1. Introduction
This Privacy Policy describes how NestEggs Inc ("we," "us," or "our") collects, uses, and discloses your personal information when you use our software as a service (the "Service").
We are committed to protecting your personal information and your right to privacy. When you visit our software as a service and use our products, you trust us with your personal information. We take your privacy very seriously. In this Privacy Policy, we seek to explain to you in the clearest way possible what information we collect, how we use it, and what rights you have in relation to it.
This Privacy Policy applies to all information collected through our software as a service, as well as any related services, sales, marketing, or events.
Please read this Privacy Policy carefully as it will help you understand what we do with the information we collect.
2. Definitions
To help explain things as clearly as possible in this Privacy Policy, every time any of these terms are referenced, they are strictly defined as:
- Cookie: a small file placed on your device to enable certain features and functionality.
- Company: when this policy mentions "Company," "we," "us," or "our," it refers to NestEggs Inc.
- Country: where NestEggs Inc or the owners/founders of NestEggs Inc are based, in this case Canada.
- Customer: refers to the company, organization, or person that signs up to use the NestEggs Inc Service.
- Device: any internet-connected device such as a phone, tablet, computer, or any other device that can be used to visit NestEggs Inc and use the services.
- Personal Data: any information that directly, indirectly, or in connection with other information allows for the identification of a natural person.
- Service: refers to the software as a service provided by NestEggs Inc as described in the relevant terms and on this platform.
- Third-party service: refers to third parties that provide infrastructure, payment processing, or other operational services on our behalf in connection with the Service.
- Website: NestEggs Inc's site, which can be accessed via https://nesteggs.ca.
- You: a person or entity that is registered with NestEggs Inc to use the Services.
3. Information We Collect
We collect several different types of information for various purposes to provide and improve our Service to you.
3.1 Personal Data
While using our Service, we may ask you to provide us with certain personally identifiable information that can be used to contact or identify you. Personally identifiable information may include, but is not limited to:
- Email address
- First name and last name
- Phone number
- Address, State, Province, ZIP/Postal code, City
3.2 Financial Data
Financial information such as payment method details (including credit card numbers and banking information) is collected and stored by our PCI-DSS compliant third-party payment processors, not by NestEggs Inc. We may receive limited information from these processors (for example, the last four digits of a card or a transaction reference) to facilitate payments and reconcile records. You should review the payment processor's privacy policy to understand their privacy practices. See Section 9.1 for more information.
3.3 Location Data
Our Service uses location information in two distinct ways:
- Stored destinations: addresses you explicitly enter into the Service (for example, appointment locations, or trip destinations) are stored on our servers so we can plan routes between them.
- Live device location: while you are actively using our mobile application to navigate a planned route, we access your device's location in the foreground only to display maps, guide you between stops, and calculate mileage. Live location is not collected when the application is in the background or closed, and is not retained on our servers after your session ends.
You can enable or disable location services at any time through your device settings. Disabling location will prevent live navigation features but will not affect destinations you have already saved. See Section 16 for the mobile permissions involved.
3.4 Cookies and Tracking Technologies
We use a limited set of first-party cookies and similar technologies to operate the Service:
- Essential cookies: required for core functionality such as authentication, session management, and remembering your preferences. These cannot be disabled without breaking the Service.
- First-party analytics: we operate our own self-hosted analytics on our infrastructure to understand how the Service is used and to improve it. Analytics data is collected and stored by us; it is not shared with any third-party analytics provider and is not used for advertising.
We do not use third-party advertising, marketing, or cross-site tracking technologies, and we do not load third-party trackers on our Service. You can manage cookies through your browser settings; disabling essential cookies will prevent the Service from functioning correctly.
