GNOMI Privacy Notice
Last Updated: May 22, 2026
This Privacy Notice applies to the processing of personal information by Gnomi App Corp (GNOMI), including on our mobile application, our website at gnomi.com, and our other online or offline offerings (collectively, the Services).
Table of Contents
- 1. Updates to This Privacy Notice
- 2. Personal Information We Collect
- 3. How We Use Personal Information
- 4. How We Disclose Personal Information
- 5. Your Privacy Choices and Rights
- 6. International Transfers of Personal Information
- 7. Retention of Personal Information
- 8. Supplemental Notice for EU/UK GDPR
- 9. Children's Personal Information
- 10. Promotion Privacy Notice
- 11. Data Retention and Disposal Policy
- 12. Information Security Policy
- 13. Contact Us
1. Updates to This Privacy Notice
We may update this Privacy Notice from time to time. If we do, we'll let you know by posting the updated Privacy Notice on our website, and we may also send other communications.
2. Personal Information We Collect
We collect personal information that you provide to us, personal information we collect automatically when you use the Services, and personal information from third-party sources.
A. Personal Information You Provide to Us Directly
- Account Information: Username, email address, password, country of location, and other information you store with your account
- Profile Information: Name, job title, bio, linked social media accounts, gender and birthday (private)
- Interactive Features: Content you submit through messaging, commenting, and social media features
- Purchases: Payment information for GNOMI Premium subscriptions
- Communications: Information you send us via email or chat tool
- Surveys: Information from surveys you participate in
- Contests: Information from sweepstakes or contests
- Events: Information from conferences and trade shows
- Job Applications: Contact information and CV if you apply for jobs
B. Personal Information Collected Automatically
- Device Information: IP address, user settings, cookie identifiers, browser information, location information
- Usage Information: Pages visited, search terms, content interactions, activity frequency and duration
- Cookies and Technologies: Cookies, pixel tags, and web beacons to collect information about your use of the Services
C. Personal Information Collected from Third Parties
We may collect personal information from third-party services when you connect GNOMI with social media accounts (Reddit, LinkedIn, Meta, X) or use third-party login services.
3. How We Use Personal Information
A. Provide the Services
- Managing your information and providing access to features
- Customer support and communications
- Processing payments
- Processing job applications
B. Improve the Services and Develop New Products
- Training AI and machine learning technologies
- Improving and enhancing the Services
C. Administrative Purposes
- Security and fraud prevention
- Analytics and measuring engagement
- Quality control and safety
- Legal compliance
D. Marketing
We may use your personal information to provide you with marketing messages and offers via email campaigns, as permitted by applicable law.
E. Improving our Services through AI
Important: We use your usage and search activity to help train our and third-party AI models. If you use our Social Connections feature, we also use your social media interaction information to train AI models and provide personalized news recommendations. When shared with third-party AI models, providers may retain this information. Please don't share sensitive information like passwords or financial data.
F. Automated Decision Making
We may engage in automated decision making, including profiling, to deliver customized content based on your interactions with the Services.
4. How We Disclose Personal Information
A. Disclosures to Provide the Services
- Service Providers: AI/ML services, hosting, customer service, analytics, marketing, IT support
- Other Users: Information you choose to share with other GNOMI users
- Third-Party Services: Services you connect or interact with
- Business Partners: Partners we work with to provide services
- Affiliates: Our corporate affiliates
- Advertising Partners: For free users, we may share information with advertising partners for targeted advertising
B. Disclosures to Protect Us or Others
We may disclose information to comply with legal requests, protect rights and safety, enforce policies, or assist with investigations.
C. Business Transactions
Your information may be disclosed in connection with mergers, acquisitions, or other corporate transactions.
5. Your Privacy Choices and Rights
Your Privacy Choices
- Email Communications: Unsubscribe using links in emails
- Text Messages: Reply "STOP" to opt out
- Mobile Devices: Adjust push notification and location settings
- Cookies: Adjust browser preferences (note: may affect functionality)
- Do Not Track: We do not respond to DNT signals
Your Privacy Rights
You may have the right to:
- Confirm whether we're processing your personal information
- Request access to or portability of your personal information
- Request correction of your personal information
- Request deletion of your personal information
- Request restriction of or object to processing
- Opt out of targeted advertising, sales, or profiling
- Withdraw consent
6. International Transfers of Personal Information
Personal information may be transferred, processed, and stored anywhere in the world, including countries with different data protection laws. For transfers from the EU/UK, we may use EU Standard Contractual Clauses as safeguards.
