Privacy Policy

TRILLIAD GLOBAL PRIVACY NOTICE AND COOKIE POLICY

Entity: Trilliad and All Affiliated Entities
Effective Date: March 11, 2026
Last Updated: March 16, 2026

TABLE OF CONTENTS

1. Introduction and Identity of the Controller
2. Scope of This Privacy Notice
3. Definitions
4. Information We Collect
5. How We Use Your Information — Purposes and Legal Bases
6. How We Share Your Information
7. Cookies and Tracking Technologies
8. Cross-Border Data Transfers
9. Data Retention
10. Your Privacy Rights
11. Children’s Privacy
12. Data Security
13. Do Not Track and Global Privacy Control
14. Links to Third-Party Sites
15. Changes to This Privacy Notice
16. Contact Us and How to Submit a Request
17. Supplemental Notices by Jurisdiction

1. • 17A. Supplemental Notice for California Residents (CCPA/CPRA)

1. • 17B. Supplemental Notice for EEA Residents (EU GDPR)

1. • 17C. Supplemental Notice for United Kingdom Residents (UK GDPR / PECR)

1. • 17D. Supplemental Notice for Japan Residents (APPI)

1. INTRODUCTION AND IDENTITY OF THE CONTROLLER

Trilliad, LLC and its affiliated entities (“Trilliad,” “we,” “our,” or “us”) respects your privacy and is committed to protecting the personal information you share with us. This Global Privacy Notice and Cookie Policy (the “Privacy Notice”) explains how we collect, use, share, retain, and protect personal information across our global operations as a B2B marketing agency.

The data controller for personal information processed in connection with our website and direct client and business development activities is:

Trilliad, LLC
[INSERT Registered Address]
Attn:      privacy@trilliad.com
                  Jessica Troiano, General Counsel, Growth and Commercial

Where Trilliad entities in other jurisdictions act as data controllers or data processors, the applicable affiliated entity is identified in the relevant Supplemental Notice in Section 17.

The type of personal information we collect and the legal basis on which we process it depends on the nature of your interaction with us and the jurisdiction in which you are located. Please read this Privacy Notice carefully and consult the applicable Supplemental Notice for your jurisdiction.

2. SCOPE OF THIS PRIVACY NOTICE

This Privacy Notice applies to:

• Visitors to any website operated by Trilliad or its affiliated entities (collectively, the “Website”);
• Individuals who contact us via the Website, by email, telephone, or any other channel;
• Prospective and existing clients, vendors, business partners, and their respective representatives;
• Individuals whose personal information is contained in campaign, suppression, or marketing lists shared with Trilliad by clients in connection with our services; and
• Applicants for employment or engagement with Trilliad (to the extent addressed herein and in any supplemental applicant notice issued separately).

This Privacy Notice does not apply to:

• The internal treatment of employee personal information (governed by Trilliad’s Internal Personal Information Protection Policy);
• Personal information processed solely on behalf of clients pursuant to a Data Processing Agreement, where Trilliad acts exclusively as a data processor (in such cases, the applicable client’s privacy notice governs); or
• The practices of third-party websites linked from our Website.

3. DEFINITIONS

For the purposes of this Privacy Notice, the following terms have the meanings set forth below:

“Affiliated Entity” means any subsidiary, parent company, holding company, or other entity that is directly or indirectly under common ownership or control with Trilliad.

“Consent” means a freely given, specific, informed, and unambiguous indication of agreement by a data subject — whether by a statement or by a clear affirmative action — to the processing of personal information relating to them.

“Cookie” means a small text file placed on a user’s device by a website, used to store information about the user’s browsing session or preferences.

“Data Controller” means the natural or legal person, public authority, agency, or other body that, alone or jointly with others, determines the purposes and means of processing personal information.

“Data Processor” means a natural or legal person, public authority, agency, or other body that processes personal information on behalf of a data controller.

“Data Subject” means an identified or identifiable natural person to whom personal information relates.

“EEA” means the European Economic Area.

“Personal Information” / “Personal Data” means any information relating to an identified or identifiable natural person. This includes, but is not limited to: names, postal and email addresses, telephone numbers, IP addresses, device identifiers, cookie identifiers, location data, and any other information that can, directly or indirectly, identify a natural person. In certain jurisdictions, the definition may extend to household-level data.

