BACK ROOM INC.

GERI PRIVACY POLICY

askgeri.ai

Effective Date: [DATE] | Last Updated: [DATE]

This Privacy Policy ("Policy") describes how Back Room Inc. ("Back Room", "we", "us", or "our"), a company registered in New Zealand, collects, uses, stores, discloses, and protects information in connection with the Geri platform, accessible at askgeri.ai (the "Service").

This Policy applies to CPA firms and professional services entities ("Licensees") that access and use the Service under a Services License Agreement with Back Room, and to individuals authorised by Licensees to use the Service ("Authorised Users").

This Policy should be read together with the Geri Services License Agreement. In the event of any inconsistency between this Policy and the Services License Agreement on matters of data privacy, this Policy prevails.

Back Room is committed to protecting the confidentiality and security of the information entrusted to it. By accessing or using the Service, Licensee agrees to the terms of this Policy on its own behalf and on behalf of its Authorised Users.

IMPORTANT NOTICE REGARDING END-CLIENT DATA

The financial documents, workpapers, general ledger data, trial balances, and related materials uploaded to the Service may contain personal information relating to the Licensee's own clients and third parties ("End-Client Data"). Licensee, as the data controller in respect of such End-Client Data, is solely responsible for ensuring that the upload and processing of End-Client Data through the Service is lawful, and that all required consents or legal bases for processing have been obtained. Back Room processes End-Client Data solely as a data processor acting on Licensee's instructions.

1. WHO WE ARE AND HOW TO CONTACT US

Back Room Inc. is the operator of the Geri platform and the data controller in respect of Authorised User account information and platform usage data collected directly by Back Room. In respect of Licensee Data (including any End-Client Data contained therein), Back Room acts as a data processor on behalf of the Licensee, which is the data controller.

Registered Office: Back Room Inc., New Zealand

Privacy enquiries: [privacy@backroominc.com]

General contact: [support@askgeri.ai]

If you have any questions, concerns, or requests relating to this Policy or the handling of your information, please contact us using the details above.

2. INFORMATION WE COLLECT

2.1 Information Collected Directly from Licensees and Authorised Users

When a CPA firm enters into a Services License Agreement with Back Room and Authorised Users access the Service, Back Room collects the following categories of information:

  • Account Information: The names, email addresses, and professional roles of Authorised Users, as provided by the Licensee during account setup and onboarding.
  • Authentication Credentials: Usernames and encrypted passwords or authentication tokens used to access the Service.
  • Support Communications: The content of communications between Authorised Users and Back Room's support team, including the nature of the support request, correspondence records, and contact details provided in the course of seeking support.

Back Room does not collect any personal information from individuals through the use of cookies, behavioural tracking, analytics platforms, or any other automated collection mechanism beyond what is necessary to operate and secure the Service.

2.2 Licensee Data (Uploaded Content)

The Service is designed for Licensees to upload financial documents and related materials for AI-assisted review. Such uploads may include, without limitation:

  • (a) Financial statements, general ledger data, trial balances, and workpapers;
  • (b) Notes, correspondence, and supporting documentation relating to client engagements;
  • (c) Any other materials submitted by Authorised Users for processing through the Service.

Collectively, this is referred to in this Policy as "Licensee Data." Licensee Data is uploaded at the Licensee's direction and remains the property of the Licensee at all times. Back Room processes Licensee Data solely as a processor acting on the Licensee's instructions, and only to the extent necessary to provide and maintain the Service.

Licensee Data may contain personal information relating to the Licensee's own clients, their employees, directors, or other individuals ("End-Client Data"). Back Room does not seek to collect such personal information independently and processes it solely because it is embedded in materials submitted by Licensee.

2.3 Information We Do Not Collect

Back Room does not collect the following through the Service:

  • (a) Cookies, pixel tags, or web beacons for tracking or advertising purposes;
  • (b) Browser metadata, device fingerprints, or IP addresses beyond what is automatically generated in standard server access logs for security purposes;
  • (c) Personal information from the end-clients of Licensees directly or independently of Licensee uploads;
  • (d) Sensitive personal information (such as health, financial, or identity data) except where such information is incidentally contained in Licensee Data uploaded by Licensee.