7. Retention of Personal Information
We store personal information as long as you use the Services, or as necessary to fulfill purposes, provide Services, resolve disputes, and comply with legal obligations.
8. Supplemental Notice for EU/UK GDPR
This section applies to personal information subject to EU or UK GDPR. In some cases, providing personal information may be required by law or contract. We will inform you of consequences if you choose not to provide required information.
9. Children's Personal Information
The Services are not directed to children under 16, and we do not knowingly collect personal information from children. If you believe your child has uploaded information in violation of applicable law, please contact us.
10. Promotion Privacy Notice
GNOMI App Corp. (“Sponsor”) collects and processes personal information submitted by entrants, including name, email address, country or state of residence, and information required to verify eligibility and deliver prizes. This information is used solely to administer the promotion, prevent fraud, verify eligibility, and fulfill prizes.
For entrants located in the European Economic Area or United Kingdom, Sponsor processes personal data based on the performance of a contract (administration of the promotion) and Sponsor’s legitimate interests in operating and securing the promotion. If entrants choose to receive marketing communications, processing is based on consent. Entry into the promotion is not conditioned on providing marketing consent.
Sponsor may use service providers to assist with promotion administration, communications, analytics, and prize fulfillment. Personal data may be transferred to and processed in the United States or other countries where Sponsor or its service providers operate, subject to appropriate legal safeguards where required.
Personal data is retained for up to twelve (12) months after the promotion ends and then deleted or anonymized unless longer retention is required for legal or regulatory purposes. The promotion is open only to individuals who are at least 18 years old or the age of majority in their jurisdiction.
Depending on applicable law, entrants may have the right to request access to, correction or deletion of their personal data, restrict or object to processing, or request data portability. Entrants in the EEA or UK may also lodge a complaint with their local data protection authority. U.S. residents may have additional privacy rights under applicable state laws.
Requests regarding personal data may be submitted to: privacy@gnomi.com
11. Data Retention and Disposal Policy
GDPR and Applicable Privacy Law Compliance Documentation
1. Purpose
This Data Retention and Disposal Policy defines how GNOMI retains, protects, deletes, anonymizes, and securely disposes of company, customer, user, financial integration, brokerage, banking, portfolio, transaction, technical, operational, and vendor-managed data. The purpose of this policy is to ensure that data is retained only for legitimate business, product, security, contractual, legal, and compliance purposes and is deleted, anonymized, or securely disposed of when no longer required.
2. GDPR and Applicable Privacy Law Compliance Statement
GNOMI maintains this defined and enforced Data Retention and Disposal Policy to support compliance with applicable data privacy and data protection laws, including the General Data Protection Regulation (GDPR) where GDPR applies to GNOMI processing activities. This policy is designed to operationalize GDPR-aligned retention and disposal principles, including storage limitation, data minimization, purpose limitation, integrity and confidentiality, accountability, and lawful handling of data subject deletion and restriction requests.
GNOMI’s retention and disposal controls are intended to ensure that personal data is not retained longer than necessary for the purposes for which it is collected or otherwise lawfully processed, unless continued retention is required for legal, regulatory, contractual, security, fraud-prevention, accounting, audit, dispute-resolution, or legitimate business purposes.
Where GNOMI processes user-authorized financial account or portfolio information through Plaid or similar providers, GNOMI applies retention and disposal controls designed to limit retention of financial integration data to the period necessary to provide authorized functionality, maintain security, satisfy contractual obligations, prevent fraud, and comply with applicable law.
3. Scope
This policy applies to all data collected, processed, stored, transmitted, or maintained by GNOMI or by third-party service providers acting on GNOMI’s behalf. This includes production systems, cloud services, application databases, user account systems, financial integration systems, portfolio analytics systems, AI-generated financial intelligence systems, financial analysis systems, Plaid integrations, brokerage account integrations, banking integrations, security logs, analytics environments, customer support tools, vendor platforms, corporate records, backups, and disaster recovery systems.
