Privacy Policy

Thank you for your interest in Franchise Ninja, a product of Visual Visitor, LLC. (referred to as "Visual Visitor", "we", "us" or "our"). Your privacy is important to us, and this Privacy Policy describes how we process personal information as part of our business operations, including the types of personal information that we collect, the purposes for which we use it, the types of third parties to whom we share it, and the rights and responsibilities you may have with respect to such personal information with respect to our Franchise Ninja offering (the "Services"). This Privacy Policy applies to the personal information you provide to us through any type of engagement or interaction, such as when you access or use our Site or any of our Services. For purposes of this Privacy Policy, the Site and Services are collectively referred to as the "Online Services". By accessing or using the Online Services or by otherwise providing us with personal information, you are consenting and agreeing to the terms and conditions set forth in this Privacy Policy.

1. Definitions

For purposes of this Privacy Policy, the term "personal information" refers to any information that, either alone or in conjunction with other data, can be used to distinguish or identify a particular individual, household, or device, and that is subject to, or otherwise afforded protection under, a law, statute, or regulation governing data privacy or security.

Any capitalized term that is not otherwise defined herein, shall be ascribed the meaning set forth in the Terms of Service and Services Agreement (the "Terms of Service").

2. The Types of Personal Information We Collect

The type and categories of personal information that Visual Visitor collects varies based on the nature and scope of our business activities. However, when you do not provide personal information that Visual Visitor requests, we may not be able to provide you our services or complete a transaction, and you agree that Visual Visitor will not be liable or otherwise responsible for any damages or loss arising from such circumstances. Generally, we collect the following types and categories of personal information from users of our Online Services or as part of our business operations:

Technical Data

In addition to the foregoing, when you use the Online Services, we collect and use additional data and tools, including usage data, metadata, location data, and cookies and tracking technologies (collectively, "Technical Data"), which is described below. The Online Services collect Technical Data on a consistent and reoccurring basis, unless your device settings are updated to prevent such collection. We use this Technical Data in accordance with the terms and disclosures set forth in this Privacy Policy.

Usage Data. When you access and use the Online Services, we may automatically collect details of your access to and use of the Online Services, including traffic data, usage logs, and other communication data, and the resources that you access and use on or through the Online Services (e.g., browsing history, search history). We may also collect information about your device and internet connection, including the device's unique device identifier (e.g., device type, IMEI, Wi-Fi MAC, IP address), operating system, browser type, and mobile network information. The Online Services may collect diagnostic-related data related to your use of the Online Services, such as crash data and logs, performance data (e.g., launch time, hang rate, or energy use), and any other data collected for the purposes of measuring technical diagnostics.

Metadata and Device Access. The Online Services may access metadata and other information associated with files stored on your device, such as photographs, audio and video clips, personal contacts, and address book information.

Location Data. When you access and use the Online Services, we may collect information and data identifying the precise, real-time location of the device that is used to access or use the Online Services. You can choose whether or not to allow the Online Services to collect and use information about your device's location. If you block the use of location information, some parts of the Online Services may become inaccessible or not function properly.

Cookies and Tracking Technologies. We use cookies and other tracking technologies within the Online Services. A cookie is a small file placed on your smartphone or other device. It may be possible to refuse to accept cookies by activating the appropriate setting on your smartphone or device. However, if you select this setting, some parts of the Online Services may become inaccessible or not function properly. In addition, the Online Services may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us to analyze data on the users of the Online Services (e.g., recording the popularity of certain content and verifying system and server integrity). The Online Services may collect data about the advertisements you have seen or engaged. For more information, see our Cookies Policy.

4. How We Collect Personal Information / Sources

Visual Visitor obtains your personal information directly from you when you provide it to us (i.e., direct collection) and from third parties (i.e., indirect collection), which includes the following:

Direct Collection

We often collect personal information directly from you when you undertake the following activities: use or access our Services; complete one of our web forms; contact our customer service centers or request information from us in any other way; visit one of our locations or premises; submit an order or make a purchase with us; provide us contact information via a business card or through similar communications; complete a survey or otherwise provide us feedback; report product/service issues; communicate with us via social networking websites, third party applications, or similar technologies; and/or visit one of our trade counters at an exhibition.

Indirect Collection

We may collect personal information about you from third parties, which we may combine with other information we already retain in order to provide the Online Services or promote our legal or business interests. For example, institutions that partner with Visual Visitor may provide personal information to us so we can create user accounts for their users. In addition, employers may provide us with personal information and other background data on their job applicants so we can assist with their employment recruitment process. If you provide personal information about a third party, then you expressly represent and warrant to Visual Visitor that you have the full right and lawful authority to provide Visual Visitor with the information.

5. How We Use Your Information

We use, process and retain your personal information to provide the Online Services, and to promote and defend our business interests. This includes:

Promotional Communications

We may use your personal information to send you or assist in sending you updates (by email, text message, telephone or post) about our products and/or services or those of our customers, including exclusive offers, promotions or new products and/or services.

We have a legitimate interest in processing your personal information for promotional purposes. This means we do not usually need your consent to send you promotional communications. However, where consent is needed, we will ask for this consent separately and clearly.

