CommonPoint Privacy Policy

October 3, 2025

Thank you for choosing CommonPoint Inc. (“CommonPoint,” “we,” “us,” or “our”). We are a B2B, technology‑enabled professional services company that helps insurance carriers, MGAs, self‑insureds, risk managers, brokers, and other enterprise clients evaluate and manage third‑party administrators (TPAs) and related claims vendors. This Privacy Policy explains how we collect, use, disclose, and protect Personal Data in connection with our websites (including commonpoint.com and any subdomains), web‑based and cloud‑hosted services, portals and applications, marketing activities, and professional services (together, the “Services”).

  • B2B focus: We provide Services to business customers. We create individual user accounts and professional profiles for employees and representatives of our customers and partners. This policy covers Personal Data about those users (“Business Users”) as well as visitors to our public websites and prospective customers, suppliers, and job applicants.
  • Role: Depending on the engagement, we may process Personal Data as a controller (e.g., for our own account creation, billing, product improvement, and marketing) and as a processor/service provider (e.g., when our enterprise clients ask us to process Personal Data on their behalf inside our platform or through our advisory work). Our Data Processing Addendum (DPA) governs processor‑mode obligations with clients and is available upon request.

1) Scope & Relationship to Other Notices

  • This Privacy Policy applies when we act as a controller of Personal Data.
  • When we act as a processor/service provider, our processing is governed by our contract with the applicable enterprise client (including our DPA). In those cases, that client’s privacy notice will describe how they handle Personal Data. If you are a Business User whose employer is a CommonPoint client, please contact your employer (the controller) for any rights requests about data we process on their behalf.
  • We may publish additional notices (for example, a Cookie Notice, Notice at Collection, or Job Applicant Privacy Notice). If those notices conflict with this one, the more specific notice controls for its scope.

2) Notice at Collection (Summary)

Below is a high‑level summary of the categories of Personal Data we may collect, the sources, purposes, retention, and whether we “sell” or “share” it for cross‑context behavioral advertising (CCBA). Detailed descriptions appear in Sections 3–7.

| Category | Examples | Sources | Core Purposes | Typical Retention | Sold? | Shared for CCBA? |
|---|---|---|---|---|---|---|
| Business Contact & Account Data | Name, work email, employer, title, business phone, team, account credentials | You; your employer; SSO/IdP; public sources | Create/manage accounts; provide Services; customer support; security | For the life of the account + up to 3 years, or longer if required | No | No |
| Professional Profile Data | Role, skills/experience, preferences, interaction history, user settings | You; your employer | PX customization; collaboration; product improvement | Same as above | No | No |
| Platform & Usage Data | Device identifiers, IP, log data, cookie IDs, session telemetry, feature usage | Your device/browser; our platform; analytics | Security & fraud prevention; debugging; analytics; service improvement | Up to 24 months (aggregated/anonymous data may be kept longer) | No | No |
| Due Diligence & Vendor Vetting Data | Professional references, business registrations, licenses, sanctions screening, compliance attestations; limited contact PII of vendor reps | You; your employer; vendors; public and commercial datasets | Vendor discovery, screening, scoring, and placement workflows | For contract term + legal requirements | No | No |
| Communications & Support Data | Emails, chat, feedback, support tickets, call recordings (where permitted) | You; your employer; communications tools | Respond to inquiries; train support models; quality assurance | Up to 3 years (or per law) | No | No |
| Marketing & Events Data | Business leads, campaign responses, webinar participation | You; partners; public sources | B2B outreach and relationship management (opt‑out available) | 24 months from last interaction | No | No |
| Payment/Billing Data | Invoicing details, transaction records; card data processed by provider | You; your employer; payment processors | Billing, accounting, tax | 7 years or as required by law | No | No |
| Job Applicant Data | CV/resume, work history, education, references | You; recruiters | Hiring, compliance | Per hiring policy (typically up to 3 years, longer where permitted) | No | No |

We do not knowingly collect or use Sensitive Personal Information for purposes that require a right to limit under California law. We do not sell Personal Data and we do not “share” it for cross‑context behavioral advertising. If this ever changes, we will update this policy, honor browser‑based opt‑out signals (e.g., Global Privacy Control) where required, and provide clear opt‑out mechanisms.

