The margins you bid
are yours to keep.

RALCO TERMS OF SERVICE

Last Updated: February 1, 2026

1. Introduction and Acceptance

These Terms of Service ("Terms") constitute a binding agreement between Ralco Compliance Limited, a company incorporated in Ireland (company number 759312), with its registered office at 17 Percy Place, Dublin 4, D04 V250, Ireland ("RALCO," "we," "us," or "our"), and you or the company or other legal entity you represent ("Customer," "you," or "your"). These Terms govern your access to and use of the RALCO platform, including the website at https://ralco.io and the RALCO Worker mobile application (collectively, the "Service").

By signing an Order Form, clicking "I Accept," or otherwise accessing or using the Service, you acknowledge that you have read, understood, andagreeto be bound by these Terms.If you are accepting these Terms on behalf of a company or other legal entity, you represent and warrant that you have the authority to bind that entity to these Terms.

If you do not agree to these Terms, you may not access or use the Service.

2. Definitions

"Billable Active User"means any user that has clocked in within the applicable 30-day billing period.

"Customer Data"means all data, including personal information, that Customer or its End Users submit to the Service or that is collected through the Service in connection with Customer's use.

"Data Processing Agreement" or "DPA"means the Data Processing Agreement between RALCO and Customer governing the processing of personal data, which is incorporated into these Terms by reference and available at [link/upon request].

"End User"means an individual authorized by Customer to use the Service, such as Customer's employees, contractors, or workers.

"Order Form"means an ordering document executed by Customer that specifies the services purchased, pricing, subscription term, and other commercial terms, which incorporates these Terms by reference.

"Software"means the software applications provided by RALCO as part of the Service, including the RALCO Worker mobile application.

3. The Service

3.1 Provision of Service

Subject to these Terms and payment of applicable fees, RALCO grants Customer a non-exclusive, non-transferable right to access and use the Service during the applicable subscription term for Customer's internal business operations. RALCO will provide the Service in accordance with the specifications set forth in the applicable Order Form and documentation.

3.2 End User Access

Customer may permit End Users to access and use the Service, subject to these Terms. Customer is responsible for: ensuring that End Users comply with these Terms; all acts and omissions of End Users; maintaining the confidentiality of End User login credentials; and promptly notifying RALCO of any unauthorized use of the Service.

3.3 Service Modifications

RALCO may modify the Service from time to time, including adding or removing features. If RALCO makes a material change that significantly reduces the functionality of the Service, RALCO will provide Customer with reasonable prior notice. Customer's continued use of the Service following such notice constitutes acceptance of the modified Service.

3.4 Beta Features

RALCO may offer access to features designated as "beta" or similar. Beta features are provided "as is" without warranty, may be changed or discontinued at any time, and should not be relied upon for production use.Customershould back up all data used in connection with beta features.

4. Customer Responsibilities

4.1 Compliance

Customer is responsible for: compliance with all applicable laws and regulations in connection with its use of the Service, including employment, labor, and workplace safety laws; providing all notices required by law to End Users, including any notices required regarding electronic monitoring under applicable state law; and ensuring that Customer has all necessary rights, consents, and authorizations to submit Customer Data to the Service and to permit RALCO to process such data as contemplated by these Terms.

4.2 Biometric Data

The Service may collect biometric information from End Users, including facial recognition data and electronic signatures, for identity verification purposes. Customer acknowledges that:

• RALCO's collection and use of biometric data is governed by RALCO's Biometric Information PrivacyPolicy;

• Customer is responsible for ensuring that End Users have received required disclosures and provided valid consent before enrolling in biometric features;

• and Customer will promptly notify RALCO when an End User's employment terminates so that RALCO can process the destruction of that End User's biometric data in accordance with applicable law and RALCO's Biometric Information Privacy Policy.

4.3 Account Information

Customerwill provide accurate, current, and complete registration and account information, and will promptly update such information as necessary. Customer is responsible for maintaining the security of account credentials and will notify RALCO immediately of any unauthorized access.

5. Acceptable Use

Customerwill not, and will not permit any End User or third party to:

• Use the Service in violation of any applicable law or regulation, or in a manner that infringes the rights of any third party;

• upload, transmit, or store any content that is unlawful, defamatory, threatening, harassing, obscene, or otherwise objectionable;

• introduce malware, viruses, or other harmful code into the Service;

• attempt to gain unauthorized access to the Service or its related systems;

• interfere with or disrupt the integrity, security, or performance of the Service;

• reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code of the Software;

• copy, modify, or create derivative works of the Software or Service;

• sublicense, sell, rent, lease, or otherwise transfer access to the Service;

• use the Service to build a competitive product or service; or use the Service in any application where failure could result in death, personal injury, or significant property or environmental damage.

6. Fees and Payment

6.1 Fees

Customer will pay the fees specified in the applicable Order Form. Unless otherwise stated in the Order Form, the Service is billed in advance on a monthly or annual basis. For any Billable Active Users addedin excess ofthe quantity specified in the Order Form, Customer will be charged the applicable per-user feeon a monthly basis.

6.2 Payment Terms

Customer authorizes RALCO to charge the payment method on file for all applicable fees. If payment fails, RALCO will notify Customer and Customer agrees to pay all amounts due withinthirty (30) days of such notice. RALCO reserves the right to suspend access to the Service for any account with overdue payments.

6.3 Taxes

All fees are exclusive of taxes. Customer is responsible for all applicable taxes, including sales, use, and value-added taxes, excluding taxes based on RALCO's net income. If RALCO is required to collect taxes, such taxes will be invoiced to Customer.

6.4 Fee Changes

RALCO may change its fees upon at least thirty (30) days' prior notice to Customer. Fee changes will apply to the next renewal term unless Customer terminates before the renewal effective date.

7. Term and Termination

7.1 Term

The initial term of the Service is specified in the applicable Order Form. Unless either party provides written notice of non-renewal at least thirty (30) days before the end of the then-current term, the subscription will automatically renew for successive periods equal to the initial term (or one year, if shorter).

7.2 Termination by Customer

Customer may terminate the Service at any time by providing thirty (30) days' written notice to RALCO. For annual subscriptions, Customer will receive a pro-rata refund for any complete unused months remaining in the subscription term. Partial monthly refunds are not available.

7.3 Termination by RALCO

RALCO may terminate or suspend Customer's access to the Service immediately upon written notice if: Customer breaches any material term of these Terms; Customer fails to pay any fees when due and does not cure such failure within fifteen (15) days of notice; Customer's use of the Service poses a security risk or may subject RALCO to liability; or Customer becomes insolvent, files for bankruptcy, or ceases operations.

7.4 Effect of Termination

Upon termination or expiration of the Service: Customer's right to access and use the Service will immediately cease; RALCO will make Customer Data available for export for a period of thirty (30) days following termination, after which RALCO may delete Customer Data; Customer will pay all fees accrued through the termination date; and the following sections will survive termination: Definitions, Intellectual Property, Confidentiality, Limitation of Liability, Indemnification, and General Provisions.

