Last Updated: May 12, 2026

This Privacy Policy describes how Gridline Holdings, Inc. and its affiliates (“Gridline,” “we”, “us” or “our”) handle personal information that we collect through the website that links to this Privacy Policy (the “Site”), our online investment platform, and related services, as well as through social media, our marketing activities, our live events, and other activities described in this Privacy Policy. This policy applies to all affiliates of Gridline Holdings, Inc., including Gridline Advisors, LLC, a Georgia-registered investment adviser.

Gridline Holdings, Inc. and its affiliates are committed to protecting your privacy and maintaining the confidentiality and security of your personal information in accordance with applicable laws and regulations, including applicable state privacy laws, international data protection laws (where applicable), the Gramm-Leach-Bliley Act (GLBA), SEC Regulation S-P (as amended), and anti-money laundering (AML) and know-your-customer (KYC) requirements, among others.

For Gridline customers with a registered account on the Service (“Registered Users”), please also refer to our Gramm-Leach-Bliley Act (GLBA) Privacy Notice, available here, which covers how we handle the personal information we collect from you in our capacity as a financial institution subject to the GLBA.

Gridline may provide additional or supplemental privacy policies to individuals for specific products or services that we offer at the time we collect personal information.

Information you provide to us. Personal information you may provide to us through the Site or otherwise includes:

• Contact data, such as your name and email address.
• Communications that we exchange with you, including when you contact us through the Site, social media, or otherwise.
  
• Marketing data such as your preferences for receiving our marketing communications and details about your engagement with them.
  
• Other data not specifically listed here, which we will use as described in this Privacy Policy or as otherwise disclosed at the time of collection.
  
  

Third-party sources. We may combine personal information we receive from you with personal information we obtain from other sources, such as:

• Public sources, such as government agencies, public records, social media platforms, and other publicly available sources.
• Data providers, such as information services and data licensors that provide demographic and other information.
• Marketing partners, such as joint marketing partners and event co-sponsors.
  
  

Automatic data collection. We, our service providers, and our business partners may automatically log information about you, your computer or mobile device, and your interaction over time with the Site, our communications, and other online services, such as:

• Device data, such as your computer or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, radio/network information (e.g., Wi-Fi, LTE, 3G), and general location information such as city, state, or geographic area.
• Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, the website you visited before browsing to the Site, navigation paths between pages or screens, information about your activity on a page or screen, access times and duration of access, and whether you have opened our emails or clicked links within them.
  
  

We may use your personal information for the following purposes or as otherwise described at the time of collection:

Site delivery. We may use your personal information to:

• provide, operate, and improve the Site and our business;
• communicate with you about the Site, including by sending announcements, updates, security alerts, and support and administrative messages;
• understand your needs and interests, and personalize your experience with the Site and our communications; and
• provide support for the Site, and respond to your requests, questions, and feedback.

Research and development. We may use your personal information for research and development purposes, including to analyze and improve the Site and our business.

Marketing and advertising. We, our service providers, and our third-party advertising partners may collect and use your personal information for marketing and advertising purposes:

• Direct marketing. We may send you direct marketing communications. You may opt-out of our marketing communications as described in the Opt-out of marketing section below.
• Interest-based advertising. Our third-party advertising partners may use cookies and similar technologies to collect information about your interaction (including the data described in the automatic data collection section above) with the Site, our communications and other online services over time, and use that information to serve online ads that they think will interest you. This is called interest-based advertising. We may also share information about our users with these companies to facilitate interest-based advertising to those or similar users on other online platforms. For California residents, this disclosure of personal information to third-party advertising partners may constitute “sharing” for cross-context behavioral advertising as defined under the CCPA, and you have the right to opt out of such sharing. You can learn more about your choices for limiting interest-based advertising, including how to exercise your CCPA opt-out rights, in the Your choices section below.

• comply with applicable laws and regulatory requirements, respond to lawful requests and legal process, such as to respond to subpoenas or requests from government authorities;
• verify your identity, conduct due diligence, and monitor for suspicious activity as required by law;
• protect our, your, or others’ rights, privacy, safety, or property (including by making and defending legal claims);
• audit our internal processes for compliance with legal and contractual requirements or our internal policies;
• enforce the terms and conditions that govern the Site; and
• prevent, identify, investigate, and deter fraudulent, harmful, unauthorized, unethical, or illegal activity, including cyberattacks and identity theft.