3) Personal Data We Collect

  • Business Contact & Account Data: name, work email and phone, employer, title, department, role, SSO/IdP identifiers, account IDs, and access permissions.
  • Professional Profile Data: profile photo (optional), skills and experience fields, preferences, saved searches, and collaboration history.
  • Platform & Usage Data: device and browser type, IP address, language, referring/exit pages, timestamp, pages viewed, links clicked, feature usage, diagnostic and crash data, and coarse geolocation derived from IP.
  • Cookies & Similar Technologies: pixels, tags, SDKs, and local storage used for authentication, session management, security, analytics, and product improvement. See Section 7 and our Cookie Notice for details.
  • Due Diligence & Vendor Vetting Data: information about business registrations, licensing, compliance attestations, sanctions screening, litigation or enforcement records, and key contacts at vendors or TPAs.
  • Communications & Support Data: content of emails, chats, survey responses, webinars, and support calls (we will provide just‑in‑time notice if recordings are made, and comply with applicable consent laws).
  • Marketing & Events Data: lead records, campaign engagement, conference scans, and partner referrals.
  • Payment & Billing Data: invoicing contacts, transaction metadata, and tax information. If card payments are accepted, our payment processor handles card numbers; we do not store full card details.
  • Job Applicant Data: CV/resume, employment history, education, references, and any information you provide during recruiting.

We obtain Personal Data directly from you, from your employer, from our clients, partners, service providers, and from public/commercial sources to maintain accurate, current business records.

We do not seek to collect government identifiers (e.g., SSN), precise geolocation, financial account numbers, or health information through our controller‑mode Services. If a client requests processing that involves such data in our processor role, we do so only under contract and instructions, with appropriate safeguards.

4) How We Use Personal Data (Purposes)

We use Personal Data to:

  1. Provide and secure the Services (create accounts; authenticate users; enable single sign‑on; administer roles and permissions; monitor availability; prevent fraud and abuse; secure our systems).
  2. Operate our platform and professional workflows (PX customization and personalization, vendor discovery and scoring, benchmarking, collaboration, notifications, and audit trails).
  3. Support and communicate (respond to inquiries; provide customer success; manage webinars, trainings, and events).
  4. Improve and develop the Services (analytics, diagnostics, user research, A/B testing, and feature development using aggregated/de‑identified data where possible).
  5. Market to business prospects (B2B outreach, newsletters, invitations—always with opt‑out).
  6. Comply with law and enforce rights (tax and accounting, contract management, security investigations, legal requests, and compliance obligations).

When GDPR/UK GDPR applies, our lawful bases include: performance of contract, legitimate interests (e.g., to secure and improve our Services, B2B marketing to corporate emails, fraud prevention), consent (where required for certain cookies/marketing), and legal obligation.

We do not use Personal Data to make decisions that produce legal or similarly significant effects about individuals based solely on automated processing. If that changes, we will provide the required disclosures and rights.

5) How We Disclose Personal Data

We disclose Personal Data to:

  • Service Providers / Processors / Sub‑processors that host, support, or operate our Services; provide analytics, communications, payments, security, and other functions (bound by contract and limited to instructed purposes).
  • Clients (as controllers) when we provide Services under their instructions (processor mode).
  • Business Partners involved in joint offerings or events (with notice and, where required, your choice).
  • Professional advisors (lawyers, auditors, insurers) under confidentiality.
  • Corporate transaction parties (e.g., merger, acquisition, financing) subject to appropriate safeguards.
  • Authorities to comply with law, legal process, or to protect rights, safety, and security.

We do not sell Personal Data and do not share it for CCBA. We also do not knowingly allow third parties to collect Personal Data on our Services for CCBA.

6) International Data Transfers

We are headquartered in the United States and may transfer Personal Data to countries that may have different data protection laws than your country of residence. Where required (e.g., for EEA/UK/Swiss data), we use approved Standard Contractual Clauses (SCCs) and implement additional safeguards. If we later self‑certify to the EU‑U.S. Data Privacy Framework (and the UK/Swiss extensions), we will update this policy and our transfer mechanisms accordingly.