4. How We Use Your Information
NestEggs Inc uses the collected data for various purposes:
- To provide and maintain our Service
- To notify you about changes to our Service
- To allow you to participate in interactive features of our Service when you choose to do so
- To provide customer support
- To gather analysis or valuable information so that we can improve our Service
- To monitor the usage of our Service
- To detect, prevent and address technical issues
- To fulfill any other purpose for which you provide it
- In any other way we may describe when you provide the information
- For any other purpose with your consent
5. Legal Basis for Processing Personal Data Under GDPR
If you are from the European Economic Area (EEA), NestEggs Inc's legal basis for collecting and using the personal information described in this Privacy Policy depends on the Personal Data we collect and the specific context in which we collect it.
NestEggs Inc may process your Personal Data because:
- We need to perform a contract with you
- You have given us permission to do so
- The processing is in our legitimate interests and it's not overridden by your rights
- To comply with the law
6. Retention of Your Personal Data
NestEggs Inc retains Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy, to comply with our legal obligations (such as tax and accounting requirements), to resolve disputes, and to enforce our legal agreements and policies. Retention periods vary by the category of data:
- Account data (including your profile, contact details, preferences, and stored destinations or trip data you have entered into the Service): retained for the lifetime of your account, and for up to 90 days after account closure to allow for accidental-deletion recovery and to complete any pending obligations. After that window, account data is deleted from our production systems.
- Financial records (invoices, billing history, and transaction records — excluding payment card details, which are held by our payment processors, not by us): retained for 7 years to comply with Canadian tax and accounting laws.
- Usage logs that can be tied to an identifiable user, session, or device: retained for up to 12 months and then deleted.
- Aggregated or anonymized analytics and metrics (statistics, counts, and trend data from which individual users cannot be re-identified, directly or in combination with other data we hold): retained indefinitely for product improvement and historical analysis.
- Backups: copies of production data are retained on a rolling basis for operational and disaster-recovery purposes. Personal Data that has been deleted from our production systems is not restored from backups; if a backup is restored for disaster recovery, we re-apply any pending deletions so that your deletion request continues to be honoured.
Where a legal obligation requires us to retain specific Personal Data for longer than the periods above (for example, to respond to a law-enforcement request or to comply with a legal hold), we will retain only the data required by that obligation and for only as long as the obligation requires.
7. Transfer of Your Personal Data
NestEggs Inc is based in Canada, and your Personal Data is hosted and processed in Canadian regions of our cloud service providers (see Section 9.2). We do not store or process your Personal Data in regions outside Canada.
If you are located outside Canada and choose to provide information to us, please note that your Personal Data will be transferred to Canada and processed there. Data protection laws in Canada may differ from those of your jurisdiction. Your consent to this Privacy Policy followed by your submission of such information represents your agreement to that transfer.
NestEggs Inc will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy, including ensuring that adequate controls are in place to protect the security of your data and other personal information.
8. Disclosure of Your Personal Data
8.1 Business Transactions
If NestEggs Inc is involved in a merger, acquisition or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different Privacy Policy.
8.2 Disclosure for Law Enforcement
Under certain circumstances, NestEggs Inc may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
8.3 Legal Requirements
NestEggs Inc may disclose your Personal Data in the good faith belief that such action is necessary to:
- Comply with a legal obligation
- Protect and defend the rights or property of NestEggs Inc
- Prevent or investigate possible wrongdoing in connection with the Service
- Protect the personal safety of users of the Service or the public
- Protect against legal liability
9. Third-Party Disclosure
9.1 Payments
Where we provide paid products or services, payments are handled by PCI-DSS compliant third-party payment processors. We do not store or collect your payment card details; that information is provided directly to the processor, whose use of your personal information is governed by their own privacy policy.
PCI-DSS is the Payment Card Industry Data Security Standard, managed by the PCI Security Standards Council — a joint effort of brands such as Visa, Mastercard, American Express, and Discover. Compliance with PCI-DSS helps ensure that payment information is handled securely by the processor.