3. HOW WE USE INFORMATION

3.1 Use of Account Information and Support Data

Back Room uses account information and support communications for the following purposes:

  • Service Delivery: To create and manage Authorised User accounts, authenticate users, and provide access to the Service.
  • Support: To respond to support requests, troubleshoot issues, and communicate with Authorised Users about their use of the Service.
  • Security and Compliance: To monitor for unauthorised access, investigate security incidents, and comply with applicable legal obligations.
  • Service Improvement: To improve the performance, reliability, and functionality of the Service based on aggregate, de-identified usage patterns. Back Room will not use individually identifiable account data for product improvement without consent.

3.2 Use of Licensee Data

Back Room processes Licensee Data solely for the following purposes:

  • AI-Assisted Review: To pass Licensee Data through the Service's AI capabilities (powered by Anthropic's Claude) to generate review notes, analytical outputs, and other AI Outputs as requested by Authorised Users.
  • Service Operation: To store, retrieve, and manage Licensee Data as necessary to operate the Service and enable Authorised Users to access and review their uploaded materials and AI Outputs.
  • Security: To protect Licensee Data against unauthorised access, loss, or alteration.

Back Room will not use Licensee Data for any purpose other than those set out above. In particular, Back Room will not:

  • (a) Use Licensee Data to train, fine-tune, develop, or improve any AI model or system without Licensee's prior written consent;
  • (b) Disclose Licensee Data to any other Licensee or third party, except as set out in Section 5 of this Policy;
  • (c) Use Licensee Data for marketing, advertising, or any commercial purpose unrelated to the provision of the Service.

3.3 Aggregate and De-Identified Data

Back Room may generate and use aggregate, de-identified data derived from platform usage and performance metrics (such as system response times, feature usage rates, and error frequencies) for the purpose of improving and maintaining the Service. Such data does not identify any Licensee, Authorised User, or End-Client and is not subject to the restrictions applicable to Licensee Data under this Policy.

4. LEGAL BASIS FOR PROCESSING

Back Room processes personal information on the following legal bases, consistent with the New Zealand Privacy Act 2020 and other applicable privacy laws:

  • Contractual Necessity: Processing of Authorised User account information and Licensee Data is necessary to perform the Services License Agreement between Back Room and Licensee.
  • Legitimate Interests: Processing for platform security, fraud prevention, and aggregate service improvement is carried out on the basis of Back Room's legitimate interests, where such interests are not overridden by the privacy rights of the individuals concerned.
  • Legal Obligation: Back Room may process personal information where required to comply with applicable laws, regulations, or orders of a court or regulatory authority.
  • Consent: Where Back Room seeks to use personal information for a purpose not covered above (such as training AI models on Licensee Data), Back Room will obtain Licensee's prior written consent.

In respect of End-Client Data contained within Licensee Data, Licensee is the data controller and is responsible for identifying and relying on the appropriate legal basis for processing such data through the Service.

5. DISCLOSURE OF INFORMATION

5.1 Sub-Processors

Back Room uses the following third-party sub-processors that may access or process personal information or Licensee Data in the course of providing the Service:

  • Amazon Web Services (AWS) — Singapore: Cloud infrastructure and hosting provider. All Licensee Data is stored on AWS servers located in Singapore. AWS processes Licensee Data solely as directed by Back Room and is bound by appropriate data processing terms.
  • Anthropic, Inc. (Claude): The AI model provider that powers Geri's review capabilities. Licensee Data is passed to Anthropic's Claude API solely to generate AI Outputs as directed by Authorised Users. Anthropic processes such data as a sub-processor under data processing terms that prohibit the use of submitted data for model training. Licensee Data is not retained by Anthropic beyond the processing of individual requests.
  • Third-Party Email Support Platform: A third-party email platform used to manage support communications. Only Authorised User contact details and the content of support communications are shared with this provider. No Licensee financial data or End-Client Data is transmitted through this platform.

Back Room will not engage additional sub-processors that access Licensee Data without providing prior written notice to Licensee and, where required by applicable law, obtaining Licensee's consent.

