Purpose

This policy sets out the requirements at Stack AV Co. (“Stack”, “we”, “us”) regarding what personal information we collect and why, to whom we disclose it, and how we protect it, as well as your respective privacy rights under applicable laws.

Scope

This policy applies to all Stack directors, officers, employees, and all those doing business on behalf of Stack (collectively, “Stack personnel”).

Exceptions & Approvals

Exceptions to this policy are permitted only by a Company Officer or the VP of People.

Summary

Stack wants to provide you information about what personal information we collect and why, to whom we disclose it, and how we protect it, as well as your respective privacy rights under applicable laws. This data protection notice and privacy policy (the “Notice”) applies to you in your capacity as a Stack employee, non-employee staff, or job candidate. We may revise this Notice from time to time at our sole discretion. We will communicate changes and updates to this Notice by posting an updated version of the Notice (with an updated date) on our intranet, job board, and/or providing you a copy or a link to the Notice via email. In case of a conflict between this Notice and applicable law, applicable law will govern.

Policy

We collect personal information at various stages during our working relationship with you, such as when you apply for a role with Stack, when we create a personnel file or engagement record, and through our management of our relationship with you. If you do not provide the personal information we request from you, we may not be able to hire or retain you or provide you with certain employee benefits.

For example, depending on our working relationship with you, we collect the following types of personal information:

• basic information (e.g., name, employee identification number, work and home contact details);
• benefits administrative information (e.g., employment dates, salary, bonus, equity, other compensation, work location, bank account details, leave status, other benefits, marital status, dependent information);
• emergency contacts;
• financial information (e.g., information relating to your investment holdings if relevant to your role, directorship/outside business interests of you and your family members, travel and expenses);
• government identification or immigration details as required to comply with our obligations under law (e.g., date of birth, gender, sex, driver's license or other government identification information, passport data, residency, work permit);
• talent management information (e.g., degrees, licenses, certifications, training records, professional references, work experience, job titles and duties, seniority, performance evaluations, driver information and licenses for permitting and compliance purposes);
• location-related data (e.g., office location, badge access swipes, room reservations, CCTV, IP address, business travel data); and
• audio, visual, or other similar information (e.g., photos for our corporate directory or internal communications, audio-visual recordings, video conference recordings).

We may also collect, under certain circumstances and to the extent permitted by local law, sensitive personal information which is a subset of personal information. Sensitive personal information varies under applicable law but generally includes information about your ethnicity, health, trade union membership, religious beliefs, and sexual orientation. We sometimes need to collect sensitive personal information to manage certain activities or comply with safety regulations in connection with our business activities. For instance, we may collect information related to health to manage a workplace accommodation or sickness absence, or where permitted by applicable law, we collect data related to drug and alcohol use, motor vehicle record screenings, or criminal proceedings and offenses to perform background checks or to investigate behavior that may go against Stack's values or violate Stack's policies, professional and safety standards, or the law.

As an autonomous vehicle company, we develop and use technology installed on test vehicles (“Test Vehicles”). Our Test Vehicles are outfitted with equipment to detect the Test Vehicle's environment and surroundings, and in connection with the use of such Test Vehicles, we may, for our research purposes, collect and use:

• Vehicle Telemetry Data. The Test Vehicles are equipped with cameras and sensors to detect and record its surroundings through electromagnetic, optical, and acoustic waves (e.g., radar, video, lidar, GPS, and microphones) to train and improve the ability of the Test Vehicles to safely drive autonomously as well as Electronic Logging Devices (“ELD”) that automatically record various data points related to the Test Vehicle's operations to comply with Hours of Service regulations applicable to our commercial motor vehicle drivers. The data includes Test Vehicle engine hours, vehicle information, driver status, origin and destination, speed, direction, miles driven, route information, and the date and time of recorded events. Except for driver information logged by the ELD to determine the driver of the Test Vehicle, this information is not used to identify any individuals.
• Video Camera and Audio Data. The Test Vehicles are equipped with video cameras and microphones to record their surroundings. Any image, audio recording, or other indication of a person (or a pet, house, mailbox, stop sign, etc.) is used only for research and operation of the Automated Driving System (“ADS”) to identify and classify static and dynamic objects and respond appropriately. Except as otherwise explained in the Consent to Safety Technology and Biometrics Form, this information is not used to identify any individuals.
• Geolocation data. The above information is accompanied by geolocation data, which is necessary to improve software so that the ADS can identify and classify static and dynamic objects and respond appropriately. This information is not used to identify any individuals.