“Sensitive Personal Information” / “Special Category Data” means personal information revealing or relating to racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic or biometric data processed for the purpose of uniquely identifying a natural person; data concerning health; data concerning a natural person’s sex life or sexual orientation; citizenship or immigration status; precise geolocation; government-issued identification numbers; and financial account credentials. The specific categories that constitute sensitive personal information vary by jurisdiction.

“Service Provider” means any natural or legal person that processes personal information on behalf of Trilliad pursuant to a written contract.

“Third Party” means a natural or legal person, public authority, agency, or body other than the data subject, the data controller, the data processor, and persons who, under the direct authority of the data controller or data processor, are authorized to process personal information.

“Website” means any website operated by Trilliad or any of its Affiliated Entities, including but not limited to www.trilliad.com; www.justglobal.com; www.sercante.com; www.sandler.com.

4. INFORMATION WE COLLECT

4.1 Information Collected Automatically

When you visit our Website, certain information is collected automatically through cookies, web beacons, pixel tags, server logs, and similar tracking technologies. This information includes:

• Internet Protocol (IP) address;
• Browser type and version;
• Operating system and device type;
• The URL of the page you visited immediately prior to navigating to our Website;
• Pages accessed on our Website, time spent, and date and time of access;
• Unique device identifiers and cookie identifiers;
• Approximate geographic location (derived from IP address); and
• Clickstream and navigational data.

This information is used for internal analytics, Website optimization, security, and — where you have provided consent — for marketing purposes. Please see Section 7 (Cookies and Tracking Technologies) for further detail.

4.2 Information You Voluntarily Provide

We collect personal information that you voluntarily provide to us when you:

• Contact us via Website forms, email, or telephone;
• Request information about our services or submit a proposal inquiry;
• Download white papers, reports, or other resources from our Website;
• Register for webinars or events we host or participate in; or
• Enter into a contract with us for the provision of services.

This information may include your name, business email address, telephone number, job title, company name, and the content of your communications with us.

4.3 Information Provided by Clients in Connection with Services

As a B2B marketing agency, Trilliad’s clients may provide us with personal information in the form of:

• Campaign lists: Lists of prospective contacts for the purposes of executing targeted marketing campaigns on behalf of our clients. These lists typically contain business contact information, including name, business email address, telephone number, job title, and company name.
• Suppression lists: Lists of individuals who have opted out of receiving marketing communications from our clients, which we use to ensure that such individuals are excluded from client campaigns.

When processing campaign and suppression list data, Trilliad acts as a data processor on behalf of the client as data controller. An individual’s information will appear on a campaign list only where the client represents that it holds a lawful basis for using that information for the stated marketing purposes. Trilliad’s use of such data is governed by the applicable Data Processing Agreement with the relevant client, and such data is not used for Trilliad’s own independent purposes.

4.4 Information Collected from Third-Party Sources

We may receive personal information about you from third-party sources, including:

• Business contact data providers and public professional databases (e.g., LinkedIn);
• Analytics and advertising technology partners;
• Service providers acting on our behalf; and
• Publicly available sources, including company websites and professional networks.

Where required by applicable law, we will notify you of such collection.

5. HOW WE USE YOUR INFORMATION — PURPOSES AND LEGAL BASES

Trilliad processes personal information only for specified, legitimate purposes and only where a valid legal basis exists. The legal bases applicable to each processing activity vary by jurisdiction. The table below sets forth our primary processing purposes, the categories of data involved, and the legal bases we rely upon.

Where we rely on legitimate interests as our legal basis, we have assessed that our interests are not overridden by the interests or fundamental rights and freedoms of data subjects, taking into account the reasonable expectations of individuals in a B2B marketing context. You have the right to object to such processing in certain jurisdictions; see Section 10 for details.

Where we rely on consent, you may withdraw your consent at any time without affecting the lawfulness of processing carried out prior to withdrawal. Instructions for withdrawing consent are set forth in Section 10 and Section 7 (for cookie consent).

We will not use your personal information for purposes that are materially different from, unrelated to, or incompatible with the purposes described in this Privacy Notice without providing prior notice and, where required, obtaining your consent.

6. HOW WE SHARE YOUR INFORMATION

Trilliad does not sell your personal information for monetary consideration. Trilliad does not share personal information with third parties for those third parties’ own direct marketing purposes without your consent.