This policy applies to GNOMI employees, contractors, consultants, service providers, and other authorized personnel who create, access, manage, store, process, transmit, retain, delete, or dispose of data on behalf of GNOMI.
4. Policy Statement
GNOMI retains data only for as long as necessary to provide and improve its services, support authorized user functionality, maintain security, satisfy contractual and legal obligations, conduct business operations, and protect GNOMI, its partners, and its users. When data is no longer required, GNOMI deletes, anonymizes, aggregates, or securely disposes of it using appropriate administrative, technical, and procedural controls.
Retention periods are based on data type, purpose of processing, user relationship, legal basis, business need, contractual obligations, regulatory requirements, and security requirements. GNOMI periodically reviews retention and disposal practices to confirm that they remain appropriate for its business, products, systems, vendors, and applicable privacy obligations.
GNOMI retains user-authorized financial integration data only for as long as necessary to provide the authorized financial intelligence functionality requested by the user, including portfolio analysis, diversification analysis, portfolio sentiment generation, AI-generated financial insights, fraud prevention, and integration support.
5. GDPR-Aligned Retention Principles
- Storage limitation: GNOMI retains personal data only for the period necessary for the relevant processing purpose, unless longer retention is justified by law, contract, security, dispute resolution, audit, accounting, or compliance requirements.
- Data minimization: GNOMI limits retained data to what is reasonably necessary for the relevant business, product, security, legal, or compliance purpose.
- Purpose limitation: GNOMI evaluates retention based on the purpose for which data was collected or otherwise lawfully processed.
- Integrity and confidentiality: GNOMI protects retained data with appropriate access controls, least-privilege permissions, monitoring, and secure handling practices.
- Accountability: GNOMI maintains ownership, review, and enforcement responsibilities for retention and disposal decisions.
- Data subject rights: GNOMI processes applicable deletion, correction, restriction, and objection requests in accordance with applicable privacy law and any lawful exceptions.
- User authorization limitation: Financial integration data is retained and processed only for the duration and purposes authorized by the user and supported by applicable lawful processing grounds.
6. Data Classification
GNOMI classifies data based on sensitivity, processing purpose, applicable obligations, and operational use. Retention and disposal controls are applied according to the nature of the data and the systems where it resides.
- Customer and user data: account-related information, user profile information, preferences, product usage data, support communications, and service-related records.
- Financial connection data: user-authorized brokerage account data, banking relationship data, portfolio holdings, transaction metadata, investment account metadata, balances, financial institution identifiers, financial integration credentials or tokens, AI-generated financial insights, portfolio analytics outputs, and related information processed through Plaid or similar financial integration providers.
- AI-generated financial intelligence data: portfolio sentiment analysis, diversification analysis, financial summaries, account-level AI outputs, and related user-specific financial intelligence generated from authorized financial integrations.
- Security and operational logs: authentication records, access logs, audit logs, monitoring data, system activity logs, and incident response records.
- Business and administrative data: contracts, vendor records, billing records, corporate records, legal records, tax records, and internal operational documentation.
- Aggregated, anonymized, or de-identified data: analytics, product improvement data, and reporting data that is not reasonably linked to an identifiable individual.
7. Retention Schedule
GNOMI applies retention periods according to the categories below. Specific periods may be adjusted where required by law, contract, security need, technical system requirements, or approved business necessity. Where a specific retention period is not legally required, GNOMI retains data only as long as needed for the applicable purpose and then deletes, anonymizes, or securely disposes of it.