With your consent. In some cases, we may specifically ask for your consent to collect, use, or share your personal information, such as when required by law.

To create anonymous, aggregated, or de-identified data. We may create anonymous, aggregated, or de-identified data from your personal information and other individuals whose personal information we collect. We make personal information into anonymous, aggregated, or de-identified data by removing information that makes the data identifiable to you. We employ industry-standard technical and administrative measures designed to prevent re-identification of such de-identified data. Once data has been de-identified so that it can no longer reasonably be associated with you, an individual, a company, or confidential information, such de-identified data is no longer considered personal information under this Privacy Policy. We may use this anonymous, aggregated, or de-identified data and share it with third parties for our lawful business purposes, including to analyze and improve the Site and our services, promote our business, and enhance the quality and functionality of our services, including AI-powered features and platform capabilities.

For the avoidance of doubt, the use of de-identified data for AI-powered features as described above is distinct from the AI model training commitment below: de-identified data that can no longer reasonably be linked to any individual may be used to improve our services and features, but identifiable personal information and customer data are never used to train AI models.

AI Model Training. We do not use your personal information or customer data (such as account information, transaction records, or documents you provide to us) to train artificial intelligence models. We will not disclose or use your customer data for any commercial purpose unrelated to providing our services to you without your written consent.

Cookies and similar technologies. In addition to the other uses included in this section, we may use the Cookies and similar technologies described above for the following purposes:

• Technical operation. To allow the technical operation of the Site.
• Functionality. To enhance the performance and functionality of our services.
• Advertising. To help our third-party advertising partners collect information about how you use the Site and other online services over time, which they use to show you ads on other online services they believe will interest you and measure how the ads perform.
• Analytics. To help us understand user activity on the Site, including which pages are most and least visited and how visitors move around the Site, as well as user interactions with our emails. For example, we use Google Analytics for this purpose. You can learn more about Google Analytics and how to prevent the use of Google Analytics relating to your use of our Site here.
  

Artificial Intelligence Technologies. Certain of our services, including our Gridline Insights platform, leverage artificial intelligence and machine learning technologies to process and analyze information. Our AI systems process user inputs, including documents, data, and queries, to generate outputs such as compliance analyses, document reviews, regulatory summaries, and other analytical content.

Ai Limitations and Disclaimers. You should be aware of the following limitations inherent in AI technologies:

• Potential inaccuracies. AI-generated outputs may contain errors, inaccuracies, or incomplete information.
• Hallucinations. AI systems may generate fabricated information that appears credible but is not based on actual data or facts.
• Outdated information. AI models are trained on historical data and may not reflect the most current laws, regulations, or market conditions.
• Inherent biases. AI outputs may reflect biases present in training data or algorithmic design choices.
• No human review. AI-generated outputs are delivered to you without prior human review or verification by our personnel.

User Responsibility. You are solely responsible for independently verifying, validating, and reviewing all AI-generated outputs before relying on them for any purpose. You should not use AI outputs as a substitute for your own judgment, expertise, or independent analysis.

Not Professional Advice. Our AI platform and any AI-generated outputs do not constitute legal advice, compliance advice, tax advice, investment advice, or any other form of professional advice. You should consult with qualified professionals before making decisions based on AI outputs

We may share your personal information with the following parties and as otherwise described in this Privacy Policy or at the time of collection.

Affiliates. With our parent, subsidiaries, and affiliates, for purposes consistent with this Privacy Policy.

Service providers. Third parties that provide services on our behalf or help us operate the Site or our business (such as hosting, information technology, compliance, customer support, email delivery, marketing, consumer research and website analytics). We conduct due diligence and maintain written agreements requiring service providers to implement appropriate safeguards, promptly notify us of data breaches, and comply with applicable privacy and security requirements, including SEC Regulation S-P.

Advertising partners. Third-party advertising companies for the interest-based advertising purposes described above.