7.5 Early Termination by RALCO for Breach

If RALCO terminates for Customer's material breach or non-payment, Customer will remain liable for all fees that would have been due for the remainder of the subscription term, less any fees actually paid.

8. Data and Privacy

8.1 Customer Data

As between the parties, Customer retains allright,title, and interest in Customer Data. Customer grants RALCO a non-exclusive, worldwide license to use, copy, store, transmit, and display Customer Data solely to provide the Service and as otherwise permitted by these Terms.

8.2 Privacy

RALCO’s collection and use of personal information is governed by RALCO’s Privacy Policy, Biometric Information Privacy Policy, and Data Processing Agreement, each of which is incorporated into these Terms by reference.Customer acknowledgesthatit hasreviewed these policies. To the extent that Customer Data includes personal data within the meaning of the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the processing of such data shall be governed by the DPA. RALCO is established in Ireland and is subject to the GDPR as a data processor. Customer, as data controller, is responsible for ensuring that it has a lawful basis for the processing of personal data and has provided all required notices and obtained all necessary consents from End Users.

8.3 Data Security

RALCO will implement and maintain reasonable administrative, technical, and physical safeguards designed to protect Customer Data from unauthorized access, use, or disclosure. In the event of a security breach affecting Customer Data, RALCO will notify Customer without unreasonable delay.

8.4 Aggregated Data

RALCO may create and use aggregated, anonymized data derived from Customer Data for purposes such as improving the Service, provided such data does not identify Customer or any individual.

8.5 Data Processing Agreement

The parties agree that the DPA governs the processing of personal data in connection with the Service. The DPA sets out the roles of the parties (Customer as controller and RALCO as processor), the categories of personal data processed, the security measures implemented by RALCO, sub-processor arrangements, data breach notification procedures, audit rights, and data subject rights obligations. In the event of any conflict between these Terms and the DPA with respect to the processing of personal data, the DPA shall prevail. Customer agrees to execute the DPA concurrently with these Terms or the applicable Order Form.

8.6 International Data Processing

Customer acknowledges that RALCO is incorporated in Ireland and that Customer Data is stored on servers located in the United States (Amazon Web Services). RALCO personnel in Ireland may access Customer Data remotely in connection with the provision of the Service. The DPA addresses the applicable data transfer mechanisms and safeguards for such processing.

9. Intellectual Property

RALCO and its licensors retain allright, title, and interest in the Service, Software, documentation, and all related intellectual property rights. These Terms do not grant Customer any rights to use RALCO's trademarks, logos, or branding. Customer will not remove or alter any proprietary notices on the Service or Software.

10. Confidentiality

Each party agrees to maintain the confidentiality of any non-public information disclosed by the other party that is designated as confidential or that reasonably should be understood to be confidential ("Confidential Information"). Confidential Information does not include information that: is or becomes publicly available through no fault of the receiving party; was known to the receiving party prior to disclosure; is independently developed by the receiving party; or is rightfully obtained from a third party without restriction.

The receiving party may disclose Confidential Information if required by law, provided it gives the disclosing party reasonable prior notice (where permitted) and cooperates with efforts to obtain protective treatment.

The terms of any Order Form, including pricing, fees, and discounts, shall be deemed Confidential Information of both parties.

11. Warranties and Disclaimers

11.1 Mutual Warranties

Each party represents and warrants that: it has the legal power and authority toenter intothese Terms; its acceptance and performance of these Terms does not violate any other agreement to which it is bound; and these Terms constitute a legal, valid, and binding obligation.

11.2 RALCO Warranty

RALCO warrants that the Service will perform materially in accordance with its documentation during the subscription term. Customer's sole remedy for breach of this warranty is, at RALCO's option, correction of the non-conforming Service or termination of the affected Service and refund of prepaid fees for the period following termination.

11.3 Disclaimer

EXCEPT AS EXPRESSLY PROVIDED IN SECTION 11.2, THE SERVICE IS PROVIDED "AS IS" AND "AS AVAILABLE." RALCO DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING IMPLIED WARRANTIES OFMERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. RALCO DOES NOT WARRANT THAT THE SERVICE WILL BE UNINTERRUPTED, ERROR-FREE, OR SECURE.

RALCO MAKES NO WARRANTY REGARDING COMPLIANCE WITH THE DEFENSE CONTRACT AUDIT AGENCY (DCAA) REQUIREMENTS. CUSTOMERS SUBJECT TO DCAA AUDIT REQUIREMENTS ARE ENCOURAGED TO SEEK INDEPENDENT ADVICE REGARDING COMPLIANCE.

12. Limitation of Liability

12.1 Exclusion of Damages

TO THE MAXIMUM EXTENT PERMITTED BY LAW, NEITHER PARTY WILL BE LIABLE TO THE OTHER FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING DAMAGES FOR LOST PROFITS, LOST REVENUE, LOST DATA, OR BUSINESS INTERRUPTION, ARISING OUT OF OR RELATED TO THESE TERMS, REGARDLESS OF THE THEORY OF LIABILITY AND EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

12.2 Liability Cap

EXCEPT FOR OBLIGATIONS UNDER SECTION 13 (INDEMNIFICATION) OR A PARTY'S BREACH OF SECTION 5 (ACCEPTABLE USE) OR SECTION 10 (CONFIDENTIALITY), EACH PARTY'S TOTAL CUMULATIVE LIABILITY ARISING OUT OF OR RELATED TO THESE TERMS WILL NOT EXCEED THE AGGREGATE FEES PAID OR PAYABLE BY CUSTOMER TO RALCO IN THE TWELVE (12) MONTHS PRECEDING THE CLAIM.

12.3 Basis of the Bargain

The limitations inthis Section12 reflect the allocation of risk between the parties and are an essential basis of the bargain. The Service would not be provided without these limitations.

13. Indemnification

13.1 Indemnification by Customer

Customer will defend, indemnify, and hold harmless RALCO and its officers, directors, employees, agents, affiliates, successors, and assigns from and againstany and allthird-party claims, demands, actions, suits, proceedings, damages, losses, liabilities, costs, and expenses (including reasonable attorneys' fees and court costs) arising out of or relating to:

(a) Customer Data, including any claim that Customer Data infringes, misappropriates, or violates any third-party intellectual property, privacy, or otherrights;

(b) Customer's use of the Service, including any use by EndUsers;

(c) Customer's breach of these Terms, including any breach of Customer's representations andwarranties;

(d) Customer's violation of applicable law, including employment, labor, workplace safety, and electronic monitoring notificationlaws;

(e) Customer's failure to obtain required consents, authorizations, or releases from End Users, including consent for biometric data collection as required by applicablelaw;

(f) any claim brought by an End User against RALCO arising out of or relating to the End User's employment or engagement with Customer, Customer's use of data obtained through the Service, or Customer's employment decisions oractions;

(g) any claim arising under the Illinois Biometric Information Privacy Act, the Texas Capture or Use of Biometric Identifier Act, or any similar state or federal biometric privacy law, to the extent arising from Customer's failure to provide required notices, obtain requiredconsents, or comply with its obligations under Section 4.2 of these Terms; and

(h) any claim that Customer's instructions, specifications, or requirements caused RALCO to violate any third-party rights or applicable law.