We will always treat your personal information with the utmost respect and will only share it with other organizations for marketing purposes with your consent or pursuant to legitimate interests.

You have the right to opt out of receiving promotional communications at any time by:

• Contacting us at support@fdd.ninja
• Using the "unsubscribe" link in emails or "STOP" number in texts; or
• Logging into our application and updating your preferences.

We may ask you to confirm or update your marketing preferences if you instruct us to provide further products and/or services in the future, or if there are changes in the law, regulation, or the structure of our business.

Sharing Your Personal Information With Others

We routinely share personal information with:

• Our affiliates;
• Service providers we use to help deliver our products and/or services to you, such as payment service providers, warehouses and delivery companies;
• Other third parties we use to help us run our business, such as marketing agencies or website hosts;
• Third parties approved by you, including social media sites you choose to link your account to or third-party payment providers;
• Our customers in whom you indicate or demonstrate interest in their products and/or services.

We only allow our service providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you. We may also share personal information with external auditors, e.g., in relation to ISO accreditation and the audit of our accounts.

We may disclose and exchange information with law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.

We may also need to share some personal information with other parties, such as potential buyers of some or all of our business or during a restructuring. We will typically anonymize information, but this may not always be possible. The recipient of the information will be bound by confidentiality obligations.

6. How We Share Personal Information With Third Parties

Advisors and Third Party Employers. As part of the Services, we may share your personal information with advisors and employers with whom you may seek to engage for advice and consultation or we believe satisfy your employment or consulting needs or requirements.

Business Partners. In addition, we may share data with trusted partners to contact you based on your request to receive such communications, help us perform statistical analysis, or provide customer support. We may partner with trusted third parties to provide you with co-marketing content that we think may be relevant to you. We may also share your personal information with our third party professional advisors and consultants (e.g., outside counsel, tax advisors).

Corporate Restructuring. If we (or our assets) are acquired by another legal entity, whether by merger, acquisition, bankruptcy or otherwise, that legal entity would receive all information gathered by Visual Visitor via the Online Services, including your personal information retained thereon. To the extent practicable, we will notify you of any such change in corporate ownership by posting a notice on the Site or taking similar actions.

Compelled Disclosure. We will use or disclose your personal information if required by law, statute, or regulation, or judicial or administrative order or decree, or any other demand submitted by a government, regulatory, or judicial entity that has the force and effect of law.

Business Interests. We reserve the right to use and disclose your personal information to a third party if we reasonably believe that use or disclosure will protect our rights or your safety or the safety of others.

This Privacy Policy may describe other circumstances in which Visual Visitor shares personal information with third parties, and such descriptions shall not limit the categories of sharing set forth in this Section 6 of the Privacy Policy and the personal information descriptions set forth in this Section 6 shall not limit Visual Visitor's ability to share personal information as set forth elsewhere in this Privacy Policy.

In the event that you facilitate a transaction with Visual Visitor, or request information from, or otherwise engage with us, and such activities require Visual Visitor (in our sole judgment) to share your personal information with a service provider or other third party, you hereby consent to the same and acknowledge and agree that any such third party information sharing is being undertaken at your direction.

Personal Information We Sold or Disclosed for a Business Purpose

In the preceding 12 months, we have not sold to one or more third parties the following categories of personal information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household:

• Information that identifies, relates to, describes, or is capable of being associated with a particular individual, including, but not limited to, his or her signature, social security number, physical characteristics or description, passport number, driver's license or state identification card number, insurance policy number, education, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information;
• Characteristics of protected classifications under California or federal law;
• Commercial information (e.g., records of personal property, products or services purchased, obtained);
• Biometric information;
• Geolocation data;
• Audio, electronic, visual, thermal, olfactory, or similar information;
• Education information, defined as information that is not publicly available personally identifiable information as defined in the Family Educational Rights and Privacy Act (FERPA); and
• Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.

In the preceding 12 months, we have sold, subject to the permission control mechanisms described in this Policy, to one or more third parties the following categories of personal information:

• Identifiers (e.g., a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, or other similar identifiers);
• Information that identifies, relates to, describes, or is capable of being associated with a particular individual, including, but not limited to, his or her name, address, telephone number, and current employment;
• Internet or other electronic network activity information (e.g., browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement);
• Commercial information (e.g., records of products or services considered, or other purchasing or consuming histories or tendencies);
• Professional or employment-related information;
• Inferences drawn from any of the information identified above to create a profile about a consumer reflecting the consumer's preferences.

Third Party Links, Single Sign On (SSO)

Visual Visitor may include in the Online Services certain links to other websites, including websites operated by unaffiliated third parties. Each such third party website has its own privacy policies and practices, which may be different than the policies and practices described herein; we urge you to read any privacy policy posted on a third party website carefully as such third party privacy policy (and not this Privacy Policy) controls with respect to the collection, use, and processing of your personal information thereon. Additionally, to the extent that you follow a link to a website operated by an independent third party, please be aware that Visual Visitor exercises no authority or control over that third party and we cannot be, and are not, responsible for any information that you may submit at that website or how it is used.