We may disclose personal information to the following categories of recipients, and only to the extent necessary for the stated purpose:

6.1 Service Providers

We engage third-party service providers that perform functions on our behalf, including website hosting, analytics, IT support, marketing technology platforms, and data management. We require all service providers to process personal information only on our instructions, in accordance with a written contract that includes appropriate data protection obligations, and consistent with the privacy notice under which the information was collected.

6.2 Client Disclosure

Where Trilliad processes campaign or suppression data provided by a client, that data may be shared with downstream vendors (e.g., media platforms, publishers, demand-side platforms) in connection with executing the client’s marketing campaign. All such sharing is governed by the client’s Data Processing Agreement and Trilliad’s vendor contracts.

6.3 Affiliated Entities

We may share personal information among Trilliad’s Affiliated Entities for purposes consistent with this Privacy Notice, including service delivery, administration, and compliance. Where such transfers cross jurisdictional borders, appropriate safeguards are implemented as described in Section 8.

6.4 Legal and Regulatory Disclosure

We may disclose personal information to courts, regulators, supervisory authorities, law enforcement agencies, or government bodies where required or permitted by applicable law, including in response to a valid court order, subpoena, regulatory inquiry, or legal process. To the extent permissible and practicable, we will notify affected clients or data subjects of such disclosure.

6.5 Business Transfers

In connection with a merger, acquisition, reorganization, sale of assets, or similar corporate transaction, personal information held by Trilliad may be transferred to a successor entity. Any such transfer will be conducted in compliance with applicable data protection law, and affected individuals will be notified where required.

6.6 Protection of Rights and Safety

We may disclose personal information where we believe in good faith that disclosure is reasonably necessary to protect the rights, property, or safety of Trilliad, our personnel, clients, or the public; to detect, prevent, or address fraud; or to enforce our contractual or legal rights.

7. COOKIES AND TRACKING TECHNOLOGIES

7.1 Overview

When you visit our Website, we use cookies and similar tracking technologies (including web beacons, pixel tags, and analytics tools) to collect information about your device, browser, and interactions with our Website.

A cookie is a small text file placed on your device when you visit a website. Cookies enable websites to function efficiently and help website operators understand how their sites are used.

A web beacon (also known as a pixel tag or clear GIF) is a small electronic file embedded in a webpage or email that allows us and our service providers to track actions such as page visits or email interactions.

We use cookies and similar technologies for the following purposes:

• operating and securing our Website
• remembering your preferences
• analyzing Website usage
• measuring advertising performance
• delivering and measuring advertising campaigns

7.2 Cookie Categories

We use the following categories of cookies on our Website:

7.2.1 Strictly Necessary Cookies

These cookies are essential for the Website to function properly and cannot be switched off in our systems. They are usually set in response to actions you take, such as setting your privacy preferences or navigating the site.

Because these cookies are strictly necessary for the operation of the Website, they do not require consent where permitted by applicable law.

7.2.2 Analytics and Performance Cookies

These cookies help us understand how visitors interact with our Website by collecting information about page visits, traffic sources, and user behavior. This information helps us improve Website performance and usability.

We use Google Analytics 4 for analytics and performance measurement.

Where required by applicable law, these cookies are only set after you provide consent.

You may learn more about Google Analytics here:
https://support.google.com/analytics

You can opt out of Google Analytics tracking using the Google Analytics Opt-out Browser Add-on:
https://tools.google.com/dlpage/gaoptout

7.2.3 Functional Cookies

These cookies enable the Website to remember choices you make and provide enhanced functionality and personalization features.

Where required by applicable law, these cookies are only set after you provide consent.

7.2.4 Marketing and Advertising Cookies

These cookies are used by us and our advertising partners to measure the effectiveness of advertising campaigns, build audiences, and deliver advertising that may be more relevant to your interests.

These cookies are only set after you provide consent where required by applicable law.

We currently use the following advertising and marketing partners.

Google Ads

More information:
https://adssettings.google.com

Meta (Facebook)

More information:
https://www.facebook.com/privacy/policy/

LinkedIn

More information:
https://www.linkedin.com/legal/privacy-policy

X (formerly Twitter)

More information:
https://twitter.com/en/privacy

The Trade Desk

More information:
https://www.thetradedesk.com/us/privacy

Captify

Captify provides search-intent data used for advertising targeting and campaign measurement.