13.2 Indemnification by RALCO

Subject to the limitations and exclusions in this Section 13, RALCO will defend Customer from any third-party claim that the Service, as provided by RALCO and used in accordance with these Terms, directly infringes a valid United States patent, registered copyright, or registered trademark, and will pay any damages finally awarded by a court of competent jurisdiction or agreed to in settlement, provided that:

(a) Customer provides RALCO with prompt written notice of the claim, and in no event later than fifteen (15) days after Customer becomes aware of the claim (failure to provide timely notice will relieve RALCO of its obligations under this Section 13.2 to the extent RALCO is prejudiced by such failure);

(b) RALCO has sole and exclusive control of the defense and settlement of the claim (provided that RALCO will not settle any claim in a manner that admits liability on Customer's behalf or imposes obligations on Customer without Customer's prior written consent, not to be unreasonably withheld);

(c) Customer provides reasonable cooperation and assistance to RALCO at RALCO's expense; and

(d) Customer does not admit liability, make any statement, or take any action thatprejudicesthe defense of the claim without RALCO's prior written consent.

13.3 Exclusions from RALCO's Indemnification

RALCO will have no obligation under Section 13.2 for any claim arising from or relating to:

(a) Customer Data or any content provided by Customer or EndUsers;

(b) modifications to the Service not made or authorized in writing byRALCO;

(c) combination of the Service with any products, services, software, data, or materials not provided by RALCO, where the claim would not have arisen but for suchcombination;

(d) Customer's use of the Service in violation of these Terms or applicablelaw;

(e) Customer's use of the Service after RALCO has notified Customer to cease such use due to an infringementclaim;

(f) use of any version of the Service other than the then-current version, if the claim would have been avoided by use of the currentversion;

(g) any beta feature, free trial, or no-charge access to theService;

(h) anyopen sourcesoftware or third-party component, to the extent governed by separate licenseterms;

(i) any claim based on trade secrets or confidential information; or

(j) Customer's instructions, specifications, or requirements, where the claim arises from RALCO's compliance therewith.

13.4 Remediation

If the Service becomes, or in RALCO's reasonable opinion is likely to become, the subject of an infringementclaimunder Section 13.2, RALCO may at its sole option and expense:

(a) obtain the right for Customer to continue using theService;

(b) modify or replace the Service to make it non-infringing while providing substantially equivalent functionality; or

(c) if neither (a) nor (b) is commercially practicable, terminate the affected Service upon written notice and refund to Customer any prepaid fees for the period following termination.

This Section 13.4 states Customer's sole and exclusive remedy, and RALCO's entire liability, for any claim that the Service infringes or misappropriates any third-party intellectual property rights.

13.5 Limitation on RALCO's Indemnification Liability

Notwithstanding anything to the contrary in these Terms, RALCO's aggregate liability under Section 13.2, including all defense costs, settlements, and damages awarded, will not exceed the greater of (a) the aggregate fees paid or payable by Customer to RALCO in the twelve (12) months preceding the first claim giving rise to indemnification, or (b) fifty thousand dollars ($50,000 USD).

13.6 Indemnification Procedures

A party seeking indemnification (the "Indemnified Party") must: (a) promptly notify the other party (the "Indemnifying Party") in writing of any claim for which indemnification is sought; (b) give the Indemnifying Party sole control of the defense and settlement; and (c) provide reasonable cooperation at the Indemnifying Party's expense. The Indemnified Party may participate in the defense at its own expense with counsel of its choice, but the Indemnifying Party will have sole control of the defense and any settlement negotiations. The Indemnifying Party will not consent to any settlement that imposes liability or obligations on the Indemnified Party without the Indemnified Party's prior written consent.

14. Force Majeure

Neither party will be liable for any failure or delay in performance due to causes beyond its reasonable control, including acts of God, natural disasters, war, terrorism, riots, government action, labor disputes, or Internet service interruptions. The affected party will promptly notify the other party and use reasonable efforts to mitigate the impact.

15. General Provisions

15.1 Governing Law and Jurisdiction

These Terms are governed by the laws of the State of New York, without regard to conflict of law principles. For matters relating to GDPR compliance and the processing of personal data under the DPA, the relevant provisions of EU/EEA law shall apply to the extent required. Any dispute arising out of these Terms will be resolved exclusively in the state or federal courts located in New York County, New York, and each party consents to the personal jurisdiction of such courts.

15.2 Notices

Notices to RALCO must be sent to 17 Percy Place, Dublin 4, D04 V250, Ireland / legal@ralco.io or legal@ralco.io. Notices to Customer will be sent to the email address associated with Customer's account. Notices are effective upon delivery.

15.3 Assignment

Customer may not assign these Terms or any rights hereunder without RALCO's prior written consent, except to an affiliate or in connection with a merger, acquisition, or sale of all or substantially all of Customer's assets. RALCO may assign these Terms freely. Any attempted assignment in violation of this section is void.

15.4 Amendments

RALCO may amend these Terms by posting updated Terms on its website and providing notice to Customer. Material changes will be effective thirty (30) days after notice, unless Customer terminates before the effective date. Continued use of the Service after the effective date constitutes acceptance of the amended Terms.

15.5 Waiver

No failure or delay by either party in exercising any right under these Terms will constitute a waiver of that right. Any waiver must be in writing and signed by the waiving party.

15.6 Severability

If any provision of these Terms is held invalid or unenforceable, that provision will be modified to the minimum extent necessary to make it enforceable, and the remaining provisions will continue in full force and effect.

15.7 Entire Agreement

These Terms, together with any applicable Order Form, Data Processing Agreement, Privacy Policy, and Biometric Information Privacy Policy, constitute the entire agreement between the parties regarding the subject matter hereof and supersede all prior agreements, understandings, and communications. In the event of a conflict, the Order Form will control over these Terms, the DPA will control over these Terms with respect to the processing of personal data, and these Terms will control over the Privacy Policy and Biometric Information Privacy Policy.

15.8 Independent Contractors

The parties are independent contractors. Nothing in these Terms creates a partnership, joint venture, agency, or employment relationship.

15.9 Third-Party Beneficiaries

There are no third-party beneficiaries to these Terms. End Users are not third-party beneficiaries and have no rights under these Terms.

16. Contact Information

For questions about these Terms, please contact:

Ralco Compliance Limited

17 Percy Place, Dublin 4, D04 V250, Ireland

Email: legal@ralco.io

Phone: +353 (0)1 513 4400

RALCO PRIVACY POLICY

Last Updated: February 1, 2026

1. Introduction

Ralco Compliance Limited (“RALCO,” “we,” “us,” or “our”) is a company incorporated in Ireland (company number 759312) with its registered office at 17 Percy Place, Dublin 4, D04 V250, Ireland. RALCO is the parent company of Ralco Inc., a Delaware corporation. RALCO operates the RALCO platform, including the website at https://ralco.io and the RALCO Worker mobile application (collectively, the “Service”). RALCO provides workforce management solutions to construction companies and other businesses (our “Customers”). If you are an employee or worker of one of our Customers who uses the RALCO Worker app, you are an “End User” of our Service.

