Solsta Privacy Notice (Global)Effective date: March 1, 2026

Who we are: Solsta Inc. (“Solsta”, “we”, “us”, “our”)

1) Scope
This Privacy Notice explains how we collect, use, disclose, and protect personalinformation specifically in connection with our Early Access form, related marketingcommunications, and any downstream processing such as lead qualification and CRM transfer. It does not cover general website browsing or cookie use — for those activities, please see our Privacy Policy. We provide this information at or before the point ofcollection to meet applicable transparency requirements.

2) Controller Contact
Controller: Solsta Inc.,1 N. 1st Street, Suite 654Phoenix, AZ 85004
Phone: (602) 889-3074
Privacy contact: privacy@solsta.io

3) What we collect
Information you provide:
• Identifiers (first name, last name, email) submitted via the Early Access form.
• Any information included in free‑text fields.

Information collected automatically:
• Device/usage data (IP address, browser type/version, pages viewed, timestamps)collected via Google Analytics (Google LLC, USA). Google Analytics uses cookies to help us understand how visitors interact with our site. Depending on yourcookie preferences, this data may be shared with Google. See our Cookie Notice for details and to manage your preferences.

4) Purposes and Legal Bases
We process your information only for specific, explicit purposes and rely on a lawful basis for each processing activity.
• Respond to your Early Access request and related operational communications (e.g., scheduling a call or provisioning access).o
Legal basis: Legitimate interests (to answer your request) or Contract (totake steps at your request before entering a contract).
• Email marketing & automated nurturing sequences via Mailchimp (e.g.,product updates, launch announcements, onboarding tips), includingsegmentation and tags to improve relevance.
Legal basis: Consent (opt‑in). Consent must be freely given, specific,informed, unambiguous, and is separate from other terms. You canwithdraw consent at any time.
• Lead qualification and pipeline movement (e.g., segmenting contacts byengagement level and transferring qualified leads from Mailchimp to our CRM,Attio, for sales follow-up and direct outreach.)
Legal basis: Consent — this transfer is covered by your opt-in at the pointof collection. You may withdraw consent at any time by contacting privacy@solsta.io, which will stop further processing for this purpose.
• Analytics and service improvement (e.g., understanding page performance,measuring campaign effectiveness).Legal basis: Legitimate interests; where non‑essential cookies/trackersare used, we obtain consent first.
• Compliance and protection (e.g., complying with legal obligations, enforcingterms, protecting security).o Legal basis: Legal obligation / Legitimate interests.

5) Email marketing, unsubscribe, and your choices
• We send marketing emails only if you opt in on the form (checkbox not pre-ticked). You may withdraw consent at any time by clicking Unsubscribe inour emails or by contacting us. We keep records showing what you consented toand when.
• If you have also consented to CRM transfer, withdrawing your marketing consentwill also stop your data from being moved to our sales CRM. If your data hasalready been transferred to our CRM prior to withdrawal, please contact privacy@solsta.io to request deletion of that record.
• Our marketing emails include an unsubscribe link and our physical mailing address (CAN-SPAM). We honor opt-out requests promptly.
(If you are an existing customer in the UK, PECR’s “soft opt-in” may apply to similarproducts/services if you were given a clear opt-out at collection and in every message;otherwise we rely on consent.)

6) Profiling, segmentation, and automation
We use Mailchimp (Rocket Science Group LLC, USA) to run automated onboarding and nurture email sequences and to segment contacts based on the information you provide and your engagement with our communications. This section explains how that worksand what it means for you.

What we automate: Once you submit the Early Access form and opt in, you will beenrolled in a pre-defined sequence of emails. The timing, content, and continuation ofthose emails may be influenced by your engagement behavior — for example, whetheryou open emails or click links.

How we segment: We use engagement signals (such as email opens, link clicks, and inactivity) alongside the information you submitted in the form (such as product interest) to assign you to segments. These segments determine which messages youreceive and how frequently.

What this means for you: Based on your engagement level and form responses, you may be identified as a qualified lead. If so, your contact information and engagement data may be transferred from Mailchimp (Rocket Science Group LLC, USA) to our CRM (Attio Ltd., UK) for direct sales follow-up. This is the primary practical consequence ofthe segmentation process.
‍
What we do not do: We do not make decisions that produce legal or similarly significant effects solely by automated means. A member of our team reviews leads before any transfer to our sales CRM occurs. Your choices: You can opt out of automated communications at any time by clicking Unsubscribe in any of our emails or by contacting privacy@solsta.io. If you wish toobject to being profiled for lead qualification purposes, you may also contact us at thataddress and we will assess your request.