More information:
https://www.captify.co.uk/privacy-policy/

Bombora

Bombora provides B2B audience intelligence and interest-based segmentation.

More information:
https://bombora.com/privacy/

7.3 Consent for Non-Essential Cookies

For visitors in the European Economic Area, the United Kingdom, and other jurisdictions where prior consent is required for non-essential cookies: When you first visit our Website, a cookie consent banner will be displayed. No analytics, functional, or marketing cookies will be set until you provide your affirmative consent by selecting the applicable cookie categories. You may accept all non-essential cookies, reject all non-essential cookies, or customize your preferences by category. The option to reject all non-essential cookies is presented with equal prominence to the option to accept all cookies. Your consent preferences are stored and applied to your subsequent visits to our Website.

For visitors in jurisdictions where an opt-out mechanism is the applicable standard: Non-essential cookies may be set on your device, but you may opt out at any time using the controls described in Section 7.4.

7.4 Managing Your Cookie Preferences

You may manage or withdraw your cookie consent preferences at any time using the cookie preference center accessible via the “Cookie Settings” link located in the footer of every page of our Website.

In addition, most web browsers permit you to control cookies through their settings. You may instruct your browser to refuse cookies or to delete existing cookies. Please note that disabling certain cookies may affect the functionality of our Website. Browser-specific guidance is available at:

• Google Chrome: chrome://settings/cookies
• Mozilla Firefox: https://support.mozilla.org/en-US/kb/cookies-information-websites-store-on-your-computer
• Microsoft Edge: https://support.microsoft.com/en-us/microsoft-edge/delete-cookies-in-microsoft-edge
• Safari: https://support.apple.com/en-us/HT201265
• General guidance: www.allaboutcookies.org

For industry-wide advertising opt-outs, you may also visit:

• https://aboutads.info/choices/

https://www.youronlinechoices.eu/

8. CROSS-BORDER DATA TRANSFERS

Trilliad operates globally with offices and service providers located in multiple jurisdictions. In conducting our business, personal information may be transferred to, stored in, or processed in a country other than the country in which it was originally collected, including countries whose data protection laws may differ from those of your home jurisdiction.

Where personal information is transferred across jurisdictions, we implement appropriate safeguards to protect the information in accordance with applicable law:

We also may rely on adequacy decisions where applicable — for example, transfers of personal information to countries that the European Commission, the UK Secretary of State, or another applicable authority has recognized as providing an adequate level of protection.

A copy of the applicable transfer safeguards may be requested by contacting us at the details set forth in Section 16.

9. DATA RETENTION

Trilliad retains personal information only for as long as necessary to fulfill the purposes for which it was collected, to comply with legal obligations, to resolve disputes, and to enforce agreements. Retention periods may vary depending on the category of personal information and the context in which it was collected. The appropriate retention period is determined by considering:

• the purpose for which the information was collected and whether that purpose has been fulfilled;
• the nature and sensitivity of the information;
• the potential risk of harm from unauthorized use or disclosure;
• applicable legal, regulatory, or contractual retention requirements; and
• applicable limitation periods for legal claims.

Upon expiry of the applicable retention period, personal information is securely deleted or anonymized in accordance with Trilliad’s Records Retention and Disposal Policy. Requests regarding data retention specific to your personal information may be directed to the contact details set forth in Section 16.

10. YOUR PRIVACY RIGHTS

Subject to applicable law and jurisdiction, individuals may have the following rights with respect to their personal information held by Trilliad. Additional jurisdictional rights are described in the Supplemental Notices in Section 17.

The specific rights available to you, and any applicable conditions or exceptions, depend on the jurisdiction in which you are located. To exercise any of the rights listed above, please submit a request using the contact details set forth in Section 16. Trilliad may need to verify your identity before processing your request.

Trilliad will respond to privacy rights requests within the timeframe required by applicable law. As a general guide:

• GDPR / UK GDPR: Within 30 days (extendable by an additional 60 days for complex or numerous requests, with written notice to the requestor)
• CCPA / CPRA: Within 45 days (extendable by an additional 45 days with written notice)
• APPI (Japan): Within a reasonable period as specified by applicable PPC guidance

Trilliad does not charge a fee to respond to a privacy rights request unless the request is manifestly unfounded, excessive, or repetitive, in which case a reasonable administrative fee may be charged or the request may be declined, with written explanation provided to the requestor.