9.2 Cloud Services
We host the Service and store your data on infrastructure provided by the following third-party cloud service providers:
- Amazon Web Services (AWS) — privacy policy: https://aws.amazon.com/privacy/
- Microsoft Azure — privacy policy: https://privacy.microsoft.com/en-us/privacystatement
- Google Cloud Platform — privacy policy: https://cloud.google.com/terms/cloud-privacy-notice
We use services across these providers for hosting, storage, load balancing, and disaster recovery, and the specific provider handling a given request may change over time. In all cases, we configure these services to store and process your Personal Data in Canadian regions only. Your Personal Data is not stored or processed in regions outside Canada by these providers.
10. Security of Your Personal Data
The security of your Personal Data is important to us, but remember that no method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.
In the event of a Personal Data breach, NestEggs Inc will notify affected users and the relevant regulatory authorities to the extent and within the timeframes required by applicable law.
11. Children's Privacy
Our Service is not directed to, and we do not knowingly collect Personal Data from, anyone under the age of 16. We have chosen 16 as our global minimum age to align with the strictest applicable threshold (the GDPR baseline) so that the same protections apply regardless of where a user is located. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from anyone under the age of 16 without verification of parental consent, we take steps to remove that information from our servers.
If we need to rely on consent as a legal basis for processing your information and your country requires consent from a parent, we may require your parent's consent before we collect and use that information.
12. Your Data Protection Rights
Depending on your location and applicable laws, you may have certain rights regarding your personal information, including rights to access, correct, delete, or restrict use of your information. We honor these rights regardless of your location and are committed to providing reasonable access to the information that you have shared with us.
12.1 General Data Access & Deletion Rights
Regardless of your location, you can make the following requests regarding your personal data:
- Access Your Data: You can request a copy of the personal information we have about you. We will provide this information in a structured, commonly used, and machine-readable format.
- Delete Your Data: You can request that we delete your personal information from our systems. We will comply with this request unless there is a legal requirement for us to keep certain information.
To submit a data access or deletion request, please contact us using the contact information provided at the end of this Privacy Policy. We will respond to your request within 30 days. We may need to verify your identity before processing your request.
12.2 GDPR Data Protection Rights (EU & UK Residents)
If you are a resident of the European Economic Area (EEA) or the United Kingdom, you have certain data protection rights under the GDPR and UK GDPR. NestEggs Inc aims to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data.
If you wish to be informed what Personal Data we hold about you and if you want it to be removed from our systems, please contact us.
In certain circumstances, you have the following data protection rights:
- The right to access, update or to delete the information we have on you. Whenever made possible, you can access, update or request deletion of your Personal Data directly within your account settings section. If you are unable to perform these actions yourself, please contact us to assist you. We will comply with such requests within 30 days.
- The right of rectification. You have the right to have your information rectified if that information is inaccurate or incomplete.
- The right to object to our processing of your Personal Data.
- The right of restriction. You have the right to request that we restrict the processing of your personal information.
- The right to data portability. You have the right to be provided with a copy of your Personal Data in a structured, machine-readable and commonly used format.
- The right to withdraw consent. You also have the right to withdraw your consent at any time where NestEggs Inc relied on your consent to process your personal information.
Please note that we may ask you to verify your identity before responding to such requests.
You have the right to complain to a Data Protection Authority about our collection and use of your Personal Data. For more information, please contact your local data protection authority in the European Economic Area (EEA) or the UK Information Commissioner's Office (ICO).
12.3 CCPA Privacy Rights (California Residents)
If you are a California resident, you are entitled to learn what data we collect about you, to ask us to delete your data, and to ask us not to sell (share) it. To exercise your data protection rights, you can make certain requests and ask us:
- What personal information we have about you. If you make this request, we will return to you the categories of personal information we have collected, the categories of sources from which we collect your personal information, the business or commercial purpose for collecting your personal information, the categories of third parties with whom we share personal information, and the specific pieces of personal information we have collected about you.
- To delete your personal information. If you make this request, we will delete the personal information we hold about you as of the date of your request from our records and direct any service providers to do the same. In some cases, deletion may be accomplished through de-identification of the information. If you choose to delete your personal information, you may not be able to use certain functions that require your personal information to operate.
