Privacy Policy

This Privacy Policy ("Policy") describes how OnePillar Holdings LLC and its controlled portfolio companies operating under assumed names (collectively, "the Company," "we," "us," or "our") collect, use, and disclose personal information. This Policy applies to information we process related to our employees, independent contractors, investors, vendors, and customers of our portfolio companies.

We are committed to protecting the privacy and security of personal information. This Policy is effective as of [2-15-2026]. Questions regarding this Policy may be directed to [hello@onepillarholdings.com].

Definitions

For the purposes of this Policy, the following terms have the meanings set forth below:

  • Personal Information: Any information that may be used, alone or in conjunction with other information, to identify a specific individual. This includes, but is not limited to, names, Social Security numbers, driver license numbers, financial account numbers, and unique electronic identifiers.
  • Sensitive Data: A subset of Personal Information that includes data concerning an individual's health, racial or ethnic origin, biometric data, or other information requiring heightened protection under applicable law. We process sensitive data only with explicit consent or as otherwise permitted by law.
  • Processing: Any operation performed on Personal Information, such as collection, recording, organization, storage, use, disclosure, or destruction.
  • Controller: The entity that determines the purposes and means of the processing of Personal Information.
  • Processor or Service Provider: A third party that processes Personal Information on behalf of a Controller.
  • Portfolio Company: A business entity owned or managed by OnePillar Holdings LLC, which may operate under an assumed name.

Categories of Personal Information Collected

We may collect and process various categories of Personal Information depending on your relationship with us. This includes, but is not limited to, the following:

  • Contact and Identity Information: Including full name, postal address, email address, telephone number, date of birth, Social Security number, and government-issued identification numbers (e.g., driver license or passport number).
  • Financial Information: Including bank account numbers, credit or debit card numbers, and other details related to financial accounts necessary for transactions, payroll, or investor relations.
  • Professional and Employment-Related Information: For employees, applicants, and contractors, this may include resumes, employment history, educational background, performance evaluations, and payroll and benefits information.
  • Investor and Vendor Information: Including business contact details, professional affiliations, and financial information required to manage the business relationship.
  • Technical and Usage Data: Information collected automatically when you interact with our websites or systems, such as IP addresses, browser types, operating systems, and information collected through cookies and similar technologies.
  • Sensitive Data: As legally required or permitted, and with appropriate consent, we may collect sensitive data, such as for administering health benefits for employees or accommodating disabilities.

We collect this information directly from you, from third parties (such as background check providers or business partners), and through automated means when you interact with our digital properties.

Purposes and Legal Bases for Processing

We process Personal Information for various business purposes, relying on one or more legal bases for processing. The purposes for which we collect and use Personal Information include:

  • Corporate Governance and Portfolio Management: To manage our investments, oversee the operations of our Portfolio Companies, and conduct internal analysis and reporting.
  • Human Resources and Payroll: To recruit, manage, and pay employees and contractors, administer benefits, and comply with employment laws.
  • Vendor and Investor Relations: To manage relationships with our service providers and investors, including processing payments and distributing communications.
  • Legal and Regulatory Compliance: To comply with applicable laws, regulations, and legal processes, such as responding to subpoenas or government requests.
  • Business Operations: To provide and manage the goods and services offered by our Portfolio Companies, including customer service and account management.
  • Marketing and Communications: With your consent where required, to provide you with information about our Company or Portfolio Companies.

Our legal bases for processing include the performance of a contract, compliance with a legal obligation, our legitimate business interests, and, where applicable, your consent. We limit the collection and processing of Personal Information to what is adequate, relevant, and reasonably necessary for the disclosed purposes.

How Information Is Shared and Disclosed

We do not sell Personal Information. We may share or disclose your Personal Information with the following categories of third parties for the purposes described in this Policy:

  • Affiliates and Portfolio Companies: We may share information within our corporate group, including with Portfolio Companies operating under assumed names, for operational, administrative, and management purposes.
  • Service Providers and Processors: We engage third parties to perform functions on our behalf, such as IT support, data hosting, payroll administration, and marketing. These providers are contractually obligated to protect the confidentiality and security of the information.
  • Professional Advisors: We may disclose information to our lawyers, auditors, accountants, and other professional advisors in the course of the services they provide to us.
  • Governmental and Regulatory Authorities: We may disclose Personal Information to law enforcement, courts, or other government bodies when required by law or in response to a valid legal process.
  • Parties in Corporate Transactions: In the event of a merger, acquisition, financing, or sale of assets, Personal Information may be transferred to the acquiring entity or other involved parties as part of the transaction.

