WBA.CHAT PRIVACY POLICY

Effective Date: December 15, 2025

1. Introduction

Welcome! You have arrived at the wba.chat website powered by FriendliAI (“FriendliAI”, “we”, “our” or “us”). Our mission is to empower organizations to harness the full potential of their generative AI models with ease and cost-efficiency.

At FriendliAI, we take your privacy seriously. This Privacy Policy ("Policy") explains what information we collect about you, how we obtain it, how we share it, and how you may limit the ways in which we use your Personal Information. If you have questions about this Policy after you review it, feel free to contact us at privacy@friendli.ai.

2. Scope

This Policy governs https://wba.chat, its subdomains, and all subdomains or portals that link to this Policy ("Site"); or when you provide Personal Information or interact with us online or when you call or otherwise communicate with us. For the purpose of this Policy, "Personal Information" or “Personal Data” means any information relating to an identified or identifiable individual that is protected by applicable privacy laws. The definition of Personal Information does not include publicly available information from federal, state, or local government records, such as professional licenses and real estate or property records.

We refer to all the above as our “Services.”

Any Personal Information so collected will be used solely for the purposes for which your consent has been specifically given, and the provision of such Personal Information to, and handling by, third parties will be limited specifically to authorized persons only.

By using our Sites or otherwise using our Services, you acknowledge this Policy and agree to our https://wba.chat/terms-of-service (“Terms”).

3. What Information We Collect

As a rule, we limit the Personal Information we collect to that which is adequate, relevant and reasonably necessary for us to provide our Services to you.

Information That You Provide to Us

As you interact with our Site or Services, we collect the following Personal Information via the online chat function and webforms or inputs/uploads on our Site, when you use an authentication token to access the Services, and through telephone calls, letters, emails and other communications with you.

Contact information such as first and last name, username, email address, other addresses, telephone numbers, and mobile numbers, if provided.
Location information (which may be provided by you or from the device on which you accessed the Services);
Name and user ID of other third-party platforms or social media sites (Google, Github, etc.) that regular members have allowed access to, profile values provided by other third-party platforms or social media sites;
Financial information such as your business credit card or debit card number, bank account information, billing address, and your payment, service and purchase history, if applicable; and
Authentication tokens for access to third party services or cloud storage, requests made to inference servers and responses generated by AI models; and
Inputs (if you include Personal Data) and other information that could reasonably be used to identify you personally.

Information That Is Automatically Collected

Like many businesses, we and our service providers automatically collect and/or store certain information when you visit or interact with the Site or Services (“Usage Information”), including via cookies and other tracking technologies (see Use of Cookies and Other Tracking Technologies section below). This Usage Information may be stored and/or accessed from your personal computer, laptop, tablet, mobile phone or other device (a “Device”) whenever you visit or interact with our Site. Usage Information includes:

Your IP address, MAC address, IDFA, Android/Google Advertising ID, Device IDs issued by cloud service providers, IMEI, or another unique identifier;
Your Device functionality (including browser, browser language, settings and behavior, operating system, hardware, mobile network information);
Cookies, tags, pixels and SDKs;
Referring and exit web pages and URLs;
The areas within the Site that you visit and your activities there, including remembering you and your preferences;
Your Device location or other location information, including the zip code, state or country from which you accessed the Services;
Your Device characteristics (such as device type (computer vs. mobile) and ID, operating system, hardware);
Certain other Device data, including the time of day you visit our Site or other information used to provide analytics or other usage information;
Information about your engagement with our emails; and
Statistical information about how both unregistered and registered users, collectively, use the Site and Services.

Information Collected from Third Parties

The Site includes functionality that allows certain kinds of interactions between the Site and your account on a third-party website or application. The use of this functionality may involve the third-party site providing information to us. For example, we might obtain information about the traffic and usage of wba.chat from third parties. We might also allow you to login to the Site using third-party platforms such as Google and GitHub or provide links to facilitate sending postings to social media or via email (like a "Share" or "Forward" button). These third parties also use cookies and other tracking technologies to capture information about your interactions with wba.chat.

FriendliAI does not have control over the information that is collected, used, and shared by these third parties. We encourage you to review the privacy statements of these third parties to understand their privacy practices.

4. Use of Cookies and other Tracking Technologies

We use various methods and technologies ("Tracking Technologies") to store or collect Usage Information, to recognize your browser or device, learn more about your interests to personalize your experience and deliver our Site and Services to you. These tracking technologies allow us and other third parties to collect information such as your device type, browser type, interactions with our App, geographic location, your request, the date and time of your request, your Internet Protocol or MAC address, the domain name of your Internet service provider and other data. If you can be identified from this information, for example by combination with other pieces of information, then we will treat this information as Personal Information. Tracking Technologies may set, change, alter or modify settings or configurations on your Device. By using our Site, you consent to our use of Tracking Technologies as described in this Policy. A few of the Tracking Technologies used on the Site, include, but are not limited to, the following (as well as future-developed tracking technology or methods that are not listed here):

