Charm Security Privacy Policy
Effective Date: April 28, 2026
This Privacy Policy ("Privacy Policy") governs the data collection practices of Charm Security Inc. ("Charm", "we," "us," or "our") when you or your organization install or use the Fraud Prevention Browser Extension (the "Extension") and related services (the "Services"). It also describes your privacy choices and rights. This policy is designed to meet the Chrome Web Store Developer Program Policies, including the Privacy Policy and Limited Use requirements, as well as applicable privacy laws.
This Privacy Policy contains important disclosures on how we collect, share, and use your personal data or information as further detailed below. To the extent permitted by applicable laws, this Privacy Policy is an integrated part of the binding Terms of Use ("Terms of Use"). Definitions herein shall have the same meaning as defined in the Terms of Use.
PLEASE DO NOT DOWNLOAD, INSTALL, OR ADD THE EXTENSION TO YOUR BROWSER, OR USE THE SERVICES IN ANY MANNER BEFORE YOU READ AND ACKNOWLEDGE THIS PRIVACY POLICY. THE USE OF INFORMATION RECEIVED FROM THE GOOGLE API THROUGH THE EXTENSION WILL ADHERE TO THE CHROME WEB STORE USER DATA POLICY INCLUDING THE LIMITED USE REQUIREMENTS THEREIN.
Scope and Controller
This policy applies to the Extension available through the Chrome Web Store and to any related Services we provide in connection with the Extension. We act as the data controller for Personal Data (as defined below) processed through the Extension unless otherwise stated in an enterprise agreement with your organization or in the relevant data processing agreement.
For any question, inquiry or concern related to this Privacy Policy or the processing of your Personal Data, you may contact us by email: privacy@charmsecurity.com.
Amendments
We may update this Privacy Policy from time to time and recommend that you check back periodically for the latest version as indicated by the date at the end of the Privacy Policy. Where required by applicable laws, we will provide you with notice of material changes to this Privacy Policy.
Information We Collect and the Purposes of Collection
We use information only to provide or improve the Extension's single purpose and user-facing features, including to operate the Extension, prevent and investigate fraud or abuse, ensure security, perform diagnostics, measure performance, and improve user experience. We limit any collection and use of web browsing activity to what is required for these user-facing features. We do not use information for unrelated purposes.
Depending on how you configure and use the Extension, we may process, collect and share "Personal Information" or "Personal Data", as defined under applicable privacy laws, including, without limitation, contact information, online identifiers and information that can reasonably identify you (collectively hereinafter "Personal Data"). Personal Data does not include non-identifiable information collected or generated via your use of the Extension and Services that is not linked or linkable to you and could not be used to identify you, whether directly or indirectly with reference to other information ("Non-Personal Data"), such as technical information about your browser or device (type of browser, device, language preference, country level location, etc.) and other information that we aggregate or de-identify consistent with applicable law.
We may use and disclose Non-Personal Data related to our business and the Services for quality control, analytics, research, development, and other purposes. Some of this information may be considered "de-identified" under U.S. privacy laws (i.e., data that is no longer linked or reasonably linkable to an identified or identifiable consumer). Where we rely on data that has been "de-identified" as defined by U.S. privacy laws, we will: (i) take reasonable measures to ensure that the de-identified information cannot be associated with an individual, household, or device; (ii) commit to maintain and use the information in a de-identified form and not attempt to re-identify the information; and (iii) contractually obligate any further recipient not to re-identify the de-identified data.
The following categories of Personal Data may be processed by us, depending on the Services you receive, strictly consistent with the Extension's single, user-facing purpose of fraud prevention and associated enterprise features, and are set out in the table below. Where the EU General Data Protection Regulation ("GDPR") is relevant to the jurisdiction from which you use the Extension, the applicable legal bases for such processing are also described below. In jurisdictions where consent is the only or primary legal basis for collecting certain data, we collect such data based on your consent. You are not legally required to provide Personal Data, but if you choose not to provide it (or withdraw consent), we may be unable to provide certain features or Services that depend on that data.
Account Data
Data Set: When you log in, create an account, sign in to an organizational account (for example, using a business email) to enable enterprise features, access control, or license checks, or otherwise contact us for an inquiry or support, we will collect basic account and authentication data such as email address(es), full name, username, business email address, credentials, and login and password information.
Purpose of Processing: We process the Account Data for the following purposes:
- Authentication: to enable you to log in or create an account.
- Support: to provide relevant support when you contact us.
- General Inquiries: to respond to your inquiries about the Extension or the Services.
- Security: to promote the security of our Services by tracking the use of our Services, enforcing our terms and policies, investigating, and preventing fraudulent, suspicious or illegal activities.
- Direct Marketing: to send you information about our Services and offerings, which we think may be of interest to you.
