Product & Services Privacy Statement Ambridge Underwriting & Insurance Services Privacy Statement (“Privacy Statement”) The Ambridge Group (which includes Ambridge Partners LLC, Ambridge Europe Limited (and its subsidiary, Ambridge Europe GmbH & Co. KG) (“The Group” or “we” and each entity a “Group Entity”) provides underwriting and/or insurance-related services. This Privacy Statement explains how we collect, use, disclose, and otherwise process end user personal data in connection with our products and services, including the insurance policies we underwrite (collectively, the “Services”). The Group’s processing of personal data in connection with the Services is governed by this Privacy Statement and our customer agreements, including without limitation any Non-Disclosure Agreements, Expense Agreements or other agreement (each, a “Customer Agreement”) with any Group Entity. In the event of any conflict between this Privacy Statement and a Customer Agreement, the Customer Agreement will control to the extent permitted by applicable law. This Privacy Statement is not a substitute for any privacy notice that any Group Entity’s customers are required to provide to their employees or other end users. Information We Collect Information provided to us by customers in connection with their use of the Services. This may include personal data that customers provide when they: Provide information in connection with soliciting the Services in their capacity as a representative of a business; or Submit documents, such as presentations or due diligence materials, to a Group Entity for purposes of underwriting and other insurance-related services. We process this information only to provide the Services as described in this Privacy Statement and the relevant Customer Agreements (as such term is defined herein). How We Use Information We use the information we collect for the following purposes: To provide our Services, which includes using information for the purposes of: Underwriting due diligence and assessing materials submitted in connection with claims for insurance coverage and other notifications under the insurance policies we underwrite; Performing KYC and AML checks; Determining whether additional information is needed for purposes of underwriting or claims servicing; and Improving the Services and developing new products and services. Our legal basis for processing personal information for the above purposes is our legitimate interest in providing services to our Customers (as such term is defined herein). To comply with law: We may use personal information as we believe necessary or appropriate to comply with applicable law. For compliance, fraud prevention and safety: As we believe necessary or appropriate to (a) enforce the terms and conditions that govern the Services; (b) protect our rights, privacy, safety or property, and/or that of you or others; and (c) protect, investigate and deter against fraudulent, harmful, unauthorised, unethical or illegal activity. Our legal basis for processing personal information for these purposes is our legitimate interest in operating our business. How We Share Information We share the information we collect with: Our parent, subsidiaries, and affiliates (including all Group Entities) for purposes consistent with this Privacy Statement; The insurers (and their reinsurers and legal advisors) for which we underwrite; Third party service providers that help us administer, execute, manage and improve the Services; Our professional advisors, such as lawyers, accounting/financial/professional advisors, bankers, auditors and insurers, where necessary in the course of the professional services that they render to us; Government, regulator, law enforcement officials or private parties as required by law or regulation, when we believe such disclosure is necessary or appropriate to (a) comply with applicable law; (b) enforce the terms and conditions that govern the Service; (c) protect our rights, privacy, safety or property, and/or that of you or others; and (d) protect, investigate and deter against fraudulent, harmful, unauthorised, unethical or illegal activity We may sell, transfer or otherwise share some or all of a Group Entity’s business or assets, including personal data, in connection with a business deal (or potential business deal) such as a merger, consolidation, acquisition, reorganisation or sale of assets or in the event of bankruptcy. Data Subject Rights For the purposes of this Agreement, the term “Customer” includes any person or entity, together with their affiliates, that requests our underwriting and/or insurance-related services as well as their representatives (including employees, brokers, legal advisors and other professional advisors). Customers of a Group Entity are data controllers of the personal data they provide to us, and have a direct relationship with the Customer providing the personal data to the Group Entity in connection with the Services. Our customers are responsible for providing or requiring their Customers to provide all necessary privacy notices to the individuals to whom the personal data pertain, as well as receiving and responding to – or requiring their Customers to receive and respond to – data subjects’ requests to exercise any rights afforded to them under applicable data protection law. The Group will assist Customers in responding to such requests as set forth in a Customer Agreement, if applicable. For additional information concerning Data Subject Rights, please contact [email protected]. Information for Individuals in the European Economic Area: Data subjects in Europe whose information is processed by Ambridge Partners, LLC, and data subjects whose information is processed by Ambridge Europe Limited and its subsidiaries (including Ambridge Europe GmbH & Co. KG), have rights to request to: access, correct, delete, and transfer their personal information; and restrict and object to our processing of personal information. Cross Border Data Transfer In connection with the Services, the Group or a Group Entity may transfer personal data to countries outside the European Union. When transferring data to Ambridge Partners LLC in the United States, Ambridge Europe Limited and Ambridge Europe GmbH & Co. KG rely on standard contractual clauses to establish the basis for the transfer. If we transfer personal data to other third parties outside of the European Union, we verify that the transfer is supported by an appropriate legal basis, such as the third party’s EU-US Privacy Shield certification, model clauses, or Binding Corporate Rules. Data Retention Subject to the terms of any Customer Agreements with the Group, we retains personal data for as long as necessary to (a) provide the Services; (b) comply with legal obligations; (c) resolve disputes; and (d) enforce the terms of Customer Agreements. we will retain data as set forth in a Customer Agreement, if applicable. For additional information concerning the Group’s data retention practices, please contact [email protected]. Contact Us If you have any question about this Ambridge Underwriting & Insurance Services Privacy Statement, you can contact our privacy team at [email protected]. Individuals in the European Economic Area (EEA) may contact Ambridge Europe GmbH & Co. KG, which is the data controller for individuals located in the EEA: Ambridge Europe GmbH & Co. KG Attn: Legal – Privacy Friedrich-Ebert-Anlage 36, 60325 Frankfurt am Main, Germany Residents within the EEA also have the right to file a complaint with the supervisory authority of their member state.