Effective Date: July 14, 2025
Last Updated: April 30, 2026

ACE Media & Marketing (“Company,” “we,” “us,” or “our”) is committed to protecting the privacy, confidentiality, and integrity of Personal Data processed in connection with The Deck™ platform, our websites, and related services (collectively, the “Platform”). This Privacy Policy (“Policy”) is intended to provide a comprehensive explanation of how Personal Data is collected, used, disclosed, retained, and otherwise processed by the Company, and to inform individuals of their rights under applicable data protection and privacy laws.

This Policy is designed to comply with applicable legal frameworks, including but not limited to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”), and other applicable U.S. state privacy laws.

This Policy does not form part of any contract unless expressly incorporated into applicable terms.

By accessing or using the Platform, you acknowledge that you have read and understood this Policy.

1. Scope and Applicability

This Privacy Policy applies to all Personal Data processed by the Company in the course of operating its business, including Personal Data collected directly from individuals as well as data processed on behalf of Clients through the Platform. This includes, without limitation, individuals who visit Company-controlled websites, register for or use the Platform, communicate with the Company, or whose Personal Data is otherwise processed within the Platform environment.

This Policy does not apply to third-party services, integrations, or platforms that are not owned or controlled by the Company, even where such services may be accessed through or in connection with the Platform. Users are encouraged to review the privacy policies of such third parties independently.

2. Role of the Company

The Company operates in a dual capacity with respect to Personal Data, acting in certain contexts as a data controller and in other contexts as a data processor (or service provider under U.S. law). Where the Company collects Personal Data directly—for example, in connection with the Platform account registration, billing, or website usage—it acts as a data controller, determining the purposes and means of processing such data.

Conversely, where the Company processes Personal Data on behalf of its Clients within The Deck™ Platform—such as customer records, leads, communications, and campaign data—the Company acts as a data processor (or service provider) and processes such data solely in accordance with the instructions of the Client. In this context, the Client retains full responsibility for the legality of the data processing, including establishing a lawful basis for processing and obtaining any necessary consents.

3. Categories of Personal Data Collected

The Company may collect and process various categories of Personal Data depending on the nature of the interaction with the Platform. Personal Data collected directly from users may include identifying information such as names, email addresses, telephone numbers, and business contact details. This information is typically provided during account registration, onboarding, or communication with the Company.

In addition, the Company collects commercial and transactional information necessary to facilitate billing and account management, including payment-related data processed through secure third-party payment processors. The Company does not store full payment card details but may retain limited billing records necessary for accounting and compliance purposes.

The Company also automatically collects certain technical and usage-related data when individuals interact with the Platform. This may include IP addresses, device identifiers, browser types, operating systems, and detailed logs of user activity within the Platform. Such information is collected to support system performance, ensure security, and enable ongoing improvement of the Platform.

Furthermore, the Platform enables Clients to upload and process Personal Data relating to their own customers, prospects, or users. This Client Data may include contact information, communication records, CRM data, and marketing-related information. The Company does not control the nature, scope, or accuracy of such data and processes it solely as a service provider.

4. Purposes of Processing

The Company processes Personal Data only for specific, explicit, and legitimate purposes that are directly related to the provision, operation, and improvement of the Platform. Such processing is conducted in a manner that is compatible with the purposes for which the Personal Data was originally collected and in accordance with applicable data protection laws.

In its capacity as a data controller, the Company processes Personal Data to facilitate the administration of user accounts, support and service activities, billing, service-related communications (including promotions and announcements, where permitted by law), software updates, and other relevant communications between the Company and its Clients and users.

For operation of the Platform, the Company processes Personal Data to enable core CRM functionality, activity histories, marketing and support communications, and all lawful data processing operations. This processing allows Clients to manage relationships with their own customers, prospects, and users, and to maintain structured records of communications, compliance, marketing and business activities. For Client Data processing, the Company acts solely as a processor and performs such activities strictly in accordance with Client instructions, manual or automated, within the Platform.

This includes the routing, delivery, logging, and storage of communication records for purposes of system operation, auditability, and dispute resolution. Such processing is subject to applicable legal and regulatory requirements governing electronic communications, including those described in the SMS and Messaging Compliance Addendum, and related retention practices as outlined in the Data Retention section of this Policy.

