Data Subject Rights

Effective date: 1st January 2026

At TrueDigi.ai ("TrueDigi", "we", "us"), we respect the privacy rights of individuals whose personal data may be processed in connection with our platform.

This notice explains (1) our role when processing personal data, and (2) how individuals can exercise applicable data protection rights.

1) Our role (Service Provider / Processor)

TrueDigi is an AI-powered engagement and digital collections workflow platform deployed by regulated lenders and banks, typically through an SDK embedded in a client's mobile application and a secure orchestration layer. In most implementations, TrueDigi processes personal data only on behalf of and under instructions from the lender, bank, or other organization that has a direct relationship with the individual (the "Client").

• Client as controller / data fiduciary: Our Client determines why and how personal data is processed (e.g., loan servicing, collections workflows, customer engagement).
• TrueDigi as processor / service provider: We process personal data to provide the services to our Client and do not use that data for our independent purposes except as permitted by contract and applicable law.
• Identification limits: In many cases, TrueDigi operates using internal identifiers (e.g., a clientID) and may not be able to directly identify an individual without the Client's assistance.

2) Your rights (where applicable)

Depending on your location and applicable law, you may have the right to:

• Access: Request confirmation of whether your personal data is processed and obtain access to it.
• Rectification: Request correction of inaccurate or incomplete personal data.
• Deletion / Erasure: Request deletion of personal data, subject to lawful exemptions (e.g., legal or regulatory retention, dispute resolution).
• Restriction: Request that processing be limited in certain circumstances (e.g., accuracy disputes).
• Data Portability: Request certain personal data in a structured, commonly used, machine-readable format (where legally required).
• Objection: Object to certain processing (where legally available), subject to overriding legitimate grounds and legal requirements.
• Withdraw consent: Where processing is based on consent, withdraw it at any time (withdrawal does not affect prior lawful processing).
• Human review / contesting automated decisions: Where applicable, request human review or raise concerns about decisions made solely by automated means that produce legal or similarly significant effects.

These rights are not absolute and may be subject to exceptions under applicable law.

3) How to submit a request

Primary and recommended route: Contact the organization you have a relationship with.

If your personal data was collected by or is managed by a lender, bank, or other organization using TrueDigi, your request generally must be handled by that organization (the Client), because they control the data and can verify your identity in their records.

If you still wish to contact TrueDigi:

Email us at privacy@truedigi.ai with the following details:

• Your full name and contact details
• The name of the lender, bank, or organization you believe is using TrueDigi
• Relevant identifiers (e.g., registered email or phone with that organization), if available
• The right(s) you wish to exercise and a brief description of your request

If the request should be handled by our Client, we may:

• Inform you of the appropriate Client contact (if known); and/or
• Forward your request to the Client where contractually permitted and appropriate.

4) Response timelines

We respond within the timelines required by applicable law. Where we can respond directly, we generally aim to respond within 30 to 45 days of verifying your identity and understanding the request.

Where permitted, timelines may be extended for complex or multiple requests, and we will inform you if an extension applies.

5) Identity verification

To protect personal data, we take reasonable steps to verify identity before fulfilling requests. The verification method depends on the nature and sensitivity of the request and may include:

• Information associated with your account or relationship with the Client
• Confirmation via the Client (where the Client is best placed to verify)
• Additional verification information where necessary

We seek to minimize the personal data collected for verification purposes.

6) Fees

Requests are generally processed free of charge. We may charge a reasonable fee or decline to act on a request only where permitted by applicable law (for example, if a request is manifestly unfounded, excessive, or repetitive).

If a fee applies, we will inform you in advance.

7) When a request may be declined or limited

We may be unable to fulfill a request (in whole or part) where:

• We cannot reasonably verify identity
• The request must legally be handled by our Client (controller/data fiduciary)
• Fulfilling the request would conflict with legal or regulatory obligations
• The request would adversely affect others' rights and freedoms
• The data is required to establish, exercise, or defend legal claims
• The request is manifestly unfounded or excessive (where permitted by law)

If we decline or limit a request, we will explain the reason where permitted and provide information on available next steps (including contacting the relevant Client and/or the applicable supervisory authority).

8) Data security

We maintain technical and organizational safeguards designed to protect personal data against unauthorized access, disclosure, alteration, and loss.

As a service provider/processor, we process personal data in accordance with our contractual obligations and our Client's instructions, subject to applicable law.

9) Updates to These Terms

These terms may be updated from time to time due to operational, technical, or compliance-related developments. Any updates will be posted on our website with a revised effective date.

We encourage individuals to check this page periodically.