Welcome to the Privacy Policy for The Sandbox Companies, Inc. (“Sandbox”, “we”, “us”, or “our”). In this Privacy Policy, we describe what Personal Data (as defined below) we collect, how we use and share that information, and your choices concerning our information practices. This Privacy Policy outlines how and when Sandbox collects, protects, shares, and uses information that can identify you individually (“Personal Data”), such as your name, email, or telephone number. Personal Data does not include information that is anonymous, aggregated, or can no longer be used to identify you as an individual.

This Privacy Policy applies to (1) users of our website, https://www.sandboxwealth.com, (the “Site”, and such users, “Site Visitors”), our mobile application (the “App”), and our related technologies, products and services (collectively with the Site and the App, the “Services”); and (2) any communications you may engage with us (“Communications”).

Our Services are designed to create the best place to manage and improve your financial life by enabling you to access personal financial management and advisory services, enabling you to open and access banking products and lending products provided by third-party bank services providers and lending providers (collectively, “Third-Party Services Providers”). Third-Party Services Providers will have access to your Personal Data uploaded to the Services and we do not have any control over how such Third-Party Services Providers may use such Personal Data. We will cooperate with Third-Party Services Providers in accordance with any request related to your Personal Data processed on behalf of such Third-Party Services Providers.

As a technology platform supporting Third-Party Services Providers who are financial institutions, our Services may be subject federal laws like the Gramm-Leach-Bliley Act in certain cases and contexts. This Privacy Policy is intended to provide everyone—both those using our Services and those just viewing our Site to learn more about our Services—notice about how we process Personal Data. For the legally required privacy notice specific to our Services in the context of the Gramm-Leach-Bliley Act, please see our separately provided Financial Information Privacy Notice.

We may collect Personal Data from you when you use the Services. This information is collected and stored electronically by us. This information may be provided to us voluntarily by you, collected automatically by us from you, or provided to us from third-party sources as further explained in this Section 2.

We collect Personal Data from you when you voluntarily provide this information to us, such as when you register for access to our Services, contact us with inquiries, link your accounts, respond to offers from us or third parties, obtain or use products or services from us or third parties, or when you authorize our Services to collect this information about you from your financial institution, credit bureaus or others. Personal Data that you voluntarily provide depends on your use of the Services but may include the following categories of information:

• Contact Data: Information provided related to your name, address, email address, or phone number.

• Identification Information: Information provided related to identifying information such as your tax identification number, social security number, or other government-issued ID number,

• Personal Contacts Data, including the first and last name, email address, and phone number of your personal contacts: We collect data about your contacts with your consent and in order to fulfill a request by you, such as finding your contacts on the Service or inviting your contacts to join the Services. Such functionality is only intended for U.S. residents. By using this functionality, you acknowledge and agree that both you and your contacts are based in the U.S. and that you have your contacts’ consent for us to use their contact information to fulfill your request.

• Demographic Information: Information provided related to date of birth, annual income, and other information about your finances and employment.

• Biometric identification data: Information provided related to facial recognition scans.

• Communication Information: Information provided related to records and copies of your correspondence with us, if you contact us.

• Transaction Information: Information provided related to details of transactions and search queries you may carry out through the Services.

You may choose to voluntarily provide other information to us that we do not request, and, in such instances, and in such situations, we have no control over what categories of personal information such disclosure may include. Any additional information provided by you to us is provided at your own risk.

Please note that if you are located outside of the United States, by providing this information to us, you acknowledge and agree that this Personal Data may be transferred from your current location to the offices and servers of Sandbox and the authorized third parties referred to in this Privacy Policy, located in the United States.

When you choose to use the Services to link or view activity on financial or finance related accounts operated by a Third-Party Services Provider (for example, your bank or credit card company), we collect Personal Data from that Third-Party Services Provider (directly or indirectly) to enable us to provide the Services or certain features thereof. Such data has historically included contact data, demographic data, content, service use data, device connectivity and configuration data, and location data, among other information.