11. CHILDREN’S PRIVACY

Our Website is intended for adults conducting business and is not directed to, nor does it knowingly solicit personal information from, children under the age of 16 (or the applicable minimum age in the relevant jurisdiction, which may be as low as 13 under certain laws).

If we become aware that a child under the applicable minimum age has submitted personal information to us through our Website without verifiable parental or guardian consent, we will take prompt steps to delete such information from our systems.

If you are a parent or guardian and believe that your child has provided personal information to us, please contact us at the details set forth in Section 16.

12. DATA SECURITY

Trilliad implements technically and organizationally appropriate security measures designed to protect personal information against unauthorized access, disclosure, alteration, or destruction. These measures include, but are not limited to:

• Encryption of personal information in transit using industry-standard protocols (TLS);
• Encryption of personal information at rest on Trilliad’s secure file management platform;
• Role-based access controls limiting access to personal information to personnel who require it to perform their duties;
• Regular security assessments and monitoring of systems and infrastructure;
• Incident response procedures and a documented data breach notification process; and
• Security training for all personnel with access to personal information.

Notwithstanding these measures, no method of data transmission over the internet or electronic storage is completely secure. We cannot guarantee the absolute security of personal information. By providing your information to us, you acknowledge this inherent risk.

To report a suspected security incident or data privacy concern, please contact us at privacy@trilliad.com or via the privacy contact details set forth in Section 16.

13. DO NOT TRACK AND GLOBAL PRIVACY CONTROL

Do Not Track (DNT): Some web browsers transmit a “Do Not Track” signal to websites. There is no universally accepted standard for how websites should respond to DNT signals. Our Website does not currently modify its data collection and use practices in response to DNT signals.

Global Privacy Control (GPC): Trilliad honors valid Global Privacy Control (GPC) signals transmitted by users’ browsers as a legally recognized opt-out of the sale and sharing of personal information under the California Privacy Rights Act (CPRA) and applicable state laws that recognize GPC as a valid opt-out mechanism. Where a GPC signal is detected from a user located in a jurisdiction in which GPC recognition is required, Trilliad will treat that signal as an opt-out request and will not process the user’s personal information for sale or cross-context behavioral advertising purposes.

GPC does not affect processing that is strictly necessary for the operation of the Website or that is otherwise lawful on a basis other than the data subject’s consent or absence of an opt-out.

14. LINKS TO THIRD-PARTY SITES

Our Websites may contain links to third-party websites, services, or resources that are operated by parties other than Trilliad. These links are provided for convenience and informational purposes only. Trilliad has no control over, and assumes no responsibility for, the content, privacy practices, or data handling of any third-party website or service. We encourage you to review the privacy notice of any third-party site you visit before providing personal information.

15. CHANGES TO THIS PRIVACY NOTICE

The global privacy regulatory landscape is dynamic, and we may update this Privacy Notice from time to time to reflect changes in applicable law, our data practices, or our organizational structure. When material changes are made, we will update this Privacy Notice by posting the revised version on our Website.

Where required by applicable law, we will provide more prominent notice of material changes (e.g., by email notification or a notice on our Website homepage) and, when required, we will seek your renewed consent.

Your continued use of our Website following the posting of any revised Privacy Notice constitutes your acknowledgment of such changes. If you do not agree to the revised Privacy Notice, please discontinue use of our Website and contact us to exercise any applicable privacy rights.

16. CONTACT US AND HOW TO SUBMIT A REQUEST

If you have any questions, concerns, or requests relating to this Privacy Notice or the handling of your personal information, please contact Trilliad’s Privacy function using the following details:

Privacy Officer / Legal Department
Trilliad, LLC
7920 Norfolk Avenue Suite 200. Bethesda, MD 20814
Email:  privacy@trilliad.com
Online Request Form: Click Here

For residents of specific jurisdictions, additional or alternative contact details may be set forth in the applicable Supplemental Notice in Section 17.

Trilliad will endeavor to acknowledge receipt of all privacy inquiries promptly and to respond within the applicable statutory timeframe.

17. SUPPLEMENTAL NOTICES BY JURISDICTION

The following supplemental notices apply to residents of specific jurisdictions and supplement — but do not replace — the general provisions of this Privacy Notice. In the event of any conflict between a Supplemental Notice and the general provisions of this Privacy Notice, the Supplemental Notice controls with respect to the residents of the applicable jurisdiction.