5.2 Disclosure Required by Law

Back Room may disclose personal information or Licensee Data to a government authority, regulator, court, or law enforcement agency where required to do so by applicable law, regulation, or binding legal order. Where permitted by law, Back Room will use reasonable efforts to notify Licensee prior to making such a disclosure so that Licensee may seek a protective order or equivalent relief.

5.3 Business Transfers

In the event of a merger, acquisition, sale of all or substantially all of Back Room's assets, or other corporate restructuring, Licensee Data and personal information held by Back Room may be transferred to the acquiring entity, subject to equivalent confidentiality and data protection obligations. Back Room will provide Licensee with reasonable prior notice of any such transfer and will ensure the receiving entity is bound by terms no less protective than those in this Policy.

5.4 No Sale of Personal Information

Back Room does not sell, rent, or trade personal information or Licensee Data to any third party for commercial purposes, and has not done so at any time.

6. DATA STORAGE, SECURITY, AND RETENTION

6.1 Data Storage and Location

All Licensee Data is stored on Amazon Web Services (AWS) infrastructure located in Singapore. Back Room does not currently impose specific data residency restrictions beyond this hosting arrangement. Licensees with specific data residency requirements should contact Back Room prior to entering into a Services License Agreement.

Authorised User account information and support communications may be stored in Back Room's operational systems, which may be located in New Zealand or such other jurisdictions as Back Room operates from time to time, subject to equivalent data protection standards.

6.2 Security Measures

Back Room implements and maintains commercially reasonable technical and organisational security measures designed to protect personal information and Licensee Data against unauthorised access, disclosure, alteration, loss, or destruction. These measures include, without limitation:

  • (a) Encryption of data in transit using industry-standard TLS protocols;
  • (b) Encryption of data at rest on AWS infrastructure;
  • (c) Logical segregation and ring-fencing of Licensee Data on a per-client basis, ensuring no Licensee can access another Licensee's data;
  • (d) Access controls limiting Authorised User access to their own Licensee's data only;
  • (e) Internal access controls restricting Back Room personnel access to Licensee Data on a need-to-know basis.

While Back Room takes reasonable steps to protect information held by it, no method of electronic transmission or storage is completely secure. Back Room cannot guarantee absolute security and encourages Licensees to take appropriate steps to protect their own systems and credentials.

6.3 Data Retention

Back Room retains personal information and Licensee Data for the following periods:

  • During the Subscription Term: Back Room retains all Licensee Data for the duration of the active Subscription.
  • Post-Termination Retention Period: Upon termination or expiry of the Services License Agreement, Back Room will retain Licensee Data for a period of thirty (30) days (the "Retention Period"). During this period, Licensee may request an export or download of its data.
  • Permanent Deletion: At the end of the Retention Period, Back Room will permanently and irreversibly delete all Licensee Data from its systems and from the systems of its sub-processors, except to the extent that retention of specific data is required by applicable law or regulation.
  • Authorised User Account Data: Account information for Authorised Users (name, email, role) will be deleted within thirty (30) days of termination of the relevant account or of the Subscription Term, whichever is earlier.
  • Support Records: Records of support communications may be retained for up to two (2) years from the date of the communication for quality assurance and dispute resolution purposes.

Notwithstanding the above, Back Room may retain personal information for longer periods where required by applicable New Zealand law or any other law to which Back Room is subject, provided that such retention is limited to the minimum period required by law.

6.4 Early Deletion on Request

Licensee may, at any time, submit a written request to Back Room for the early deletion of all or specified portions of its Licensee Data. Back Room will action such requests within thirty (30) days of receipt, subject to any legal obligation to retain specific data for a longer period. Back Room will confirm in writing once deletion has been completed.

7. RIGHTS OF LICENSEES AND AUTHORISED USERS

Subject to the New Zealand Privacy Act 2020 and other applicable privacy laws, Licensees and Authorised Users have the following rights in respect of personal information held by Back Room:

  • Right of Access: You may request confirmation of whether Back Room holds personal information about you, and a copy of that information.
  • Right of Correction: You may request that Back Room correct any personal information held about you that is inaccurate, incomplete, or out of date.
  • Right of Deletion: You may request deletion of your personal information, subject to Back Room's legal retention obligations. Requests for deletion of Licensee Data should be made by the Licensee as the data controller.
  • Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time. Withdrawal of consent will not affect the lawfulness of processing carried out prior to withdrawal.
  • Right to Complain: You have the right to make a complaint to the Office of the Privacy Commissioner of New Zealand (www.privacy.org.nz) if you believe Back Room has interfered with your privacy.