Personal Data is processed to support workflow automation and system-triggered actions configured by Clients, including automated messaging sequences, task assignments, lead routing, and status updates. The Company does not independently determine the content, recipients, or legality of such automated workflows and processes such data solely to execute the configurations defined by the Client within the sequences available in the Platform.

The Company also processes Personal Data to generate analytics, reports, and performance insights related to Platform usage, campaign activity, and system operations. This includes aggregating and analyzing data to improve Platform functionality, optimize system performance, and develop new features. Such processing is conducted in a manner designed to minimize the use of identifiable data where possible and is subject to the security and retention practices described in this Policy.

The Company also processes Personal Data for purposes of maintaining the security, integrity, and reliability of the Platform. This includes monitoring system activity, detecting and preventing unauthorized access, investigating suspicious behavior, and enforcing applicable terms and policies.

Where required, the Company processes Personal Data to comply with applicable legal obligations, including financial reporting, regulatory compliance, and responses to lawful requests.

The Company does not process Personal Data for purposes materially different from those described without notice or consent where required.

5. Legal Bases for Processing

Where the General Data Protection Regulation (EU) 2016/679 (“GDPR”) applies, the Company processes Personal Data only where it has a valid legal basis to do so under Article 6 of the GDPR. The applicable legal basis for any given processing activity depends on the nature of the Personal Data involved and the specific context in which it is processed.

In circumstances where the Company acts as a data controller, Personal Data is processed on one or more of the following lawful bases:

• Performance of a Contract. The Company processes Personal Data where such processing is necessary for the performance of a contract to which the individual is a party, or in order to take steps at the request of the individual prior to entering into a contract. This includes, without limitation, processing necessary to provide access to the Platform, manage user accounts, deliver services, and fulfill contractual obligations.

• Legitimate Interests. The Company may process Personal Data where such processing is necessary for the purposes of its legitimate business interests, provided that such interests are not overridden by the fundamental rights and freedoms of the individual. These legitimate interests may include maintaining the security and integrity of the Platform, preventing fraud or misuse, improving functionality and performance, conducting analytics, and managing internal business operations. In relying on this legal basis, the Company undertakes a balancing assessment to ensure that its interests do not unduly impact the privacy rights of individuals.

• Consent. The Company relies on consent where required by applicable law, including in connection with certain marketing communications, the use of cookies and similar tracking technologies, and other processing activities where consent is mandated. Where consent is relied upon, individuals have the right to withdraw such consent at any time. Withdrawal of consent shall not affect the lawfulness of processing conducted prior to such withdrawal.

• Compliance with Legal Obligations. The Company may process Personal Data where necessary to comply with applicable legal and regulatory requirements, including but not limited to financial reporting obligations, tax laws, and responses to lawful requests from governmental or regulatory authorities.

In limited circumstances, the Company may also process Personal Data where necessary to protect the vital interests of an individual or another natural person, or where processing is carried out in the public interest or in the exercise of official authority, although such bases are not typically relied upon in the ordinary course of the Company’s operations.

Where the Company acts as a data processor or service provider on behalf of its Clients, the Company does not independently determine the legal basis for processing Personal Data. Instead, such determination is made by the Client as the data controller. In such cases, the Company processes Personal Data solely in accordance with the documented instructions of the Client and in compliance with the Data Processing Addendum.

The Company does not intentionally process special categories of Personal Data (as defined under Article 9 of the GDPR), such as data revealing racial or ethnic origin, political opinions, religious beliefs, or health information. To the extent that such data is processed within the Platform by Clients, the Company does so solely in its capacity as a processor and subject to the Client’s instructions and legal obligations.

6. Disclosure and Sharing of Personal Data

The Company may disclose Personal Data to third parties where such disclosure is necessary for the operation, delivery, and support of the Platform and its related services. This includes, without limitation, disclosures to service providers and vendors that perform functions on behalf of the Company, such as cloud hosting providers, payment processors, analytics services, customer-integrated applications, and communication infrastructure providers.

The Platform relies in part on third-party software and infrastructure, and Personal Data may be transmitted to or processed by such providers in connection with the provision of services. All such disclosures are subject to contractual safeguards designed to limit the use of Personal Data to specified purposes, require appropriate confidentiality and security measures, and prohibit unauthorized use or disclosure of such data.

