Data Subject Rights

Effective date: 1st January 2026

At TrueDigi.ai (“TrueDigi”, “we”, “us”), we respect the privacy
rights of individuals whose personal data may be processed in connection with
our platform.

This notice explains (1) our role when processing personal data, and (2) how
individuals can exercise applicable data protection rights.

1) Our role (Service Provider / Processor)

TrueDigi is an AI-powered engagement and digital collections workflow platform
deployed by regulated lenders and banks, typically through an SDK embedded in a
client’s mobile application and a secure orchestration layer. In most
implementations, TrueDigi processes personal data only on behalf of and under
instructions from the lender, bank, or other organization that has a direct
relationship with the individual (the “Client”).

  • Client as controller / data fiduciary: Our Client determines
    why and how personal data is processed (e.g., loan servicing, collections
    workflows, customer engagement).
  • TrueDigi as processor / service provider: We process personal
    data to provide the services to our Client and do not use that data for
    our independent purposes except as permitted by contract and applicable law.
  • Identification limits: In many cases, TrueDigi operates using
    internal identifiers (e.g., a clientID) and may not be able to directly
    identify an individual without the Client’s assistance.

2) Your rights (where applicable)

Depending on your location and applicable law, you may have the right to:

  • Access: Request confirmation of whether your personal data is
    processed and obtain access to it.
  • Rectification: Request correction of inaccurate or incomplete
    personal data.
  • Deletion / Erasure: Request deletion of personal data, subject
    to lawful exemptions (e.g., legal or regulatory retention, dispute resolution).
  • Restriction: Request that processing be limited in certain
    circumstances (e.g., accuracy disputes).
  • Data Portability: Request certain personal data in a
    structured, commonly used, machine-readable format (where legally required).
  • Objection: Object to certain processing (where legally
    available), subject to overriding legitimate grounds and legal requirements.
  • Withdraw consent: Where processing is based on consent,
    withdraw it at any time (withdrawal does not affect prior lawful processing).
  • Human review / contesting automated decisions: Where
    applicable, request human review or raise concerns about decisions made solely
    by automated means that produce legal or similarly significant effects.

These rights are not absolute and may be subject to exceptions under applicable
law.

3) How to submit a request

Primary and recommended route: Contact the organization you
have a relationship with.

If your personal data was collected by or is managed by a lender, bank, or
other organization using TrueDigi, your request generally must be handled by
that organization (the Client), because they control the data and can verify
your identity in their records.

If you still wish to contact TrueDigi:

Email us at privacy@truedigi.ai with the following details:

  • Your full name and contact details
  • The name of the lender, bank, or organization you believe is using TrueDigi
  • Relevant identifiers (e.g., registered email or phone with that organization),
    if available
  • The right(s) you wish to exercise and a brief description of your request

If the request should be handled by our Client, we may:

  • Inform you of the appropriate Client contact (if known); and/or
  • Forward your request to the Client where contractually permitted and
    appropriate.

4) Response timelines

We respond within the timelines required by applicable law. Where we can
respond directly, we generally aim to respond within 30 to 45 days
of verifying your identity and understanding the request.

Where permitted, timelines may be extended for complex or multiple requests,
and we will inform you if an extension applies.

5) Identity verification

To protect personal data, we take reasonable steps to verify identity before
fulfilling requests. The verification method depends on the nature and
sensitivity of the request and may include:

  • Information associated with your account or relationship with the Client
  • Confirmation via the Client (where the Client is best placed to verify)
  • Additional verification information where necessary

We seek to minimize the personal data collected for verification purposes.

6) Fees

Requests are generally processed free of charge. We may charge a reasonable fee
or decline to act on a request only where permitted by applicable law (for
example, if a request is manifestly unfounded, excessive, or repetitive).

If a fee applies, we will inform you in advance.

7) When a request may be declined or limited

We may be unable to fulfill a request (in whole or in part) where:

  • We cannot reasonably verify identity
  • The request must legally be handled by our Client (controller/data fiduciary)
  • Fulfilling the request would conflict with legal or regulatory obligations
  • The request would adversely affect others’ rights and freedoms
  • The data is required to establish, exercise, or defend legal claims
  • The request is manifestly unfounded or excessive (where permitted by law)

If we decline or limit a request, we will explain the reason where permitted and
provide information on available next steps (including contacting the relevant
Client and/or the applicable supervisory authority).

8) Data security

We maintain technical and organizational safeguards designed to protect
personal data against unauthorized access, disclosure, alteration, and loss.

As a service provider/processor, we process personal data in accordance with
our contractual obligations and our Client’s instructions, subject to
applicable law.

9) Updates to These Terms

These terms may be updated from time to time due to operational, technical, or
compliance-related developments. Any updates will be posted on our website with
a revised effective date.

We encourage individuals to check this page periodically.