| Data Category | Primary Purpose | Retention Standard | Disposal Method |
|---|---|---|---|
| Account and user profile data | Account operation, authentication, user support, service delivery | Retained while the account is active and for a limited period after closure as needed for security, fraud prevention, legal, audit, or support purposes. | Deletion, anonymization, or secure purge from active systems. |
| User-authorized financial integration data | Providing authorized financial intelligence features, user-requested functionality, integration support, and security | Retained only while the user maintains the authorized financial connection or while necessary to provide authorized financial intelligence functionality, maintain security, prevent fraud, support lawful business operations, comply with contractual obligations, or satisfy legal and regulatory requirements. Revoked, disconnected, expired, or inactive integrations are deleted, deactivated, anonymized, or token-revoked according to operational and legal requirements. | Deletion from active systems, secure token revocation, anonymization, restricted archival retention where legally required, or secure disposal. |
| AI-generated financial insights and portfolio analytics | Portfolio intelligence, diversification analysis, sentiment analysis, AI chat functionality, user-requested analytics | Retained while associated user accounts remain active and functionality remains enabled, subject to deletion requests, security requirements, legal obligations, and operational necessity. | Deletion, anonymization, aggregation, or secure disposal. |
| Support and communications records | Customer support, issue resolution, quality assurance, and compliance | Retained as needed to resolve requests, maintain service records, and support business or legal requirements. | Deletion or secure archive disposal upon expiration. |
| Security, access, and audit logs | Security monitoring, fraud prevention, incident detection, access review, audit, and system integrity | Retained for a period appropriate to the security purpose, system requirements, and legal or contractual obligations. | Scheduled expiration, secure purge, or restricted archive disposal. |
| Billing, tax, corporate, and legal records | Accounting, tax, corporate governance, audit, contract administration, and legal compliance | Retained for the period required by applicable law, audit standards, contract, or corporate governance requirements. | Secure disposal after expiration of legal or business need. |
| Aggregated, anonymized, or de-identified data | Analytics, product improvement, research, reporting, and business intelligence | May be retained for longer periods where the data is not reasonably identifiable and is outside the scope of personal data under applicable law. | Ongoing use, further aggregation, or disposal when no longer needed. |
| Backups and disaster recovery data | Business continuity, security recovery, and system restoration | Retained according to backup lifecycle schedules and overwritten or purged through normal backup rotation unless subject to legal hold. | Scheduled overwrite, expiration, or secure destruction. |
8. Data Deletion and Secure Disposal Procedures
GNOMI enforces data deletion and disposal through administrative, technical, and procedural controls. Disposal methods are selected based on the data type, system, sensitivity, retention requirement, and technical feasibility.
- Deletion or purge from active production systems when data is no longer required.
- Anonymization or aggregation where GNOMI needs to preserve analytics or product insights without retaining reasonably identifiable personal data.
- Restriction or deactivation of data where deletion is temporarily limited by legal hold, security, audit, accounting, dispute-resolution, or technical constraints.
- Secure disposal of records and exports using approved deletion, destruction, or access revocation processes.
- Review of systems and vendors to confirm that retention and disposal obligations are operationalized where data is processed on GNOMI’s behalf.
- Revocation and deletion of Plaid access tokens, OAuth credentials, API credentials, and associated integration secrets when integrations are disconnected, expired, or no longer required.
- Deletion or anonymization of AI-generated financial insights where associated underlying financial integrations are revoked or deleted, unless retention is otherwise required.
9. GDPR Data Subject Requests and Account Closure
Where GDPR or other applicable privacy law applies, GNOMI processes data subject requests relating to access, correction, deletion, restriction, objection, and portability in accordance with applicable legal requirements and lawful exceptions. GNOMI evaluates requests based on the requester’s identity, the nature of the data, the applicable legal basis, system requirements, and any lawful obligation to retain data.
Upon verified account closure or verified deletion request, GNOMI deletes, anonymizes, or restricts applicable personal data from active systems unless retention is required or permitted for legal, regulatory, contractual, security, fraud-prevention, accounting, audit, dispute-resolution, or legitimate business purposes. Where data cannot be immediately deleted from backups, it is protected from ordinary use and removed through the applicable backup lifecycle.
Where technically feasible and legally permitted, GNOMI processes verified requests to disconnect financial integrations, revoke financial access tokens, delete associated portfolio analytics data, and remove AI-generated financial insights associated with user-authorized financial integrations.
10. Legal Holds and Retention Exceptions
GNOMI may suspend normal retention or deletion schedules when data is subject to a legal hold, dispute, investigation, regulatory request, audit requirement, security incident, contractual obligation, accounting obligation, or other lawful business requirement. Data subject to a legal hold or approved exception is retained only for as long as the exception applies and is then returned to the applicable retention and disposal process. Security, fraud-prevention, anti-abuse, dispute-resolution, audit, regulatory review, or other lawful compliance obligations may require limited continued retention of financial integration records or security-related financial metadata.