Cookies. A cookie is a file placed on a Device to uniquely identify your browser or to store information on your Device. Our Site may use HTML5 cookies and other types of cookie technology to store information on local storage.
Pixels: A pixel is a small graphic file that allows us and third parties to monitor the use of the Site and provide us with information based on your interaction with the Site. These pixels may collect the IP address from the device which you loaded the App or page and the browser type. Pixel tags are also used by our third parties to collect information when you visit our Site, the links and other actions you take on our Site, and we may use this information in combination with cookies to display targeted advertisements.
Web Beacons. A Web Beacon is a small tag (which may be invisible to you) that may be placed on our Site's pages and messages.
Embedded Scripts. An embedded script is programming code that is designed to collect information about your interactions with the Site, such as the links you click on.
ETag, or entity tag. An Etag or Entity Tag is a feature of the cache in browsers. It is an opaque identifier assigned by a web server to a specific version of a resource found at a URL.
Browser Fingerprinting. Collection and analysis of information from your Device, such as, without limitation, your operating system, plug-ins, system fonts and other data, for purposes of identification.
Recognition Technologies. Technologies, including application of statistical probability to data sets, which attempt to recognize or make assumptions about users and devices (e.g., that a user of multiple devices is the same user).
SDKs. Our Site uses software development kits ("SDKs") which are pieces of code from analytics or advertising providers that developers embed in their apps to collect and send data back to the provider. We may have developed our own software and App or used SDKs provided by third parties in our software and Site.

We may use the following types of cookies:

Strictly necessary cookies. These cookies are essential for you to browse the Sites and use its features, such as accessing secure areas of the site.
Functionality cookies. Also known as “preference cookies,” these cookies allow the Sites to remember choices you have made in the past, like what language you prefer, or what your username and password are so you can automatically log in.
Analytics cookies. Also known as “performance cookies,” these cookies collect information about how you use a website, like which pages you visited and which links you clicked on. Their purpose is to improve website functions. This includes cookies from third-party analytics services if the cookies are for the exclusive use of the owner of the website visited.
Advertising cookies. These cookies track your online activity to help advertisers deliver more relevant advertising or to limit how many times you see an ad. These cookies can share that information with other organizations or advertisers. These are persistent cookies and almost always of third-party provenance.

We use Google Analytics to help us understand how our customers use the Site. Read more about how Google uses your Personal Information or opt-out of Google Analytics.

We also use third-party advertising and affiliate services to support our work, including Microsoft Bing Ads. These services may use cookies, tracking pixels, and similar technologies to deliver ads that are more relevant to you or to track referrals for purchases made through affiliate links.

You can opt out of Microsoft Bing Ads here. Please note that opting out will not stop you from seeing ads; it will, however, limit the personalization and tracking associated with them.

5. Why We Collect Information

We use the information we collect about you in a variety of ways, including the following:

To Provide Our Services

We process certain Personal Information when you access or use our services, including to:

provide, operate, monitor the status of, maintain and improve the Site and the Services;
provide registration, identity verification, user authentication, account linking and other administration related to the Site and the Services;
process your purchases of, or requests for, software and services;
create and verify user accounts;
maintain and administer the Site and the Services, or to facilitate the functionality of our Site, including payment-related functionality, if applicable; and
customize experiences and personalization when you are on our Site.

To Communicate with You

We process certain information to communicate with you in relation to your accounts, our services, our marketing, and your requests, including to:

communicate with you about our Services, accounts and programs;
respond to your inquiries and requests for information;
post your comments or statements on our Site;
send you personalized promotions, content, and special offers;
communicate with you about our brands, events, or other promotional purposes;
implement your communications preferences, such as sharing information with our business partners so that they may email you about their promotions, products and initiatives; and

For Improvement of Our Site or Services

We want to ensure that our Site and Services are continually improving and expanding so that we meet and exceed your needs and expectations. To do so, we may process certain Personal Information, including to:

test, research, analyze, or develop our new or existing products or applications;
analyze, research, plan and implement our marketing activities;
maintain, improve, and analyze our Site or Services; and
detect, prevent, or investigate suspicious activity or fraud.

To Comply with Applicable Laws

We may be required to process certain Personal Information under certain laws and regulations, such as tax laws, as well as to:

maintain appropriate records for internal administrative purposes; and
comply with applicable legal and regulatory obligations, and respond to lawful governmental requests, as needed.

To Enforce our Terms, Agreements, or Policies

To maintain a safe, secure, and trusted environment for you when you use our Site and Services, we use your Personal Information to ensure our terms, policies, and agreements with you and any third parties are enforced.

With Your Consent

We process certain Personal Information to fulfill any other business or commercial purposes at your direction or with your consent.

6. When We Disclose Information

To the extent permitted by law, certain Personal Information about you may be disclosed in the following situations:

Service providers. To provide information to our affiliates and nonaffiliated third parties who perform services or functions for us in conjunction with our services to you, but only if we have a contractual agreement with the other party which prohibits them from disclosing or using the information other than for the purposes for which it was disclosed. Examples of such disclosures include using a payment processor, customer service provider, email marketing provider, analytics provider, or cloud service provider.
Legal process. To comply with a validly issued and enforceable subpoena or summons; as a part of any actual or threatened legal proceedings or alternative dispute resolution proceedings either initiated by or against us, provided we disclose only the information necessary to file, pursue, or defend against the lawsuit and take reasonable precautions to ensure that the information disclosed does not become a matter of public record.
Business transactions. In conjunction with a prospective purchase, sale, or merger of all or part of our practice, if we take appropriate precautions (for example, through a written confidentiality agreement) so the prospective purchaser or merger partner does not disclose information obtained in the course of the review.