When you access and use Services in connection with banking products or lending products from Third-Party Services Providers (for example, banks or credit card companies), our processing of Customer Data is governed by the terms of our service agreements with our business customers. We rely on your authorization you provide to those Third-Party Services Providers to disclose your information to us. To the extent we combine such information with Personal Data we have collected through the Services, we will treat the combined information in accordance with the practices described in this Privacy Policy, plus any additional restrictions imposed by such Third-Party Partner. We are not responsible for how any Third-Party Partner treats the information we collect on their behalf, and we recommend you review their own privacy policies.

When you interact with our Services, we receive and store certain information about your visit, use, or interactions. Such information, which is collected passively using various technologies, cannot presently be used to specifically identify you. We may store this information itself or it may be included in databases owned and maintained by our agents or service providers. Our Services may use this information and pool it with other information to track, for example, the total number of visitors to our website, the number of visitors to each page of our website, and the domain names of our visitors' Internet service providers.

In particular, the following information is created and automatically logged in our systems:

• Log Information: Information that your browser automatically sends whenever you visit the Site. Log Information includes your Internet Protocol (“IP”) address, browser type and settings, the date and time of your request, and how you interacted with the Services.

• Cookies Information: These are small data files stored on your device that act as a unique tag to identify your browser. We use two types of cookies: session cookies and persistent cookies. Session cookies make it easier for you to navigate our website and expire when you close your browser. Persistent cookies help with personalizing your experience, remembering your preferences, and supporting security features. Additionally, persistent cookies allow us to bring you advertising both on and off the Services. Persistent cookies may remain on your device for extended periods of time, and generally may be controlled through your browser settings. Please see the “Cookies and Similar Technologies” section below to learn more about how we use cookies.

• Pixels (also known as web beacons): These are types of code embedded in a website, video, email, or advertisement that sends information about your use to a server. There are various types of pixels, including image pixels (which are small graphic images) and JavaScript pixels (which contains JavaScript code). When you access a website, video, email, or advertisement that contains a pixel, the pixel may permit us or a separate entity to drop or read cookies on your browser. Pixels are used in combination with cookies to track activity by a particular browser on a particular device. We may incorporate pixels from separate entities that allow us to track our communications, bring you advertising both on and off the Services, and provide you with additional functionality, such as the ability to connect our Services with your social media account. Please see the “Cookies and Similar Technologies” section below to learn more about how we use cookies.

• Device Information: Includes name of the device, operating system, and browser you are using. Information collected may depend on the type of device you use and its settings.

• Usage Information: We collect information about how you use the Services, such as the types of content that you view or engage with, the features you use, the actions you take, and the time, frequency, and duration of your activities.

• Location Information: We may collect and use your location information (for example, by using your IP address to determine your approximate geographic location) through the Services in order to help us authenticate activity related to your account. We may also use your location information in an aggregate way as Aggregate Data (defined below). We do not share your location information with other users of our Services.

In connection with our Services, we use a number of technologies, including “cookies,” to gather information about you to improve your experience as you use our Services. This section provides details about the online technologies implemented and used by us and our service providers. For more information about your rights and choices and how to control these online technologies, please see Your Rights and Choices below.

Uses of Online Technologies

The following details are provided to explain the purpose and uses of these online technologies:

• Functionality, Support and Security: Some of the online tracking technologies like the cookies we use are to recognize your device, to facilitate navigation, to display information more effectively, to personalize your experience, maintain the security of our Site, manage your account, prevent crashes, fix bugs, save your preferences, and assist with basic Site functions and other performance functions.

• Session Replay: Some of the technologies implemented are used in a manner to recreate your session and understand how you navigated our Site, what content or Services you looked at and other related information that helps us assess how our Sites are being used. We may obtain this information through the use of cookies and pixels, and may share this with third parties to obtain related insights.

• Advertising and Marketing Measurements: Pixel tags may be used to market our Services to you, measure the engagement with marketing campaigns and compile statistics about Site usage, interests, and response rates. Furthermore, we may incorporate pixels from separate entities that allow us to bring you advertising both on and off the Sites. For more information about Advertising, please see Analytics and Advertising below.

• Behavioral Analytics: We also use pixels in combination with cookies to track activity by a particular browser on a particular device. These pixels may be provided by a third-party and certain information may be shared back with such provider. In addition, we may use technologies included in applications (that are not browser-based like cookies and cannot be controlled by browser settings) such as SDKs to track our communications and provide you with additional functionality, such as the ability to connect your account to our Services with other third-party services.