7) Cookies, Analytics & Signals

We use first‑party and service‑provider cookies and similar technologies for authentication, security, performance, and analytics. In jurisdictions where consent is required for non‑essential cookies, we will provide a consent banner and honor your choices.

  • Preferences: You can manage cookies through your browser settings and (where available) our on‑site cookie controls. Disabling cookies may affect site functionality.
  • Opt‑out signals: Where required by law, we honor browser‑based signals such as Global Privacy Control (GPC) and other recognized Universal Opt‑Out Mechanisms for opt‑outs from “sale,” “sharing,” or targeted advertising.

8) Your Privacy Rights

U.S. State Privacy Rights (e.g., CA, CO, CT, VA, UT, TX and others)

Depending on your state, you may have rights to access, correct, delete, port, and opt out of certain processing (sale/sharing/targeted advertising and, in some states, profiling in furtherance of decisions with legal or similarly significant effects). California residents also have the right to limit the use/disclosure of Sensitive Personal Information in certain cases.

How to exercise: Submit a request to privacy@commonpoint.com or through our web form (if provided). Please tell us your state of residence and the right you wish to exercise. We will verify your identity and respond within the time required by applicable law. You may also designate an authorized agent to submit a request on your behalf (we may require proof of authorization). You have the right to appeal our decision if we decline to act—appeal instructions will be provided in our response.

We will not discriminate against you for exercising your privacy rights.

GDPR/UK GDPR Rights (when applicable)

You may have rights to access your Personal Data, rectify inaccuracies, erase it, restrict or object to processing, and data portability. Where we rely on consent, you may withdraw it at any time (this does not affect processing prior to withdrawal). You also have the right to lodge a complaint with a supervisory authority in your country/region.

  • Controllers & Contacts: CommonPoint Inc. is the controller for processing described in this policy unless we state otherwise. If required, we will appoint an EU/UK representative and update this notice.

9) Security

We implement appropriate administrative, technical, and physical safeguards designed to protect Personal Data, including encryption in transit, access controls, logging and monitoring, and vulnerability management. No system can be 100% secure; if we learn of a security incident affecting your data, we will notify you and regulators as required by law and our contracts.

10) Retention & De‑Identification

We retain Personal Data for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, and for other legitimate and lawful business purposes. Where feasible, we aggregate or de‑identify data for analytics and product improvement. We will not attempt to re‑identify de‑identified data except to assess whether our de‑identification processes satisfy applicable legal standards.

11) Children’s Privacy

Our Services are intended for professionals and are not directed to children under 16. We do not knowingly collect Personal Data from children under 16.

12) Third‑Party Sites, Integrations & Social Features

Our Services may include links to third‑party sites or integrations with third‑party tools (e.g., single sign‑on, analytics, communications, project management). Those third parties’ privacy practices are governed by their own policies. Please review their notices before providing them with Personal Data.

13) Changes to This Policy

We may update this Privacy Policy from time to time. We will post the updated version and change the “Last updated” date. If changes are material, we will take additional steps to notify you.

14) Contact Us

CommonPoint Inc.
Attn: Privacy Officer
privacy@commonpoint.com

If you are located in the EEA/UK/Switzerland, you may also contact your local supervisory authority. If we designate an EU/UK representative, we will update this section.

15) Supplemental Disclosures

A. California Notice (CPRA)

  • We provide the Notice at Collection in Section 2 and on relevant screens where we collect Personal Data.
  • We do not sell Personal Data and do not “share” it for CCBA. We do not use or disclose Sensitive Personal Information for purposes requiring a “right to limit.”
  • We honor Global Privacy Control signals where required. California residents may use an authorized agent to submit requests.

B. Colorado Notice (CPA)

  • We do not process Personal Data for targeted advertising or sale. If that changes, we will provide a clear opt‑out and honor approved Universal Opt‑Out Mechanisms.