This Privacy Policy explains how we collect, use, disclose, and protect information when you use our Service. It applies to both Customers and End Users. If you are an End User, please note that your employer (our Customer) may have its own privacy policy that also applies to you, and your employer controls certain decisions about how your data is used within the Service.

Important:We collect biometric information, including facial recognition data and electronic signatures. Please read Section 4 carefully and review our separate Biometric Information Privacy Policy for detailed information about how we handle biometric data.

2. Data Controller and Processor Roles

Because RALCO is established in Ireland, the General Data Protection Regulation (EU) 2016/679 (“GDPR”) applies to our processing of personal data by virtue of Article 3(1), even though the personal data we process relates primarily to individuals located in the United States and is stored on servers in the United States.

The roles of the parties with respect to personal data are as follows:

• Your employer (our Customer)is the data controller. Your employer decides why and how your personal data is processed through the Service — for example, for time tracking, workforce compliance, and payroll purposes.

• RALCOisthedata processor. We process personal data on behalf of ourCustomersin accordance with their instructions and our Data Processing Agreement (“DPA”). A copy of our standard DPA is available on request.

• Amazon Web Services (AWS)is a sub-processor. AWS provides the cloud infrastructure on which the Service operates, located in the United States (Northern Virginia region).

In certain limited circumstances, RALCO acts as an independent data controller — for example, when we process data for our own account management, billing, product improvement, legal compliance, and security purposes.

3. Information We Collect

3.1 Information Provided by Customers

When a Customer registers for and uses the Service, we collect: account registration information (company name, contact name, email address, phone number, billing address); payment information (processed by our payment processor Stripe — we do not store credit card numbers); and information about End Users that the Customer adds to the platform (such as names, job roles, and contact information).

3.2 Information Provided by End Users

When End Users use the RALCO Worker app, wecollect:account credentials and profile information; biometric information, including facial scans used for identity verification at clock-in and clock-out, and electronic signatures (see Section 4 and our Biometric Information Privacy Policy); and time and attendance records.

3.3 Information Collected Automatically

Usage Data:When you use the Service, we automatically collect information about your device and usage, including IP address, browser type, device type and identifiers, operating system, pages visited, and interaction data.

Location Data:The RALCO Worker app collects location data at the time of clock-in and clock-out to verify work site attendance. We do not continuously track End User location. Location services can be managed through your device settings, though disabling location may prevent you from using certain features of the Service.

Cookies and Similar Technologies:We use cookies (session cookies, preference cookies, and security cookies) and similar tracking technologies to operate and improve the Service. You can control cookies through your browser settings, but disabling cookies may affect Service functionality.

4. Legal Bases for Processing (GDPR)

Where the GDPR applies, we process personal data on the following legal bases:

• Performance of a contract (Article 6(1)(b)):Processing necessary to provide the Service under our agreement with the Customer.

• Legitimate interests (Article 6(1)(f)):Processing for product improvement, security, fraud prevention, and analytics, where those interests are not overridden by the data subject’s rights. Our legitimate interest assessment is available on request.

• Legal obligation (Article 6(1)(c)):Processing necessary to comply with applicable laws, including employment recordkeeping requirements and tax obligations.

• Consent (Article 6(1)(a)):Where required, including for the collection and processing of biometric data. Consent for biometric data is obtained through the clickwrap mechanism at first use of the RALCO Worker app. Consent may be withdrawn at any time, though withdrawal may affect your ability to use certain features of the Service.

Special category data (Article 9):Biometric data used for the purpose of uniquely identifying a natural person constitutes special category data under Article 9 of the GDPR. We process this dataon the basis ofexplicit consent (Article 9(2)(a)), obtained via the clickwrap consent flow.

5. How We Use Information

We use the information we collect to: provide, maintain, and improve the Service; process transactions and send related information; verify End User identity through biometric authentication; provide time, attendance, and workforce management functionality to Customers; send technical notices, updates, security alerts, and administrative messages; respond to comments, questions, and customer service requests; monitor and analyze usage trends to improve user experience; detect, prevent, and address fraud, security issues, and technical problems; and comply with legal obligations.

6. Biometric Information

We collect biometric information from End Users, including facial geometry data (captured through facial scans for identity verification at clock-in and clock-out) and electronic signatures. This biometric data is collected and used solely for the purpose of verifying End User identity and authenticating time and attendance records.

Facial recognition processing is performed using AmazonRekognition, and biometric data is stored on secure Amazon Web Services (AWS) servers located in the United States (Northern Virginia region).

For complete information about our biometric data practices, including collection, use, retention, and destruction policies, and your rights regarding your biometric information, please review our Biometric Information Privacy Policy, which is incorporated into this Privacy Policy by reference.

7. How We Share Information

With Customers:If you are an End User, your employer (our Customer) has access to information about you within the Service, including time and attendance records, location data at clock-in/out, and verification status. Your employer, not RALCO, determines how this information is used for employment purposes.

With Service Providers/ Sub-processors:We share information with third-party vendors.These providers are contractually obligated to use your information only to provide services to us and in accordance with this Privacy Policy and applicable data protection laws. A current list of our sub-processors is maintained in our DPA and is available on request.

For Legal Reasons:We may disclose information if required by law, subpoena, or other legal process, or if we believe disclosure is necessary to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request.

Business Transfers:If RALCO is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or prominent notice on our Service of any change in ownership orusesof your information.

We do not sell your personal information, including biometric information, to third parties.

8. International Data Transfers

RALCO is established in Ireland and is subject to the GDPR. Personal data processed through the Service is stored on servers located in the United States (Amazon Web Services, Northern Virginia region). RALCO personnel in Ireland may access personal data remotelyin order toprovide the Service, perform support, and fulfill its obligations under the DPA.

To the extent that this constitutes an international data transfer under Chapter V of the GDPR, the following safeguards are in place:

• AWS:AWS’s Data Processing Addendum incorporates Standard Contractual Clauses (SCCs) approved by the European Commission, providing appropriate safeguards for the transfer of personal data.

• Stripe:Stripe’s data processing terms incorporate SCCs and/or reliance on the EU-US Data Privacy Framework, as applicable.

[Note: Confirm transfer mechanisms for Google Analytics and any other sub-processors. Google Analytics may require additional assessment following CJEU guidance.]

You may request a copy of the relevant transfer safeguards by contacting us using the details in Section 15.

9. Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Specific retention periods are as follows:

• Biometric data:Retained and destroyed in accordance with our Biometric Information Privacy Policy. Generally, biometric data is permanently destroyed when the initial purpose for collection has been satisfied, or within three (3) years of the End User’s last interaction with the Service, whichever occurs first.

• Time and attendance records:Retained for 5 years from the date of creation, consistent with federal and state recordkeeping requirements (including OSHA and Department of Labor requirements).

• Account and billing information:Retained for the duration of the Customerrelationshipand for 7 years thereafter for tax and accounting purposes.

• Usage data: retained for as long as necessary for analytics and service improvement purposes.

