For Users located in the EU/EEA, if we transfer your PII outside of the EU/EEA, we will establish the necessary means to ensure an adequate level of data protection. This may be an adequacy decision of the European Commission confirming an adequate level of data protection in the respective non-EEA country or an agreement on the basis of the EU Model Clauses (a set of standard clauses issued by the European Commission).

15. APPLICABILITY OF LAW; PARTNER AGREEMENTS

As discussed earlier, Otto may have an agreement with a Partner when operating the Services in a certain area. Our Partners and our Users are located in different jurisdictions in which we operate, and therefore we may have varying privacy obligations depending on the applicable jurisdiction and on our privacy obligations under the applicable Partner agreement. It is our policy to comply with the applicable privacy law and with the applicable Partner agreement. If any of the foregoing provisions of this Policy conflict with how Otto may collect, use, share, retain, or transfer your information under any applicable international, state, federal, provincial, or other territorial laws, Otto will comply with such law or laws accordingly.

16. DATA CONTROLLER

We, Otto Connect, Inc., are the data controller for the purpose of data protection law, in respect of your PII collected and used through your use of the Services. This is because we dictate the purposes for which your PII is used. Our Partners may act as data controllers for the purpose of data protection law when they offer you the services, or any part thereof. Please refer to the privacy policies of our Partners for more information.

17. YOUR RIGHTS

If you are a User located in the EU/EEA, then you have certain additional rights with respect to your PII under the General Data Protection Regulation. The rights may only apply in certain circumstances and are subject to certain exemptions. Please see the table below for a summary of your rights. You can exercise these rights using the contact details under the “Contact Us” section at the very end of this Policy.

Summary of your rights:

• Right of access to your PII

◦ You have the right to receive a copy of your PII that we hold about you, subject to certain exemptions.

• Right to rectify your PII

◦ You have the right to ask us to correct your PII that we hold where it is incorrect or incomplete.

• Right to erasure of your PII

◦ You have the right to ask that your PII be deleted in certain circumstances. For example (i) where your PII is no longer necessary in relation to the purposes for which they were collected or otherwise used; (ii) if you withdraw your consent and there is no other legal ground for which we rely on for the continued use of your PII; (iii) if you object to the use of your PII (as set out below); (iv) if we have used your PII unlawfully; or (v) if your PII needs to be erased to comply with a legal obligation.

• Right to restrict the use of your PII

◦ You have the right to suspend our use of your PII in certain circumstances. For example (i) where you think your PII is inaccurate and only for such period to enable us to verify the accuracy of your PII; (ii) the use of your PII is unlawful and you oppose the erasure of your PII and request that it is suspended instead; (iii) we no longer need your PII, but your PII is required by you for the establishment, exercise or defense of legal claims; or (iv) you have objected to the use of your PII and we are verifying whether our grounds for the use of your PII override your objection.

• Right to data portability

◦ You have the right to obtain your PII in a structured, commonly used and machine-readable format and for it to be transferred to another organization, where it is technically feasible. The right only applies where the use of your PII is based on your consent or for the performance of a contract, and when the use of your PII is carried out by automated (i.e. electronic) means.

• Right to object to the use of your PII

◦ You have the right to object to the use of your PII in certain circumstances. For example (i) where you have grounds relating to your particular situation and we use your PII for our legitimate interests (or those of a third party); and (ii) if you object to the use of your PII for direct marketing purposes.

• Right to withdraw consent

◦ You have the right to withdraw your consent at any time where we rely on consent to use your PII.

• Right to complain to the relevant data protection authority

◦ You have the right to complain to the relevant data protection authority where you think we have not used your PII in accordance with data protection law.

18. CALIFORNIA RESIDENTS

If you are a California resident and have an established business relationship with us, you can request via email (see the address below) a list of the personal information we have shared with third parties for their marketing purposes. We will also give you a list of the third parties that have received your information. Mention in your email that you are making a "California Shine the Light" inquiry. We will respond within 30 days.

California Consumer Privacy Act (CCPA). If you are a California resident, you have specific privacy rights governed by the CCPA. Subject to certain limitations, you have the right to (1) request to know more about the categories and specific pieces of personal information we collect, use, and disclose about you, (2) request deletion of your personal information, (3) opt out of any sales of your personal information, if we engage in that activity in the future, and (4) not be discriminated against for exercising these rights. You may make these requests by using the contact details under “Contact Us” below.

To verify your identity, we may collect information such as your full name and email address and compare this information to our existing records. Further, depending on the sensitivity of the information requested and the type of request, we may require additional information to verify your identity before responding. We will respond to your request within 45 days if possible and required under the law.

In the preceding 12 months, we have collected the following categories of personal information: [identifiers, commercial information, internet or other electronic network activity information, and inferences]. For details about the precise data we collect and the categories of sources of such collection, please see “Information We Collect” above. We collect personal information for the business and commercial purposes described in “How We Use Information” above.

Also, in the preceding 12 months, we have disclosed the following categories of personal information for business purposes to the following categories of recipients: [identifiers, commercial information, internet or other electronic network activity information, and inferences].

19. CONTACT US

If you have questions about this Policy or our information handling practices, please contact us through the app Communications portal, at info@ottoconnect.us, or write to us at:

Otto Connect, Inc.,
Attention: Privacy Officer,
9107 Maria Luisa Pl. Raleigh, NC. 27617. USA

Note: due to COVID restrictions, it may take 2 to 4 weeks or more for mail service responses.