You may log into our Online Services through or from a third party social media or authentication service (e.g., Facebook, LinkedIn, Google). These sign-on services will authenticate your identity and provide you access to our Services, provide you with the option to share certain personal information (e.g., name, email address, profile picture, location) with us, and pre-populate our forms or other parts of our Services with the personal information already retained by the third party. You should verify your privacy settings on these third party services to understand and determine the types of personal information sent to us.

8. Third Party Collection and Tracking

When you access the Online Services, certain third parties may use automatic information collection technologies to collect information about you or your device that is used to access the Online Services. These third parties may include advertisers, ad networks, and ad servers; analytics companies; your mobile device manufacturer, and your mobile service provider. They may collect personal information about your online activities over time and across different websites, apps, and other websites. They may use this information to provide you with interest-based (behavioral) advertising or other targeted content. We do not control the tracking technologies employed by third parties or how they may be used. If you have any questions about an advertisement or other targeted content, you should contact the responsible provider directly.

9. Data Retention and Localization

The time period in which Visual Visitor retains your personal information varies depending on the purpose for the data processing. For example, we retain personal information needed to provide you with products and services, to facilitate transactions you have requested, or to engage in marketing activities, and for so long as necessary to comply with applicable laws and regulations (including tax law) and defend our legal or business interests. In all other cases, we retain your personal information for as long as is needed to fulfill the purposes outlined in this Privacy Policy.

Visual Visitor is based in the United States and the personal information that we (and our third party service providers) collect and process is retained and stored in the United States. Please be aware that (i) the United States may not provide the same level of protection of personal information as in your country, state, or jurisdiction of residence or nationality, (ii) the European Union and other foreign authorities have determined that, in some circumstances, the United States does not provide an adequate level of protection for personal information, and (iii) when transferred to the United States, your personal information may be accessible by, or otherwise made available to, government authorities and officials pursuant to regulatory, judicial, and/or administrative orders, decrees, and demands, and/or other domestic laws, statutes, and regulations, applicable in the United States. In addition, we (and our third party service providers) may retain personal information in other jurisdictions that we (or our services providers) operate. You hereby consent to your personal information being transferred to, and stored in, the United States and the other jurisdictions where we (and our service providers) operate.

Generally, we retain personal data only as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law. Retention periods are determined by:

• Purpose Compliance: Data is deleted/anonymized when no longer needed for its original processing purpose (e.g., customer account data deleted 3 years after last activity).
• Legal Obligations: Extended retention where required by EU/Member State laws (e.g., 7 years for financial records under tax legislation).
• Ongoing Relationships: Active user accounts: Retained while active + 2 years post-inactivity.
• Dispute Resolution: Data relevant to litigation or regulatory investigations may be preserved until resolution.

User profile data will be retained for 36 months after account closure to comply with consumer protection regulations. Website analytics cookies are automatically purged after 14 months unless refreshed consent is obtained.

Key Retention Provisions

• Right to Erasure: We honor deletion requests within 30 days unless conflicting legal obligations exist (Art. 17(3) GDPR).
• Anonymization: Non-essential data may be irreversibly anonymized for statistical/archival purposes.
• System Coverage: Retention rules apply to all storage locations, including backups and third-party processors.
• Review Cycle: Retention periods are reassessed annually or when regulatory requirements change.

10. Information Security

We are committed to protecting the security of your personal information. We use a variety of security technologies and procedures to help protect your personal information from unauthorized access, use or disclosure. However, no information system can be fully secure, so we cannot guarantee the absolute security of your personal information. Moreover, we are not responsible for the security of information you transmit to the Online Services over networks that we do not control, including the Internet and wireless networks, and you provide us with any information and data at your own risk. To the extent permitted by law, Visual Visitor shall not be liable or otherwise responsible for any data incident that compromises or may compromise the confidentiality, security, integrity, or availability of your personal information. The safety and security of your personal information also depends on you. Where we have given you (or where you have chosen) a username and password to access the Online Services, you are responsible for maintaining the security and confidentiality of those credentials and not revealing them to others. You must contact us immediately if you have reason to believe that your username or password to our Online Services have been compromised.

11. No Personal Information Collected from Children

Our Online Services are not directed at, nor intended for use by, children under the age of thirteen. As a result, we will not knowingly collect information from children under thirteen years of age with or without consent from their parents or guardians. If you are under the age of thirteen, you are hereby prohibited from using our Online Services or with providing us with your personal information. If you are a customer who provides us with general information about children, you hereby represent and warrant that you have the right and authority to provide us with such data.

12. Your Responsibilities and Warranties

You are permitted, and hereby agree, to only provide personal information to Visual Visitor if such personal information is accurate, reliable, and relevant to our relationship and only to the extent such disclosure will not violate any applicable data protection law, statute, or regulation or infringe upon any individual's data privacy rights or privileges. If you provide Visual Visitor with any personal information about yourself or a third party, you expressly represent and warrant to Visual Visitor that (i) you have the full right and authority to disclose such personal information to Visual Visitor, (ii) the company can use such personal information in accordance with this Privacy Policy, and (iii) you are in compliance with the requirements set forth herein. You also agree to fully reimburse Visual Visitor for any damages, losses, or expenses that arise based on your violation of your representations, warranties and responsibilities set forth in this Privacy Policy.