• Site Analytics: We use analytics services, such as Google Analytics, to help us understand how users access and use the Sites through the use and sharing of cookies. You can learn about Google’s practices by going to www.google.com/policies/privacy/partners/.

For information to understand your rights and choices related to online technologies, please see Your Rights and Choices below.

Analytics and Advertising

We use analytics services, such as Google Analytics, to help us understand how users access and use the Services. In addition, we work with agencies, advertisers, ad networks, and other technology services to place ads about our products and services on other websites and services. For example, we place ads through Google and Facebook that you may view on their platforms as well as on other websites and services.

As part of this process, we may incorporate tracking technologies into our own Services (including our website and emails) as well as into our ads displayed on other websites and services. Some of these tracking technologies may track your activities across time and services for purposes of associating the different devices you use, and delivering relevant ads and/or other content to you.

In general, Sandbox uses Personal Data we collect through the Services to:

• Provide products and services you request;

• Improve our offerings to you, including to develop new products and services;

• Communicate with you or provide notices in connection with such products and services;

• Process and respond to customer inquiries and provide support;

• Detect security incidents and prevent fraud and illegal activities;

• Fulfill our legal requirements and enforce our agreements;

• Improve the content, functionality, and usability of the Services;

• Communicate with you, either directly or through our service providers, including for marketing and promotional purposes;

• Improve our marketing and promotional activities; and

• For our other legitimate business purposes permitted by law.

In addition, Sandbox uses Personal Data to verify your identity in order to expedite your ability to obtain banking and lending products from Third-Party Services Providers. You expressly authorize Sandbox to use your identity verification information for its own purposes, as well as the purposes of its Third-Party Services Providers from whom you have requested products and services.

In an ongoing effort to better understand and serve our users, we may also conduct research on our Customer demographics, interests, and behavior based on Personal Data and other information provided to us. This research may be compiled and analyzed on an aggregate or other non-identifiable basis (“Aggregate Data”), and we may share this Aggregate Data with our contractors, agents, and business partners. We may also disclose Aggregate Data in order to describe our Services to current and prospective business partners, and to other third parties for other lawful purposes. In addition, we may share Aggregate Data with third party providers to permit them to make offers that are more relevant to you. We may collect and share Aggregate Data through the Services, through cookies, and through other means described in this Privacy Policy.

We may share your Personal Data in the following circumstances:

We may share your Personal Data where you have consented or otherwise given us permission to share your data. For example, if you want us to expedite your identity verification with a banking Third-Party Services Provider in order to open a deposit account, we will need to share your Personal Data with that Third-Party Services Provider. When you use the Services to request a banking or lending product from one or more Third-Party Services Providers, you expressly authorize Sandbox to share your identity verification information with that Third-Party Services Provider.

We will not share your name, address, email address, phone number, or tax identification number (such as U.S. social security number) with third party product providers for marketing purposes without your express consent. Note that when you decide to pursue an offer from a third-party product or service provider, you may be asked to provide additional information directly to that provider, including your Personal Data. Using our Services does not require you to provide any additional information directly to such providers, unless you wish to.

We may share your Personal Data with the financial institutions with whom you choose to link your account, Third-Party Services Partners, and other service providers that we use in delivering the Services. Examples include providers that provide us with technology services such as hosting, identity verification, support, payment, and email service. We provide these providers with only the Personal Data they need to perform their specific function, or to evaluate new potential vendors, and take commercially reasonable steps to ensure our service providers adhere to the security standards we apply to your Personal Data.

We may share your information if required by applicable law or legal process, or if we believe it is in accordance with applicable law or legal process. This can include protecting the rights, property, and safety of Sandbox, our users, and the public, including, for example, in connection with court proceedings, or to detect or prevent criminal activity, fraud, material misrepresentation, or to establish our rights or defend against legal claims.

As we develop our business, we might sell or buy businesses or assets. In the event of a corporate or asset sale, merger, reorganization, dissolution, or similar event, your Personal Data may be part of the transferred assets.