7) Who we share information with (recipients)
We share personal information only with:

Service providers acting on our instructions:
• Mailchimp (Rocket Science Group LLC, USA) email delivery, contactmanagement, and automated nurture sequences. Mailchimp Privacy Global Policy / Data Processing Term so
•  Attio (Attio Ltd., UK) CRM for qualified leads and sales pipelinemanagement. Attio Privacy Policy
• Google Analytics (Google LLC, USA) — website analytics to understand visitor behavior and site performance. Data sharing with Google's other products and services is disabled. Data is retained for 2 months. Google Privacy Policy
• Authorities when legally required.

Disclosing categories of recipients is required.
‍
We do not sell personal information. We do not share personal information with any third parties other than the service providers listed above and authorities where legally required, and only for the purposes described in this Notice.

8) International Transfers
If your information is transferred from the UK/EEA to countries without an adequacydecision — for example, to Rocket Science Group LLC (Mailchimp) in the USA — we useappropriate safeguards such as Standard Contractual Clauses (SCCs). Attio (Attio Ltd.) is based in the United Kingdom. The UK maintains an adequacy decisionfor data transfers from the EEA. For transfers of personal data from Solsta (USA) to Attio (UK), appropriate contractual safeguards are in place.

9) Retention
We retain personal information only as long as necessary for the purposes described above:
• Early-Access inquiries: 12 months after last interaction.
• Marketing contacts: until you unsubscribe/withdraw consent or after 12 months of no engagement (then delete or anonymize).
• CRM lead records: per our sales operations schedule 3 years or as required bylaw.
• Analytics: 2 months We disclose retention periods/criteria to satisfy transparency requirements.

10) Your Rights
Depending on where you live, you may have rights to access, correct, delete, restrict, object (including to direct marketing), port your data, and withdraw consent at any time without affecting prior lawful processing. You also have the right to lodge a complaint with a supervisory authority (EEA/UK).
• To exercise rights or preferences, contact: privacy@solsta.io
• For California rights, see California Notice at Collection below.

11) Security
We use administrative, technical, and organizational measures (e.g., encryption intransit, access controls, least-privilege, vendor due diligence) to protect personalinformation. No system is 100% secure, but we continually improve protections.

12) Children
Our site and services are not directed to children. Do not submit personal information ifyou are under the age where consent requires parental authorization under applicablelaws.

13) Changes
We will update this Notice when needed and indicate the effective date above. Ifchanges materially affect you, we will notify you by reasonable means (e.g., email or website notice).

California Notice at Collection (CCPA/CPRA)
This Notice at Collection applies to California residents and describes what we collect at or before the time of collection, why, how long we keep it, and whether we sell or share it.

1) Categories of personal information we collect
From the Early Access form and your use of our site, we may collect:
• Identifiers: first name, last name, email address.
• Internet / network activity: page views, clicks, IP address, device/browser info.
• Inferences we derive (e.g., product interest segments or engagement levels from email opens/clicks) to tailor communications. We do not intentionally collect sensitive personal information via this form. (If this changes, we will update this Notice and provide appropriate choices.)
• Professional information: company or organization name, where provided voluntarily via the Early Access form.

We do not intentionally collect sensitive personal information via this form. (If this changes, we will update this Notice and provide appropriate choices.)

2) Purposes for collection and use
We use these categories for:
• Responding to your Early Access request and related operationalcommunications.
• Email marketing and automated lead-nurture sequences (with your opt-in),including segmentation and measuring engagement.
• Analytics and service improvement.
• Security and fraud prevention; compliance with law.

3) Retention periods
• Early-Access inquiries: 12 months from last interaction.
• Marketing contacts: until you unsubscribe or 12 months of no engagement.
• Logs/analytics: 2 months.

4) Selling or sharing personal information
• We do not sell personal information.
• We do not share personal information for cross-context behavioral advertising.

5) Disclosure to service providers
We disclose personal information to service providers that support our operations, suchas Mailchimp (Rocket Science Group LLC, USA) and Attio (Attio Ltd., UK). These providers may only use personal information to provide services to us and not for theirown purposes.
• Mailchimp (Rocket Science Group LLC, USA) email delivery, contactmanagement, and automated nurture sequences. Mailchimp Privacy Global Policy / Data Processing Terms
• Attio (Attio Ltd., UK) CRM for qualified leads and sales pipeline management. Attio Privacy Policy

6) Your CCPA/CPRA rights
California residents have the right to know, access, delete, correct, and limit the use ofsensitive personal information (if collected), and the right to opt out of sale or sharing of personal information. We will not discriminate against you for exercising your rights.
How to exercise your rights:
• Email: privacy@solsta.io