Customer data may be used for any purpose, including without limitation for FriendliAI’s and third-parties’ products, services, and business purposes and the testing, development, maintenance and improvement of the Friendli Services and FriendliAI’s and third parties’ other products and services. Please see our Terms of Service for more information.

Finally, we may aggregate, de-identify, and/or anonymize any information collected through the Site or Services such that such information is no longer linked to your personally identifiable information. We may use and share this aggregated and anonymized information (non-Personal Information) for any purpose, including without limitation, for research and marketing purposes, and may also share such data with our affiliates and third parties, including advertisers, promotional partners and others.

7. Automated Decision Making

Automated decision making refers to a decision that is taken solely on the basis of automated processing of your Personal Information. We may use automated decision-making software for security reasons, such as to detect fraudulent or illegal actions, or to protect consumer safety. When we do so, you cannot opt out of the use of the decision-making technology. We do not make any automated decision making technologies to produce an adverse legal effect on you.

8. Retention of Personal Information

FriendliAI will retain your Personal Information only for as long as necessary for the purposes set out in this Policy. We will retain and use your Personal Information to the extent necessary to comply with our legal obligations (for example, if we are required to retain your Personal Information to comply with applicable laws), resolve disputes and enforce our legal agreements and policies.

All information you provide to us is stored on our secure servers or those of our third-party data storage providers.

We retain Personal Information as follows:

User information (email, nickname, name and user ID of the social media account that a regular member has allowed access to, profile value provided by social media, gender, age): retained until five (5) days after withdrawal from regular and/or social membership.
Information such as log data (including IP information, browser type, visited domain, visited page, mobile device and application ID, search term, etc.), links, cookie data, Service usage history, bad usage record, etc.: retained until five (5) days after withdrawal from regular and/or social membership.
AI inference information: is retained indefinitely after the organizations and projects have been deleted.

We utilize the following criteria to determine the length of time for which we retain Personal Information:

How long we have had a relationship with you or provided our Services to you;
The business purposes for which the information is used, and the length of time for which the information is required to achieve those purposes;
Whether we are required to retain the information, or the information is otherwise necessary, in order to: comply with legal obligations or contractual commitments: defend against potential legal claims: detect or prevent potential illegal activity or actions in violation of our policies and procedures; secure our systems and online environment; or protect health and safety;
The privacy impact on individuals of ongoing retention; and
The manner in which information is maintained and flows through our systems, and how best to manage the lifecycle of information in light of the volume and complexity of the systems in our infrastructure.

When the purpose of collection and use of Personal Information is finally achieved, FriendliAI will destroy the personal data without delay after a predetermined period in line with its internal policy and applicable laws and regulations, unless the Personal Information must be retained in accordance with the relevant laws and regulations.

Notwithstanding the above, if the applicable laws and regulations require us to retain any Personal Information collected hereunder, we will have the right to retain any user’s Personal Information for such prescribed duration.

9. Your Choices About the Information We Collect

Communications Preferences

We prefer to keep your Personal Information accurate and up to date. If you would like to change your contact information, please contact us using the information in the Contact Us section below. We will make good faith efforts to make requested changes in our then active databases as soon as reasonably practicable (but we may retain prior information as business records).

You can opt out of receiving marketing emails from us at any time. You will still receive transactional messages from us. To manage your email preferences with us, please click on the unsubscribe link in any email you receive from us or contact us using the information in the Contact Us section below. Your choice will not affect our ability to share information in the other ways described in this Policy.

Controlling Your Cookies

You can opt-out of cookies by enabling an opt-out preference signal on your browser or opting-out of cookies in our Sites’ cookie preference centers.

On most web browsers, you will find a “help” section on the toolbar. Please refer to this section for information on how to receive a notification when you are receiving a new cookie and how to turn cookies off. Please see the links below to learn how to modify your web browser’s settings on the most popular browsers:

Note that if you turn cookies off, you may be unable to access certain parts or benefit from the full functionality of the Sites. To learn more about cookies and similar technologies or to opt-out of targeted advertising cookies, visit resources from the Digital Advertising Alliance (“DAA”). We do not control these opt-out links or whether any organization chooses to participate in these opt-out programs.

Please note that even if you exercise the opt-out choices above, you may continue to receive advertisements, for example, ads based on the website you are viewing (e.g., contextually based ads), or ads that are not targeted at you and may be less relevant. Also, if your browser (like some Safari browsers) is configured to reject opt-out cookies when you opt out on the DAA website, your opt out may not be effective.