We may provide your Personal Data to companies that perform marketing services on our behalf or to other financial institutions with whom we have joint marketing agreements, such as lenders and loan brokers that can present financing offers relevant to you. These third-party financial institutions have agreed that they will not use or disclose your Personal Data except to effectuate the joint marketing agreement and as otherwise permitted by federal financial privacy laws. If you directly provide your Personal Data to these third parties, they may use or share it in accordance with their privacy policies. Sandbox does not share your Personal Data with or sell your Personal Data to any third parties for their marketing purposes.

No method of transmission over the Internet or electronic storage is 100% secure; however, we implement and maintain reasonable safeguards designed to protect your personal information from unauthorized access and use by maintaining physical, electronic, and procedural safeguards in compliance with applicable law. These measures include computer safeguards, organizational controls to limit the parties that can access data, and physical safeguards related to files and buildings.

In the event that any information under our control is compromised as a result of a breach of security, we will take reasonable steps to investigate the situation and where appropriate, notify those individuals whose information may have been compromised and take other steps, in accordance with any applicable laws and regulations.

We keep Personal Data for as long as reasonably necessary for the purposes described in this Privacy Policy, while we have a business need to do so, or as required by law (for example, for tax, legal, accounting, or other purposes), whichever is longer.

You may access, update, or remove certain information that you have provided to us through your account by visiting your account settings or sending an email to the email address set out as set out in the section entitled Contact Us below. We may require additional information from you to allow us to confirm your identity.

Please note the following:

We will retain and use information about you as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

Changes to your account does not necessarily mean that changes will be reflected in data held by any Third-Party Services Providers (for example, your bank or credit card company) and you should reach out to such Third-Party Services Providers to confirm and ensure all changes are reflected in its retained data (as appropriate).

The following is information about how to opt out of receiving certain communications from us, depending on means of delivery:

• E-mails. You can opt-out of receiving promotional emails from us at any time by following the instructions as provided in emails to click on the unsubscribe link, or emailing us at the email address set out as set out in the section entitled Contact Us below with the word UNSUBSCRIBE in the subject field of the email. Please note that you cannot opt-out of non-promotional emails, such as those about your account, transactions, servicing, or our ongoing business relations.

• Phone & SMS Text Messaging. You can opt-out of receiving text messages or calls to your phone number at any time by (i) for text messages, texting “STOP” in response to any text message you receive from us or contacting us as set out in the Contact Us section below and specifying you want to opt-out of text messages; and (ii) for calls, requesting opt-out during any call you receive from us or contacting us as set out in the Contact Us section below and specifying you want to opt-out of calls.

• Push Notifications. If you have opted-in to receive push notification on your device, you can opt-out at any time by adjusting the permissions in your device or uninstalling our mobile application.

The following disclosures relate to your rights and choices in connection with cookies and other tracking technologies:

• Do Not Track. Your browser settings may allow you to automatically transmit a “Do Not Track” signal to online services you visit. We do not currently monitor or take action with respect to “Do Not Track” signals. For more information on “Do Not Track,” visit http://www.allaboutdnt.com.

• Cookies and Pixels. Most browsers accept cookies by default. You can instruct your browser, by changing its settings, to decline or delete cookies. If you use multiple browsers on your device, you will need to instruct each browser separately. Your ability to limit cookies is subject to your browser settings and limitations.

• Mobile Application and Location Technologies. You can stop all collection of information via our mobile application by uninstalling the mobile application. You can also reset your device Ad Id at any time through your device settings, which is designed to allow you to limit the use of information collected about you. You can stop all collection of precise location data through the mobile application by uninstalling the application or withdrawing your consent through your device settings.

Please be aware that if you disable or remove tracking technologies some parts of the Services may not function correctly.

Google provides tools to allow you to opt out of the use of certain information collected by Google Analytics at https://tools.google.com/dlpage/gaoptout and by Google Analytics for Display Advertising or the Google Display Network at https://www.google.com/settings/ads/onweb/.

If you are using our Services related to products, services or offerings governed by the Gramm-Leach-Bliley Act, our legal Financial Information Privacy Notice can be found in our Financial Customer Privacy Notice.

The Services are not intended for children or minors under the age of 18. We do not knowingly collect personal information from, or market to, children under the age of 18. If we become aware that a child under the age of 18 has provided us with personal information, we will take steps to comply with applicable legal requirements to remove such information.