Business and marketing partners. Third parties with whom we co-sponsor events or promotions, with whom we jointly offer products or services, or whose products or services may be of interest to you.

Professional advisors. Professional advisors, such as lawyers, auditors, bankers, and insurers, where necessary in the course of the professional services that they render to us.

Authorities and others. Law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the compliance and protection purposes described above.

Business transferees. Acquirers and other relevant participants in business transactions (or negotiations of or due diligence for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale, or other disposition of all or any portion of the business or assets of, or equity interests in, Gridline or our affiliates (including, in connection with a bankruptcy or similar proceedings).

The Site may contain links to websites, mobile applications, and other online services operated by third parties. In addition, our content may be integrated into web pages or other online services that are not associated with us. These links and integrations are not an endorsement of, or representation that we are affiliated with, any third party. We do not control websites, mobile applications, or online services operated by third parties, and we are not responsible for their actions. We encourage you to read the privacy policies of the other websites, mobile applications, and online services you use.

We employ a number of technical, organizational, and physical safeguards designed to protect the personal information we collect. However, security risk is inherent in all internet and information technologies and we cannot guarantee the security of your personal information.

As required by SEC Regulation S-P, we maintain a written incident response program to detect, respond to, and recover from unauthorized access to or use of customer information, including procedures for timely notification to affected individuals in the event of a data breach. In addition to our obligations under Regulation S-P, we comply with applicable state data breach notification laws, which may require us to notify affected individuals, state attorneys general, or other regulatory authorities within specified timeframes following a qualifying data breach.

We retain personal information as long as necessary for the purposes for which it was collected, to comply with legal and regulatory obligations, and as required by SEC Regulation S-P and other applicable laws. The following general retention criteria apply: (a) account and transaction data is retained for the duration of the customer relationship and for a minimum of five years thereafter, consistent with SEC books and records requirements under 17 CFR § 275.204-2; (b) identity verification, AML/KYC, and suspicious activity records are retained for at least five years from the date of the record, as required by the Bank Secrecy Act and FinCEN regulations under 31 CFR § 1010.430; (c) tax-related records, including IRS Forms W-9, W-8, and K-1, are retained for the period required by applicable IRS regulations; (d) Site usage and analytics data is generally retained for up to 26 months from the date of collection, unless a longer period is required for compliance or security purposes; and (e) marketing and communications preference data is retained until you withdraw your consent or request deletion, subject to any overriding legal retention obligation. We maintain written policies and procedures for the secure disposal of customer and consumer information, including data related to pooled investment vehicles, to protect against unauthorized access or use in connection with its disposal.

We are headquartered in the United States and may use service providers that operate in other countries. Your personal information may be transferred to the United States or other locations where privacy laws may not be as protective as those in your state, province, or country. Where required by law (such as under the General Data Protection Regulation (GDPR) or UK data protection laws), we implement appropriate safeguards for international data transfers, such as the European Commission’s Standard Contractual Clauses (or the UK equivalent, the International Data Transfer Agreement or Addendum), and provide you with rights regarding your personal data.

As required by law, we collect and process personal information to comply with anti-money laundering (AML) and know-your-customer (KYC) obligations, including for investors in pooled investment vehicles. This includes identity verification, screening against government watchlists, and ongoing monitoring to detect and prevent illicit activity.

The Site is not intended for use by anyone under 18 years of age. If you are a parent or guardian of a child from whom you believe we have collected personal information in a manner prohibited by law, please contact us. If we learn that we have collected personal information through the Site from a child without the consent of the child’s parent or guardian as required by law, we will comply with applicable legal requirements to delete the information.

We reserve the right to modify this Privacy Policy at any time. If we make material changes to this Privacy Policy, we will notify you by updating the date of this Privacy Policy and posting it on the Site or by other appropriate means. Any modifications to this Privacy Policy will be effective upon our posting the modified version (or as otherwise indicated at the time of posting). In all cases, your use of the Site after the effective date of any modified Privacy Policy indicates your acceptance of the modified Privacy Policy.

