AJC Group, LLC and its affiliated companies (“AJC Group”, “we”, “us”, or “our”) respect your privacy and are committed to protecting your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you visit our website www.ajcgroup.com (“Website”) and any affiliate Websites, interact with our services, or contact us. In most cases, AJC Group, acts as the data controller, meaning we determine the purposes and means of processing personal information collected from you. In certain limited situations, we may act as a data processor on behalf of third-party clients or partners, in which case we will process personal information solely in accordance with their instructions and applicable data processing agreements.

Multiple AJC Group entities may be responsible for the collection and use of your personal information for the purposes described in this Privacy Notice. Please see the “Contact Us” section below for further information on these entities.

Scope of Policy

This Privacy Policy applies to personal information collected by AJC Group and its affiliates in the course of business, including through our websites, digital platforms, forms, email correspondence, business development, and credit onboarding processes. It also applies to applicants, customers, vendors, service providers, and other external contacts.

How We Collect Your Data

When you interact with our Website(s), certain information is collected automatically through the use of technologies such as cookies, web server logs, web beacons, and other similar mechanisms. A "cookie" refers to a text file that is transmitted by a website to a visitor’s computer or other Internet-enabled device in order to uniquely identify the visitor’s browser or to store data or configuration settings within the browser. A "web beacon"—also known as an Internet tag, pixel tag, or clear GIF—is a technology that links web pages to web servers and associated cookies, and may be utilized to transmit information collected via cookies back to a web server.

We utilize automated data collection technologies to gather information regarding your device, browsing behavior, and interaction patterns with our Website(s) and services. The information collected through these technologies may include, but is not limited to, your device’s IP address, unique device identifiers, device type, browser type and settings, operating system and device characteristics, language preferences, referring and exit URLs, clickstream data, and the dates and times of your visits to our Website(s).

These technologies are used to support the following purposes:

1. To retain your information and preferences, thereby reducing the need for repeated data entry;
2. To monitor, analyze, and better understand how users access and interact with our products and services;
3. To customize and personalize our offerings based on your usage and stated or inferred preferences;
4. To assess the functionality, performance, and user experience of our products, services, and related communications; and
5. To administer, maintain, and enhance the quality, security, and delivery of our products and services.

Your browser settings may allow you to receive alerts when cookies are being sent or to limit or disable certain types of cookies altogether. Please be aware that some cookies are essential to the operation of our Sites and services; disabling them may limit functionality or prevent access to certain features.

If you are using a mobile device, you can control how your device and browser share specific types of data by adjusting your device’s privacy and security settings.

For more details about how we use cookies and how you can manage your cookie preferences, please refer to our Cookie Notice. Where required by applicable law, we will request your consent prior to deploying cookies or similar technologies.

What Information We Collect and How We Use It

We collect personal and business-related information directly from you or through authorized third parties in relation to you and/or your company (“Your Data”). This information is processed for the purpose of determining appropriate credit terms, credit limits, and/or payment conditions in connection with ongoing or prospective business transactions. It is also processed as necessary to comply with applicable legal, regulatory, and operational obligations.

The legal basis for processing Your Data includes the necessity of processing for the performance of a contract to which you or your company is a party, or to take steps at your request prior to entering into such a contract.

Your Data may include, but is not limited to, the following categories:

1. Information provided through a completed AJC Credit Profile, Application, or New Vendor Form;
2. Email communications containing names, contact details, business titles, and geographic information;
3. Personal and corporate data obtained from banks, trade references, agents, publicly available sources (including social media), photographs, travel reports from site visits (either to your facilities or by your personnel to ours), and reports from third parties such as credit reference agencies, insurance providers, brokers, underwriters, compliance bodies, government entities, financial auditors, logistics providers (including freight forwarders and NVOCC operators), or other sources used during the credit assessment and account management process;
4. Supporting documentation where applicable, including Cross Guarantees, Personal Guarantees, Offset Agreements, account statements, invoices, executed contracts or sales agreements, import/export licenses (e.g., OFAC), credit card details, government-issued identification (e.g., driver’s license or passport), and other information customarily required to administer your account;
5. Corporate documentation provided by you, including but not limited to: legal incorporation or formation documents, financial statements, product specifications or SKUs, inventory records, and related commercial data.