11. Vendors, Processors, and Third-Party Systems
When GNOMI uses third-party service providers to store or process data, GNOMI requires appropriate retention and disposal handling through vendor review, contractual obligations where applicable, and operational controls. For providers acting as processors or service providers, GNOMI expects retention, deletion, confidentiality, security, and assistance obligations to be addressed in applicable agreements, data processing terms, or vendor controls.
GNOMI reviews vendor data handling practices as appropriate to the nature of the service, the sensitivity of the data, and applicable privacy and security requirements. Where GNOMI receives a verified deletion request that applies to data held by a vendor or processor, GNOMI takes reasonable steps to communicate or execute the deletion, restriction, or anonymization request through the applicable vendor workflow, subject to lawful exceptions.
GNOMI evaluates Plaid and other financial integration providers for appropriate contractual, privacy, security, retention, deletion, confidentiality, and regulatory compliance controls.
Where required, GNOMI implements appropriate GDPR-compliant data transfer safeguards for cross-border processing involving financial integration data.
12. Backups and Disaster Recovery
Data contained in backups or disaster recovery systems may persist for a limited period after deletion from active production systems. Backup data is protected from unauthorized access and is subject to lifecycle controls, retention schedules, and scheduled overwrite or deletion. GNOMI does not use backup data for ordinary business processing after an applicable deletion request, except where restoration is required for security, disaster recovery, legal, or operational necessity. Financial integration data and AI-generated financial insights retained within backup systems remain subject to access restrictions, encryption controls, lifecycle management, and secure overwrite procedures.
13. Enforcement and Responsibilities
GNOMI management, security, engineering, product, operations, and compliance personnel are responsible for applying this policy within their areas of responsibility. Employees and contractors must follow approved retention, deletion, access control, and disposal procedures. Unauthorized retention, export, copying, or disposal of data outside approved processes is prohibited.
14. Periodic Review
This policy is reviewed at least annually and upon material changes to GNOMI’s products, systems, vendors, data processing activities, legal requirements, contractual obligations, or security posture. Reviews are intended to confirm that retention standards, disposal procedures, GDPR-aligned practices, vendor controls, and operational enforcement remain appropriate and effective. Reviews must consider new financial integration features, AI financial analysis functionality, portfolio analytics systems, changes to Plaid integrations, and evolving privacy or financial-data obligations.
15. Compliance Confirmation
GNOMI maintains this policy as active company documentation for data retention, deletion, and disposal. This policy is designed to support compliance with applicable data privacy laws, including GDPR where applicable, and to provide a defined and enforceable framework for how GNOMI retains, deletes, anonymizes, and disposes of data.
16. Approval
Approved by GNOMI management as an active company policy for Data Retention and Disposal, including GDPR-aligned retention and deletion practices.
12. Information Security Policy
Including GDPR and Applicable Privacy Law Controls
1. Purpose
The purpose of this Information Security Policy is to define GNOMI’s security governance requirements and operational controls for protecting information assets from unauthorized access, disclosure, alteration, loss, misuse, disruption, or destruction. This policy supports GNOMI’s compliance with applicable information security, privacy, financial data, consumer protection, and data protection obligations, including GDPR requirements where applicable. This policy also governs the protection of user-authorized financial account information, brokerage integrations, banking integrations, portfolio analytics systems, and AI-generated financial insights processed through Plaid or similar financial integration providers.
2. Scope
This policy applies to all GNOMI employees, founders, officers, contractors, consultants, service providers, vendors, systems, applications, cloud environments, databases, source code repositories, production assets, corporate devices, user data, partner data, and any other information assets used to deliver GNOMI products and services.
This policy applies to company, customer, user, financial, technical, operational, authentication, API, and vendor-managed data, including user-authorized brokerage account data, banking relationship data, portfolio holdings, transaction metadata, financial integration tokens, AI-generated portfolio analysis, and financial intelligence outputs, including personal data, sensitive data, and regulated data processed by or on behalf of GNOMI.