Please note that any collection and use of personal information captured through our Test Vehicles are incidental to our research and training purposes. We do not collect images or other data via our Test Vehicles for the purpose of applying facial recognition or other personally identifying technology. We may allow our enterprise partners to use our ADS, and we may collect and maintain vehicle telemetry data, video camera and audio data, and geolocation data for them. If we do, we will handle the information as required and permitted in our agreements with them.

If you operate Test Vehicles, please carefully review the Consent to Safety Technology and Biometrics Form for more information on Stack's Test Vehicle in-cabin technologies.

We collect your personal information from a variety of sources. We get our information from you, for example, in your job application, forms you fill out for us, assessments you complete, surveys you submit, and any other information you provide during the course of your relationship with us and from your spouse or dependent with respect to their own personal information.

We also collect information from:

• what's internally generated, for example, we may generate performance evaluations, hours worked, and other information about you;
• our affiliated companies, for example, if you employee work on a cross-enterprise team;
• business partners in relation to a training, webinar, conference, corporate event, deal, or transaction in which Stack is involved and/or in which you will be participating service providers (e.g., vendors, professional employer organizations or staffing agencies, law firms, job references, business partners, insurance and other benefits companies);
• public internet sources, for example, social media, job boards, and other public online sources;
• public records or public authorities, for example, court records and credentialing and licensing organizations; government agencies; law enforcement;
• automated technologies on Stack's electronic resources (e.g., to track RSVPs, logins, or activity across our network or applications);
• recording technologies installed by Stack (e.g., CCTV in common areas of Stack's facilities, voicemail technologies, webcams, audio-visual recording technologies, Bluetooth technologies, Test Vehicles).

If you disclose any personal information relating to other people to us, you represent that you have the authority to do so and to permit us to use the information in accordance with this Notice.

We use your personal information for the following purposes:

• managing our workforce, including performance management, administering compensation, honoring contractual benefits, performing background checks, conducting and analyzing employee surveys, training, addressing disciplinary matters, grievances, and terminations, managing travel, expenses, and reimbursements, maintaining company directories, facilitating corporate communications;
• facilitating and protecting our business operations, including managing company assets and finances, complying with internal policies and procedures, addressing corporate governance matters, complying with recordkeeping and reporting responsibilities, complying with tax obligations, conducting internal audits, monitoring and managing risk, managing corporate re-organizations, conducting strategic planning, business continuity, and crisis management;
• maintaining the safety and security of our employees, staff, visitors, and the public (in case of emergency);
• monitoring, safeguarding, and managing IT infrastructure, laptops and computer equipment, mobile devices, office facilities, and other company property;
• protecting Stack's legal rights, including monitoring staff performance and conduct, assessing compliance with policies and procedures, monitoring telephone, email, internet and other company resources, conducting investigations including reporting of allegations of wrongdoing, policy violations, fraud, or financial reporting concerns;
• complying with legal and other requirements applicable to our businesses in all jurisdictions in which we operate, such as tax deductions, incident response, permitting, record-keeping and reporting obligations, conducting audits, compliance with government inspections and other requests from government or other public authorities, responding to legal process such as subpoenas, pursuing legal rights and remedies, defending litigation, and managing any internal or external complaints or claims (including those received through the company hotline or email);
• arranging and managing Stack-sponsored events, public service activities, and other events and activities to facilitate and maintain company culture;

Stack processes your personal information to comply with our legal obligations, manage our contractual relationships, protect life or physical safety, and based on our legitimate interest to operate and protect our business (unless your fundamental rights outweigh our interests). In certain instances, we may process personal information based on your consent if (i) consent to the processing described in this Notice is required by local law, (ii) the processing involves sensitive personal information, or (iii) the specific processing activity is not required in connection with the purposes described above. Subject to applicable law, some processing may also be necessary so that we can perform a contract with you or because it is required by law.