The Company may also disclose Personal Data where required to do so by applicable law, regulation, or legal process, including in response to subpoenas, court orders, or lawful requests from governmental or regulatory authorities, or where such disclosure is necessary to enforce the Company’s legal rights, prevent fraud or abuse, or protect the safety and security of the Platform, its users, or third parties.

The Company does not sell Personal Data as that term is defined under applicable privacy laws, including the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), and does not exchange Personal Data for monetary or other valuable consideration. The Company further does not “share” Personal Data for purposes of cross-context behavioral advertising, including the tracking of individuals across websites, services, or applications for targeted advertising purposes.

Personal Data disclosed to service providers is provided solely for the purpose of enabling the Company to deliver the Platform and is not disclosed for independent use by such third parties. Service providers are contractually prohibited from retaining, using, or disclosing Personal Data for any purpose other than those necessary to perform services on behalf of the Company, as further described in the Data Processing Addendum.

To the extent the Company processes Personal Data on behalf of Clients within the Platform, such disclosures are made solely as a processor or service provider and in accordance with Client instructions. The Company does not use Client Data for its own independent commercial purposes, including advertising, data monetization, or profiling, as further described in Sections 2 (Role of the Company) and 4 (Purposes of Processing).

7. Data Retention

The Company retains Personal Data only for as long as necessary to fulfill the purposes for which it was collected and processed, including to provide the Platform, comply with legal obligations, resolve disputes, enforce contractual rights, and maintain system security and integrity.

Retention periods vary depending on the nature of the data and the context in which it is processed. Account-related and Platform usage data is generally retained for the duration of the Client’s active subscription and for a limited period thereafter to facilitate account closure, data export, and administrative purposes. Following termination, such data is typically retained for approximately sixty (60) days, after which it is subject to deletion or anonymization, unless retention is required by law or for legitimate business purposes.

Personal Data processed on behalf of Clients within the Platform (“Client Data”) is retained in accordance with Client instructions and the duration of the Client’s use of the Platform. The Company does not independently determine retention periods for Client Data beyond what is necessary to provide the Platform and comply with its legal obligations, as further described in the Data Processing Addendum.

Certain categories of data may be retained for longer periods where required by applicable law or operational necessity. This includes billing and financial records, which may be retained for up to seven (7) years in accordance with tax and accounting requirements, and messaging records, which may be retained for up to twenty-four (24) months to support compliance, auditability, and dispute resolution. System logs and security-related data are typically retained for shorter durations, generally ranging from thirty (30) to one hundred eighty (180) days, unless extended retention is required for security investigations, development, or legal compliance.

Backup copies of Personal Data are created and maintained as part of the Company’s disaster recovery and business continuity processes. Such backups are generated on a periodic basis and retained for a limited duration in accordance with standard industry practices.

Backup data is typically maintained on a rolling basis for a period not exceeding approximately ninety (90) days, after which it is automatically overwritten or deleted as part of routine system operations. Backup retention periods may vary based on system requirements, operational considerations, and legal or regulatory obligations.

Backup data is stored in secure environments and is not used for active processing, business operations, or client access. Access to backup systems is restricted to authorized personnel for the sole purpose of system restoration or recovery.

Where Personal Data has been deleted from active systems, such data may persist temporarily within backup systems until it is removed in accordance with the applicable backup rotation schedule. During this period, such data remains isolated from active processing and is not accessible for operational use.

8. International Data Transfers

Personal Data processed by the Company may be transferred to, stored in, or accessed from jurisdictions outside of the individual’s country of residence, including the United States, where data protection laws may differ from those of the originating jurisdiction.

Where Personal Data originates from the European Economic Area (“EEA”), the United Kingdom, Switzerland, or other regions with restrictions on cross-border data transfers, the Company implements appropriate safeguards to ensure such data is afforded an adequate level of protection in accordance with applicable laws. These safeguards may include the use of Standard Contractual Clauses (“SCCs”), equivalent contractual protections, and the implementation of technical and organizational measures designed to protect Personal Data.

Such transfers may occur in connection with the use of third-party service providers and infrastructure necessary to operate the Platform. The Company takes reasonable steps to ensure that such providers are contractually bound to process Personal Data in a manner consistent with applicable data protection requirements.