Cross-Border Transfers and Data Localization

OnePillar Holdings LLC is based in the United States, and information we collect is primarily processed and stored in the United States. If you are interacting with us from outside the United States, your Personal Information will be transferred to, stored, and processed in the United States, where data protection laws may differ from those in your jurisdiction.

For transfers of Personal Information from other jurisdictions, such as the European Economic Area or the United Kingdom, we implement appropriate safeguards to ensure that your data is protected. These safeguards may include executing Standard Contractual Clauses approved for transfers of personal data, relying on adequacy decisions, or other data transfer mechanisms recognized under applicable law. We also employ technical and organizational measures, such as encryption, to protect information during transit and at rest.

Data Retention and De-identification

We retain Personal Information for as long as necessary to fulfill the purposes for which it was collected, including for the purposes of satisfying any legal, accounting, or reporting requirements. The criteria used to determine our retention periods include the duration of our relationship with you, the existence of a legal obligation, or whether retention is advisable in light of our legal position (such as in regard to applicable statutes of limitations or litigation).

Upon expiration of the applicable retention period, we will securely destroy or dispose of Personal Information in a manner designed to ensure it cannot be reconstructed or read, such as by shredding physical documents or permanently erasing electronic data. We may also de-identify or aggregate Personal Information for statistical or analytical purposes, in which case we may use this information indefinitely without further notice to you, as it is no longer considered Personal Information.

Data Subject Rights and How to Exercise Them

Depending on your jurisdiction, you may have certain rights regarding your Personal Information. These rights may include:

  • The right to access: You may have the right to request a copy of the Personal Information we hold about you.
  • The right to correction (rectification): You may have the right to request that we correct any inaccurate or incomplete Personal Information.
  • The right to deletion (erasure): You may have the right to request that we delete your Personal Information, subject to certain legal exceptions.
  • The right to data portability: You may have the right to receive your Personal Information in a structured, commonly used, and machine-readable format.
  • The right to object to or restrict processing: You may have the right to object to or request the restriction of our processing of your Personal Information under certain circumstances.
  • The right to withdraw consent: Where we rely on consent as the legal basis for processing, you may have the right to withdraw your consent at any time.

To exercise any of these rights, please submit a request to [hello@onepillarholdings.com]. We must verify your identity before processing your request and may require you to use an existing account or provide additional information for authentication purposes. We will respond to your request within the time frames required by applicable law. These rights are not absolute, and we may deny a request in accordance with applicable legal provisions. A provision of a contract cannot waive or limit these consumer rights.

Security Measures and Incident Response

We have implemented and maintain reasonable administrative, technical, and physical data security practices designed to protect the confidentiality, integrity, and accessibility of Personal Information. These measures include access controls, encryption, employee training, and vendor security assessments to guard against unauthorized access, use, disclosure, alteration, or destruction of your information.

In the event of a data breach or cybersecurity event, we will take prompt action to investigate the incident, mitigate harm, and restore the security of our systems. If we determine that a "breach of system security" has occurred that requires notification, we will notify affected individuals and relevant regulatory authorities without unreasonable delay and in accordance with applicable laws.

This notification will generally be made no later than forty-five (45) days from the discovery of the breach, unless a delay is requested by law enforcement. If the breach affects more than one thousand (1,000) individuals, we will also notify consumer reporting agencies.

Use of Cookies and Automated Technologies

Our websites and digital platforms may use cookies, web beacons, and other similar automated technologies to collect information about your device and browsing activity. This information helps us operate our websites, analyze performance and usage, improve user experience, and fulfill other disclosed purposes.

Where we use these technologies for purposes such as targeted advertising, we will provide clear and conspicuous disclosure and a mechanism for you to opt out of such processing. You may manage your cookie preferences through your browser settings or through a cookie consent tool provided on our websites. Please note that disabling certain cookies may affect the functionality of our websites.

