EEA+ Supplemental Data Protection Law Disclosures

We are the data controller in relation to the processing of personal data as described in this Supplemental Notice.

Our contact details are as follows:

• Address: 400 1st Ave, San Mateo, CA 94401
• Telephone Number: 1-844-CHATAPI (242-8274)
• Email Address: privacy@sendbird.com

We process your personal data for different purposes and on several different legal bases, as follows:

i. Necessity to perform a contract with you (Art. 6 (1) lit. b GDPR/UK GDPR). We process your personal data to:

• enter into an agreement with you or a legal entity you represent;
• provide our Services and perform contractual obligations to you;
• process payments for products or Service purchased;
• respond to related questions and requests from you;
• provide customer or technical support; and
• list job openings, and collect job application information.

ii. Our legitimate interests. (Art. 6 (1) lit. f GDPR/UK GDPR). We process your personal data based on our legitimate interests to:

• transfer your personal data within the group of companies for internal administrative and support purposes (access is limited to colleagues with a need to know);
• transfer your personal data in connection with a transfer of all or part of our organization or assets for the orderly transition of all or part of our business;
• protect the security, safety, and integrity of our Services, our system, as well as our users ;
• engage in research and development efforts to assess the performance of our Services, analyze activities, usage, interests, and trends in connection with our Services, improve and personalize our Services, and develop new products and services;
• track your activities in connection with our Services and present you with advertisements based on your activities and interests, provided you have not opted out of such data processing;
• create de-identified and/or aggregated information, such as demographic information and information about the device from which you access our Services;
• assess and pursue potential business opportunities;
• protect and defend the rights, safety, or property of us or third parties, including to enforce agreements, policies, and terms of use, and in an emergency to protect the safety of our employees or any person;
• detect and prevent fraud;
• exercise our legal rights or defend legal claims; and
• contact you during your candidacy for employment, send you employment announcements, or request other types of information to determine your suitability for employment.

iii. Compliance with a legal obligation to which Sendbird is subject (Art. 6 (1) lit. c GDPR/UK GDPR). We process your personal data:

• for the transmission to law enforcement agencies, governmental authorities, legal counsel, and external consultants to comply with relevant laws and regulatory requirements, or to respond to lawful requests, court orders, and legal processes.

iv. Based on your prior consent (Art. 6 (1) lit. a GDPR/UK GDPR) for:

• participating in surveys or assessments ;
• sending marketing communications to you; and
• placing non-operationally necessary cookies on your device.

You may withdraw your consent to participate in the survey or assessment or to receive our marketing communications at any time with future effect by contacting us at [privacy@sendbird.com] or clicking on the opt-out link provided in each marketing communication.

We may share personal data with affiliates, vendors, agents, or other third parties as required or permitted by applicable law. For example, we may hire companies to assist with the provisioning of our Services or protect and secure our systems.

The personal data that we collect or receive about you may be transferred to and processed by recipients that are located inside or outside the EEA+ and which are not recognized from an EEA+ law perspective as providing for an adequate level of data protection. Sendbird may transfer your personal data to the United States, Singapore, India, and South Korea.

To the extent your personal data is transferred to countries that do not provide for an adequate level of data protection from an EU, Swiss, or UK law perspective, we will base the respective transfer on appropriate safeguards (Art. 46 GDPR/UK GDPR), such as standard data protection clauses adopted by the European Commission, such as using the European Commission’s Standard Contractual Clauses (“SCCs”). You can ask for a copy of such appropriate safeguards by contacting us as set out in the “Contact Us” section in our Privacy Notice. For personal data transferred from the United Kingdom, Switzerland, or European Union, to the United States, Sendbird has self-certified its compliance with the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), the Swiss-U.S. Data Privacy Framework ("Swiss-U.S. DPF"), and the UK Extension to the EU-U.S. DPF ("UK Extension"), collectively (the "DPF"). Further information can be found on Sendbird's Data Privacy Framework Notice.

Your personal data will be retained for as long as necessary for the purposes for which it was collected, which in most cases does not exceed 5 years. When Sendbird no longer needs to use your personal data to comply with our reasonable business, contractual or statutory obligations, we will remove it from our systems and records and/or take steps to properly anonymize it so that you can no longer be identified from it, unless we need to keep your information, including personal data, to comply with statutory retention periods, such as for tax, audit, or legal compliance purposes, for a legally prescribed time period thereafter, or if we need it to preserve evidence within statutes of limitation.

Under applicable law, you may have the following rights in relation to your personal data. These may be limited under applicable data protection law.

i. Right to request from us access to personal data. You have the right to confirm with us whether your personal information is processed, and if it is, to request access to that personal information including the categories of personal information processed, the purpose of the processing, and the recipients or categories of recipients. You have the right to obtain a copy of the personal data undergoing processing. However, this is not an absolute right and the interests of other individuals may restrict your right of access.

ii. Right to rectification. You have the right to obtain from us rectification of inaccurate or incomplete personal information concerning you without undue delay. Depending on the purposes of the processing, you may have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

iii. Right to erasure of your personal data (right to be forgotten). You have the right to ask us to erase personal data concerning you.

iv. Right to restriction of processing. In limited circumstances, you have the right to request that we restrict processing of your personal data.

v. Right to data portability. You may have the right to receive personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and you may have the right to transmit that personal data to another entity without hindrance from us.

vi. Right to object. Under certain circumstances, you may have the right to object, on grounds relating to your particular situation, at any time to the processing of your personal data, including profiling, by us and we can be required to stop processing your personal data.

Moreover, if your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of personal data concerning you for such marketing, which includes profiling to the extent that it is related to such direct marketing. In this case, your personal data will no longer be processed for such purposes by us.

vii. Right to withdraw consent. If you have declared your consent for any personal data processing activities, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal.

You can exercise your rights by contacting us as set out in the “Contact Us” section in our Privacy Notice. You may also have the right to lodge a complaint with a supervisory authority.

Where we are required by law to collect your personal data, or we need to collect your personal data under the terms of a contract we have with you, and you fail to provide that personal data when we request it, we may not be able to perform the contract we have or are trying to enter into with you. This may apply where you do not provide the personal data we need in order to provide the Services you have requested from us. In this case, we may have to cancel the provision of the relevant Services to you, in which case we will notify you.

We use commercially reasonable efforts to protect the confidentiality and security of the personal data we process. However, despite these efforts to store personal data in a secure operating environment, we cannot guarantee the security of the personal data during its transmission or its storage on our systems. Furthermore, while we attempt to ensure the integrity and security of personal data, we cannot guarantee that our security measures will prevent third parties, such as hackers, from illegally obtaining access to it.

Data Subject Access Request

You may exercise your privacy rights at any time by contacting us.

Complaints

You may exercise your privacy rights at any time by contacting us. If you consider our use of your personal data to be unlawful, you have the right to lodge a complaint with the data protection authority in the country where you live. We encourage you to first reach out to us at so we have an opportunity to address your concerns directly before you do so.

Our contact details are as follows:

• Address: 400 1st Ave, San Mateo, CA 94401
• Telephone Number: 1-844-CHATAPI (242-8274)
• Email Address: privacy@sendbird.com

If we update this Supplemental Notice, we will take appropriate measures to inform you. These measures will be consistent with the significance of the changes we made. You can see when this Supplemental Notice was last updated by checking the “last updated” date displayed below.