Under California’s Shine the Light law (California Civil Code Section 1798.83), California residents may ask companies with whom they have formed a business relationship primarily for personal, family, or household purposes to provide the names of third parties to which they have disclosed certain personal information (as defined under the Shine the Light law) during the preceding calendar year for their own direct marketing purposes and the categories of personal information disclosed. You may send us requests for this information to info@gridline.co. In your request, you must include the statement “Shine the Light Request," and provide your first and last name and mailing address and certify that you are a California resident. We reserve the right to require additional information to confirm your identity and California residency. Please note that we will not accept requests via telephone, mail, or facsimile, and we are not responsible for notices that are not labeled or sent properly, or that do not have complete information.

The following disclosures are made pursuant to the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA"), and apply to California residents ("consumers").

In the preceding 12 months, we have collected the following categories of personal information from consumers:

• Identifiers, such as name, email address, postal address, phone number, IP address, and account credentials.
• Personal information described in Cal. Civ. Code § 1798.80(e), such as name, address, telephone number, and financial information.
• Characteristics of protected classifications under California or federal law, such as age and gender, where voluntarily provided.
• Commercial information, such as transaction history, investment preferences, and records of services obtained.
• Internet or other electronic network activity information, such as browsing history, search history, and information regarding interactions with our Site.
• Geolocation data, such as general location derived from IP address.
• Professional or employment-related information, where provided in connection with account verification or investor qualification.
• Sensitive personal information, including government-issued identification numbers (e.g., Social Security number, driver's license number, passport number) and financial account information collected for identity verification, AML/KYC compliance, and account administration purposes.
• Inferences drawn from the above categories to create a profile reflecting preferences, characteristics, and behavior.

We collect personal information from the following categories of sources: directly from you; automatically through your use of the Site; from third-party data providers; from public sources; and from marketing partners.

For more detail, see the "Personal information we collect" section above.

We collect and use personal information for the purposes described in the "How we use your personal information" section above, including to provide and improve our services, communicate with you, conduct marketing and advertising, comply with legal and regulatory obligations, detect and prevent fraud, and for research and development.

In the preceding 12 months, we have disclosed personal information to the categories of third parties described in the "How we share your personal information" section above, including affiliates, service providers, advertising partners, business and marketing partners, professional advisors, government authorities, and business transferees.

We do not "sell" personal information as defined under the CCPA. We may "share" personal information (as defined under the CCPA) with third-party advertising partners for cross-context behavioral advertising purposes. The categories of personal information shared for this purpose include identifiers and internet or other electronic network activity information. You have the right to opt out of this sharing as described below.

We collect sensitive personal information, including government-issued identification numbers and financial account information, solely as necessary to provide our services, comply with applicable legal and regulatory requirements (including AML/KYC and SEC regulations), and as otherwise permitted under the CCPA. We do not use or disclose sensitive personal information for purposes beyond those permitted under Cal. Civ. Code § 1798.121.

We retain each category of personal information for as long as reasonably necessary for the purposes for which it was collected, as described in the "Retention and disposal" section above, and as required by applicable law.

Subject to certain exceptions and limitations, California residents have the following rights under the CCPA:

• Right to Know. You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business or commercial purposes for collecting, selling, or sharing it, and the categories of third parties to whom we disclosed it.
• Right to Delete. You have the right to request that we delete personal information we have collected from you, subject to certain exceptions.
• Right to Correct. You have the right to request that we correct inaccurate personal information we maintain about you.
• Right to Opt Out of Sale/Sharing. You have the right to opt out of the sale of your personal information and the sharing of your personal information for cross-context behavioral advertising purposes.
• Right to Limit Use of Sensitive Personal Information. You have the right to limit our use and disclosure of your sensitive personal information to uses that are necessary to provide our services or as otherwise permitted under the CCPA.
• Right to Non-Discrimination. We will not discriminate against you for exercising any of your CCPA rights. We will not deny you goods or services, charge you different prices or rates, provide you a different level or quality of goods or services, or suggest that you will receive a different price or rate or different level or quality of goods or services because you exercised a CCPA right.