13. Marketing; Shine the Light Law (California Privacy)

You have the right to opt-out of receiving electronic direct marketing communications from us. All electronic direct marketing communications that you may receive from us, such as e-mail messages, will give you an "unsubscribe" option of not receiving such communications from us in the future. California residents have the right to request certain information regarding our disclosure of personal information to third parties for their direct marketing purposes. We do not share personal information with third parties with whom we have reason to believe use such information for their own direct marketing purposes.

14. California Privacy Rights (California Consumer Privacy Act)

Pursuant to the California Consumer Privacy Act of 2018, as amended ("CCPA"), California residents may have additional data privacy rights, such as the right to be notified about what personal information is collected about them, and our intended use and purpose for collecting your personal information. California residents have the right to know and access the categories or specific pieces of personal information we have collected, used, disclosed, or sold about them over the past twelve (12) months; the categories of sources from which the personal information is collected; and, the business or commercial purpose for which the personal information was collected, used, disclosed, or sold. In addition, certain California residents have the right to request Visual Visitor transfer, to the extent feasible, personal information in certain forms and formats. California residents have the right to request that we (and any applicable service provider) delete/erase their personal information under certain circumstances. California residents have the right to opt-out of the sale of their personal information and Visual Visitor does not sell your personal information to third parties for profit or other valuable consideration. California residents have the right not to be subject to discrimination for asserting their rights under the CCPA. The categories of personal information we have collected about California residents in the preceding twelve (12) months, the categories of sources from which the personal information is collected, and the business or commercial purpose for collecting such personal information is set forth in this Privacy Policy.

You, or your authorized agency, may submit a CCPA data privacy rights request to Visual Visitor by contacting us in accordance with the details set forth below. If you make, or an authorized agent on your behalf makes, any request related to your personal information under the CCPA, Visual Visitor will ascertain your identity (and the identity of the authorized agent, to the extent applicable) to the degree of certainty required under the law before addressing your request. Visual Visitor may require you to verify your request via email and match at least two or three pieces of personal information we have previously collected from you before granting you access to, or erasing, specific pieces, or categories of, personal information, or otherwise responding to your request. We may require written documentation that demonstrates a third party is authorized to serve as your agent for the purposes of submitting the requests set forth herein.

California Users. To the extent that the California Consumer Privacy Act of 2018, as amended ("CCPA") applies to your use of the Online Services, this clause shall apply. Unless defined elsewhere in these Terms, each capitalized term that is used, but not defined, in this clause shall be ascribed the meaning set forth in the CCPA. Each party acknowledges and agrees that you shall be considered a Business and Visual Visitor shall, in its role of providing the Online Services, be considered a Service Provider for purposes of the CCPA. Each party further acknowledges and agrees that the collection and disclosure of Personal Information submitted and transmitted to the Online Services (i) does not constitute, and is not the intent of either party for such disclosure to constitute, a Sale of Personal Information under the CCPA, and (ii) if valuable consideration, monetary or otherwise, is being provided by you to Visual Visitor, such valuable consideration, monetary or otherwise, is so being provided for use of the Online Services and not for the disclosure of Personal Information. You hereby represent to Visual Visitor that you shall only disclose Personal Information to Visual Visitor and the Online Services for a permissible Business Purpose and you have the consent or other lawful basis to so furnish such Personal Information to Visual Visitor and the Online Services. Visual Visitor shall only Process your Personal Information in accordance with these Terms, unless otherwise required by law, or judicial or administrative order or rule. Without limiting the foregoing, Visual Visitor shall not retain, use, or disclose your Personal Information for any purpose other than for the specific purpose of performing the Online Services, or as otherwise permitted by law or these Terms, including retaining, using, or disclosing your Personal Information for a Commercial Purpose other than providing the Online Services. For the avoidance of doubt, Visual Visitor shall not Sell your Personal Information or authorize or otherwise permit any third party subcontractor to undertake the same. Upon written request from you, Visual Visitor shall promptly provide you access to, and/or delete, your Personal Information in Visual Visitor's custody or control, or in the custody or control of a third party acting on Visual Visitor's behalf, or otherwise provide you the technical controls necessary to satisfy the same.

15. Other State-Specific Privacy Rights

In addition to the rights provided under the California Consumer Privacy Act (CCPA), residents of certain U.S. states may have additional privacy rights. These include, but are not necessarily limited to:

Colorado Residents

The Colorado Privacy Act (CPA) provides Colorado residents with the following rights:

• Access their personal data;
• Correct inaccuracies in their personal data;
• Delete their personal data;
• Obtain their personal data in a portable format;
• Opt out of the processing of personal data for targeted advertising, sale of personal data, or profiling.

If we refuse to take action on your request, you may have the right to appeal our decision. Instructions on how to appeal will be included in our response to your request.