- Complying with our legal obligations, including law enforcement requests.
Lawful Basis (GDPR): We process the Account Data for the purpose of logging in, creating an account, organizational sign-in and support, under contract necessity as determined in our Terms of Use. Otherwise, we will process the information based on our legitimate interests. Where required by applicable law, we will obtain your consent prior to sending you any direct marketing. We may also have a legal obligation to collect or otherwise use your Account Data, for example in order to comply with a law enforcement order or other legal obligations.
Communication Data
Data Set: If and when you contact us, voluntarily, the communication may include Personal Data, such as Contact Information as detailed above. We may collect and maintain a record of your contact details, communications, and our responses. We also maintain information you provide to us related to any customer support requests.
Purpose of Processing: Such information will be used solely to communicate with and support you, and will not be shared with any third parties except service providers (as detailed below). We collect the Communication Data to respond to your inquiries. We may use the information for improving and enhancing the Services, promoting the security of our Services, enforcing our terms and policies, investigating, and preventing fraudulent, suspicious or illegal activities, preventing unauthorized access to the Services, complying with judicial proceedings, court orders or legal processes or to respond to lawful requests.
Lawful Basis (GDPR): We process your information under contract necessity and as determined in our Terms of Use for support services. Otherwise, we will process the information based on our legitimate interests that are not overridden by your interests or fundamental rights and freedoms, for example when responding to your inquiry, when necessary for security purposes, to understand, enhance and improve the Services. We may also have a legal obligation to collect or otherwise use your Contact Information, for example in order to comply with a law enforcement order under our legal obligations.
Online Identifiers
Data Set: We may process Internet Protocol (IP) addresses, which are trimmed and hashed (irreversibly encrypted) on a daily basis, and thus are not and cannot be traced back to an individual or used in any way to identify an individual; a globally unique identification number, which is a random number we generate to keep track of the data sets we collect and, if required, enable us to execute your data rights requests as further detailed below; user agent, device ID, etc.
Purpose of Processing: Online Identifiers may be used to promote the security of our Services by tracking the use of our Services to detect abnormal user behavior, for enforcing our terms and policies, investigating, and preventing fraudulent, suspicious or illegal activities, and preventing unauthorized access to the Services. This information may also be used to improve and enhance the Services.
Lawful Basis (GDPR): We process such information on the basis of our legitimate interests to ensure the security of our Services. We have conducted our assessments to ensure that our processing is reasonable and that our interests are not overridden by your interests, fundamental rights or freedoms.
Usage Data
Data Set: When you use our Services we will collect certain telemetry data regarding your interaction with the Services, time spent, features used, logs (i.e., time of access and duration of use), crashes, and analytic data.
Purpose of Processing: We collect your information for the purpose of providing and improving the Services. This information helps us monitor the security and performance of our Services, understand how the Services are used, optimize user engagement and customize and enhance your experience.
Lawful Basis (GDPR): Usage Data is processed based on our legitimate interests that are not overridden by your interests or fundamental rights and freedoms.
Browsing and Activity Data
Data Set: This data includes URL referrer, URLs viewed or visited, pages ads viewed or clicked, ad URL, search engine results page data (keyword, order or index of results, links of results, title, description, and ads displayed).
Purpose of Processing: We use Browsing and Activity Data to provide the Services. We also may use and disclose the Browsing and Activity Data for market intelligence or analytics purposes.
Lawful Basis (GDPR): For the purpose of providing the Services as set forth in the Terms of Use, the Browsing and Activity Data is processed for contract necessity. Otherwise, the secondary use of the de-identified, filtered, anonymized and aggregated Browsing and Activity Data, is carried out based on your consent, where such consent is required by applicable laws.
AI Tool Inputs and Outputs
Data Set: This information includes prompts, queries, content, files, and other inputs that you may enter, upload, transmit, or otherwise submit when using any artificial intelligence (AI) tools made available through the Services, and any results, responses, recommendations, or other outputs that you may receive from such AI tools. We are only interested in the input and output terms or results of your interaction with these AI tools. Considering the nature and general scope of inputs and outputs that are typical to AI tools, sensitive personal data may be inadvertently included in such inputs and, as a result, may be processed in the course of providing the Services. However, the aim of the processing is not the collection of Personal Data or data that could identify you. While we cannot guarantee that all Personal Data is removed, we take steps to remove or filter out identifiers and Personal Data that you may enter or submit to these AI tools.
Purpose of Processing: We use the AI Tool Inputs and Outputs to provide the Services.
Lawful Basis (GDPR): To provide the Services as set forth in the Terms of Use, the AI Tool Inputs and Outputs are processed as necessary for the performance of a contract. Any secondary use of the de-identified, filtered, anonymized, and aggregated AI Tool Inputs and Outputs is carried out based on your consent where such consent is required by applicable law. To the extent that sensitive personal data is inadvertently processed, such data will be processed on the basis of your consent where required by applicable law.