17A. SUPPLEMENTAL NOTICE FOR CALIFORNIA RESIDENTS

California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA)

Effective Date: March 11, 2026 | Last Updated: March 11, 2026

This Supplemental Notice applies to all California residents (“consumers”) and is issued in compliance with the California Consumer Privacy Act of 2018 (Cal. Civ. Code §1798.100 et seq.) (“CCPA”) and the California Privacy Rights Act of 2020 (“CPRA”), as amended and implemented by regulations of the California Privacy Protection Agency (“CPPA”). Any terms defined in the CCPA or CPRA have the same meaning when used in this Supplemental Notice.

Categories of Personal Information Collected

In the preceding twelve (12) months, Trilliad has collected the following categories of personal information:

Sources of Personal Information

Trilliad collects the categories of personal information identified above from the following sources:

• Directly from you (e.g., via Website forms, email correspondence, or service agreements);
• Indirectly through your interaction with our Website (e.g., cookies, log files, analytics); and
• From clients who provide campaign or suppression list data containing business contact information.

Purposes for Collection and Use of Personal Information

We collect and use personal information for the following business and commercial purposes:

• To operate, maintain, and improve our Website;
• To respond to your inquiries and provide our services;
• To process client campaign and suppression lists in accordance with applicable Data Processing Agreements;
• To analyze trends and user behavior for internal business analytics;
• To comply with applicable legal obligations;
• To detect and prevent fraud and other unlawful activity; and
• As otherwise described in Section 5 of this Privacy Notice.

Disclosure of Personal Information for a Business Purpose

In the preceding twelve (12) months, Trilliad has disclosed the following categories of personal information for business purposes:

• Identifiers (including persistent online identifiers and IP addresses) — disclosed to data analytics and advertising technology providers.
• Internet or Network Activity — disclosed to website analytics providers.
• Professional or Employment Information — disclosed to downstream marketing technology vendors in connection with client campaign execution, pursuant to applicable Data Processing Agreements.

Sale and Sharing of Personal Information

Trilliad does not sell your personal information for monetary consideration within the meaning of CPRA §1798.140(al).

Trilliad may share personal information (specifically, online identifiers and internet activity data) with advertising technology partners for purposes of cross-context behavioral advertising. California residents have the right to opt out of such sharing at any time; see “Your CPRA Rights” below.

Your CPRA Rights

California residents have the following rights under the CPRA:

1. Right to Know. You have the right to request that Trilliad disclose: (a) the categories and specific pieces of personal information collected about you; (b) the categories of sources from which your personal information was collected; (c) the business or commercial purpose for collecting, selling, or sharing your personal information; (d) the categories of third parties to whom your personal information is disclosed; and (e) information about any sale or sharing of your personal information.
2. Right to Delete. You have the right to request deletion of personal information that Trilliad has collected from you, subject to exceptions set forth in CPRA §1798.105.
3. Right to Correct. You have the right to request correction of inaccurate personal information that Trilliad maintains about you (CPRA §1798.106).
4. Right to Opt Out of Sale / Sharing. You have the right to opt out of the sale of your personal information and the sharing of your personal information for cross-context behavioral advertising purposes. To exercise this right, click “Do Not Sell or Share My Personal Information” in the footer of our Website or submit a request via the contact details below. Trilliad also honors valid Global Privacy Control (GPC) signals as an opt-out of sale/sharing.
5. Right to Limit Use of Sensitive Personal Information. You have the right to direct Trilliad to limit the use and disclosure of your Sensitive Personal Information to the uses necessary to perform the services you requested or as otherwise permitted by CPRA §1798.121. Trilliad does not use sensitive personal information beyond the permitted purposes enumerated in the CPPA regulations.
6. Right to Data Portability. You have the right to request a portable copy of your personal information in a readily usable format.
7. Right to Non-Discrimination. Trilliad will not discriminate against you for exercising any CPRA rights. We will not deny you services, charge you different prices, or provide you with a different level of quality of service as a result of your exercise of these rights.

Exercising Your CPRA Rights

To exercise any of the rights described above, you or your authorized agent may submit a verifiable consumer request by:

• Email: privacy@trilliad.com
• Online: Click Here

We will endeavor to respond to a verifiable consumer request within forty-five (45) calendar days of receipt. If we require additional time (up to an additional 45 days), we will notify you in writing within the initial 45-day period and provide the reason for the extension.