Connecticut Residents

Under the Connecticut Data Privacy Act (CTDPA), Connecticut residents have the right to:

• Access their personal data;
• Correct inaccuracies in their personal data;
• Delete their personal data;
• Obtain a copy of their personal data in a portable format;
• Opt out of the processing of personal data for targeted advertising, sale of personal data, or profiling.

If we refuse to take action on your request, you may have the right to appeal our decision. Instructions on how to appeal will be included in our response to your request.

Florida Residents

Under the Florida Digital Bill of Rights (FDBR), Florida residents have the right to:

• Access their personal data;
• Correct inaccuracies in their personal data;
• Delete their personal data;
• Opt out of the sale or sharing of their personal data;
• Opt out of targeted advertising.

Iowa Residents

Iowa residents have the following rights regarding their personal data: right to access; right to delete; right to data portability; right to opt-out of targeted advertising, sale of personal data, and profiling.

Maryland Residents

Maryland residents have the following rights regarding their personal data: right to access; right to delete; right to data portability; right to opt-out of targeted advertising and sale of personal data.

Minnesota Residents

Minnesota residents have the following rights regarding their personal data: right to access; right to delete; right to data portability; right to opt-out of targeted advertising and sale of personal data.

Montana Residents

Montana residents have the following rights regarding their personal data: right to access; right to delete; right to data portability; right to opt-out of targeted advertising and sale of personal data.

New Hampshire Residents

New Hampshire residents have the following rights: access, correction, deletion, and portability of their personal data; opt-out of targeted advertising, sale of personal data, or profiling.

Nebraska Residents

Nebraska residents have the right to: access their personal data; correct inaccuracies; delete their personal data; opt-out of targeted advertising, sale of personal data, and profiling.

New Jersey Residents

New Jersey residents have the following rights under the NJDPA: right to access personal data; right to correct inaccuracies; right to delete personal data; right to data portability; right to opt-out of targeted advertising, sale of personal data, and certain profiling.

Oregon Residents

Oregon residents have the following rights regarding their personal data: right to access; right to delete; right to correct inaccuracies; right to data portability; right to opt-out of targeted advertising, sale of personal data, and certain profiling. Right to Obtain List of Third Parties (Effective July 1, 2025): You will have the right to obtain a list of the specific third parties, other than processors, to whom the controller has disclosed the consumer's personal data.

Texas Residents

Texas residents have the following rights regarding their personal data: right to access; right to delete; right to correct inaccuracies; right to data portability; right to opt-out of targeted advertising, sale of personal data, and certain profiling.

Utah Residents

The Utah Consumer Privacy Act (UCPA) provides Utah residents with the following rights:

• Access their personal data;
• Delete their personal data;
• Obtain their personal data in a portable format;
• Opt out of the sale of their personal data or the processing of personal data for targeted advertising.

Virginia Residents

Under the Virginia Consumer Data Protection Act (VCDPA), Virginia residents have the right to:

• Access their personal data;
• Correct inaccuracies in their personal data;
• Delete their personal data;
• Obtain a copy of their personal data in a portable format;
• Opt out of the processing of personal data for targeted advertising, sale of personal data, or profiling.

If we refuse to take action on your request, you may have the right to appeal our decision. Instructions on how to appeal will be included in our response to your request.

16. European, Swiss, UK Data Protection Rights

If you are located in the European Economic Area, Switzerland, or the United Kingdom (UK), you may have additional rights with respect to the personal information we have about you. To the extent permitted by the European Union (EU) General Data Protection Regulation (GDPR), or applicable data protection laws in EU member states, Switzerland, or the UK, you may request the following: access to the personal information we hold about you; that inaccurate, outdated, or no longer necessary information be corrected, erased, or restricted; and, we provide your personal information in a format that allows you to transfer it to another entity. You also may withdraw your consent at any time if, and only if, we are solely relying on your consent for the processing of your personal information. You may object to our processing of your personal information where that processing is based on our legitimate interest. For purposes of clarity, we do not engage in any activity that subjects our survey participants, customers, or others to a decision based solely on automated processing, including profiling, which produces legal effects, or similarly significant results, impacting them. You may submit a data privacy rights request to Visual Visitor by contacting us in accordance with the details set forth below.

We process your personal information in accordance with the legal bases set forth in the GDPR. For example, our processing of personal information (as described herein) is justified based on the following GDPR provisions and which may overlap: (1) processing is based on your consent; (2) processing is necessary for our legitimate interests as set out herein; (3) processing is necessary for the performance of a contract to which you are a party; and (4) processing is required to comply with a legal or statutory obligation. You have the right to lodge a complaint with your competent data protection authority. If you wish to exercise any of these rights, please contact us in accordance with the instructions provided below in the "Contact Us" section. We may need to collect and process information about you solely for the purpose of responding and satisfying any data right request you may have.