In addition, we collect personal information submitted through our website, such as through digital contact forms. This information is processed solely for the purpose of responding to your inquiry or communication.

Third Party Analytics 

We may use third-party analytics services, such as Google Analytics, to better understand how users interact with our websites and improve our services. These services may collect information such as your IP address, browser type, device type, and interaction data, using cookies and similar technologies. For more details, please review the privacy policies of these providers.

How We Process Your Personal Information

We process personal information Your Data in accordance with applicable data protection laws and internal policies designed to safeguard data integrity, confidentiality, and availability. Your Data may be shared within our corporate group and with authorized third parties, solely for purposes consistent with the reason it was collected—such as to evaluate creditworthiness, manage business relationships, process transactions, or comply with legal obligations. However, mobile phone numbers collected for SMS communications and any associated SMS consent records are not sold, rented, shared, or disclosed to third parties or affiliates for marketing or promotional purposes. SMS consent is not shared with third parties for marketing purposes.

Authorized data recipients may include, but are not limited to:

• Financial institutions and banking partners;
• Credit reference agencies and trade references;
• Insurance providers, brokers, and underwriters;
• Regulatory authorities, auditors, and legal counsel;
• Internal departments and personnel within AJC, across global offices, as necessary to evaluate or maintain your credit profile.

Before disclosing any personal information, we take steps to ensure that the recipient has a legitimate need for the data and is contractually or legally bound to apply adequate privacy and security measures.

We share only the minimum amount of data reasonably required to fulfill the specific purpose of the disclosure. AJC requires third parties to process Your Data in compliance with applicable laws and to implement technical and organizational safeguards that are no less protective than those we apply internally.

How We Protect Your Personal Information

AJC takes the protection of Your Data seriously. We maintain a comprehensive data security and governance program that includes administrative, technical, and physical controls designed to prevent unauthorized access, loss, misuse, or alteration of the data we manage. These measures include, but are not limited to, the following:

1. Secure Data Storage:
   Your credit file and related personal information are stored in a secure internal system protected by layered access controls. Data retention is governed by internal policies and applicable legal requirements.
2. No Sale or List-Sharing Policy:
   We do not sell, rent, or license personal information or customer lists to any external organization.
3. Technical Safeguards:
   Our systems are protected through enterprise-grade firewalls, antivirus software, intrusion detection tools, and continuous monitoring protocols.
4. Employee Awareness:
   We provide cybersecurity and fraud prevention awarness to employees across our global operations, including protocols for recognizing and preventing phishing, email spoofing, and other forms of social engineering.
5. Secure Communications:
   We do not use unsecured platforms (e.g., Yahoo, Gmail) for business communication. Sensitive information, such as banking or payment instructions, is communicated exclusively via encrypted channels.
6. Banking and Payment Verification:
   To prevent wire fraud or account hijacking:
   • We only send payment instructions via encrypted email.
   • Any changes to payment information will be communicated through the same secure method.
   • You must verify any bank detail changes by phone with your AJC credit contact.
   • If we owe you funds, we will call to verify your banking details prior to transfer.
7. Incident Response and Breach Notification:
   In the unlikely event of a data breach affecting Your Data, we will follow a documented incident response plan, which includes notification to affected individuals and relevant authorities in accordance with legal requirements and within a reasonable timeframe.
8. Data Minimization and Retention:
   We will not retain Your Data longer than necessary to fulfill the purposes for which it was collected, unless we are required to retain it for legal, regulatory, or contractual reasons.
9. Shared Responsibility:
   While we take strong measures to secure our systems, we also rely on you to use secure platforms when sending sensitive data to us. If your email account is compromised and results in unauthorized or fraudulent communications, this may expose both parties to risk. Please ensure proper safeguards are in place on your side, including up-to-date antivirus software, multi-factor authentication, and secure password practices.