We will verify your identity before fulfilling any request. The verifiable consumer request must provide sufficient information for us to reasonably confirm that you are the person about whom we collected personal information. You may authorize an agent to submit a request on your behalf; we may require written authorization and verification of the agent’s identity.

Contact for California Privacy Inquiries

privacy@trilliad.com

17B. SUPPLEMENTAL NOTICE FOR EEA RESIDENTS

EU General Data Protection Regulation (GDPR)

This Supplemental Notice applies to residents of the European Economic Area (“EEA”) and is issued in compliance with Regulation (EU) 2016/679 of the European Parliament and of the Council (the “GDPR”).

Identity and Contact Details of the Data Controller

For personal information collected in connection with our Website and EEA-based business activities, the data controller is:

Trilliad, LLC
706 Giddings Ave Suite 400 Annapolis, MD 21401

Data Protection Officer (if appointed): not required. Privacy contact: privacy@trilliad.com

If you have any questions about our data protection practices or wish to exercise your rights under the GDPR, please contact: privacy@trilliad.com

Lawful Bases for Processing

Trilliad processes personal information of EEA residents on the following lawful bases under GDPR Article 6:

• Performance of a Contract (Art. 6(1)(b)): Where processing is necessary to perform a contract to which you are party or to take steps at your request prior to entering into a contract.
• Legal Obligation (Art. 6(1)(c)): Where processing is necessary for compliance with a legal obligation to which Trilliad is subject.
• Legitimate Interests (Art. 6(1)(f)): Where processing is necessary for the purposes of our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights and freedoms. Our legitimate interests include: operating and improving our Website; conducting B2B direct marketing; fraud prevention and network security; and defending or pursuing legal claims. We have documented legitimate interests assessments for each such purpose and these are available upon request.
• Consent (Art. 6(1)(a)): Where you have given freely given, specific, informed, and unambiguous consent to the processing of your personal information for one or more specific purposes, including the placing of non-essential cookies. You may withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal.

For processing of Special Category Data (GDPR Article 9), Trilliad relies on explicit consent (Art. 9(2)(a)) or another applicable basis enumerated in Article 9(2).

International Transfers

Transfers of EEA personal data to countries outside the EEA that do not benefit from an adequacy decision by the European Commission are conducted pursuant to the Standard Contractual Clauses adopted by the European Commission (Decision 2021/914/EU), supplemented where required by a Transfer Impact Assessment. A copy of the applicable SCCs may be requested by contacting privacy@trilliad.com

Rights of EEA Data Subjects

EEA residents have the following rights under the GDPR:

1. Right of Access (Art. 15): To request confirmation of whether Trilliad processes your personal data and, if so, to receive a copy and supplementary information.
2. Right to Rectification (Art. 16): To request correction of inaccurate or incomplete personal data.
3. Right to Erasure — “Right to be Forgotten” (Art. 17): To request deletion of your personal data where it is no longer necessary for the purpose collected, consent has been withdrawn, or processing is unlawful.
4. Right to Restriction of Processing (Art. 18): To request that we restrict processing in certain circumstances.
5. Right to Data Portability (Art. 20): To receive your personal data in a structured, machine-readable format and transmit it to another controller.
6. Right to Object (Art. 21): To object to processing based on legitimate interests (including direct marketing). Where the objection relates to direct marketing, processing for that purpose will cease immediately upon receipt of your objection.
7. Rights Related to Automated Decision-Making and Profiling (Art. 22): Not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects on you.
8. Right to Lodge a Complaint: To lodge a complaint with the supervisory authority in the EEA member state where you are habitually resident, where you work, or where the alleged infringement occurred. Contact details for EU supervisory authorities are available at: https://www.edpb.europa.eu/about-edpb/board/members_en.

To exercise any of these rights, please contact us at [INSERT EEA PRIVACY CONTACT EMAIL]. We will respond within thirty (30) days of receipt, extendable by a further sixty (60) days for complex or numerous requests, with written notice of the extension provided within the initial 30-day period.