Upon termination of a Customer’s account, Customer data (including End User data associated with that Customer) will be retained for a period of30 days toallow fordata export, after which it will be securely deleted unless retention is required by law or the Customer has requested earlier deletion.

Under the GDPR, personal data shall not be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the personal data is processed (Article 5(1)(e)). The retention periods above are justifiedon the basis ofcontractual necessity, legal obligation, and legitimate interest, and are subject to periodic review.

10. Data Security

We implement and maintain appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage (in accordance with Article 32 of the GDPR). These measures include:

Technical safeguards: Encryption of data in transit and at rest using industry-standard protocols; access controls including multi-factor authentication for administrative access access.

Administrative safeguards:Employee training on data protection; access limited to personnel who need it to perform their job functions; vendor security assessments; and incident response procedures.

Physical safeguards:Data hosted in secure AWS data centers with physical access controls.

No method of transmission over the Internet or electronic storage is completely secure. While we strive to protect your information, we cannot guarantee absolute security.

11. Breach Notification

In the event of a personal data breach (as defined under Article 4(12) of the GDPR), we will:

• Notify affected Customers (as data controllers) without undue delay,in accordance with ourDPA;

• Provide sufficient information to enable the Customer to assess the breach and fulfill its own notification obligations to supervisory authorities (within 72 hours under Article 33 of the GDPR) and toaffecteddata subjects (under Article 34 of the GDPR);

• Cooperate with Customers in investigating, mitigating, and remediating the breach.

To the extent required by US state breach notification laws (including the CCPA/CPRA and applicable state statutes), we will provide Customers with sufficient information to comply with their notification obligations.

Customers are responsible for notifying their End Users, relevant supervisory authorities, and state regulators as required by applicable law.

12. Your Rights

12.1 Rights Under the GDPR

If the GDPR applies to the processing of your personal data, you have the following rights:

• Right ofaccess(Article 15):You have the right to obtain confirmation as to whether your personal data is being processed, and to access that data.

• Right to rectification (Article 16):You have the right to have inaccurate personal data corrected.

• Right to erasure (Article 17):You have the right to request deletion of your personal data in certain circumstances.

• Right to restriction of processing (Article 18):You have the right to request restriction of processing in certain circumstances.

• Right to data portability (Article 20):You have the right to receive your personal data in a structured, commonly used, machine-readable format.

• Right to object (Article 21):You have the right to object to processing based on legitimate interests or for direct marketing purposes.

• Right to withdraw consent (Article 7(3)):Where processing is based on consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.

• Right to lodge a complaint:You have the right to lodge a complaint with a supervisory authority, including the Irish Data Protection Commission (see Section 15 for contact details).

Where RALCO is acting as a processor, we will redirect data subject requests to the relevant Customer (controller) unless otherwise instructed. We will assist the Customer in responding to such requests in accordance with our DPA.

12.2 Rights Under US State Laws

California Residents(CCPA/CPRA):If you are a California resident, you have the right to know what personal information we collect, use, and disclose; the right to request deletion of your personal information; the right to correct inaccurate personal information; the right to opt out of the sale or sharing of your personal information (note: we do not sell personal information); and the right to non-discrimination for exercising your privacy rights. To submit a request, contact us using the information in Section 15. We will verify your identity before processing your request. You may designate an authorized agent to make a request on your behalf.

Biometric Information Rights:For information about your rights regarding biometric data, including rights under the Illinois Biometric Information Privacy Act (BIPA), the Texas Capture or Use of Biometric Identifier Act, and similar state laws, please see our Biometric Information Privacy Policy.

12.3 All Users

Regardless of your location, you may request access to, correction of, or deletion of your personal information by contacting us using the details in Section 15. If you are an End User, certain requests may need to be directed to your employer (our Customer), as they control aspects of your data within the Service.

13. Third-Party Links

The Service may contain links to third-party websites or services that are not operated by us. We have no control over and assume no responsibility for the privacy practices of third parties. We encourage you to review the privacy policy of any third-party site you visit.

14. Children’s Privacy

The Service is not intended for use by anyone under the age of 18. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website with a new “Last Updated” date and, where required by law or where changes are significant, by email to Customers. Your continued use of the Service after such changes constitutes your acceptance of the updated Privacy Policy. Where required by the GDPR, we will obtain fresh consent if changes materially affect the basis on which personal data is processed.

16. Contact Us

If you have questions about this Privacy Policy, wish to exercise your rights, or have a complaint about how your personal data is being processed, please contact us at:

Ralco Compliance Limited

17 Percy Place, Dublin 4, D04 V250, Ireland

Email: privacy@ralco.io

Phone: +353 (0)1 513 4400

Data Protection Officer / Privacy Contact:

Ciara Nolan, Data Protection Officer — privacy@ralco.io

Supervisory Authority:

Irish Data Protection Commission

21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

Website: www.dataprotection.ie

Phone: +353 (0)1 765 0100 / 1800 437 737

RALCO WORKER APP

END USER TERMS OF USE

Last Updated: February 1, 2026

Welcome

These End User Terms of Use(“Terms”)apply to your use of the RALCO Worker mobile application (the“App”).The App is provided byRalco Compliance Limited (“RALCO,” “we,”or“us”), a company based in Ireland.Your employer has a separate agreement with RALCO that allows you to use the App for work purposes.

You must be at least 18 years old to use the App.

BY USING THE APP, YOU AGREE TO THESE TERMS. IF YOU DO NOT AGREE, DO NOT USE THE APP.

What the App Does

The RALCO Worker App is a workforce management tool that lets you clock in and out at work sites, acknowledge documents and safety forms, and keep records of your time. Your employer uses this information to manage attendance, payroll, and compliance.

Information We Collect

When you use the App, we collect:

Your face scan–We use facial recognition to verify your identity when you clock in and out. This prevents someone else from clocking in for you. We store a mathematical representation of your face (not photos) to make this work.

Your electronic signature–When you sign documents in the App (like Pre-Task Plans or safety forms), we store your signature.

Your location–Whenyou clock in or out, we record your location to verify you are at the work site. We only check your location at clock-in and clock-out times—we do not track your location continuously.

Time and attendance records–The App records when you clock in and out, and this information is shared with your employer.

Face Scans and Biometric Information

IMPORTANT:Before you can use the App, you will be asked to consent to the collection of your face scan. This consent is separate from these Terms. Please read our Biometric Information Privacy Policy carefully—it explains what we collect, why, how long we keep it, and your rights.

Key points about your face scan:

• We only use it to verify your identity at clock-in and clock-out.

• We do not sell it or share it with anyone except the service providers that help us run the App.

• When you stop using the App (for example, if you leave your job), your face scan data will be deleted.

• You can withdraw your consent to face scan collection at any time, but this may mean you can no longer use the App.

YourEmployer’sRole

Your employer—not RALCO—is responsible for decisions about your employment. RALCO provides the technology; your employer decides how to use the information for things like payroll, scheduling, and performance management.

Your employer can see:

• your clock-in and clock-outtimes;

• your location at clock-in and clock-out;

• documents you have signed; and

• whether your identity was successfully verified.