Third Party Links and Features

Our Sites may include links to third-party websites, applications, or online services, as well as embedded features such as social media plugins, tools, widgets, or integrations (e.g., those provided by Facebook, LinkedIn, or similar platforms). These third-party services are provided for your convenience and may operate independently from AJC.

Please be aware that we do not control the data practices of these third parties. Any personal information you provide through or in connection with such services is subject to the privacy policies of the respective third parties, not this Privacy Policy. We encourage you to carefully review their privacy notices to understand how your information may be collected, used, or shared.

To the extent these services are not owned or operated by AJC, we are not responsible for their content, security, or privacy practices.

Legal Compliance and Government Disclosures

AJC may be required to disclose your personal or business information to government authorities, regulatory agencies, or law enforcement entities in accordance with applicable laws, regulations, or legal processes. Such disclosures may occur without prior notice to you and may include, but are not limited to, obligations under:

• Know Your Customer (KYC) and anti-money laundering (AML) regulations
• The U.S. Foreign Corrupt Practices Act (FCPA)
• The Racketeer Influenced and Corrupt Organizations Act (RICO)
• The USA PATRIOT Act
• The Bank Secrecy Act
• Office of Foreign Assets Control (OFAC) sanctions and compliance rules
• Financial Action Task Force (FATF) guidelines
• International or domestic customs authorities and enforcement agencies
• The U.S. Department of Homeland Security, including ICE
• Interpol and other international policing bodies
• The OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions
• The Specifically Designated Nationals (SDN) list and other applicable sanctions programs

AJC cannot be held liable for any consequences, including any alleged breach of privacy, resulting from such legally required disclosures. We limit such disclosures to the minimum required by law and will take reasonable steps to ensure lawful handling of all shared data.

Retention of Personal Information

We retain personal information for as long as is reasonably necessary to fulfill the purposes for which it was collected, as outlined in this Privacy Policy. This includes, but is not limited to, satisfying legal, regulatory, accounting, or reporting obligations; maintaining business records for audit and compliance purposes; enforcing our agreements; and resolving disputes.

The retention period for personal information is determined based on the following criteria:

• The nature and sensitivity of the information
• The purposes for which the information was collected and is used
• The legal or regulatory requirements applicable to the information
• The existence of ongoing business or contractual relationships
• Industry best practices and risk management considerations

Where applicable, we will anonymize, aggregate, or securely delete personal information when it is no longer required for these purposes. In certain cases, we may retain personal information for longer periods where required by law, court order, or regulatory investigation.

If you have questions about our data retention practices, or if you would like us to delete your personal information (subject to applicable legal exceptions), please email us at privacypolicy@ajcgroup.com.

Children's Personal Information

Our services are not directed to, and we do not knowingly collect personal information from, individuals under the age of 13 (or under the applicable age of digital consent in certain jurisdictions, such as 16 in parts of the European Economic Area or China), without verifiable parental consent as required by law.

If we become aware that we have collected personal information from a child without appropriate authorization or legal basis, we will take reasonable steps to delete such information as soon as possible.

If you are a parent or legal guardian and believe that your child has provided us with personal information without your consent, please contact us immediately using the information provided in the “Contact Us” section of this Privacy Policy. We will take appropriate steps to investigate and address your concerns in accordance with applicable laws.

Updates to Our Privacy Notice

We may update this Privacy Notice from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will revise the "Last Updated" date at the top of this page. If the changes are material, we will provide additional notice as required by applicable law, such as by posting a prominent notice on our website or notifying you directly.

We encourage you to review this Privacy Notice periodically to stay informed about how we collect, use, disclose, and protect your personal information.

Your continued use of our Websites or services after any update constitutes your acknowledgment of the revised Privacy Notice, unless otherwise required by applicable law.

Supplemental Privacy Notices

As a global business, we are committed to complying with the data privacy laws of the jurisdictions in which we operate. This section supplements our primary Privacy Policy and provides additional information for individuals whose personal information is collected, processed, or transferred in or from specific regions, in accordance with local data protection regulations.