By using the Platform, and to the extent permitted by applicable law, individuals acknowledge that their Personal Data may be transferred to and processed in jurisdictions that may not provide the same level of data protection as their country of residence.

9. Data Security

The Company implements reasonable and appropriate technical and organizational measures designed to protect Personal Data against unauthorized access, loss, misuse, or alteration. Such measures are aligned with generally accepted industry practices and reflect the nature and scope of the Platform.

These measures include the use of secure authentication mechanisms, role-based access controls, and encryption of data in transit. The Platform is supported by secure cloud-based infrastructure and communications systems, including those operating under the LeadConnector framework, which incorporate network-level security controls, restricted access protocols, and system-level protections.

The Company also utilizes system monitoring and activity tracking mechanisms to support operational oversight and security awareness. Access to Personal Data is limited to authorized users and personnel based on business need.

To the extent Personal Data is processed through third-party infrastructure providers, the Company relies on contractual safeguards and commercially reasonable efforts to ensure such providers maintain appropriate data protection and security practices.

Notwithstanding the foregoing, no method of transmission over the internet or electronic storage is completely secure, and the Company cannot guarantee absolute security of Personal Data.

10. Data Subject Rights

Subject to applicable data protection laws, including the General Data Protection Regulation (“GDPR”) and relevant U.S. state privacy laws, individuals have certain rights in relation to their Personal Data. These rights may include the right to access, correct, or delete Personal Data, the right to restrict or object to certain processing activities, the right to data portability, and the right to withdraw consent where processing is based on consent.

Individuals may also have the right to lodge a complaint with a competent supervisory authority if they believe their Personal Data has been processed in violation of applicable law. Where applicable, individuals may have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

To exercise applicable rights, individuals may submit a request to [email protected]. The Company may require verification of identity prior to fulfilling any such request and will respond within the timeframes required by applicable law.

Where the Company processes Personal Data on behalf of Clients within the Platform, it acts solely as a data processor or service provider. In such cases, requests relating to Client Data may need to be directed to the relevant Client as the data controller. The Company will provide reasonable assistance to Clients in responding to such requests in accordance with applicable law and the Data Processing Addendum.

The Company reserves the right to limit or deny requests where permitted by applicable law, including where requests are manifestly unfounded, excessive, or where the Company is legally required to retain the data.

11. U.S. Privacy Rights

Residents of certain U.S. states, including California, Virginia, Colorado, Connecticut, and Florida, may have rights under applicable privacy laws with respect to their Personal Data. Such rights may include, subject to applicable law, the right to request access to Personal Data, request deletion, correct inaccuracies, obtain a copy of Personal Data, and opt out of certain data processing activities, including, where applicable, the sale or sharing of Personal Data.

As described in Section 6, the Company does not sell or share Personal Data for cross-context behavioral advertising. The Company does not use Personal Data for independent profiling or data monetization purposes.

Individuals may exercise applicable rights by submitting a request in writing to [email protected]. The Company may take reasonable steps to verify the identity of the requestor prior to fulfilling any request and will respond within the timeframes required by applicable law.

Where Personal Data is processed on behalf of Clients within the Platform, the Company acts solely as a service provider and does not independently control such data. Requests relating to such data may need to be directed to the relevant Client as the data controller, as further described in Section 2 (Role of the Company).

The Company will not discriminate against any individual for exercising their rights under applicable privacy laws.

12. Cookies and Tracking Technologies

The Company uses cookies and similar tracking technologies to support the operation, security, and performance of the Platform. These technologies may include cookies, web beacons, pixels, and local storage, which are used to maintain user sessions, authenticate users, remember preferences, and enable core functionality.

The Company may also use such technologies to analyze usage patterns, monitor system performance, and improve the functionality and user experience of the Platform. Where applicable, these technologies may collect technical and usage information, such as IP address, device type, browser information, and interactions with the Platform.

To the extent required by applicable law, including the General Data Protection Regulation (“GDPR”) and certain U.S. state privacy laws, the Company will obtain consent prior to the use of non-essential cookies or tracking technologies. Users may manage or disable cookies through their browser settings or device controls; however, doing so may limit or impair certain features or functionality of the Platform.

The Company does not use cookies or tracking technologies for cross-context behavioral advertising or similar tracking activities, as further described in Section 6 (Disclosure and Sharing of Personal Data).