If you have questions about how your employer uses this information, please talk to your employer directly.

Where Your Data Is Stored

Your data is stored on secure servers in the United States, operated by Amazon Web Services (AWS). RALCO is based in Ireland, and our team in Ireland can access your data to provide and support the App. This means your data may be accessed from both the United States and Ireland.

We use security measures to protect your data, including encryption (which scrambles your data so others cannot read it) and strict controls on who can access it. For more details, see our Privacy Policy.

Rules for Using the App

When using the App, you agree to:

• only clock in and out for yourself—never for someoneelse;

• provide accurateinformation;

• not try to trick or bypass the facial recognitionsystem;

• not share your login information withanyone;

• not copy, modify, or try to reverse-engineer the App; and

• follow youremployer’spolicies for using the App.

Your Rights

You have the right to:

• request information about what data we have aboutyou;

• request that we correct any inaccurateinformation;

• request that we delete your data (though this may prevent you from using the App);

• request a copy of your data in a format you can take withyou;

• object to certain uses of yourdata;

• withdraw your consent to biometric data collection at any time; and

• make a complaint to a data protection authority if you believe your data is being misused.

Some of these rights come from European data protection law (known as the GDPR), which applies because RALCO is based in Ireland. Other rights come from US state laws, depending on where you live. You can read more about your rights in our Privacy Policy.

To exercise these rights, contact us at privacy@ralco.io or talk to your employer.Because your employer controls how your data is used in the App, some requests may need to go through your employer.

Data Protection Authority

If you are unhappy with how we handle your data and we cannot resolve the issue, you have the right to complain to the Irish Data Protection Commission:

Irish Data Protection Commission

21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

Website: www.dataprotection.ie

Phone: +353 (0)1 765 0100 / 1800 437 737

No Warranty

The App is provided“as is.”RALCO is not responsible for employment decisions made by your employer based on data from the App.

Limitation of Liability

To the extent allowed by law, RALCO is not liable for any indirect damages or losses you may experience from using the App, including lost wages or employment disputes. Any claims related to your employment should be directed to your employer.

Changes to These Terms

We may update these Terms from time to time. If we make significant changes, we will notify you through the App. Your continued use of the App after changes means you accept the new Terms.

Governing Law

These Terms are governed by the laws of the State of New York.However, if European data protection law (GDPR) gives you rights that go beyond what is in these Terms, those rights still apply.

Contact Us

If you have questions about these Terms or the App:

Ralco Compliance Limited

Email:privacy@ralco.io

Website: https://ralco.io

Related Policies

These policies also apply to your use of the App:

• Privacy Policy https://ralco.io/legal

• Biometric Information Privacy Policy https://ralco.io/legal

DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) is entered into as of February 1, 2026 by and between:

Controller: [Client Name], [entity type], 17 Percy Place, Dublin 4, D04 V250, Ireland (the “Controller”); and

Processor: Ralco Compliance Limited, a company incorporated in Ireland (company number 759312), with its registered office at 17 Percy Place, Dublin 4, D04 V250, Ireland (the “Processor”).

This DPA governs the Processing of Personal Data by the Processor on behalf of the Controller in connection with the workforce management services provided under the parties’ services agreement (the “Principal Agreement”). This DPA is incorporated into and forms part of the Principal Agreement.

1. Definitions

Capitalized terms not defined herein have the meanings given in the Principal Agreement. In this DPA:

“Applicable Data Protection Laws”means all laws relating to the processing of Personal Data applicable to the Services, including the GDPR, CCPA/CPRA, BIPA, and any other applicable data protection or biometric privacy laws.

“Biometric Data”means biometric identifiers and biometric information as defined under BIPA, including fingerprint scans and facial geometry scans.

“Data Breach”means a breach of security leading to the unauthorized access to, or destruction, loss, or alteration of, Personal Data.

“Personal Data”means any information relating to an identified or identifiable natural person that is Processed by the Processor in connection with the Services, as described in Annex 1.

“Processing”means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion.

“Sub-processor”means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.

2. Roles and Scope

2.1 TheController is the controller of the Personal Data and determines the purposes and means of Processing. The Processor Processes Personal Data solely on behalf of the Controller and in accordance with the Controller’s documented instructions as set out in this DPA and the Principal Agreement.

2.2 TheProcessor shall not Process Personal Data for any purpose other than providing the Services, unless required by applicable law (in which case the Processor shall inform the Controller before Processing, unless prohibited by law).

2.3 Thedetails of the Processing are set out in Annex 1.

3. Controller Responsibilities

The Controller is responsible for: (a) ensuring it has a lawful basis for the Processing; (b) providing all required notices to data subjects; (c) obtaining all necessary consents, including written consent for Biometric Data collection to the extent required by BIPA or other applicable law; and (d) implementing the end-user consent flow for Biometric Data using the clickwrap mechanism provided by the platform.

4. Processor Obligations

The Processor shall:

(a) ProcessPersonal Data only in accordance with the Controller’s documentedinstructions;

(b) ensurethatpersonsauthorized to Process Personal Data are subject to confidentialityobligations;

(c) implementappropriate technical and organizational security measures to protect Personal Data, as described in Section5;

(d) complywith the sub-processor requirements in Section6;

(e) assistthe Controller in responding to data subject requests under Applicable Data ProtectionLaws;

(f) assistthe Controller in complying with its security, breach notification, and data protection impact assessmentobligations;

(g) atthe Controller’s choice, return or delete all Personal Data after the end of the Services (subject to any legal retention requirements); and

(h) makeavailable information necessary to demonstrate compliance with this DPA and allow for audits as described in Section 7.

5. Security

5.1 TheProcessor shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized Processing, accidental loss, destruction, or damage. Such measures shall be appropriate to the sensitivity of the data, including enhanced measures for Biometric Data.

5.2 Inthe event of a Data Breach, the Processor shall notify the Controller without undue delay, including: (a) a description of the breach and data affected; (b) the likely consequences; and (c) measures taken or proposed to address the breach. The Processor shall cooperate with the Controller in investigating and remediating the breach.

6. Sub-processors

6.1 TheController provides general written authorization for the Processor to engage Sub-processors. Current Sub-processors are listed in Annex 2.

6.2 TheProcessor shall notify the Controller at least 30 days before engaging a new Sub-processor. If the Controller objectsonreasonable data protection grounds within 15 days, the parties shall discuss in good faith. If unresolved, the Controller may terminate the affected Services without penalty on 30 days’ notice.

6.3 TheProcessor shall impose data protection obligations on each Sub-processor no less protective than this DPA and shall remain liable for each Sub-processor’s performance.

7. Audits

7.1 TheProcessor shall make available to the Controller, on reasonable request and no more than once per year (unless a Data Breach has occurred), information necessary to demonstrate compliance with this DPA.

7.2 TheProcessor may satisfy an audit request by providing a current SOC 2 Type II report or comparable certification. If the report does not address the Controller’s concerns, the Controller may conduct an on-site audit on 30 days’ notice during business hours.