To exercise any of the rights described above, you may submit a verifiable consumer request by contacting us at:

Email: info@gridline.co
Phone: (470) 795-0282

Only you, or a person you have authorized to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You may submit a request to know or a request to delete no more than twice within a 12-month period. The verifiable consumer request must provide sufficient information that allows us to reasonably verify that you are the person about whom we collected personal information (or an authorized representative) and describe your request with sufficient detail to allow us to properly understand, evaluate, and respond to it.

We will confirm receipt of your request within 10 business days and will respond to your verifiable consumer request within 45 calendar days of receiving it. If we require more time (up to an additional 45 calendar days), we will inform you of the reason and the extension period in writing.

You may designate an authorized agent to submit a request on your behalf. We may require the authorized agent to provide proof of your written permission and may require you to verify your own identity directly with us.

For purposes of the CCPA, Gridline generally operates as a “business” (as defined under the CCPA) with respect to personal information we collect from consumers who visit our Site, create accounts, or invest through our platform. In limited circumstances where Gridline processes personal information on behalf of its business customers solely at their direction and pursuant to a written agreement, Gridline may act as a “Service Provider” as defined under the CCPA and similar state privacy laws. In that capacity, we process personal information only for the specific purposes set forth in our agreements with such customers and as otherwise permitted by applicable law. When acting as a Service Provider, Gridline does not sell personal information or share personal information for cross-context behavioral advertising purposes.

In addition to the California-specific rights described above, residents of certain other states may have privacy rights under applicable state comprehensive privacy laws, including but not limited to the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, the Texas Data Privacy and Security Act, the Oregon Consumer Privacy Act, the Delaware Personal Data Privacy Act, the New Jersey Data Privacy Act, the Montana Consumer Data Privacy Act, the Minnesota Consumer Data Privacy Act, the Maryland Online Data Privacy Act, the Iowa Consumer Data Protection Act, the Nebraska Data Privacy Act, the New Hampshire Expectation of Privacy Act, the Tennessee Information Protection Act, the Indiana Consumer Data Protection Act, the Kentucky Consumer Data Protection Act, and the Rhode Island Data Transparency and Privacy Protection Act.

Certain state privacy laws exempt financial institutions regulated under the Gramm-Leach-Bliley Act, or exempt data collected, processed, sold, or disclosed pursuant to the GLBA. To the extent that Gridline's processing of your personal information is subject to GLBA requirements and an applicable state law exemption applies, that state law may not apply to such processing. This section applies to our processing of personal information that is not otherwise exempt under an applicable state privacy law.

Depending on your state of residence, you may have some or all of the following rights with respect to your personal information:

• Right to Access/Know. You may request confirmation of whether we are processing your personal information and request access to the categories and specific pieces of personal information we have collected about you.
• Right to Data Portability. You may request a copy of your personal information in a portable and, to the extent technically feasible, readily usable format.
• Right to Delete. You may request that we delete the personal information we have collected from or about you, subject to certain exceptions permitted by law.
• Right to Correct. You may request that we correct inaccurate personal information we maintain about you.
• Right to Opt Out of Sale. You may opt out of the sale of your personal information, as "sale" is defined under applicable state law.
• Right to Opt Out of Targeted Advertising. You may opt out of the processing of your personal information for purposes of targeted advertising, as defined under applicable state law.
• Right to Opt Out of Profiling. You may opt out of profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
• Right to Non-Discrimination. We will not discriminate against you for exercising any of the rights described in this section.
• Right to Appeal. If we decline to take action on your request, you may appeal our decision. We will provide you with instructions for submitting an appeal at the time we respond to your request.
• Sensitive Data. Where required by applicable state law, we will obtain your consent before collecting or processing sensitive personal information, unless an exemption applies.
• Opt-Out Preference Signals. Where required by applicable state law, we honor opt-out preference signals, such as the Global Privacy Control, as valid requests to opt out of the sale of personal information, the sharing of personal information for targeted advertising, and profiling, as applicable.

To exercise any of the rights described above, please contact us using the methods described in the "How to contact us" section of this Privacy Policy. We will verify your identity before processing your request and will respond within the timeframe required by applicable law (generally 45 days, with the possibility of an extension where permitted). If you are submitting a request through an authorized agent, we may require verification of the agent's authority and your identity.