We recognize that data privacy requirements vary across countries and regions. Where applicable, we implement additional measures to ensure compliance with local laws, including international data transfer mechanisms, enhanced rights for data subjects, and obligations around consent, security, and accountability.

For more information on how we manage personal data in specific regions and to understand your rights under local privacy laws, please refer to our Supplemental Privacy Notices below.

• The EEA, UK and Switzerland
• China
• Brazil
• Employees in California

The EEA, UK and Switzerland

If you are located in the EEA, the UK, or Switzerland, your personal data is processed in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR), the UK GDPR, and the Swiss Federal Act on Data Protection (FADP), as applicable. This section supplements the general Privacy Policy and addresses your rights and our obligations under these laws.

Legal Bases for Processing

We only process your personal data when we have a lawful basis to do so. Depending on the context, our legal bases under Article 6 of the GDPR and corresponding UK/Swiss provisions may include:

• Performance of a contract: To enter into or fulfill contractual obligations with you or your company;
• Legal obligation: To comply with legal or regulatory requirements;
• Legitimate interests: To pursue our legitimate business interests, provided your rights and freedoms are not overridden;
• Consent: Where we are legally required to obtain your explicit consent (e.g., for marketing or the use of certain cookies);
• Vital interests or public interest: Where necessary to protect someone’s life or comply with legal obligations in the public interest.

You will be informed of the specific legal basis applicable to each processing activity, where required.

Your Rights Under the GDPR

Subject to applicable limitations and exceptions, you have the following rights regarding your personal data:

• Right of access: To request confirmation as to whether we are processing your data and receive a copy.
• Right to rectification: To correct inaccurate or incomplete personal data.
• Right to erasure (right to be forgotten): To request deletion of your data in certain situations.
• Right to restriction of processing: To limit how we process your data under specific conditions.
• Right to data portability: To receive your personal data in a structured, commonly used, and machine-readable format, and transfer it to another controller.
• Right to object: To object to processing based on legitimate interests or direct marketing.
• Right not to be subject to automated decision-making: Including profiling that has legal or similarly significant effects.
• Right to withdraw consent: At any time, where processing is based on your consent.

You can exercise these rights by contacting us using the information in the " Contact Us" section. We will respond to verified requests in accordance with applicable laws and within the timelines established under the GDPR (typically within one month).

You also have the right to lodge a complaint with your local supervisory authority (e.g., the UK Information Commissioner’s Office or your country’s data protection authority in the EEA or Switzerland).

International Data Transfers

When we transfer your personal data to countries outside the EEA, UK, or Switzerland that have not been recognized by the European Commission or relevant authorities as providing an adequate level of data protection, we implement appropriate safeguards to ensure your data remains protected.

These safeguards may include:

• Standard Contractual Clauses (SCCs): Approved by the European Commission or the UK ICO, and signed with the data recipient.
• Binding Corporate Rules (BCRs): Where adopted within our corporate group or by processors.
• Derogations: Where applicable, for example with your explicit consent or for the performance of a contract.

You may request a copy of the safeguards in place for specific transfers by contacting us.

Data Retention and Security

We retain personal data for no longer than necessary for the purposes for which it was collected, unless a longer retention period is required by law. We also apply technical and organizational security measures consistent with GDPR standards to protect your personal information.

THE PEOPLES REPUBLIC OF CHINA

If you are located in mainland China, the processing of your personal information is subject to the Personal Information Protection Law of the People’s Republic of China (PIPL), along with other applicable Chinese laws and regulations. This section supplements the general Privacy Policy and provides additional information required under Chinese law.

Lawful Basis for Processing

We process personal information in accordance with the principles of legality, legitimacy, necessity, and good faith. Depending on the context, our lawful bases for processing may include:

• Your consent, where required by law.
• The performance of a contract with you or your company.
• The fulfillment of statutory obligations.
• Response to public health emergencies or to protect the life, health, or property of an individual in emergencies.
• Processing within a reasonable scope for activities such as news reporting or public interest.
• Other circumstances permitted under applicable Chinese law.