3. Legal, Regulatory, and Privacy Compliance
GNOMI designs and operates its security program to support compliance with all applicable information security and privacy laws, rules, regulations, and contractual requirements relevant to its operations, including, where applicable:
- General Data Protection Regulation (GDPR) and applicable EU/EEA data protection requirements;
- UK GDPR and Data Protection Act requirements, where applicable;
- U.S. state privacy and security laws, including CCPA/CPRA and the New York SHIELD Act, where applicable;
- GLBA and FTC Safeguards Rule requirements to the extent GNOMI processes data subject to those obligations;
- Contractual partner security obligations, including data protection, confidentiality, access control, incident notification, and vendor security requirements;
- Applicable breach notification, data minimization, retention, deletion, and user rights requirements;
- Plaid contractual security and data-handling obligations applicable to financial integration environments;
- Applicable financial-data privacy, safeguarding, and consumer protection obligations relating to user-authorized financial integrations.
Where laws, contracts, or partner requirements impose stricter obligations than this policy, the stricter standard applies. GNOMI periodically reviews this policy to ensure it remains aligned with applicable legal, regulatory, partner, and security requirements.
4. GDPR and Privacy-by-Design Requirements
GNOMI applies privacy-by-design and security-by-design principles to systems and processes that involve personal data. Where GDPR applies, GNOMI’s security and privacy controls are designed to support the following principles:
- Lawfulness, fairness, and transparency in data processing activities;
- Purpose limitation and use of data only for legitimate business, product, legal, security, or user-authorized purposes;
- Data minimization and collection of only data reasonably necessary for the stated purpose;
- Accuracy and appropriate correction or deletion processes;
- Storage limitation through defined retention and deletion standards;
- Integrity and confidentiality through appropriate technical and organizational measures;
- Accountability through documentation, ownership, review, and enforcement of privacy and security controls;
- Limitation of user-authorized financial data processing to the scope of consent, contractual necessity, or other lawful basis applicable to the requested functionality;
- Data minimization, least-privilege access, secure processing, and appropriate user transparency controls in financial intelligence features and AI-generated portfolio analysis functionality.
GNOMI supports data subject rights processes, including access, correction, deletion, restriction, portability, and objection where applicable. Requests are evaluated under applicable law and GNOMI’s internal privacy, security, retention, and legal hold requirements.
5. Security Governance and Accountability
- Executive management is responsible for ensuring GNOMI maintains an information security program appropriate to the company’s size, risk profile, products, data, and partner obligations.
- Security responsibilities are assigned across engineering, product, operations, legal, and executive stakeholders as appropriate.
- Security requirements are incorporated into product development, vendor selection, access management, incident response, data handling, and operational decision-making.
- GNOMI maintains internal procedures and supporting controls for implementing this policy, including access controls, data retention, incident response, vendor management, and secure development practices.
6. Risk Management
GNOMI identifies, evaluates, mitigates, and monitors information security risks that may affect confidentiality, integrity, availability, privacy, or legal compliance. Risk review may include system architecture, data flows, vendor dependencies, authentication controls, access privileges, production environments, new product features, third-party integrations, and incident history.
Material risks are escalated to appropriate management for remediation, acceptance, transfer, or additional controls. Risk treatment decisions must consider legal requirements, partner obligations, user impact, security impact, and business continuity.
Risk assessments must consider financial integrations, Plaid dependencies, AI-generated financial analysis functionality, portfolio analytics systems, financial-data access controls, model outputs, and third-party financial data flows.
7. Data Classification and Handling
GNOMI classifies and protects data according to sensitivity, business value, legal obligations, and risk. Data categories may include public, internal, confidential, sensitive, personal, financial, authentication, source code, security, and partner data.
- Sensitive and personal data must be accessed only by authorized personnel with a legitimate business need.
- Data must be stored, transmitted, and processed using approved systems and appropriate safeguards.
- Secrets, credentials, tokens, API keys, private keys, and certificates must not be stored in plaintext repositories, unsecured documents, chat messages, or unauthorized systems.
- Production data may not be copied to non-production environments unless approved and appropriately protected, minimized, anonymized, or pseudonymized where feasible.
- Data handling must align with GNOMI’s retention, deletion, disposal, and privacy requirements.
- User-authorized brokerage account data, banking information, portfolio holdings, transaction metadata, AI-generated financial insights, and portfolio sentiment outputs must be classified as sensitive data.
- Financial integration data may only be processed through approved systems and authorized workflows.
- Production financial integration data may not be copied into development or testing environments unless minimized, anonymized, pseudonymized, or otherwise appropriately protected.