8. Biometric Data

To the extent the Services involve Biometric Data, the Processor shall: (a) not sell, lease, or profit from Biometric Data except as necessary to provide the Services; (b) not disclose Biometric Data to third parties except approved Sub-processors, with data subject/Controller consent, or as required by law; (c) protect Biometric Data with a standard of care no less protective than that applied to other confidential information; and (d) permanently destroy Biometric Data when the purpose for collection is satisfied or within 3 years of the data subject’s last interaction with the Services, whichever is first.

9. International Data Transfers

Personal Data is stored in the United States (Amazon Web Services). Processor personnel in Ireland may access Personal Data remotely in connection with the Services. To the extentany suchaccess constitutes an international transfer under the GDPR, the parties rely on the Sub-processor’s Standard Contractual Clauses and data processing addenda, or such other transfer mechanism as the parties agree is appropriate.

10. Liability

Liability under this DPA is subject to the limitations and exclusions set out in the Principal Agreement.

11. Term and Termination

11.1 ThisDPA is effective for the duration of the Principal Agreement and for so long thereafter as the Processor continues to Process Personal Data.

11.2 Upontermination of the Principal Agreement, the Processor shall, at the Controller’s election, return all Personal Data in a machine-readable format or securely deleteit,within 30 days. The Processor may retain Personal Data where required by law, subject to continued compliance with this DPA.

12. General

12.1GoverningLaw.This DPA is governed by the laws of the State of New York. For GDPR compliance matters, EU/EEA law applies to the extent required.

12.2Conflict.In the event of conflict between this DPA and the Principal Agreement, this DPA prevails with respect to Personal Data Processing.

12.3Amendments.This DPA may only be amended in writing signed by both parties.

_______________________________________________

ANNEX 1 – Description of Processing

ANNEX 2 – Approved Sub-processors

Note:Confirm whether additional third-party services touch Personal Data (e.g., push notifications, SMS/email providers, analytics, crash reporting, payroll integrations) and add them here.

RALCO BIOMETRIC INFORMATION PRIVACY POLICY

Last Updated: February 1, 2026

1. Purpose

Ralco Compliance Limited (“RALCO,” “we,” “us,” or “our”) is a company incorporated in Ireland (company number 759312) with its registered office at 17 Percy Place, Dublin 4, D04 V250, Ireland. RALCO is the parent company of Ralco Inc., a Delaware corporation. RALCO respects your privacy and is committed to protecting your biometric information. This Biometric Information Privacy Policy (“Biometric Policy”) describes our practices regarding the collection, use, storage, and destruction of biometric identifiers and biometric information (collectively, “Biometric Data”) in connection with the RALCO platform and the RALCO Worker mobile application (the “Service”).

This Biometric Policy is intended to comply with: (a)the Illinois Biometric Information Privacy Act(“BIPA”),740 ILCS 14/1et seq.; (b)the Texas Capture or Use of Biometric Identifier Act, Tex. Bus. & Com. Code § 503.001; (c)other applicable state biometric privacy laws; and (d) the General Data Protection Regulation (EU) 2016/679 (“GDPR”), which applies to RALCO by virtue of its establishment in Ireland.This policy supplements our general Privacy Policy.

2. Definitions

“Biometric Identifier”means a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.

“Biometric Information”means any information, regardless of how it is captured, converted, stored, or shared, based on anindividual’sbiometric identifier used to identify an individual.

“Biometric Data”as used in this policy refers collectively to Biometric Identifiers and Biometric Information.

Under the GDPR, biometric data processed for the purpose of uniquely identifying a natural person constitutes “special category data” within the meaning of Article 9. The processing of Biometric Data under this policy falls within this classification, and RALCO processes such data in accordance with Article 9(2)(a) (explicit consent of the data subject).

3. Biometric Data We Collect

In connection with the Service, RALCO collects the following categories of Biometric Data from End Users (employees and workers of our Customers who use the RALCO Worker app):

Facial Geometry Data:When you enroll in and use the RALCO Worker app, we capture images of your face and use facial recognition technology to create a mathematical representation of your facial geometry (a“faceprint”).This faceprint is used to verify your identity each time you clock in or clock out using the app.

Electronic Signatures:We collect and store electronic signatures that you provide when acknowledging documents, forms, and other records within the Service, including Pre-Task Plans and incident witness statements.

4. Purpose of Collection

RALCO collects, uses, and stores Biometric Data solely for the following purposes:

Identity Verification:To verify your identity at the time of clock-in and clock-out, ensuring accurate time and attendance records and preventing time fraud.

Document Authentication:To authenticate that you have reviewed and acknowledged documents, forms, and other records by applying your stored electronic signature only after your identity has been verified.

Fraud Prevention:To prevent unauthorized individuals from clocking in or out on your behalf or signing documents in your name.

Under the GDPR, the legal basis for processing Biometric Data is your explicit consent (Article 9(2)(a)), obtained through the clickwrap consent mechanism in the RALCO Worker app prior to enrollment.

5. Disclosure of Biometric Data

We do not sell, lease, trade, or otherwise profit from your Biometric Data.

We do not disclose your Biometric Data to any third party except:

Service Providers/ Sub-processors:We use Amazon Web Services (AWS) for secure cloud storage and Amazon Rekognition for facial recognition processing. These service providers process Biometric Data solely on our behalf and pursuant to contractual obligations(including data processing agreements incorporating appropriate safeguards under the GDPR)to maintain the confidentialityand securityof such data. A current list of sub-processors is maintained in our Data Processing Agreement.

With Your Consent:We may disclose Biometric Data if you provide explicit written consent to such disclosure.

Legal Requirements:We may disclose Biometric Data when required by law, valid legal process, or as necessary to comply with a valid warrant, subpoena, or court order.

6. Storage and Security

Biometric Data is stored on secure Amazon Web Services (AWS) servers located in the United States(Northern Virginia region). RALCO personnel in Ireland may access Biometric Data remotely in order to provide technical support and fulfill obligations under our Data Processing Agreement.

We implement and maintain a reasonable standard of care to protect Biometric Data from unauthorized access, acquisition, or disclosure, using safeguards that are the same as or more protective than the manner in which we store, transmit, and protect other confidential and sensitive information. In accordance with Article 32 of the GDPR, these measures include:

• Encryption of Biometric Data both in transit(TLS)and at rest(AES-256 or equivalent);

• Access controls limiting access to Biometric Data to authorized personnelon a need-to-know basis;

• Multi-factor authentication for administrative access to systems containing Biometric Data;

• Regular security assessments, penetration testing,and monitoring; and

• Secure authentication protocols for accessing Biometric Data.

7. Retention Schedule

RALCO retains Biometric Data only for as long as necessary to fulfill the purposes for which it was collected, as described in Section 4 above, or as required by law.In accordance with the GDPR’s data minimization principle (Article 5(1)(e)), Biometric Data shall not be kept in an identifiable form for longer than is necessary.Specifically:

Active Users:Biometric Data is retained while you remain an active End User of the Service (i.e., while your employer maintains an active RALCO account and your user profile remains active within that account).