European, Swiss, and UK Users. You acknowledge and agree to notify Visual Visitor of any intent you have to submit or transmit personally identifiable information to Visual Visitor and the Online Service that is subject to, or otherwise afforded protection under, European Union (EU), Swiss, or United Kingdom (UK) data protection laws. In the event you are permitted by Visual Visitor to submit or transmit such personally identifiable information to the Online Services, each party shall comply with its obligations and responsibilities set forth in Exhibit 1 (Data Processing Addendum). Notwithstanding any other provision within this Agreement, to the extent Visual Visitor collects and processes, on your behalf, any personally identifiable information that is subject to, or otherwise afforded protection under, EU, Swiss, or UK data protections laws, such collection and processing shall be subject to Exhibit 1 only (and not the Privacy Policy). In the event of a conflict between these Terms and Exhibit 1, the terms and conditions set forth in Exhibit 1 shall supersede and control with respect to such conflict.

17. Do Not Track Signals

Some web browsers may transmit "Do Not Track" signals to our Online Services. Because of differences in how web browsers incorporate and activate this feature, it is not always clear whether users intend for these signals to be transmitted, or whether they even are aware of them. We currently do not, unless otherwise required by law, take action in response to these signals.

18. Non-Discrimination

We will not discriminate against you for exercising your privacy rights. This means we will not deny you goods or services, charge you different prices or rates, or provide you with a different level or quality of goods or services just because you exercised your rights under these state privacy laws.

19. Universal Opt-Out Mechanisms

Effective January 1, 2025, we will honor user-enabled global privacy controls, such as a browser plug-in or privacy setting, device setting, or other mechanism, that communicate or signal the consumer's choice to opt out of the sale and sharing of their personal information.

20. Automated Decision-Making and Profiling

We may use automated decision-making and profiling in certain circumstances. You have the right to:

• Obtain human intervention;
• Express your point of view;
• Obtain an explanation of the decision reached;
• Challenge such decisions.

21. Data Security Measures

We implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information we collect and process. These measures include:

• Encryption of personal data at rest and in transit;
• Regular security assessments and penetration testing;
• Employee training on data protection and security best practices;
• Access controls and authentication mechanisms;
• Incident response and data breach notification procedures.

22. Targeted Advertising Opt-Out

You have the right to opt out of the processing of your personal data for targeted advertising purposes. To exercise this right, please visit our "Do Not Sell or Share My Personal Information" page or contact us at support@fdd.ninja.

23. Data Protection Impact Assessments

We conduct data protection impact assessments for processing activities that are likely to result in a high risk to individuals' rights and freedoms. These assessments help us identify and minimize data protection risks.

24. Persons with Disabilities

Visual Visitor strives to ensure that every person has access to information related to our products and services, including this Privacy Policy. Please contact us if you would like this Privacy Policy provided in an alternative format and we will seek to meet your needs.

25. Aggregated Data

Visual Visitor collects and retains de-identified, and aggregated data relating to the use of our Online Services ("Aggregated Data"), and we use such Aggregated Data for our own business purposes, such as to analyze customers and to develop, improve, and market our services. For the avoidance of doubt, we may use Aggregated Data for any purpose and such Aggregated Data is not subject to this Privacy Policy.

26. Communications Data

For the avoidance of doubt, in the event you provide Visual Visitor with a telephone number as part of your registration to the Online Services or as part of a purchase or transaction with us, you hereby consent and agree that Visual Visitor (or our service providers) may contact said telephone number by any means (including SMS/text message) for service and transactions purposes.

27. Changes to the Privacy Policy

At any time, we reserve the right to add to, modify or remove portions of our Privacy Policy. The effective date of our Privacy Policy will be included at the beginning of the Privacy Policy and will serve as a notice of when changes have been implemented to the Privacy Policy. It is your responsibility to review this Privacy Policy to determine if any revisions have been made to it. Your continued use of our Online Services after any revisions have been made to this Privacy Policy will indicate your acknowledgement of such changes and agreement to be bound by the updated terms and conditions set forth herein.

28. Contact Us

If you have questions regarding this Privacy Policy, would like to request more information from us, or would like to exercise a data privacy right or privilege, please contact us at:

Visual Visitor, LLC
Email: support@fdd.ninja
Website: https://www.fdd.ninja/

---

Exhibit 1 — Data Processing Addendum

1. Definitions

1.1 In this Data Processing Addendum ("DPA"), capitalized terms shall have the following meanings, unless defined in Visual Visitor's Terms of Service and Privacy Policy or otherwise required given the context.

1.2 The captions and section headings used are for the purposes of reference and convenience only, are not a part of this DPA, and shall not be used in construing this DPA. References in this DPA to "writing" or "written" includes e-mails and certified mail.

2. Scope and Application of This DPA

2.1 This DPA only supplements the provisions of the Terms in relation to the Online Services provided by the Data Processor to the Data Controller pursuant to the Terms.

3. Data Processing Obligations

3.1 With respect to Personal Data uploaded to the Online Services, the Data Controller will be responsible for complying with all requirements that apply to it under Applicable Data Protection Laws. In particular but without prejudice to the generality of the foregoing, the Data Controller acknowledges and agrees that it will be solely responsible for the following: (i) the accuracy, quality, and legality of Personal Data uploaded to the Online Services; (ii) complying with all necessary transparency and lawfulness requirements under applicable law for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations; (iii) ensuring the Data Controller has the right to transfer, or provide access to, the Personal Data to the Data Processor for Processing in accordance with the Terms (including this DPA); and (iv) ensuring that its Processing instructions comply with all Applicable Data Protection Laws. The Data Controller will not input into the Online Services, or otherwise provide the Data Processor, with any Special Categories of Personal Data, unless otherwise agreed to separately by the Data Controller. The Data Controller will inform the Data Processor, immediately and without undue delay, if Data Controller is not able to comply with its responsibilities set forth in this DPA.