To exercise any of these rights, please contact Back Room at [privacy@backroominc.com]. Back Room will respond to all requests within twenty (20) working days of receipt, in accordance with the New Zealand Privacy Act 2020.

Please note that in respect of End-Client Data embedded in Licensee Data, Back Room acts as a data processor on Licensee's instructions. Requests from individuals relating to their End-Client Data should be directed to the relevant Licensee (CPA firm) as the data controller, not to Back Room.

8. INTERNATIONAL DATA TRANSFERS

As described in Section 5.1, Licensee Data is hosted on AWS infrastructure in Singapore and is processed by Anthropic (a US-based entity) for the purpose of generating AI Outputs. By using the Service, Licensee acknowledges and consents to the transfer of Licensee Data to Singapore and to the United States for these purposes.

Back Room takes reasonable steps to ensure that such transfers are subject to appropriate safeguards, including contractual data processing terms with AWS and Anthropic that require them to protect Licensee Data to a standard equivalent to that required under New Zealand law.

Licensees operating in jurisdictions with specific cross-border data transfer restrictions (including but not limited to EU member states subject to GDPR) should assess their own obligations before uploading data containing personal information of individuals in those jurisdictions. Back Room does not represent that the Service is compliant with the requirements of any specific jurisdiction beyond New Zealand.

9. CHILDREN'S PRIVACY

The Service is intended solely for use by professional CPA firms and their authorised professional staff. The Service is not directed at, and Back Room does not knowingly collect personal information from, individuals under the age of 18. If Back Room becomes aware that it has inadvertently collected personal information from a minor, it will take prompt steps to delete such information.

10. CHANGES TO THIS POLICY

Back Room reserves the right to update or modify this Policy at any time. Where changes are material, Back Room will provide Licensee with at least thirty (30) days' prior written notice before the changes take effect. Notice will be provided by email to the primary contact address on record for the Licensee.

The updated Policy will be made available at askgeri.ai and will display the "Last Updated" date at the top of the document. Continued use of the Service after the effective date of any updated Policy constitutes Licensee's acceptance of the updated terms.

Where required by applicable law, Back Room will obtain Licensee's affirmative consent before implementing material changes that affect the processing of Licensee Data.

11. RELATIONSHIP WITH THE SERVICES LICENSE AGREEMENT

This Policy forms part of the contractual relationship between Back Room and Licensee as governed by the Geri Services License Agreement. The data processing obligations, restrictions, and protections described in this Policy are in addition to, and consistent with, the confidentiality and data handling obligations set out in the Services License Agreement.

In the event of any conflict between this Policy and the Services License Agreement on a matter of data privacy or data processing, this Policy shall prevail. In all other respects, the Services License Agreement governs the relationship between the parties.

12. GOVERNING LAW

This Policy is governed by the laws of New Zealand. Any dispute arising out of or in connection with this Policy shall be subject to the dispute resolution process set out in the Geri Services License Agreement, including the requirement to attempt resolution through good faith negotiation before referring any dispute to arbitration under the Arbitration Act 1996 (New Zealand).

Back Room's primary privacy regulator is the Office of the Privacy Commissioner of New Zealand. Contact details for the Office of the Privacy Commissioner are available at www.privacy.org.nz.

13. CONTACT US

If you have any questions, concerns, or requests in relation to this Policy or Back Room's handling of your personal information, please contact:

Back Room Inc.

Privacy Officer: [Name / Title]

Email: [privacy@backroominc.com]

Address: [Registered Office Address, New Zealand]

Back Room is committed to resolving privacy concerns promptly and in good faith. If you are not satisfied with our response, you may escalate your concern to the Office of the Privacy Commissioner of New Zealand.

— END OF PRIVACY POLICY —

© 2026 The Back Room. All rights reserved.