13. Children’s Privacy and Processing of Minor Data

The Platform and related services are intended for use by businesses and individuals acting in a commercial or professional capacity. The Company does not knowingly offer, market, or sell access to the Platform to individuals under the age of eighteen (18), and no minor is permitted to create an account, enter into an agreement, or otherwise directly use the Platform as a registered user.

The Company does not intentionally collect Personal Data directly from minors in its capacity as a data controller. However, due to the nature of the Platform as a customer relationship management and marketing automation system, the Company may process Personal Data relating to minors where such data is uploaded, transmitted, or otherwise provided by Clients or their authorized users (“Client Data”). In such circumstances, the Company acts solely as a data processor or service provider and does not determine the purposes or means of processing such data.

Clients who utilize the Platform to collect, store, or process Personal Data relating to minors represent and warrant that they do so in full compliance with all applicable laws and regulations governing the collection and use of children’s data. Such laws may include, without limitation:

• The Children’s Online Privacy Protection Act (“COPPA”) (United States)

• The Family Educational Rights and Privacy Act (“FERPA”) (where applicable to educational data)

• The General Data Protection Regulation (“GDPR”), including provisions relating to children’s consent (Article 8)

• Applicable state privacy laws governing minors’ data (including California and other U.S. state-specific protections)

Clients are solely responsible for:

• Determining whether Personal Data relates to a minor

• Obtaining verifiable parental or guardian consent where required

• Providing all legally required notices regarding data collection and use

• Implementing appropriate safeguards for the protection of minors’ data

• Ensuring that all marketing, messaging, and data processing activities comply with applicable child privacy and consumer protection laws

The Company does not monitor, validate, or verify whether Client Data includes information relating to minors and does not assume any responsibility for identifying such data. The Company expressly disclaims any liability arising from a Client’s failure to comply with applicable laws governing the collection, use, or disclosure of Personal Data relating to minors.

To the extent that the Company becomes aware that Personal Data has been collected directly from a minor in violation of applicable law in its capacity as a data controller, the Company will take reasonable steps to delete such information in accordance with applicable legal requirements.

Nothing in this Policy shall be construed to impose upon the Company any obligation to independently determine the age of individuals whose data is processed within the Platform or to act as a controller of such data where it is processed on behalf of Clients.

14. Client Data Responsibility

Client acknowledges and agrees that it is solely responsible for the legality, accuracy, and appropriateness of all data submitted to or processed through the Platform (“Client Data”), including any Personal Data relating to its customers, prospects, or users.

As between the parties, Client acts as the data controller with respect to Client Data and is solely responsible for determining the purposes and means of processing such data, including ensuring compliance with all applicable data protection, privacy, and marketing laws. The Company acts solely as a data processor or service provider and processes Client Data only in accordance with Client instructions, as further described in Section 2 (Role of the Company) and the Data Processing Addendum.

Client represents and warrants that it has obtained all necessary rights, permissions, consents, and legal bases required under applicable laws to collect, use, and process Client Data, including for communications and marketing activities conducted through the Platform.

The Company does not control or validate Client Data and shall not be responsible for determining whether Client Data is subject to applicable laws or whether Client’s processing activities comply with such laws.

Client agrees to indemnify, defend, and hold harmless the Company from and against any claims, damages, liabilities, fines, penalties, or expenses (including reasonable attorneys’ fees) arising out of or related to Client’s collection, use, or processing of Client Data in violation of applicable laws or third-party rights.

15. Complaints and Regulatory Authority

If an individual believes that their Personal Data has been processed in a manner that does not comply with applicable data protection laws, they have the right to submit a complaint to the Company at [email protected].

Where applicable, individuals also have the right to lodge a complaint with a competent data protection or supervisory authority in their jurisdiction, including within the European Economic Area, the United Kingdom, or other applicable regions.

The Company encourages individuals to contact the Company directly in the first instance so that it may attempt to resolve any concerns promptly and effectively.

14. Changes to This Policy

The Company reserves the right to modify this Privacy Policy at any time. Any changes will be posted on the Company’s website and will become effective upon posting. Continued use of the Platform following such changes constitutes acceptance of the updated Policy.

15. Contact Information

ACE Media & Marketing
283 Cranes Roost Blvd. #111 Altamonte Springs, FL 32701
[email protected]