Inactive Users:If you do not clock in or out using the Service for a period of twelve (12) consecutive months, your Biometric Data will be scheduled for destruction in accordance with Section 8 below, unless your employer (our Customer) confirms your continued employment and expected future use of the Service.

Terminated Users:Upon notification from your employer that your employment has ended, or upon termination of theCustomer’saccount with RALCO, your Biometric Data will be scheduled for destruction in accordance with Section 8 below.

Maximum Retention Period:In no event will Biometric Data be retained for more than three (3) years following your last interaction with the Service, unless a longer retention period is required by law.

8. Destruction of Biometric Data

RALCO will permanently destroy Biometric Data when the initial purpose for collecting such data has been satisfied or within three (3) years of your last interaction with the Service, whichever occurs first, unless:

• alonger retention period is required by applicable law or regulation;

• retention is necessary to comply with a valid legal hold, subpoena, warrant, or court order; or

• you provide written consent to extended retention.

Destruction Timeline:Once Biometric Data is scheduled for destruction pursuant to Section 7 above, RALCO will permanently and irreversibly destroy such data within sixty (60) days.

Destruction Method:Biometric Data will be destroyed by permanently deleting it from our systems and the systems of our service providers, including AWS, such that it cannot be recovered, reconstructed, or otherwise accessed.Destruction will be documented and a record of destruction maintained for audit purposes.

9. Consent

Before collecting any Biometric Data, RALCO will:

• Inform you in writing that Biometric Data will be collected or stored;

• Informyou in writing of the specific purpose and length of time for which your Biometric Data will be collected, stored, and used; and

• Obtainyour written release authorizing RALCO to collect, store, and use your Biometric Data for the purposes described in this Biometric Policy.

This consent is obtained through the RALCO Worker app at the time of enrollment, before any Biometric Data is collected. You must affirmatively acknowledge this Biometric Policy and provide consent before the facial recognition enrollment process begins.

GDPR requirements:Under the GDPR, consent for the processing of special category data must be “explicit” (Article 9(2)(a)). The consent mechanism used in the RALCO Worker app is designed to satisfy this standard, as well as the BIPA written release requirement. Consent is:

• Freely given — presented separately from the general End User Terms of Use;

• Specific — limited to the purposes described in this Biometric Policy;

• Informed — this Biometric Policy is presented in full before consent is requested; and

• Unambiguous — requires an affirmative action (tap/click to consent).

You have the right to withdraw consent at any time (see Section 10 below). Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal.

10. Your Rights

You have the following rights with respect to your Biometric Data:

10.1 Rights Under US State Laws

Right to Information:You may request information about what Biometric Data we have collected about you, the purposes for which it is used, and how long it will be retained.

Right to Deletion:You may request deletion of your Biometric Data. Upon receipt of a valid deletion request, we will permanently destroy your Biometric Data within sixty (60) days, unless retention is required by law. Note that deletion of your Biometric Data may prevent you from using certain features of the Service that require biometric verification.

Right to Withdraw Consent:You may withdraw your consent to the collection and use of Biometric Data at any time by contacting us at the address below. Withdrawal of consent will be treated as a deletion request and processed accordingly.

10.2 Additional Rights Under the GDPR

Because RALCO is established in Ireland, you may also have the following rights under the GDPR:

Right of Access (Article 15):You have the right to obtain confirmation as to whether your Biometric Data is being processed and to access that data, including a copy of your Biometric Data in a commonly used format.

Right to Rectification (Article 16):You have the right to have inaccurate Biometric Data corrected.

Right to Erasure (Article 17):You have the right to request erasure of your Biometric Data where the data is no longer necessary for the purpose for which it was collected, or where you withdraw consent.

Right to Restriction (Article 18):You have the right to request restriction of processing in certain circumstances, such as where you contest the accuracy of the data.

Right to Data Portability (Article 20):You have the right to receive your Biometric Data in a structured, commonly used, machine-readable format.

Right to Object (Article 21):You have the right to object to processing of your Biometric Data in certain circumstances.

Right to Complain:You have the right to lodge a complaint with a supervisory authority, including the Irish Data Protection Commission (details in Section 12 below).

Where RALCO acts as a data processor on behalf of your employer (the data controller), we will redirect data subject requests to your employer unless otherwise instructed. We will assist your employer in responding to such requests in accordance with our Data Processing Agreement.

To exercise any of these rights, please contact us using the information in Section 12 below.

11. Changes to This Policy

We may update this Biometric Policy from time to time. If we make material changes to how we handle Biometric Data, we will notify you through the Service and obtain your consent to the updated practices before they take effect.Under the GDPR, any change to the purposes or scope of Biometric Data processing will require fresh explicit consent.

12. Contact Us

If you have questions about this Biometric Policy, wish to exercise your rights, or need to report a concern about the handling of your Biometric Data, please contact us at:

Ralco Compliance Limited

17 Percy Place, Dublin 4, D04 V250, Ireland

Email: privacy@ralco.io

Phone: +353 (0)1 513 4400

Data Protection Officer / Privacy Contact:

Ciara Nolan, Data Protection Officer — privacy@ralco.io

Supervisory Authority:

Irish Data Protection Commission

21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland

Website: www.dataprotection.ie

Phone: +353 (0)1 765 0100 / 1800 437 737

RALCO BIOMETRIC CONSENT

In-App Consent Language

ENGLISH VERSION

CONSENT TO COLLECTION AND USE OF BIOMETRIC INFORMATION

Ralco Compliance Limited (“RALCO”), a company based in Ireland,collects biometric information to verify your identity when you use the RALCO Worker app. Please read this consent carefully before proceeding.

What We Collect:When you enroll in the app, we will scan your face and create a digital“faceprint” —a mathematical representation of your facial features. We also store your electronic signature.

Why We Collect It:We use your faceprint to verify that you are who you say you are each time you clock in or clock out. This prevents time fraud and ensures accurate attendance records for your employer.

How Long We Keep It:We keep your biometric information while you are an active user of the app. If you do not use the app for 12 consecutive months, or if your employer tellsusyou have left your job, we will permanently delete your biometric information within 60 days. In no event will we keep your biometric information for more than 3 years after you last used the app — unless the law requires us to keep it longer.

Who Sees It:We do not sell your biometric information. We only share it with service providers who help us operate the app (such as our cloud storage provider, Amazon Web Services). These providers are required to keep your information confidential.

Where It Is Stored:Your biometric information is stored on secure servers in the United States. RALCO is based in Ireland, and our team in Ireland may access your data to support the app. We use encryption and strict security controls to protect it.

Your Rights:You can request information about your biometric data, request deletion, or withdraw this consent at any time by contacting privacy@ralco.io. If you withdraw consent, you will not be able to use the app.You also have the right to lodge a complaint with the Irish Data Protection Commission (www.dataprotection.ie) if you believe your biometric data is being misused.

More Information: For complete details, please read our Biometric Information Privacy Policy at https://ralco.io/legal.

[CHECKBOX]I have read and understand this consent.I explicitly consentto the collection, storage, and use of my biometric information (including my faceprint and electronic signature) by RALCO for identity verification purposes as described above and in the Biometric Information Privacy Policy.