Please note that the actual processing operation per each purpose of use and lawful basis detailed above may differ. Such processing operation usually includes a set of operations made by automated means, such as collection, storage, use, disclosure by transmission, erasure, or destruction.
In addition, we may use certain Personal Data to prevent potentially prohibited or illegal activities, fraud, misappropriation, infringements, identity thefts, and any other misuse of our Services, and to enforce our Terms of Use, agreements and other policies, as well as to protect the security or integrity of our databases and all systems, and to take precautions against legal liability. Such processing is based on our legitimate interests.
How We Collect Personal Data
- Directly from you: Personal Data provided voluntarily by you, when you provide it to us by reaching out or signing in.
- Automatically while using the Extension or Services: Personal Data collected automatically or inferred about you while using the Services such as Usage Data or Online Identifiers.
- From third parties on your or your organization's behalf: Personal Data provided to us by your organization or by parties acting on behalf of your organization (such as the organization's service providers, contractors, or similar third parties).
Cookies and Similar Tracking Technologies
We may use cookies, other similar tracking technologies or technologies used for authentication, session management and security ("Cookies") to gather, store, track and process certain information related to your access and interaction with our Extension. Cookies are very helpful and may be used for a variety of different purposes. The purposes for which we use Cookies include (without limitation) allowing you to navigate between pages more efficiently, enabling the automatic activation of certain features, remembering your preferences, making the interaction between you and our Services quicker and easier, and securing and protecting our Services and preventing fraud.
These Cookies enable core functionality of the service and are necessary for the operation of the Extension. You may disable these by changing your browser settings, but that will affect how the Services function and may cause certain features of the Extension not to work properly.
Please visit www.allaboutcookies.org to learn more about cookies.
Sharing and Transfers
We may disclose Personal Data to the following parties for the following purposes:
- Vendors and Service Providers. We may share Personal Data we collect with our service providers, processors, and vendors acting on our behalf to allow us to provide the Services (for example: cloud hosting providers).
- With your organization (or parties acting on its behalf): If you use the Extension on behalf of, or through an account provided by, an organization that has engaged us, we may share Personal Data about you and your use of the Extension with that organization (and/or parties acting on its behalf). Such sharing and the organization's use of your Personal Data are governed by the organization's own privacy policy and the notices it has provided to you.
- Business Partners. We may also share certain Personal Data as necessary prior to the completion of a transaction or corporate transactions such as financings or restructurings, merger, acquisition transaction, to lenders, auditors, and third-party advisors, including attorneys and consultants, as part of due diligence or as necessary to plan for a transaction.
- Others, as permitted or required by applicable law. We may disclose Personal Data to third parties (authorities, legal representatives, regulators, government entities, and law enforcement) to the extent permitted or required by applicable laws. It may also include certain disclosures that we are required to make. We may disclose your Personal Data when we believe it is appropriate to do so to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person, violations of our Terms of Use, or as evidence in litigation in which we are involved.
Transfers of your Personal Data will be made in accordance with applicable laws. We will take the necessary steps to ensure that international transfers of Personal Data meet all requirements under applicable data protection laws. When Personal Data is transferred outside the country where it was originally collected, we will take the steps necessary (and to the extent required by applicable laws) to ensure that sufficient safeguards are provided for such data during its transfer and processing. Some of the measures implemented to safeguard your Personal Data include ensuring that the recipient is bound by specific contractual clauses approved by relevant data protection authorities to provide adequate protection for Personal Data.
Data Retention Policy and Data Minimization
Unless you instruct us otherwise, we retain the data we collect only for as long as necessary to provide the Services, comply with our legal obligations, and protect the security and integrity of the Extension. We apply data minimization principles by collecting and retaining only the data we genuinely need, and only for the period required. Consistent with this approach, the Extension requests only the narrowest set of permissions necessary to operate its current user-facing features (we do not request permissions for potential future functionality).
Security
We endeavour to use security methods and encryption when handling data (i.e., we handle the user data securely, including by transmitting it via modern cryptography). We have implemented and maintain appropriate technical and organizational security measures, policies and procedures designed to reduce the risk of accidental destruction or loss, or the unlawful or unauthorized destruction, loss, alteration, disclosure or access to your Personal Data. However, we cannot guarantee the security of information transmitted through the internet. As the security of information depends in part on the security of the computer you use to communicate with us and the security you use to protect your user IDs and passwords, please take appropriate measures to protect this information.
Please contact us at privacy@charmsecurity.com if you feel that your privacy was not dealt with properly, in a way that was in breach of our Privacy Policy, or if you become aware of a third party's attempt to gain unauthorized access to any of your Personal Data. We will make a reasonable effort to notify you and the appropriate authorities (if required by applicable law) if we discover a security incident related to your Personal Data.