Do Not Track

Do Not Track ("DNT") is a web browser setting that requests that a web application disable its tracking of an individual user. When you choose to turn on the DNT setting in your browser, your browser sends a special signal to websites, analytics companies, ad networks, plug in providers, and other web services you encounter while browsing to stop tracking your activity. Various third parties are developing or have developed signals or other mechanisms for the expression of consumer choice regarding the collection of information about an individual consumer's online activities over time and across third-party websites or online services (e.g., browser do not track signals), but there is no universally agreed upon standard for what an organization should do when it detects a DNT signal. Currently, we do not monitor or take any action with respect to these signals or other mechanisms. You can learn more about Do Not Track here.

Opt-Out Preference Signals

Some browsers and browser extensions support opt-out preference signals such as the Global Privacy Control ("GPC") that can send a signal to the websites you visit indicating your choice to opt-out from certain types of data processing, including data sales. GPC is a web browser-level setting, maintained by either a browser or a browser extension, that a user or privacy-focused technology can set. In certain regions, when we detect such a signal, we will make reasonable efforts to respect your choices as required by applicable law.

Other Privacy Rights

Users in some jurisdictions may have additional privacy rights as set forth below. Please review the applicable sections for your state or country and follow the directions to exercise your available privacy rights.

10. Children's Privacy

Our Site is not intended for use by children under the age of 16. We do not request, or knowingly collect, any personally identifiable information from children under the age of 16. If you are the parent or guardian of a child under 16 who you believe has provided her or his information to us, please contact us using the information in the Contact Us section below to request the deletion of that information.

11. Visitors to the Site Outside of the United States

If you are visiting the Site from a location outside of the U.S., your connection will be through and to servers located in the U.S. All information you receive from the Site will be created on servers located in the U.S., and all information you provide will be maintained on web servers and systems located within the U.S. The data protection laws in the United States may differ from those of the country in which you are located, and your information may be subject to access requests from governments, courts, or law enforcement in the United States according to laws of the United States. By using the Site or providing us with any information, you consent to the transfer to, and processing, usage, sharing and storage of your information in the United States and in other countries, as set forth in this Policy.

12. Links

For your convenience, the Site and this Policy may contain links to other websites. FriendliAI is not responsible for the privacy practices, advertising, products, services, or the content of such other websites. None of the links on the Site should be deemed to imply that FriendliAI endorses or has any affiliation with the links.

13. Security

We incorporate commercially reasonable safeguards to help protect and secure your Personal Information. However, no data transmission over the Internet, mobile networks, wireless transmission, or electronic storage of information can be guaranteed 100% secure. As a result, we cannot guarantee or warrant the security of any information you transmit to or from the Site, and you provide us with your information at your own risk.

14. Your California Privacy Rights

This section of the Policy applies solely to California residents. We adopt this Section to comply with the California Consumer Privacy Act of 2018 (“CCPA”) as amended by the California Privacy Rights Act (“CPRA”). Any terms defined in the CCPA or CPRA have the same meaning when used in this Section.

California residents have the following rights:

To know the categories of Personal Information being collected about you, the purposes for which the categories of Personal Information are collected or used, and whether that information is sold or shared;
To know the length of time we intend to retain each category of Personal Information;
To know whether your Personal Information is sold or disclosed and to whom;
To access your Personal Information;
To delete the Personal Information you have provided to us, with certain exceptions;
To correct your Personal Information;
To opt out of the sale of Personal Information;
To know if Sensitive Personal Information (“SPI”) is being collected about you, the categories of SPI being collected, the purposes for which the categories of SPI are collected or used, and whether the SPI is sold or shared;
To limit the use of your SPI if it is used for cross-contextual behavioral advertising or for the purposes of inferring characteristics about you; and
Not to be discriminated against, even if you exercise your privacy rights.

Request for Information, Correction, or Deletion

California residents have the right to request, under certain circumstances, that a business that collects Personal Information about them disclose the information listed below for the preceding 12 months:

The categories of Personal Information collected about you;
The categories of sources from which the Personal Information is collected;
The business or commercial purpose for collecting, selling or sharing Personal Information;
The categories of third parties to whom the business discloses Personal Information; and
The specific pieces of Personal Information collected about you.

Please note that if we collected information about you for a single one-time transaction and do not keep that information in the ordinary course of business, that information will not be retained for purposes of a request under this section. In addition, if we have de-identified or anonymized data about you, we are not required to re-identify or otherwise link your identity to that data if it is not otherwise maintained that way in our records.

You can also request that we correct or delete your Personal Information. There may be certain exceptions to our obligation to correct or delete your information such as if you have an existing account or transaction with us or if we have a legitimate business reason to keep your information.