17C. SUPPLEMENTAL NOTICE FOR UNITED KINGDOM RESIDENTS

UK GDPR / UK Data Protection Act 2018 / Privacy and Electronic Communications Regulations (PECR)

This Supplemental Notice applies to residents of the United Kingdom (“UK”) and is issued in compliance with the UK General Data Protection Regulation (as retained in UK law pursuant to the European Union (Withdrawal) Act 2018) (the “UK GDPR”), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (as amended) (“PECR”).

Identity and Contact Details of the Data Controller

For personal information collected in connection with our Website and UK-based business activities, the data controller is:

Trilliad, LLC
706 Giddings Ave Suite 400 Annapolis, MD 21401

Lawful Bases and Rights

The lawful bases for processing personal information of UK residents are materially the same as those described in Section 17B (EEA Residents), applied under the UK GDPR. UK residents hold materially the same data subject rights as EEA residents as described in Section 17B, subject to any modifications introduced by UK law, including the Data (Use and Access) Act 2025 (DUAA) to the extent in force at the applicable effective date of this Privacy Notice.

Cookies (PECR)

Under PECR, we are required to obtain prior informed consent before placing any non-essential cookies on the devices of UK Website visitors. Our consent mechanism complies with applicable PECR requirements and UK GDPR consent standards. Strictly necessary cookies are exempt from this consent requirement. Please see Section 7 for full details of our cookie practices and consent controls.

International Transfers from the UK

Transfers of UK personal data to countries outside the UK that do not benefit from UK adequacy regulations are conducted pursuant to the International Data Transfer Agreement (IDTA) issued by the UK Information Commissioner’s Office, or the Addendum to the European Commission’s Standard Contractual Clauses, as applicable. Transfers to EEA countries are made under the UK-EU adequacy decision (subject to its continuation).

Supervisory Authority

The supervisory authority for UK data protection matters is the Information Commissioner’s Office (ICO). You have the right to lodge a complaint with the ICO at any time:

Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Website: https://ico.org.uk
Helpline: 0303 123 1113

17D. SUPPLEMENTAL NOTICE FOR JAPAN RESIDENTS

Act on the Protection of Personal Information (APPI) (Act No. 57 of 2003, as amended 2022)

This Supplemental Notice applies to individuals located in Japan and is issued in compliance with the Act on the Protection of Personal Information (個人情報の保護に関する法律) (“APPI”), as amended effective April 2022, and the guidelines issued by the Personal Information Protection Commission (“PPC”) (個人情報保護委員会).

Business Operator Information

Trilliad, LLC
706 Giddings Ave Suite 400 Annapolis, MD 21401
Privacy Contact: privacy@trilliad.com

Collection, Use, and Purpose Specification

Trilliad specifies, in advance, the purposes for which personal information of Japan residents is used (APPI Article 17) and handles such information only within the scope necessary to achieve those purposes. We will notify or publicly announce the purposes of use at the time of collection (Article 21).

Sensitive Personal Information (Yōhairyo Kojin Jōhō)

Trilliad does not collect or use sensitive personal information (including information relating to race, creed, social status, medical history, criminal records, or other categories designated by Cabinet Order) without the prior, explicit consent of the data subject (APPI Article 20(2)).

Third-Party Provision

Trilliad will not provide personal information to a third party without your prior consent, except as permitted by the APPI (e.g., as required by law, within the scope of entrustment, or between group companies for shared use). Where Trilliad provides personal information to a third party, we maintain records of such disclosures as required by Articles 29–30 of the APPI.

Opt-Out of Third-Party Provision

Where Trilliad intends to provide personal information to a third party on an opt-out basis (as permitted by APPI Article 27(2)), we will notify the PPC in advance and publicly announce the categories of personal information subject to such provision, the method of third-party provision, and the procedure for opting out.

Rights Under the APPI

Japan residents have the right to request that Trilliad:

• Disclose retained personal information concerning them (Article 33);
• Correct, add to, or delete such information if it is inaccurate (Article 34);
• Cease using or erase personal information where it has been acquired unlawfully or is no longer necessary for the specified purpose (Article 35); and
• Cease third-party provision of personal information where such provision violates the APPI (Article 35).

Requests should be submitted using the contact details above. We will respond within a reasonable period in accordance with PPC guidance. A reasonable fee may apply for disclosure requests.

PPC Complaints

Complaints regarding Trilliad’s handling of personal information may be directed to the Personal Information Protection Commission:
Website: https://www.ppc.go.jp