Privacy Choices
We acknowledge that different people have different privacy concerns and preferences. Our goal is to be clear about what information we collect so that you can make meaningful choices about how it is used. We allow you to exercise certain choices, rights, and controls in connection with your Personal Data. Depending on your relationship with us, your jurisdiction and the applicable data protection laws that apply to your Personal Data, you have the right to control and request certain limitations or rights to be executed.
The principal rights that may apply to your Personal Data (subject to your jurisdiction and additional conditions) may include:
Right to be informed, right to know, and right to a list of specific third parties
You may have the right to be provided with information regarding our Personal Data collection and privacy practices. You may also have the right to receive a list of the specific third parties to which we have disclosed either your Personal Data or any Personal Data. This Privacy Policy also details our Personal Data handling practices.
Access rights, right to inspect your Personal Data
You may have the right to confirm whether we collect Personal Data about you and to know which Personal Data we specifically hold about you, as well as receive a copy of such or access it. If you wish to receive a copy of the Personal Data, contact us at privacy@charmsecurity.com.
Right to correction/rectification
You may have the right to correct inaccuracies in your Personal Data in the event you found it incorrect, outdated, etc. (or otherwise request its deletion), taking into account the nature and purposes of each processing activity. If you wish to exercise this right, please contact us at privacy@charmsecurity.com.
Right to be forgotten, right to deletion
You may have the right to request the deletion of certain Personal Data we process, if specific conditions are satisfied, for example, if you think we no longer need to use it for the purpose we collected it; in the event that the collection was based on your consent; where we have used it unlawfully; or where we are subject to a legal obligation to delete your Personal Data. Deletion requests will be subject to our rights and obligations under applicable law. If you wish to exercise this right, please contact us at privacy@charmsecurity.com.
Right to portability
You may have the right to obtain the Personal Data in a portable, and to the extent technically feasible, readily usable format that allows you to transmit the data to another entity without hindrance. We will select the format in which we provide your copy. If you wish to exercise this right, please contact us at privacy@charmsecurity.com.
Right to withdraw consent. Right to opt out from sale, targeted advertising, and profiling
(i) "sale" of Personal Data; (ii) Targeted advertising; and (iii) Profiling and automated decision making.
Browsing Data: To the extent applicable, you may withdraw your consent and stop the automated collection and/or sharing of certain Personal Data by adjusting your browser or extension settings (including disabling relevant permissions) and/or using the privacy controls made available by the relevant service provider and/or your organization (as applicable, and subject to your organization's policies and configurations). Please note that if you opt out, disable permissions, or otherwise restrict such collection, some or all features of the services you use may no longer be available or may not function properly.
Sale of Personal Data / Targeted Advertising / Profiling: If and to the extent applicable, you have the right to opt out of the sale of your Personal Data. We do not process Personal Data for the purpose of targeted advertising or profiling and automated decision making. We further do not use any Personal Data for automated decision making.
You are also able to install privacy controls in the browser's settings to automatically signal the opt-out preference to all websites you visit (such as the Global Privacy Control).
Right to Object
You may have the right to object to any use of your Personal Data which we have justified by our legitimate interest if you believe your fundamental rights and freedoms to data protection outweigh our legitimate interest.
Right to Restrict Processing
You may have the right to ask us to restrict or limit the purpose for which we process your Personal Data, where certain conditions are satisfied (for example, where you contest the accuracy of the Personal Data, for a period enabling us to verify its accuracy).
Right to appeal or lodge a complaint
If we decline to act on your request, we will inform you without undue delay as required under applicable laws. The notification will include a justification for declining to act and instructions on how you may appeal, if applicable. Within the timeframe set under applicable law as of our receipt of your appeal, we will inform you in writing of any action taken or not taken in response to your appeal, including a written explanation of the reasons for the decisions. If the appeal is denied, you may submit a complaint to the applicable authority.
Where the GDPR applies, you have the right to lodge a complaint with the applicable Data Protection Authority in the EU or the Information Commissioner in the UK.
We will investigate and attempt to resolve complaints and disputes and will make every reasonable effort to respect your wish to exercise your rights as quickly as possible and in any event, within the timescales provided by data protection laws.
Global Privacy Control
Please note that we do not currently respond to or honor "Do Not Track" signals. We do honor legally required browser-based opt out preference signals such as the Global Privacy Control where required under applicable law.
Children
The Extension is intended for business use and not directed to children. We do not knowingly collect Personal Data from children in connection with the Extension.
Contact Us
For questions or concerns regarding this Privacy Policy or our privacy practices, please contact us at:
Email: privacy@charmsecurity.com