Your Rights Under PIPL

As a data subject under PIPL, you have the following rights regarding your personal information, subject to certain conditions and exceptions:

• Right to know how your personal information is processed.
• Right to decide and consent to processing, including withdrawal of consent.
• Right to access and request copies of your personal information.
• Right to correct or supplement inaccurate or incomplete information.
• Right to delete personal information in certain circumstances.
• Right to restrict or object to specific processing activities.
• Right to request an explanation of our data handling rules.
• Right to data portability (where permitted by law).

You may exercise these rights by contacting us through the methods outlined in the “ Contact Us” section below. We will respond within a reasonable period, as required by law.

Cross-Border Data Transfers

We may transfer your personal information outside the territory of the People’s Republic of China to recipients located in jurisdictions that may not offer the same level of protection as Chinese law. In such cases, we will implement appropriate safeguards, including:

• Obtaining your separate, informed consent for international transfers.
• Conducting a personal information protection impact assessment (PIPIA) where required.
• Entering into the Standard Contract for Cross-Border Transfers issued by the Cyberspace Administration of China (CAC), where applicable.
• Ensuring the overseas data recipient provides equivalent levels of protection and does not unlawfully share the data with others.

You may request more details about the mechanisms and safeguards in place by contacting us directly.

Sensitive Personal Information

Where we collect or process sensitive personal information (e.g., financial data, ID numbers, biometric identifiers, precise geolocation, or information about minors), we will:

• Notify you of the necessity of processing.
• Obtain your separate and explicit consent before collection.
• Take enhanced measures to ensure data security and restrict access to authorized personnel only.

BRAZIL

If you are located in Brazil, the collection and processing of your personal data is subject to the Lei Geral de Proteção de Dados (LGPD) – Brazil’s General Data Protection Law (Federal Law No. 13,709/2018). This section supplements our Privacy Policy and explains how we handle personal data in compliance with Brazilian law.

Legal Bases for Processing

We process your personal data only where permitted by LGPD, including but not limited to the following lawful bases:

• With your consent, where required.
• When necessary for the performance of a contract or preliminary procedures related to a contract to which you are a party.
• To comply with legal or regulatory obligations.
• To exercise rights in judicial, administrative, or arbitration proceedings.
• For the legitimate interests of AJC or a third party, provided your fundamental rights and freedoms are not compromised.
• For the protection of life or physical safety, either of the data subject or a third party
• To protect public health, in accordance with applicable laws.
• For conducting studies by research entities, where anonymization is ensured when possible.

Your Rights Under the LGPD

As a data subject under Brazilian law, you have the right to:

• Confirm the existence of processing of your personal data.
• Access the data we hold about you.
• Correct incomplete, inaccurate, or outdated information.
• Request the anonymization, blocking, or deletion of unnecessary, excessive, or unlawfully processed data.
• Request the portability of your personal data to another service or product provider, subject to regulation.
• Request deletion of personal data processed with your consent.
• Obtain information about entities with which we have shared your data.
• Revoke your consent at any time, where consent was the basis for processing.
• Object to processing carried out on the basis of legitimate interest.
• File a complaint with Brazil’s National Data Protection Authority (ANPD)

You may exercise any of these rights by contacting us via the methods provided in the “How to Contact Us” section of this Privacy Policy. We will respond within the timeframe required under LGPD.

International Data Transfers

If your personal data is transferred outside Brazil, we will ensure it is protected through legally acceptable mechanisms, which may include:

• Your explicit consent to the international transfer.
• Standard contractual clauses or international cooperation agreements.
• Compliance with ANPD-approved safeguards.
• Transfers to countries recognized by the ANPD as providing an adequate level of data protection.
• Other legal mechanisms permitted under Brazilian law.

Data Processing of Minors

We do not knowingly collect or process personal data of children under the age of 12 without the express and specific consent of a parent or legal guardian, as required by LGPD.