8. Identity and Access Management
GNOMI enforces access controls designed to limit access to production assets, cloud resources, administrative tools, systems, source code repositories, and sensitive data. Access is granted based on role, business need, least privilege, and approval requirements.
- Role-based access control (RBAC) is used where supported by systems and applications.
- Privileged and administrative access is limited to authorized personnel and reviewed periodically.
- Centralized identity and access management solutions are used where appropriate to manage user authentication and authorization.
- Multi-factor authentication is required for privileged accounts and critical systems where supported.
- Access reviews and audits are performed periodically to validate that access remains appropriate.
- Access is modified or revoked when personnel change roles, transfer responsibilities, or terminate their relationship with GNOMI.
- Non-human authentication, including service accounts, OAuth tokens, API credentials, and TLS certificates, must be approved, securely stored, scoped to the minimum required privileges, and rotated or revoked when no longer needed.
- Access to financial integration systems, Plaid administrative environments, AI financial intelligence systems, and user financial datasets must be restricted to authorized personnel with a legitimate operational, security, compliance, or support need.
- Administrative access to systems capable of retrieving or analyzing user-authorized financial account data requires multi-factor authentication where supported.
9. Production Asset Security
- Production environments must be protected through access controls, logging, monitoring, secure configuration, and change management practices.
- Production access is restricted to personnel with an approved operational or engineering need.
- Changes to production systems must follow appropriate review, testing, approval, and deployment practices based on risk and urgency.
- Sensitive production data should not be exported, downloaded, or transferred unless authorized for a legitimate business, legal, security, or operational purpose.
- Emergency production access must be limited, logged, and reviewed after use.
- Systems processing user-authorized financial integration data must implement appropriate logging, monitoring, encryption, access restriction, and secure configuration controls.
- Access to AI-generated financial insights and portfolio analytics outputs must be restricted consistent with the sensitivity of the associated user financial data.
10. Encryption, Secrets, and Key Management
GNOMI uses appropriate technical safeguards to protect sensitive data, credentials, and communications. Encryption must be used for sensitive data in transit and applied to sensitive data at rest where supported and appropriate. Secrets, tokens, certificates, keys, and credentials must be stored in approved secure systems and protected against unauthorized use or disclosure.
Keys and credentials must be rotated, disabled, or revoked when compromised, no longer needed, or when personnel or vendor access changes. Credentials must not be shared between users except where approved service account controls are used.
Plaid API credentials, financial integration tokens, OAuth credentials, webhook secrets, refresh tokens, and related financial integration secrets must be encrypted, securely stored, and protected against unauthorized access.
11. Logging, Monitoring, and Security Review
GNOMI maintains logging and monitoring practices appropriate to its systems and risk profile. Logs may include authentication events, administrative activity, application events, system activity, production changes, access changes, and security-relevant errors or alerts.
- Logs are reviewed as needed to investigate security events, operational issues, access anomalies, and incidents.
- Security-relevant events are escalated to responsible personnel for investigation and remediation.
- Monitoring and alerting controls are updated as systems, vendors, and business risks evolve.
- Logs containing personal data or sensitive information must be protected and retained consistent with GNOMI’s retention and privacy obligations.
- Security monitoring should include financial integration activity, Plaid integration events, token-management events, privileged access to financial datasets, and anomalous access patterns involving user financial information.
12. Secure Development and Change Management
GNOMI incorporates security into software development and product delivery. Security requirements are considered during design, development, testing, deployment, and maintenance of GNOMI systems.
- Code changes should be reviewed before deployment to production where appropriate.
- Security-impacting changes must be evaluated for risk, including changes involving authentication, authorization, data flows, APIs, integrations, production infrastructure, or sensitive data.
- Dependencies, libraries, and third-party components should be reviewed and updated as appropriate to reduce known vulnerabilities.
- Vulnerabilities identified through internal review, third-party reports, monitoring, or vendor notifications must be triaged and remediated based on severity and business impact.
- Security-impacting changes involving financial integrations, Plaid APIs, AI-generated portfolio analytics, financial analysis functionality, or user financial data flows must undergo appropriate security and privacy review prior to deployment.
13. Vendor and Third-Party Security
GNOMI evaluates third-party vendors, processors, subprocessors, and integration partners based on the type of data processed, services provided, operational dependency, security posture, legal obligations, and contractual requirements.