- To stop selling or sharing your personal information. We do not sell, rent, or share your personal information to or with any third parties for targeted advertising, cross-context behavioural advertising, or any other purpose that would qualify as a "sale" or "share" under the CCPA, CPRA, or comparable state privacy laws. You are the only owner of your Personal Data and can request disclosure or deletion at any time.
- To correct inaccurate personal information. Under the CPRA, you have the right to request that we correct inaccurate personal information we maintain about you. Where possible, you can correct your information directly within your account settings; otherwise, please contact us using the details at the end of this Privacy Policy.
Sensitive Personal Information. The CPRA defines certain categories of Personal Data as Sensitive Personal Information ("SPI"). The SPI we collect is limited to (a) account log-in credentials (your email/username together with a password), and (b) precise geolocation, but only when you actively use mobile features that require it (see Section 3.3). We use SPI only for the purposes for which it was collected — namely, providing, securing, and operating the Service. We do not use SPI to infer characteristics about you, and we do not use or disclose SPI for any purpose that would trigger the right to limit the use or disclosure of SPI under the CPRA. As a result, no separate "Limit the Use of My Sensitive Personal Information" mechanism is required to honour that right. If our use of SPI ever changes, we will update this Privacy Policy and provide an opt-out mechanism as required by law.
We will respond to verified requests within 45 days as required by the CCPA. If we need more time, we will inform you of the reason and extension period in writing.
Please note, if you ask us to delete or stop selling your data, it may impact your experience with us, and you may not be able to participate in certain programs or membership services which require the usage of your personal information to function. But under no circumstances will we discriminate against you for exercising your rights.
To exercise your California data protection rights described above, please send your request(s) by email: privacy@nesteggs.ca.
12.4 Canadian Privacy Rights
Under Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and provincial privacy laws, you have the right to:
- Access your personal information in our custody or control
- Request correction of your personal information if it is inaccurate or incomplete
- Withdraw consent to the collection, use, or disclosure of your personal information
- File a complaint with the Office of the Privacy Commissioner of Canada about the handling of your personal information
We will respond to your access or correction request within 30 days, unless an extension is required. There may be situations where we cannot provide access to all the personal information we hold about you, such as if doing so would reveal personal information about another individual or if the information is protected by legal privilege.
If you are a resident of Quebec, you have additional rights under An Act to modernize legislative provisions as regards the protection of personal information ("Law 25"). See Section 12.6 for those rights.
12.5 Australian Privacy Rights
Under the Australian Privacy Principles (APPs), you have the right to:
- Request access to your personal information
- Request correction of your personal information
- Opt-out of receiving direct marketing communications
- Make a complaint about a breach of the APPs
We will respond to your access or correction request within 30 days. If we refuse to give you access to or correct your personal information, we will provide you with reasons for our decision and information about how to make a complaint if you are not satisfied with our response.
12.6 Quebec Residents (Law 25)
If you are a resident of Quebec, you have additional rights under An Act to modernize legislative provisions as regards the protection of personal information ("Law 25"), in addition to your rights under PIPEDA described in Section 12.4:
- Right to be informed of the purposes for which your Personal Data is collected, the means by which it is collected, the categories of persons within NestEggs Inc who have access to it, and the third parties (if any) to whom it may be communicated.
- Right to access and correct your Personal Data, and to receive a copy of it.
- Right to data portability — to receive computerized Personal Data you have provided to us in a structured, commonly used technological format, and to have it transmitted to another organization where technically feasible.
- Right to withdraw consent to the collection, use, or disclosure of your Personal Data, and the right to request that your Personal Data cease to be disseminated or be de-indexed where the conditions in Law 25 are met.
- Right to information about automated decision-making — if a decision affecting you is based exclusively on automated processing of your Personal Data, you have the right to be informed of that fact and of the principal factors and parameters that led to the decision, and to have the decision reviewed by a person.
- Right to file a complaint with the Commission d'accès à l'information du Québec (CAI) regarding our handling of your Personal Data.