3.2 The Data Processor agrees to Process the Personal Data in accordance with the terms and conditions set out in this DPA, and in particular the Data Processor undertakes: (i) to Process the Personal Data only on behalf of the Data Controller and at all times in compliance with the Data Controller's Instructions as defined in this DPA, and all Applicable Data Protection Laws; (ii) to ensure that any personnel entrusted with Processing the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and (iii) to implement and maintain commercially reasonable technical and organizational measures to appropriately protect Personal Data against a Personal Data Breach, and which shall include security requirements no less stringent than the ones the Data Processor implements and maintains to protect the confidentiality, integrity, and availability of its own proprietary information.

3.3 The Data Processor agrees to promptly notify the Data Controller about (i) any legally binding request for disclosure of the Personal Data by a government authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a government investigation; (ii) any Personal Data Breach affecting the Personal Data Processed on behalf of the Data Controller; and (iii) any request received directly from the Data Subjects (including rights to access, rectification, deletion, objection, restriction, data transfer, and the right not to be subject to a decision based solely on automated Processing, including profiling). The Data Processor will not respond directly to that request, except to notify the Data Subject that it is acting on behalf of the Data Controller and to furnish the Data Subject with the contact information of the Data Controller. The Data Processor, taking into account the nature of the Processing, will assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller's obligation to respond to requests for exercising the Data Subject's rights.

3.4 The Data Processor agrees to provide commercially reasonable cooperation to the Data Controller to assist the Data Controller comply with its own legal obligations related to Personal Data, such as: notification of a Personal Data Breach to the competent supervisory authority, communication of such Personal Data Breach to the Data Subjects affected and, where applicable, implementation of data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the Processing and the information available to the Data Processor.

4. International Data Transfers

4.1 The Data Controller hereby acknowledges and agrees that the Data Processor is located in the United States of America and that it will Process Personal Data in the United States of America in order to perform the Online Services. The Data Controller will ensure it has all proper authorization to transfer Personal Data to the Data Processor and the Online Services. If the Data Controller is located outside of the European Economic Area, the parties shall apply the provisions of the Standard Contractual Clauses, provided that the Standard Contractual Clauses are legally required and sufficient to meet the requirements of the applicable data protection regulations for the transfer of Personal Data by the Data Controller to the Data Processor pursuant to the Terms.

4.2 If the parties apply the Standard Contractual Clauses pursuant to Section 4.1 of this DPA, then the following shall apply:

• 4.2.1 The Standard Contractual Clauses shall be governed by the Module Two, Transfer controller to processor clauses in all applicable instances.
• 4.2.2 For purposes of Clause 9(a) of the Standard Contractual Clauses, the parties agree that Option 2 shall apply as set forth in Section 7 of this DPA.
• 4.2.3 For purposes of Clause 13(a) of the Standard Contractual Clauses, the applicable supervisory authority shall be the supervisory authority identified, in writing, by the Data Controller pursuant to the Terms (Data Protection).
• 4.2.4 For purposes of Clause 17 of the Standard Contractual Clauses, the parties agree that Option 2 shall apply. In particular, the Standard Contractual Clauses shall be governed by the law of the EU Member State in which the Data Exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights, and this shall be the law of the Republic of Ireland.
• 4.2.5 For purposes of Clause 18 of the Standard Contractual Clauses, the parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved in accordance with the dispute resolution framework set forth in the Terms. In the event such dispute resolution framework is legally prohibited, then the parties agree that the Courts of the Republic of Ireland shall resolve any such disputes.
• 4.2.6 Annex I of the Standard Contractual Clauses shall be applied on the following basis: (A) (i) Data Exporter: Data Controller, (ii) Data Importer: Data Processor; (B) (i) Categories of Data Subjects: Any and all users of the Online Services, (ii) Categories of Personal Data transferred: Personal Data relating to the use of the Online Services owned, licensed, or managed by the Data Processor, including the Personal Data set forth in the Terms and Privacy Policy, (iii) Sensitive Data transferred: none anticipated and prohibited, unless otherwise agreed to in writing by both parties, (iv) The frequency of transfer: continuous and as often as the Data Subjects use the Online Services, (v) Nature of Processing: cloud storage and facilitate access and use of the Online Services, (vi) Purpose of the data transfer and further processing: to provide access and use of the Online Services, (vii) The period for which Personal data will be retained: For the duration of the Terms and for the termination and transition period thereafter, as set forth in the Terms, to conclude, and (viii) Subprocessor transfers: The relevant information is set forth in Section 7 of this DPA; (C) The competent supervisory authority is set forth in accordance with the Terms ("Data Protection" section).
• 4.2.7 For purposes of Annex II of the Standard Contractual Clauses, the Data Processor shall implement and maintain technical and organizational security measures to protect Personal Data including: measures of pseudonymisation and encryption; measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems; measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures; measures for user identification and authorisation; measures for the protection of data during transmission and storage; measures for ensuring physical security of locations at which Personal Data are processed; measures for ensuring events logging, system configuration, internal IT governance, certification, data minimisation, data quality, limited data retention, accountability, and data portability and erasure.
• 4.2.8 For purposes of Annex III of the Standard Contractual Clauses, the list of Subprocessors is set forth in Section 7 of this DPA.