Data Security and Retention

We maintain appropriate technical and organizational measures to safeguard personal data in accordance with LGPD principles. We retain personal data only as long as necessary for the purposes for which it was collected or to comply with legal or regulatory requirements.

Supplemental Privacy Notice for California Employees, Applicants, and Contractors

Effective Date: April 28, 2026
Last Updated: April 28, 2026

This Supplemental Privacy Notice (“Notice”) applies to California residents who are current or former employees, job applicants, contractors, interns, consultants, directors, or officers of AJC Group, LLC or any of its affiliated entities (“AJC,” “we,” “us,” or “our”). It is provided in accordance with the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA).

This Notice explains what categories of personal information and sensitive personal information we collect in the context of your role with AJC, and how we use, disclose, and protect that information. This Notice supplements AJC’s general Privacy Policy and applies solely to individuals residing in California in their capacity as members of our workforce or applicants.

Categories of Personal Information We Collect

In the course of your relationship with AJC, we may collect the following categories of personal information, as defined under the CCPA/CPRA:

• Identifiers – Name, alias, postal address, email address, phone number, date of birth, Social Security number (SSN), employee ID, driver’s license or passport number, and other similar identifiers.
• Professional or Employment Information – Job title, employment history, disciplinary records, evaluations, compensation, benefits enrollment, work authorization status, and other employment-related records.
• Education Information – Academic background, degrees, schools attended, and certifications.
• Internet or Network Activity – Company device usage, login data, browsing history, and email metadata, to the extent collected in the course of your work.
• Geolocation Data – Location data derived from access badges or GPS-enabled devices (if applicable).
• Audio, Visual, or Similar Information – Security camera footage, photographs for ID badges, voice recordings (e.g., voicemail systems or recorded meetings).
• Sensitive Personal Information – Government-issued ID numbers, financial account details (for payroll or reimbursement), racial or ethnic origin (if voluntarily disclosed), health or disability-related information (for benefits or accommodations), and union membership (if applicable).

Sources of Personal Information

We collect personal information from the following sources:

• Directly from you (e.g., during onboarding, application, or employment)
• From third parties such as background check providers, prior employers, benefit administrators, or recruiting platforms
• Automatically through company systems, such as network and email monitoring tools (in accordance with internal policies)
• From internal records, such as HR, payroll, security systems, or supervisors

Purposes for Collecting and Using Personal Information

We collect and use personal and sensitive personal information for the following business purposes:

• To process employment applications and conduct background checks
• To manage the employment relationship, including onboarding, payroll, timekeeping, benefits, scheduling, and performance management
• To maintain workplace safety and security, including access control, investigations, and compliance with internal policies
• To comply with applicable laws, regulations, and legal obligations (e.g., EEO reporting, wage/hour laws, tax reporting)
• To monitor and protect the security of our facilities, systems, and assets
• To respond to lawful requests from law enforcement or government entities
• To manage occupational health, disability accommodations, or leave requests
• To support internal audits, dispute resolution, or investigations
• With your separate consent, where required (e.g., for certain sensitive data uses)

We do not sell or share your personal information for cross-context behavioral advertising.

Retention of Personal Information

We retain personal and sensitive personal information for as long as necessary to fulfill the purposes described above, including legal, compliance, tax, audit, and employment recordkeeping obligations. Retention periods are determined based on the type of data, applicable law, and legitimate business needs.

Your Rights Under California Law

As a California resident, and subject to applicable exceptions, you have the right to:

• Know the categories and specific pieces of personal information we collect, use, or disclose.
• Access your personal information.
• Request deletion of personal information we have collected, subject to legal exceptions.
• Correct inaccurate personal information.
• Limit the use or disclosure of sensitive personal information (if applicable).
• Not be retaliated against for exercising your rights.

To submit a request, please contact us using the methods below. We may need to verify your identity before processing your request.

How to Contact Us

If you have questions about this Notice or wish to exercise your rights under California law, you may contact by email at privacypolicy@ajcgroup.com.