NestEggs Inc has designated a Privacy Officer responsible for ensuring compliance with Law 25 and other applicable privacy laws. Our Privacy Officer can be contacted at privacy@nesteggs.ca. In the event of a confidentiality incident (a privacy breach) presenting a risk of serious injury, we will notify the CAI and affected individuals as required by Law 25.
12.7 Other US State Privacy Rights
If you are a resident of a US state with a comprehensive consumer privacy law — including, as of the effective date of this Privacy Policy, Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), and Texas (TDPSA), and other states whose laws come into effect from time to time — you have rights similar to those described in Section 12.3 for California residents, including:
- The right to confirm whether we process your personal data and to access that data.
- The right to correct inaccurate personal data.
- The right to request deletion of your personal data.
- The right to obtain a portable copy of personal data you have provided to us.
- The right to opt out of the sale of your personal data, targeted advertising, and certain forms of profiling. As described in Section 12.3, we do not sell personal data, do not use it for targeted advertising, and do not engage in profiling that produces legal or similarly significant effects.
- The right to appeal a refusal to take action on a request, where the applicable law provides for one.
To exercise any of these rights, please contact us at privacy@nesteggs.ca. We will respond within the timeframe required by the applicable state law (typically 45 days, with one extension where permitted).
13. Service Providers
We may employ third-party companies and individuals to facilitate our Service ("Service Providers"), to provide the Service on our behalf, to perform Service-related services or to assist us in analyzing how our Service is used.
These third parties have access to your Personal Data only to perform these tasks on our behalf and are obligated not to disclose or use it for any other purpose.
14. Links to Other Sites
Our Service may contain links to other sites that are not operated by us. If you click on a third-party link, you will be directed to that third party's site. We strongly advise you to review the Privacy Policy of every site you visit.
We have no control over and assume no responsibility for the content, privacy policies or practices of any third-party sites or services.
15. Changes to This Privacy Policy
We may update our Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page.
We will let you know via email and/or a prominent notice on our Service prior to the change becoming effective, and we will update the "effective date" at the top of this Privacy Policy.
You are advised to review this Privacy Policy periodically for any changes. Changes to this Privacy Policy are effective when they are posted on this page.
16. Mobile Application Permissions
Some NestEggs Inc services are offered as mobile applications on iOS and Android. These applications may request the following device permissions to deliver specific features. Permissions are requested at runtime and you may grant, deny, or revoke them at any time through your device settings. Denying a permission will disable the feature that relies on it but will not otherwise prevent you from using the application.
- Camera: used to capture photos and scan documents to populate forms within the application. Captured media is stored locally and only transmitted to our servers if you explicitly submit it as part of an in-app action.
- Microphone: used for on-device voice-to-text dictation. Audio is processed locally on your device and is not transmitted to NestEggs Inc or any third party.
- Photo Library / Media Images: used to let you attach existing images from your device to forms and records within the application. We only access the images you explicitly select.
- Location (foreground only): used to display maps, plan routes and calculate mileage while you are actively using the application. We do not collect location data when the application is in the background or closed. See Section 3.3 for details on how stored destinations and live device location are handled.
- Calendar (read and write): used to read existing events and write new events (such as scheduled trips) to the calendar you select. We do not upload your calendar contents to our servers.
- Network access: used to synchronize your data with our cloud services and, where applicable, process payments through our third-party payment processors.
Some of the above data may be transmitted to NestEggs Inc servers or to the third-party service providers listed in Section 9 solely for the purpose of delivering the feature you have requested. The categories of data collected and the legal basis for processing are described in Sections 3 through 5 of this Privacy Policy.
17. Contact Us
NestEggs Inc has designated a Privacy Officer who is accountable for our compliance with this Privacy Policy and with applicable privacy laws, including PIPEDA and Quebec's Law 25. If you have any questions about this Privacy Policy, would like to exercise any of the rights described above, or wish to raise a privacy concern, please contact our Privacy Officer:
- By email: privacy@nesteggs.ca