Processing of Sensitive Personal Data and Special Categories

We restrict the processing of Sensitive Personal Data to limited and necessary purposes. We will not process Sensitive Data, such as information related to health, biometrics, or racial or ethnic origin, without first obtaining your explicit consent, or as otherwise required or permitted by applicable law. For example, we may process such data to administer health and disability benefits for our employees. When we process Sensitive Data, we apply heightened security measures and access controls to ensure its protection.

Minors and Age-Restricted Data

Our services and business operations are not directed toward individuals under the age of 16, and we do not knowingly collect Personal Information from minors. In the case of processing sensitive data concerning a known child, we will do so only in accordance with the federal Children's Online Privacy Protection Act (COPPA). If we become aware that we have inadvertently collected Personal Information from a minor without parental consent, we will take steps to delete the information as soon as possible.

Third-Party Links and Third-Party Services

Our websites and communications may contain links to third-party websites, applications, and services that are not operated by us. We provide these links for your convenience, but we do not review, control, or monitor the privacy practices of third parties. We are not responsible for their content or privacy policies. We encourage you to review the privacy policy of any third-party site you visit.

Vendor and Processor Management

We conduct due diligence when selecting third-party vendors and service providers who may process Personal Information on our behalf. We require our vendors to enter into written agreements that impose data protection obligations, including requirements to maintain the confidentiality and security of the information they process for us. These agreements restrict vendors from using Personal Information for any purpose other than providing the contracted services. We also take steps to ensure that our vendors notify us in the event of a cybersecurity incident affecting our data.

Legal Compliance, Mandatory Disclosures, and Law Enforcement Requests

We are committed to complying with all applicable laws and regulations regarding the processing of Personal Information. We may be required to disclose your Personal Information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Such disclosures may be made pursuant to a court order, subpoena, or other legal process. While we seek to protect individual privacy, our policy is to cooperate with valid legal requests. Any disclosure will be limited to what is legally required.

California/State and International Privacy Rights (Jurisdictional Addendum)

Residents of certain jurisdictions may be afforded additional rights regarding their Personal Information under applicable laws. For example, laws in states like California, Virginia, Colorado, and Tennessee provide specific consumer rights. We are committed to honoring these rights as required by law. If you are a resident of one of these jurisdictions, you may have additional rights to access, delete, or opt out of the sale or sharing of your Personal Information. For more details on the rights available in your jurisdiction and how to exercise them, please contact us at [hello@onepillarholdings.com].

Changes to This Policy

We reserve the right to amend this Policy at any time. When we make changes, we will post the updated Policy on our website and revise the "Effective Date." We encourage you to review this Policy periodically to stay informed about our information practices. For material changes, we may provide more direct notification as appropriate under the circumstances.

Contact Information and Complaints

If you have any questions, concerns, or complaints regarding this Policy or our privacy practices, please contact us at [hello@onepillarholdings.com]. We will investigate and attempt to resolve any complaints and disputes. You may also have the right to lodge a complaint with the competent data protection authority in your jurisdiction.

Dispute Resolution and Governing Law

This Policy and any disputes arising out of or related to it shall be governed by and construed in accordance with the laws of the State of [TN], without regard to its conflict of law principles. We encourage you to first contact us to resolve any dispute internally. Any legal action or proceeding arising under this Policy will be brought exclusively in the federal or state courts located in [TN], and the parties hereby irrevocably consent to the personal jurisdiction and venue therein.

Acknowledgment and Applicability to Portfolio Companies

This Policy establishes the foundational privacy principles for OnePillar Holdings LLC and its controlled Portfolio Companies. Each Portfolio Company operating under an assumed name must adopt or adhere to this Policy, particularly where OnePillar acts as the data controller or as otherwise contractually mandated. However, a Portfolio Company may issue its own separate, customer-facing privacy notice to govern the processing of Personal Information for which it is the independent controller. This Policy shall continue to govern data processed at the holding company level.

Version: [1.0] Effective Date: [2-15-26] Approved By: [Joseph R Brown]

Copyright 2025 Onepillar Holdings LLC