- Vendors that process sensitive, personal, financial, or user data must be reviewed for appropriate security and privacy safeguards.
- Contracts should include confidentiality, data protection, security, access control, incident notification, retention, deletion, and subprocessor obligations where appropriate.
- Vendor access to GNOMI systems or data must be limited to authorized use and revoked when no longer required.
- GNOMI monitors material vendor risks and may request security documentation, attestations, or compliance evidence from vendors when appropriate.
- Financial integration providers, including Plaid and related subprocessors, must be evaluated for security posture, data protection controls, regulatory compliance alignment, and contractual privacy obligations.
- Cross-border transfers involving EU or UK financial integration data must utilize appropriate lawful transfer mechanisms where required.
14. Incident Response and Breach Notification
GNOMI maintains incident response procedures to identify, investigate, contain, remediate, document, and communicate security incidents. Security incidents may include unauthorized access, data exposure, credential compromise, system compromise, data loss, malware, service disruption, or suspected breach of confidentiality, integrity, or availability.
- Incidents must be escalated promptly to appropriate internal stakeholders.
- GNOMI will assess the nature, scope, affected systems, affected data, user impact, partner impact, legal obligations, and remediation measures.
- Notification to users, regulators, partners, vendors, or other parties will be made when required by applicable law, contract, or GNOMI’s incident response determination.
- Incident lessons learned may be used to improve controls, procedures, training, monitoring, and vendor oversight.
- Incidents involving financial integration systems, Plaid credentials, brokerage or banking information, portfolio analytics systems, or AI-generated financial intelligence outputs must be prioritized for investigation and containment.
15. Data Retention, Disposal, and Legal Hold
GNOMI retains information only for as long as reasonably necessary for the purpose for which it was collected or processed, including product delivery, user account management, security, fraud prevention, analytics, legal compliance, financial records, contractual obligations, dispute resolution, and legitimate business operations.
- Personal data must be deleted, anonymized, or securely disposed of when no longer required, subject to legal, regulatory, contractual, security, or legitimate business retention needs.
- User deletion and account closure requests are handled in accordance with applicable privacy laws and GNOMI’s retention requirements.
- Backups and logs are retained and disposed of according to defined lifecycle practices and may be subject to delayed deletion due to technical, security, or legal requirements.
- Legal holds may suspend deletion or disposal when necessary to preserve information for legal, regulatory, audit, investigation, or dispute purposes.
- Financial integration data and AI-generated financial insights must be deleted, anonymized, restricted, or token-revoked when no longer required for authorized functionality, subject to lawful retention requirements.
16. Personnel Security and Training
GNOMI personnel and contractors with access to company systems, production assets, or sensitive data must follow this policy and applicable security procedures. Personnel are expected to protect credentials, use approved systems, report suspected security incidents, and handle data according to classification and need-to-know requirements.
Security and privacy awareness may be provided through onboarding, role-specific guidance, internal communications, and ongoing updates as GNOMI’s products, risks, and compliance obligations evolve.
Personnel with access to financial integration systems or user-authorized financial data may receive additional guidance regarding financial-data handling, privacy obligations, secure processing, phishing prevention, token security, and incident escalation procedures.
17. Business Continuity and Availability
GNOMI maintains reasonable measures to support continuity and availability of critical services. Controls may include cloud resilience, backups, monitoring, incident escalation, vendor dependency review, disaster recovery planning, and operational response procedures based on system criticality and risk. Business continuity planning should consider dependencies on Plaid and other financial integration providers, including availability risks, vendor outages, token failures, and financial integration service disruptions.
18. Exceptions
Any exception to this policy must be approved by appropriate GNOMI management based on business need, risk, compensating controls, duration, and legal or contractual requirements. Exceptions must be documented where appropriate and reviewed periodically until remediated or formally accepted.
19. Enforcement
Failure to comply with this policy may result in access revocation, remediation requirements, vendor action, disciplinary action, contract termination, or other measures appropriate to the nature and severity of the violation. GNOMI may investigate suspected violations and take corrective action to protect company systems, users, partners, and data.
13. Contact Us
GNOMI is the controller of personal information processed under this Privacy Notice.
If you have questions about our privacy practices or want to exercise your rights, please contact us at support@gnomi.com.