4.3 If the Standard Contractual Clauses are applicable between the parties pursuant to Section 4.1 of this DPA, their provisions will be deemed incorporated by reference into this DPA. To the extent required by the applicable data protection regulations, the parties shall enter into and execute the Standard Contractual Clauses as a separate document.

5. Termination

5.1 This DPA will terminate automatically upon the later of termination or expiry of (a) the Terms or (b) of the Data Processor's obligations in relation to the Processing. Where applicable, on termination of this DPA, the Data Processor shall return to the Data Controller or delete, at the Data Controller's request, all the Data Controller's Personal Data in its possession or under its control. Upon the request of the Data Controller, the Data Processor shall confirm compliance with such obligations in writing and delete all existing copies, unless applicable law requires storage or otherwise permits retention of the Personal Data.

5.2 The Data Controller shall be entitled to terminate this DPA by notice in writing to the Data Processor if the Data Processor is in a material or persistent breach of this DPA which, in the case of a breach capable of remedy, shall not have been remedied within thirty (30) working days from the date of receipt by the Data Processor of a notice from the Data Controller identifying the breach and requiring its remedy.

5.3 The Data Processor shall be entitled to terminate this DPA by notice in writing to the Data Controller if the Data Controller is in a material or persistent breach of this DPA which, in the case of a breach capable of remedy, shall not have been remedied within thirty (30) working days from the date of receipt by the Data Controller of a notice from the Data Processor identifying the breach and requiring its remedy.

6. Audits and Information Requests

6.1 The Data Processor agrees to make available to the Data Controller all information necessary to prove compliance with the obligations laid out in this DPA and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller as set forth in this Section 6. Within the limit of one (1) audit per year and subject to the notification by the Data Controller with a thirty (30) day prior notice, except in the case of an audit requested by a supervisory authority, the Data Controller may during regular business hours, without unreasonably interfering with Data Processor's business operations, personally audit the Data Processor, or appoint a third-party auditor being subject to confidentiality obligations to carry out such audit.

6.2 The Data Processor shall cooperate in the case of an audit under this Section 6 and provide to the Data Controller all information necessary to carry out such audit. The Data Controller shall cover the costs and expense incurred by each party in relation to audits under this Section 6.

7. Appointment of Subprocessors

7.1 The Data Controller authorizes the Data Processor to use Subprocessors solely as required for the performance of the Online Services in connection with the Terms.

7.2 The Data Controller authorizes the Data Processor to add and/or replace any of the aforementioned Subprocessors, provided the Data Processor informs the Data Controller in writing (which may include email or posting a clear and conspicuous notice on the Online Services) of any such intended changes at least ten (10) business days in advance, thereby giving the Data Controller sufficient time to be able to object to such changes prior to the addition and/or replacement of the Subprocessor(s). The Data Processor shall provide the Data Controller with the information necessary to enable the Data Controller to exercise its right to object to the addition and/or replacement of the Subprocessor(s). If the Data Controller objects to the change of Subprocessor(s), the Data Controller may, throughout the period of notice, terminate this DPA in writing. If the Data Controller does not terminate within the notice period, this formalizes the consent of the Data Controller to the notified change of Subprocessor(s).

7.3 Where the Data Processor uses the services of a Subprocessor, the Data Processor shall execute a written agreement with any such Subprocessor that contains, in substance, the same data protection obligations as those binding on the Data Processor under this DPA, including the terms of third-party beneficiary rights for Data Subjects (as set forth in the Standard Contractual Clauses). The Data Processor shall remain fully responsible to the Data Controller for the acts or omissions of its Subprocessors.

8. Miscellaneous Provisions

8.1 Amendments or additions to this DPA must be made in writing to be effective. Should any provision of this DPA be or become invalid, this shall not affect the validity of the remaining terms. In the event of invalidation of any provision of this DPA, the parties shall, in any case, endeavor, in good faith, to replace the invalidated provision by another one, enforceable, valid and legal, having to the greatest possible extent a legal impact equal or equivalent to the one of the initial provision.

---

FDD.ninja is an informational tool only. It does not provide legal, financial, or investment advice and does not replace review of an official Franchise Disclosure Document. Users should consult qualified legal and financial advisors and review current FDDs before making any franchise decision. Use of FDD.ninja does not satisfy or waive the fourteen (14) day pre-sale disclosure quiet period required by applicable federal and state franchise laws.

© 2026 Visual Visitor, LLC — All Rights Reserved