Our business and Services may change from time to time. As a result, at times it may be necessary to make changes to this Privacy Policy. If we make changes, we will notify you by revising the “Last Updated” date at the top of this page. If we make material changes, we will do so in accordance with applicable legal requirements, and we will post a notice on our website and mobile applications alerting our users to the material changes prior to such changes becoming effective. Your continued use of our Services after any changes or revisions to this Privacy Policy will indicate your agreement with the terms of such revised Privacy Policy.

The General Data Protection Regulation (“GDPR”) and data protection laws in Europe distinguish between organizations that process personal information for their own purposes (known as “controllers”) and organizations that process personal information on behalf of other organizations (known as “processors”).

We generally act as a processor with respect to personal information collected from you as you engage with our Services. Third-Party Services Providers (for example, your bank or credit card company) is the Controller of information. If you have questions with respect to our processing of information where we are acting as a processor, we may direct your quest to the respective Third-Party Services Providers.

In limited circumstances we act a controller (such as with respect to information related to our Site or direct communications with us). Where we are acting as a controller, you can contact us with questions by email at the email address set forth in the section entitled Contact Us below.

The GDPR and data protection laws in Europe require a “lawful basis” for processing personal information. Our lawful bases include the following:

• To fulfill obligations in the agreement between you and Company. To use our Sites or Services, you and Company entered into an agreement under the applicable terms of use, and in order for us to fulfill our obligations with respect to providing our Sites or Services under such agreement, we must collect your personal information to provide the necessary functionality. The information we collect and how it is used by us is further detailed in the sections entitled Information We Collect About You and How We Use The Information We Collect above.

• To pursue our legitimate interests. Our legitimate interests include, among others, understanding how our Sites or Services are functioning, improving our Sites or Services, developing new products and services, and preventing fraud. To pursue the foregoing, we process personal information. Where we rely on a legitimate interest to process personal information, we carry out a balancing test to weigh the legitimate interest against your right to protection of your personal information; however, our processing of your personal information will never override your fundamental rights and freedoms, and you can always exercise your right to object to such processing.

• Consent. In certain situations where you provide us with consent, we may process your personal information.

• To comply with law. In limited circumstances, we may process personal information in order to comply with legal obligations. To the extent we have received such information from third parties with whom we have agreed to certain contractual requirements or obligations (for example, standard contractual clauses), we will use our reasonable efforts to dispute the disclosure of personal information, unless legally required to do so.

If you choose to provide us with your information, you acknowledge that information will be transferred and stored on our servers located in the United States. The information we collect is subject to state and federal law in the United States. If you are accessing our websites from outside the United States, please be advised that you are transferring your personal information to us in the United States where data protection and privacy laws may be different or less stringent than the laws of your country.

If the GDPR applies and your data is transferred outside the UK or the EEA to the United States or any other country, we will transfer your personal information subject to appropriate safeguards, such as an adequacy decision by the European Commission on the basis of Article 45 of Regulation (EU) 2016/679 or Standard Contractual Clauses, as provided from time to time by the European Commission. You can receive additional information about where your personal information is transferred and the appropriate safeguards by contacting us.

If you are a data subject under the GDPR, subject to certain conditions, you have the right to:

Access, rectify, or erase any personal information we process about you;

Data portability – that is, asking us to transfer your personal information to any third party of your choice;

Restrict or object to our processing of your personal information; and

Where applicable, withdraw your consent at any time for any processing of your personal information.

To exercise your rights, please email us at info@sandboxwealth.com.

If you have a complaint about our use of your personal information or our response to your request(s) regarding your personal information, you may submit a complaint to the Data Protection Supervisory Authority in your jurisdiction. We would, however, appreciate the opportunity to address your concerns before you approach a data protection regulator and welcome you to first direct an inquiry to us.

In addition to our contact details set out above, you can also contact our Designated Individual Overseeing Compliance of this Privacy Policy by emailing info@sandboxwealth.com or writing us at the address in Contact Us below.

If you have any questions or concerns about this Policy, you can contact us at:

The Sandbox Companies Inc.

Email: info@sandboxwealth.com

Address: 234 5th Avenue, Suite 210

New York, NY 10001