Personal Information Collected

We have collected the following categories of Personal Information from consumers within the last twelve (12) months:

Category of Personal Information	Examples of this Category	Sources of Personal Information	Business Purpose for Collection
Identifiers	Real name, alias, postal address, unique personal identifier, online identifier, Internal Protocol address, email address, account name, social security number, driver’s license number, passport number or other similar identifiers.	You, Automatically, Third Parties	To provide, improve and market our products and Services, To provide information you requested, To identify potential customers, To verify identity, To prevent fraud, To comply with law
Personal information described in California Civ. Code § 1798.80(e)	Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.	You, Automatically, Third Parties	To provide, improve and market our products and Services, To provide information you requested, To identify potential customers, To verify identity, To prevent fraud, To comply with law
Characteristics of protected classifications under California or federal law	Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or credit, marital status, medical condition (AIDS/HIV status, cancer), physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information), political activities or affiliations, familial status, source of income status, status as a victim of domestic violence, assault, or stalking.	N/A	N/A
Commercial information	Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	You, Automatically	To provide, improve and market our products and Services, To provide information you requested, To identify potential customers, To verify identity, To prevent fraud, To comply with law
Biometric information	An individual’s genetic, physiological, biological or behavioral characteristics.	N/A	N/A
Internet or other electronic network activity information	Browsing history, search history, and information regarding a consumer’s interaction with an Internet Web site, application, or advertisement.	Automatically	To provide, improve and market our products and Services, To provide information you requested, To identify potential customers, To verify identity, To prevent fraud, To comply with law
Geolocation data	Physical location and/or movements.	N/A	N/A
Sensory data	Audio, electronic, visual, thermal, olfactory, or similar information.	N/A	N/A
Professional or employment related information	Current or past job history or performance evaluations	You	To provide, improve and market our products and Services, To provide information you requested, To identify potential customers, To verify identity, To prevent fraud, To comply with law
Non-public education information (per the Family Educational Rights and Privacy Act - 20 U.S.C. § 1232g, 34 CFR Part 99)	Education records directly related to a student maintained by an educational institution or party acting on its behalf.	N/A	N/A
Inferences drawn from other Personal Information	Information used to create a profile about a consumer reflecting the consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	You, Automatically, Third Parties	To provide, improve and market our products and Services, To provide information you requested, To identify potential customers, To verify identity, To prevent fraud, To comply with law
Sensitive Personal Information	Social security number, driver’s license number, account log-in, debit, or credit card number in combination with password or PIN, precise geolocation (less than 1850 square foot radius), racial/ethnic origins, religious or philosophical beliefs, union membership, contents of e-mails or texts to others, genetic/biometric data, health information, sex life/sexual orientation data	N/A	N/A

Information related to how long we retain each category of Personal Information is included in the Retention of Personal Information section above.

Personal Information Sold or Shared

We have sold or shared (as those terms are defined in the CCPA) to third parties the following Categories of Personal Information in the last twelve (12) months:

Category of Personal Information	Recipient Categories	Purpose for Sale/Sharing
Identifiers	Advertising, marketing, and analytics providers	Marketing
Commercial information	Advertising, marketing, and analytics providers	Marketing and analytics
Internet or other electronic network activity information	Advertising, marketing, and analytics providers	Marketing and analytics
Inferences drawn from other Personal Information	Advertising, marketing, and analytics providers	Marketing and analytics

We do not sell or share the Personal Information of consumers under 16 years of age.

Personal Information Disclosed for Business Purposes

We have disclosed the following categories of Personal Information for business purposes in the last twelve (12) months:

Category of Personal Information	Recipient Categories	Business Purpose for Disclosure
Identifiers	Service Providers	Helping to ensure the security and integrity of Personal Information, Performing services on behalf of the business, Internal research for technological development and demonstration, Activities to verify or maintain the quality of, improve, upgrade, and/or enhance our Services
Commercial information	Service Providers and Advertising Partners	Helping to ensure the security and integrity of Personal Information, Performing services on behalf of the business, Internal research for technological development and demonstration, Activities to verify or maintain the quality of, improve, upgrade, and/or enhance of our Services
Internet or other electronic network activity information	Service Providers and Advertising Partners	Helping to ensure the security and integrity of Personal Information, Performing services on behalf of the business, Internal research for technological development and demonstration, Activities to verify or maintain the quality of, improve, upgrade, and/or enhance of our Services

Do Not Sell My Personal Information

As a California resident, you also have the right, at any time, to tell us not to sell Personal Information - this is called the “right to opt-out” of the sale of Personal Information. We do not sell Personal Information, but we recognize that some privacy laws define “Personal Information” in such a way that making available identifiers linked to you for a benefit may be considered a “sale.” To opt out of this, please click on Cookie Preferences in our footer.

Right to Limit Use of Sensitive Personal Information

California residents have the right to limit the use of each type of Sensitive Personal Information for each purpose with each type of third-party partner. Currently, we do not provide your Sensitive Personal Information to any third parties.

Right Not to Be Discriminated Against

We will not discriminate against you for exercising any of your rights under the CCPA. Unless permitted by California law, we will not:

Deny you goods or services.
Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
Provide you a different level or quality of goods or services.
Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Third Party Marketing ("Shine the Light Act")

California Civil Code Section 1798.83 permits our users who are California residents and who have an established business relationship with us to request and obtain from us a list of what Personal Information (if any) we disclosed to third parties for their own direct marketing purposes in the preceding calendar year and the names and addresses of those third parties. We do not currently disclose Personal Information protected under this section to third parties for their own direct marketing purposes.

Exercising Your California Privacy Rights

You or your authorized agent may make a request to access, correct, delete, opt-out of the sale of your Personal Information, or limit the use of your Sensitive Personal Information by contacting us using the information in the Contact Us section below.

