Scholars Privacy Notice

Scholars ("Scholars", "we", "our", or "us") is a workforce management and contractor onboarding platform operated by iMerit Inc. For purposes of applicable data protection laws (including the EU General Data Protection Regulation (GDPR) and UK GDPR), iMerit Inc., 160 West Santa Clara St., Suite 600, San Jose, CA 95113, United States, acts as the Data Controller for personal data processed through the Scholars platform. This Privacy Notice explains how we collect, use, store, and protect personal data when individuals create an account or use Scholars. Data Protection Officer (DPO) iMerit Inc. has appointed a Data Protection Officer. DPO Contact: georgeo.p@imerit.net You may contact the DPO for any data protection concerns.

This Privacy Notice applies to: • Individuals who create a Scholars account • Contractors participating in projects • Assessment participants • Visitors to our website • Users interacting with Scholars systems Minimum Age Requirement Scholars is not intended for individuals under 18 years of age (or the age of majority in their jurisdiction, if higher). We do not knowingly collect personal data from minors.

We collect only the information necessary to operate the platform and support onboarding, compliance, and participation. A. Account & Contact Information • First and last name • Email address • Phone number • Country of residence • Date of birth B. Professional Information • Education history • Work history • Portfolio links (e.g., GitHub) • Resume/CV uploads C. Media & Assessment-Related Content • Profile photograph (if uploaded) • Proctoring recordings (video and/or audio) • Assessment session metadata (timestamps, activity logs) Proctoring recordings may include image, voice, screen activity, and assessment behavior. D. Technical Information • IP address • Device/browser metadata • Authentication logs • Platform activity logs E. Compliance Status Information • Payment setup status • Tax form status • Identity verification (IDV) status • Background check (BCG) status Data We Do Not Store Scholars does not store: • Government ID numbers • Passport images • Tax forms • Bank account details • Full background check reports These are processed directly by trusted third-party providers (see Section 6).

We use cookies and similar technologies to: • Enable authentication and session management • Maintain platform security • Analyze performance • Improve user experience We may use: • Strictly necessary cookies • Functional cookies • Analytics cookies Where required by law (e.g., EU/UK), non-essential cookies are deployed only after consent. You may withdraw cookie consent at any time via your browser settings or platform controls.

Under GDPR, we rely on the following legal bases: • Account creation & participation — Contractual necessity (Art. 6(1)(b)) • Project eligibility evaluation — Contractual necessity • Identity verification & background screening — Legal obligation and/or contractual necessity • Payment & tax coordination — Legal obligation • Platform security & fraud prevention — Legitimate interest (Art. 6(1)(f)) • Proctoring & assessment integrity — Legitimate interest and/or consent • Platform improvement & analytics — Legitimate interest • Regulatory compliance — Legal obligation Where we rely on legitimate interests, we conduct a balancing assessment to ensure our interests do not override your fundamental rights. Proctoring & Biometric Processing (Article 9) Scholars does not intentionally conduct biometric identification for the purpose of uniquely identifying individuals. If facial comparison or biometric analysis is performed by a third-party identity provider during proctoring: • It is limited to fraud prevention and identity verification. • Where required, we rely on explicit consent (GDPR Art. 9(2)(a)). • Such data is not retained beyond verification unless legally required. Right to Withdraw Consent Where processing is based on consent, you may withdraw your consent at any time without affecting prior lawful processing.

Certain onboarding and compliance functions are performed by independent providers, including: • Trolley – payment setup and tax processing • Veriff – identity verification • Certn – background screening • Hubspot - Service Desk / Support and communication These providers process sensitive information directly. Scholars receives only workflow status confirmations necessary for participation management. We require appropriate contractual safeguards and data protection commitments.

Scholars does not make solely automated decisions that produce legal or similarly significant effects. Automated systems may: • Flag suspicious activity • Generate compliance status indicators Final decisions regarding participation involve human review.

Personal data may be processed in the United States, European Union, or other jurisdictions. Where data is transferred internationally, we implement safeguards such as: • Standard Contractual Clauses (SCCs) • Contractual data protection obligations • Transfer impact assessments where required

We retain personal data only as long as necessary for defined purposes: • Account data: duration of account + up to 24 months • Resume/CV files: deleted within 30 days of account deletion • Proctoring recordings: retained 90–180 days unless dispute or legal hold applies • Audit logs: minimum 12 months • Compliance records: up to 7 years where legally required • Inactive accounts: deleted or anonymized after 24 months Retention may be extended where required by law.

Certain personal data is required to: • Create and maintain an account • Participate in projects • Receive payments • Meet legal obligations Failure to provide required information may result in inability to participate in Scholars projects.

We implement technical and organizational safeguards including: • Role-based access controls • Multi-factor authentication • Encryption in transit and at rest • Restricted access to proctoring recordings • Centralized logging and monitoring • Periodic access reviews In the event of a personal data breach, we will notify affected individuals and authorities where required by law.

Depending on your jurisdiction, you may have the right to: • Access your personal data • Request correction • Request deletion • Restrict or object to processing • Request data portability • Withdraw consent • Lodge a complaint with a supervisory authority We respond to verified requests within one month, extendable where legally permitted. California (CCPA/CPRA) California residents may: • Request disclosure of collected information • Request deletion • Request correction • Request limitation of sensitive personal information • Opt-out of sale or sharing (Scholars does not sell personal data) • Not be discriminated against for exercising rights Brazil (LGPD), Canada (PIPEDA/CPPA), and Other Jurisdictions We honor applicable rights under local data protection laws, including access, correction, deletion, and consent withdrawal where required.

To submit a data subject request: ango.support@imerit.net Subject line: "Scholars Data Request" Please include: • Full name • Account email • Country of residence • Description of request We may verify your identity before fulfilling the request.

We may update this Privacy Notice periodically. When material changes occur, we will notify users within the platform and may require acknowledgment of the updated version.

Privacy Team iMerit Inc. 160 West Santa Clara St., Suite 600 San Jose, CA 95113 Email: ango.support@imerit.net