C. Processor‑Mode Processing

  • When a client engages CommonPoint to process Personal Data on their behalf, CommonPoint acts as a service provider/processor under applicable laws. Our DPA governs such processing (purpose limitation; confidentiality; security; sub‑processor controls; data subject assistance; return/deletion at end of term; audits; and cross‑border transfer mechanisms). Business Users seeking to exercise privacy rights for data handled under processor mode should contact the relevant client (controller).

D. Job Applicants

  • If you apply for a role at CommonPoint, we process your application and related data to evaluate your candidacy, communicate with you, and comply with law. We may retain your application materials for a period permitted by law to consider you for future roles. Additional details are provided in our Job Applicant Privacy Notice (if available) or upon request.

16) Key Definitions

  • “Personal Data/Personal Information” means information that identifies, relates to, describes, or can reasonably be linked to an identified or identifiable individual.
  • “Sensitive Personal Information” includes data such as precise geolocation, government identifiers, financial account credentials, and similar categories defined by law.
  • “Sale,” “Share,” and “Targeted Advertising” have the meanings given in applicable privacy laws.
  • “Controller/Business” and “Processor/Service Provider” have the meanings in applicable privacy laws.

This Privacy Policy is intended to be informative and transparent. It does not create contractual or legal rights beyond those required by applicable law or existing contracts with our customers.

CommonPoint Short-Form Public Notices

October 3, 2025

1. Cookie Notice

Last Updated: September 29, 2025

CommonPoint uses cookies and similar technologies to operate our Services, improve performance, and analyze usage.

  • Essential Cookies: Required for login, security, and service stability. Cannot be disabled.
  • Analytics Cookies: Help us understand usage trends to improve our Services.
  • Marketing Cookies: Currently not in use. If this changes, we will update this notice and request consent.

Your Choices:

  • Manage cookies through your browser settings.
  • In the EEA/UK/Switzerland, non-essential cookies require your consent via our cookie banner.
  • We honor browser-based opt-out signals such as Global Privacy Control (GPC) where required.

For more details, see our Privacy Policy above.

2. Sub-Processor List

Last Updated: September 29, 2025

To deliver our Services, CommonPoint uses trusted sub-processors who process limited Personal Data under contract:

  • Amazon Web Services (AWS) – cloud hosting and storage
  • Auth0/Okta – authentication and identity management
  • Google Analytics / Mixpanel – analytics (IP anonymization applied)
  • SendGrid – email delivery
  • Stripe – payment processing

Updates:

  • We will update this list before engaging new sub-processors.
  • Clients may object to a new sub-processor for legitimate data protection reasons, as provided in our Data Processing Addendum (DPA).

For more information, please contact privacy@commonpoint.com.

3. DSAR Contact

For requests to access, correct, or delete your information, please contact us at privacy@commonpoint.com.

Terms of Service

October 3, 2025

By accessing or using the websites, portals, and services provided by CommonPoint Inc. (“CommonPoint,” “we,” “us”), including commonpoint.com and related applications (the “Services”), you agree to these Terms of Service. The Services are offered exclusively for business use by insurance carriers, MGAs, self-insureds, risk managers, brokers, and related enterprise clients, and their authorized representatives. Individual accounts are tied to professional roles within client organizations. You represent and warrant that you are using the Services on behalf of your business and in compliance with applicable laws.

You may use the Services only as permitted under applicable agreements with CommonPoint, these Terms, and our Privacy Policy (above). We retain all intellectual property rights in the Services, including proprietary software, benchmarking tools, workflows, and related materials. Except as expressly permitted by CommonPoint, you may not copy, reverse-engineer, resell, or otherwise misuse the Services. Accounts are personal to the designated Business User and must be kept secure; you are responsible for activities conducted under your login.

The Services are provided “as is” and “as available” without warranties of any kind, except as otherwise set forth in a written agreement between you and CommonPoint. To the fullest extent permitted by law, CommonPoint disclaims liability for indirect, incidental, or consequential damages arising from use of the Services. These Terms are governed by the laws of the State of North Carolina, without regard to conflict of law principles. Any disputes will be resolved in the courts located in Orange County, North Carolina, unless otherwise agreed in writing. We may update these Terms from time to time, and continued use of the Services constitutes acceptance of the updated Terms.