If you use an authorized agent to submit your request, we may require proof of the written authorization you have given. We also may require you to confirm your identity and your residency to obtain the information, and you are only entitled to make this request twice in a 12-month period. For emails, please include “California Privacy Rights” as the subject line. You must include your full name, email address, and attest to the fact that you are a California resident. We will acknowledge your request within 10 days and respond to your request within 45 days or let you know if we need additional time. If you make this request by telephone, we may also ask you to provide the request in writing so that we may verify your identity. If we are unable to honor your request for any reason, we will notify you of the reason within the request time period.

15. Your Privacy Rights under Other US State Laws

If you live in certain other U.S. states, such as Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, Nevada, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have rights under applicable privacy laws.

Based on the applicable law in the state where you live, you may have the following rights with respect to your Personal Information:

To confirm whether or not a controller is processing your Personal Information and to access such Personal Information;
To know the categories of Personal Information we collect about you, the purposes for the collection, how long we retain your Personal Information, and whether that information is sold or shared or disclosed and to whom;
To correct inaccuracies in your Personal Information;
To delete your Personal Information;
To obtain a copy of your Personal Information that you previously provided to us in a portable, and if technically feasible, readily usable format, if processing is carried out by automated means;
To opt out of the processing of your Personal Information for purposes of (i) targeted advertising, (ii) the sale of Personal Information, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
Not to discriminate against you because you have exercised any of these rights, including by:
- denying you Services;
- charging different prices or rates for our Services, including through the use of discounts or other benefits or imposing penalties;
- providing you a different level or quality of Services; and/or
- suggesting that you will receive a different price or rate for Services, or at a different level or quality of Services.

To exercise any of these rights, you may make a request to confirm, access, correct, delete, obtain a copy, or opt-out of the processing of your Personal Information for targeting advertising, sale, or profiling by using this link or contacting us using the information in the Contact Us section below. Please include your state of residence. Some states may allow you to use an authorized agent to make this request. If you use an authorized agent to submit your request, we may require proof of the written authorization you have given, or we may decline it if applicable law does not provide for authorized agents to make such a request in your state.

We may require you to confirm your identity and your residency in order to obtain the information, and you are only entitled to make this request up to twice annually. For emails, please include "Privacy Rights" as the subject line. You must include your full name, email address, and attest to the state in which you are a resident. We will process your request within 45 days or let you know if we need additional time or cannot process your request. If you make this request by telephone, we may also ask you to provide the request in writing so that we may verify your identity. If we are unable to honor your request for any reason, we will notify you of the reason within the request time period.

Right to Opt Out

You may have the right to opt out of the processing of your Personal Information for purposes of (i) targeted advertising, (ii) the sale of Personal Information, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer. To exercise your right, please click on the Cookie Preferences link on the bottom of the webpage where your information is being collected.

Opt-Out Preference Signals

Some browsers and browser extensions support opt-out preference signals such as the Global Privacy Control (“GPC”) that can send a signal to the websites you visit indicating your choice to opt-out from certain types of data processing, including data sales. GPC is a web browser-level setting, maintained by either a browser or a browser extension, that a user or privacy-focused technology can set. In certain regions, when we detect such a signal, we will make reasonable efforts to respect your choices as required by applicable law.

Appeals of Our Decisions

In some jurisdictions (Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas or Virginia), you may appeal to us if we refuse to take action on your exercise of certain choices described above. In order to appeal such a refusal, please contact us using the information in the Contact Us section below with the subject line “Appeal of Refusal to Take Action on Privacy Request” and provide the relevant information in the email.

If we decline to take action on any request you make, we will provide you with the information required by the applicable law where you live. This may include an explanation of why we declined your request, information on how to appeal our decision, and/or how to make a complaint to your state Attorney General.

16. Your Rights Under the General Data Protection Regulation

This section of the Policy applies if you are a data subject who resides or is located in the European Economic Area (“EEA”). We adopt this section to comply with European privacy laws, including the General Data Protection Regulation (“GDPR”). Any terms defined in the GDPR have the same meaning when used in this section.

Under applicable law, we are considered the “data controller” of the Personal Information we handle under this Policy. In other words, we are responsible for deciding how to collect, use and disclose this information, subject to applicable law.

We want to ensure that the Personal Information we possess is always accurate and therefore we encourage you to update your information in case any changes have occurred. We have listed below the rights that you may be able to exercise in respect of the processing of your Personal Information, subject to applicable law. We take reasonable steps to ensure that the Personal Information that we process is limited to the Personal Information that are required in connection with the purposes set out in this Policy.

If you are a resident of or located within the EEA, you have certain data protection rights. These rights include:

The right to access, update or delete the information we have collected from you.
The right of rectification. You have the right to have your information rectified if that information is inaccurate or incomplete.
The right to object. You have the right to object to our processing of your Personal Information.
The right of restriction. You have the right to request that we restrict the processing of your Personal Information.
The right to data portability. You have the right to be provided with a copy of the information we have on you in a structured, machine-readable, and commonly used format.
The right to withdraw consent. You also have the right to withdraw your consent at any time where we relied on your consent to process your Personal Information.