Stack uses monitoring tools to ensure compliance with company policies, assist with our legal, regulatory, and recordkeeping and reporting obligations, safeguard sensitive and confidential information, prevent and address misconduct, maintain network security, and protect our legitimate interests as an employer. Such tools include for example: (i) monitoring technologies to capture employee on-screen and network activity, track location data (e.g., for information security and tax purposes), continually backup corporate data (including employee communications); (ii) supplier and enterprise risk management technologies to ensure compliance with internal policies and procedures and regulatory obligations; (iii) analytical technologies to track use of company resources, manage travel and expenses, monitor financial transactions, conduct internal investigations, respond to compelled disclosures (e.g., subpoenas, litigation). We neither engage in employee profiling nor make personnel-related decisions based solely on automated decision-making without human intervention.

Personal information obtained via our monitoring tools may be disclosed to Stack's Compliance, Legal, Information Security, and/or PeopleOps teams as appropriate, including those of our parent corporation, SoftBank Group Corp. As for the vendors of such tools, we strictly prohibit such vendors from processing or transferring personal information other than where necessary for the purpose of providing us with the relevant services. Monitoring and related activities may be conducted only by authorized Stack employees or third parties acting on their behalf, subject to appropriate safeguards and as consistent with applicable law.

Due to the distributive nature of Stack operations, we disclose personal information to personnel and departments throughout Stack and certain Stack affiliates to fulfill the purposes described in this Notice. Access to personal information within Stack will be limited to those who have a need to know the information, including personnel in People Operations, IT, Legal, Compliance, and Finance. All personnel within Stack will generally have access to your business contact information such as name, position, work telephone number, office location, and work email address.

Stack will need to make personal information available to unaffiliated third parties such as our suppliers and service providers that we have engaged at the local or global level (e.g., benefits, insurance, payroll, travel and expense, background checks); our legal and professional advisers; our business partners in support of business operations; third parties in relation to compelled disclosures (e.g., subpoenas); and government authorities (e.g., for tax purposes, immigration purposes, permitting purposes, incident response, investigations).

In connection with a corporate transaction, sale, or assignment of assets, merger, divestiture, or other changes of control or financial status of Stack or any of its subsidiaries or affiliates, your personal information may be transferred to the acquiring person or entity. We may also disclose personal information with your consent, which you may withdraw your consent at any time.

Some recipients of your information will be located outside your home jurisdiction, including any country in which we or they have operations (e.g., United States, United Kingdom, Japan). We take appropriate measures to protect personal information that are consistent with applicable privacy and security laws and regulations, including requiring service providers to implement technical and organizational measures to protect personal information and entering into data processing and transfer agreements where required.

Stack will not retain your personal information for longer than is necessary in relation to the purposes for which your personal information is processed. We will retain personal information for the period necessary to fulfill the purposes outlined in this Notice unless a longer retention period is required or permitted by law. The criteria used to determine our retention periods are:

• the duration of your employment or service;
• as long as we have an ongoing relationship with you;
• Aas required by a legal obligation to which we are subject; and
• as advisable in light of our legal position (such as in regard of applicable statutes of limitations, litigation, or regulatory investigations).

In some circumstances (depending on the type of personal information), we may retain your personal information after your employment has ended but in no event longer than the period of time permitted or required by applicable law.

Depending on the applicable laws in your country of residence, you may have certain rights related to your personal information, for example, you may have the right to:

• know what personal information we have collected about you;
• request access to your personal information;
• correct your inaccurate, incomplete, or outdated personal information; and
• inform us that you do not wish to receive marketing information

You can seek to exercise your data privacy rights (where applicable) by contacting us at compliance@stackav.com.

To help protect your privacy and security, we will verify and respond to your request consistent with applicable law, taking into account the nature of the request and the applicable circumstances. We will make reasonable attempts to promptly investigate, comply with, or otherwise respond to your requests as may be required by applicable law. Please note that, depending upon the circumstances and the request, we may not be permitted to provide you with access to your personal information or otherwise fully comply with your request.

We will take reasonable organizational, technical, and administrative measures against unlawful or unauthorized processing of your personal information, and against the accidental loss of, or damage to, your personal information. Unfortunately, no data transmission or storage system can be guaranteed to be 100% secure. If you have reason to believe that your interaction with us is no longer secure, please immediately notify us in accordance with the “Questions or complaints” section below.

If you have any questions or complaints regarding Stack's processing of your personal information, please contact us at compliance@stackav.com.

Compliance with this policy is mandatory. Violations of this policy may result in disciplinary action, including termination of employment.