Legal Basis for Processing Personal Information

We rely on the following legal bases for processing your Personal Information:

Contract: To conclude or perform a contract with you; for example:
- To manage and fulfill queries and to provide other Services;
- To manage our accounts and records;
- To handle your inquiries and requests;
Legitimate Interests: When we process your Personal Information for our legitimate interests, we make sure to consider and balance any potential impact on you and your rights under data protection laws. Our legitimate business interests do not automatically override your interests - we will not use your Personal Information for activities where our interests are overridden by the impact on you unless we have your consent or those activities are otherwise required or permitted to by law. You have the right to object to processing that is based on our legitimate interests, as further described below. Examples of legitimate interests include:
- To respond to your inquiries and requests for information;
- To maintain, improve, and analyze our Site and Services we offer;
- To conduct marketing activities;
- To detect, prevent, or investigate security breaches or fraud; and
- To facilitate the functionality of our Site;
Legal Compliance: To comply with our legal obligations; for example:
- To maintain appropriate records for internal administrative purposes and as required by applicable law, and
Consent: We will send you information by email on our Services or other promotions only with your consent or if you otherwise opt-in to receiving those communications. If you do not provide us with your consent to the processing of your Personal Information for this purpose, we will not send you this information. You have the right to withdraw your consent at any time as described below.

How to Exercise Your Rights Under the GDPR

If applicable, you may exercise any of your rights under the GDPR by submitting a verifiable data subject request to us by using the contact details below. You may make a request related to your Personal Information or on behalf of someone for which you have authorization. You must include your full name, email address, and attest to the fact that you are a citizen or resident of the EEA by including your country of citizenship or residence in your request. We may require you to confirm your identity and/or legal standing for the request as well as your residency in the EEA to obtain the information. We will respond to your request within 30 days or let you know if we need additional time.

Please note that we will ask you to verify your identity before responding to such requests, and we may deny your request if we are unable to verify your identity or authority to make the request.

Should you wish to raise a concern about our use of your data (and without prejudice to any other rights you may have), you have the right to do so with your local supervisory authority; however, we hope that we can assist with any queries or concerns you may have about our use of your Personal Information first by contacting us using the information in the Contact Us section below.

17. Your Rights Under the UK GDPR

If you are based in the United Kingdom, the following provisions also apply:

If we share your Personal Information within FriendliAI or with third parties located outside the United Kingdom, we take steps to ensure that appropriate safeguards are in place to guarantee the continued protection of your Personal Information, such as by entering into the international data transfer addendum to the European Commission’s Standard Contractual Clauses, adopted by the UK Government under section 119A of the Data Protection Act 2018.

You have the same data subject rights as those for the EU listed above, except that references to the "GDPR" should be read as references to the "UK GDPR" and complaints should be filed with the UK supervisory authority, the Information Commissioner’s Office.

18. Changes to This Privacy Policy

We may change this Privacy Policy at any time. We will post all changes to this Policy on this page and will indicate at the top of the page the modified policy’s effective date. We therefore encourage you to refer to this page on an ongoing basis so that you are aware of our current privacy policy. If required by the applicable law, we will notify you of the changes.

By continuing to use the Site or Services or providing us with information following such a replacement Policy being uploaded, you agree that you will be bound by the Privacy Policy as changed.

19. Contact Us

If you have any questions or suggestions regarding this Policy, please contact us as follows:

Data Controller

FriendliAI is the data controller of Personal Information processed in relation to the Service. You may contact us through the following contact information:

FriendliAI

Address: 303 Twin Dolphin Drive, Suite 600 Unit 6009, Redwood City, CA 94065

Phone Number: (650) 563-5047

Email Address: privacy@friendli.ai

ANNEX 1: ADDITIONAL CLAUSES FOR KOREAN RESIDENTS

1. Personal Data Retention Period

Notwithstanding the Retention of Personal Information section of the Privacy Policy, FriendliAI may use and retain Korean residents’ personal data until the end of the relevant retention period in the below cases:

Cases	Retention Period
Investigation is necessary to find out the reason for termination in case FriendliAI terminates the relevant service agreement due to a reason attributable to user	Three (3) years from the date of termination
Investigation in progress due to violation of any applicable laws and regulations	Until the completion of the investigation
Existence of claims and/or obligations	Until the settlement of the claims and/or obligations
Records related to resolution of user’s complaints or settlement of disputes	Three (3) years
Records related to payment for and provision of services	Five (5) years

2. Consignment of Personal Data Processing

The following applies to the consignment of processing personal data of Korean residents:

Consignment of personal data processed overseas:

Consignee	Destination Country	Time and Method of Transfer	Personal Data	Purpose of Use	Period of Retention and Processing
Amazon Web Service Inc. (aws-korea-privacy@amazon.com)	U.S.	Transferred through server	Any personal data processed	Data management	Until member’s membership withdrawal; or until the consignment agreement is terminated
Neon, Inc. (security@neon.tech)	U.S.	Transferred through server	Any personal data processed	Data management	Until member's membership withdrawal; or until the consignment agreement is terminated
Nebius B.V. (privacy@nebius.com)	U.S.	Transferred through server	Any personal data processed	Data management	Until member's membership withdrawal; or until the consignment agreement is terminated
Vercel (privacy@vercel.com)	U.S.	Transferred through server during bot detection and latency tracking	IP address, user agent, request metadata used for bot detection and latency measurement	Bot detection (automated traffic identification), latency tracking, and security	Until member's membership withdrawal; or until the consignment agreement is terminated
WorkOS, Inc. (support@workos.com)	U.S.	Transferred through server	Name, email, organization name, authentication and identity provider information, login data	Authentication, and Identity Management	Until member’s membership withdrawal; or until the consignment agreement is terminated
Microsoft Clarity (clarity@microsoft.com)	U.S.	Transferred through server when Service usage history occurs	Service usage history	Analysis of usage patterns	Until member’s membership withdrawal; or until the consignment agreement is terminated
Stripe, Inc. (privacy@stripe.com)	U.S.	Transferred through server	Name, email, billing address, credit card information, purchase amount, date of purchase	Electronic payment processing	Until member’s membership withdrawal; or until the consignment agreement is terminated
Google LLC (googlekrsupport@google.com)	U.S.	Transferred through server when Service usage history occurs	Service usage history	Analysis of usage patterns	Until member’s membership withdrawal; or until the consignment agreement is terminated
Amplitude, Inc. (privacy@amplitude.com)	U.S.	Transferred through server when Service usage history occurs	Service usage history	Analysis of usage patterns	Until member’s membership withdrawal; or until the consignment agreement is terminated
Functional Software, Inc. (compliance@sentry.io)	U.S.	Transferred through server during error monitoring and performance tracking	No personal data collected; only error logs and performance metadata (such as stack traces, timestamps, request paths without identifiers)	Application error monitoring and performance tracking	Until member’s membership withdrawal; or until the consignment agreement is terminated
HubSpot, Inc. (privacy@hubspot.com)	U.S.	Transferred through server when Service usage history occurs	Service usage history	Analysis of usage patterns	Until member’s membership withdrawal; or until the consignment agreement is terminated
Twilio Inc. (privacy@twilio.com)	U.S.	Transferred through server when sending emails	Email address	Sending email	Until member’s membership withdrawal; or until the consignment agreement is terminated
OpenRouter, Inc (support@openrouter.ai)	U.S.	Transferred through server	Personal information contained in user inputs	Third party AI service	Until member’s membership withdrawal; or until the consignment agreement is terminated
X Corp. (https://xai-privacy.relyance.ai)	U.S.	Transferred through server	Personal information contained in user inputs	Third party AI service	Until member’s membership withdrawal; or until the consignment agreement is terminated
OpenAI OpCo, LLC (privacy@openai.com)	U.S.	Transferred through server	Personal information contained in user inputs	Third party AI service	Until member’s membership withdrawal; or until the consignment agreement is terminated
Anthropic PBC (privacy@anthropic.com)	U.S.	Transferred through server	Personal information contained in user inputs	Third party AI service	Until member’s membership withdrawal; or until the consignment agreement is terminated
Upstage Co., Ltd. (contact@upstage.ai)	KR	Transferred through server	Personal information contained in user inputs	Third party AI service	Until member’s membership withdrawal; or until the consignment agreement is terminated

3. Destruction of Personal Data

In the event the personal data needs to be retained by Korean Data Protection laws, such personal data will be segregated, moved to a separate database and safely stored in a different location.

The process and method of Korean residents’ personal data destruction are as follows:

Destroying Procedure: FriendliAI will determine the personal data to be destroyed, and such personal data will be destroyed with an approval of FriendliAI's Chief Privacy Officer.
Destroying Method: Hard copy printouts of personal data are shredded or burned, whereas electronic files of personal data are destroyed through a technical or physical means to ensure that the relevant data cannot be recovered.

4. The Chief Privacy Officer and Staff Responsible for Privacy Inquiries

The Chief Privacy Officer and the department responsible for handling privacy inquiries are designated as below to oversee all matters related to customer privacy and handle complaints, as well as to address any damage from privacy-related issues. For the avoidance of doubt, the Chief Privacy Officer is not the Data Protection Officer under the European General Data Protection Regulation (GDPR):

Chief Privacy Officer	Staff Responsible for Privacy Inquiries
Name: Byung Gon Chun Title: CEO	Department: Legal Phone number: +1(650)563 5047 Email address: privacy@friendli.ai Contact Person: Elizabeth Yoon

The users may contact the above department and staff for all personal data protection inquiries, complaint handling, damage relief, etc., that occurred while using FriendliAI's Service. FriendliAI will endeavor to respond and process any inquiry promptly.

5. Complaint to the Data Protection Authority

A Korean resident may submit a complaint to the below institutions:

Personal Data Breach Reporting Center: 118 (www.privacy.kisa.or.kr);

Personal Data Dispute Mediation Committee: 1833-6972 (www.kopico.go.kr);

Cybercrime Investigation Division at the Supreme Prosecutors' Office: 02-3480-3573 (www.spo.go.kr);

Cybercrime Investigation Bureau at the National Police Agency: 182 (http://cyberbureau.police.go.kr).