bolde. What’s yours stays yours.

Legal

Privacy Policy.

Last updated: 2026-05-13
Scope: Pre-launch site; US customers and visitors only
Entity: Agentic Secure Group Inc., a Delaware C-Corporation, trading as Bolde
Contact: legal@bolde.ai

US-only scope. Bolde currently serves United States customers and visitors only. This policy reflects CCPA/CPRA requirements. We do not intentionally collect data from individuals outside the United States, and we do not offer the Service to persons subject to the GDPR or other non-US data protection laws.

1. Scope and Controller Identity.

This Privacy Policy (“Policy”) describes how Agentic Secure Group Inc., a Delaware corporation doing business as Bolde (“Company,” “we,” “us,” or “our”), collects, uses, discloses, and retains personal information when you visit bolde.ai or interact with any pre-launch property we operate for a United States audience (collectively, the “Site”).

This Policy applies exclusively to the pre-launch marketing site. It does not describe how the eventual Bolde commercial product will handle customer data processed within a customer's own deployment environment. That will be governed by a separate Service Privacy Notice and, where applicable, a Data Processing Agreement published with the commercial product.

By using the Site or subscribing to Bolde Updates, you acknowledge that you have read and understood this Policy.

2. Information We Collect.

We collect the following categories of information:

2.1 Information You Provide.

  • Email address. When you submit the Bolde Updates form, you provide your email address. This is the primary personal identifier we collect. We do not require your name, phone number, company, or any other information to subscribe to Bolde Updates, though you may optionally include additional context in free-text fields if provided. Anything you voluntarily type into such fields is also collected.
  • Referral source. If you arrive via a referral link, we may record which referral code was used in order to credit the referrer. We do not collect the referring person's identity without their own separate consent.

2.2 Information Collected Automatically.

  • Request metadata (for security and rate limiting). When your browser loads a page or submits the Bolde Updates form, our edge infrastructure (Cloudflare Workers) receives standard HTTP request metadata: your IP address, browser user agent string, the time of the request, and the requested URL. We use this information solely to detect and mitigate abuse, enforce rate limits, and protect the integrity of Bolde Updates. IP addresses are hashed before storage in any persistent log and are not linked to your email address in any durable record.
  • Cloudflare Turnstile challenge signals. The Bolde Updates form uses Cloudflare Turnstile for bot detection. Turnstile may analyze browser characteristics and behavioral signals to distinguish human visitors from automated submissions. This analysis occurs within the Cloudflare network and does not create a persistent profile associated with your identity. See the Cloudflare Privacy Policy at cloudflare.com/privacypolicy for details on how Cloudflare processes data.
  • Cookieless aggregate analytics. We use Cloudflare Web Analytics, which does not set cookies, does not use fingerprinting to identify individual users across sessions, and does not build a personal profile. It provides us with aggregate metrics—such as page view counts, referrer domains, and device type distribution—to understand which content resonates. No personal identifier is associated with any analytics record.

2.3 What We Do Not Collect. We do not collect: payment information, biometric data, government identifiers, precise geolocation data, health information, phone numbers, social media handles, advertising identifiers, or any sensitive personal information as defined by the CCPA/CPRA, except as you voluntarily provide it in a free-text field. We do not use tracking pixels, retargeting tags, or advertising network SDKs on the Site.

3. How We Use Your Information.

We use the information we collect for the following purposes and no others:

  • Bolde Updates management. To confirm your subscription, send product progress updates and launch announcements, and invite you to early access, beta, or design-partner programs when they open.
  • Double opt-in confirmation. To send a confirmation email verifying that the submitted email address belongs to you before adding it to our active Bolde Updates list.
  • Security and abuse prevention. To detect, investigate, and mitigate fraud, spam, bot submissions, and other abuse of the Site or Bolde Updates infrastructure.
  • Site improvement. To understand aggregate traffic patterns and content performance in order to improve the Site. This is based entirely on cookieless, non-personal aggregate analytics.
  • Legal compliance. To comply with applicable law, respond to lawful requests from public authorities, enforce our Terms of Service, or protect the rights, property, or safety of the Company, our users, or others.

We do not use your email address or any other personal information for purposes unrelated to the above without obtaining your separate consent.

4. No Sale or Sharing of Personal Data.

The Company does not:

  • sell your personal information to any third party for any price or consideration, now or in the future;
  • share your personal information with third parties for cross-context behavioral advertising;
  • rent, license, or otherwise make your email list available to any third party for their own marketing or promotional purposes;
  • use your personal information to train, fine-tune, or benchmark any AI or machine-learning model, including our own;
  • include you in joint mailings, co-registration programs, or any marketing partnership list without your explicit consent.

Because we do not sell or share personal information in the manner contemplated by the CCPA/CPRA, the “Do Not Sell or Share My Personal Information” right under California law is satisfied as a default—there is nothing to opt out of.

5. Disclosure to Third Parties.

We disclose personal information only in the following limited circumstances:

5.1 Service Providers (Processors). We engage a small number of third-party service providers that process personal information on our behalf, under our instructions, and subject to confidentiality obligations consistent with this Policy. As of the date of this Policy, those providers are:

  • Cloudflare, Inc. — We use Cloudflare for hosting (Workers and Pages), edge infrastructure, D1 database (Bolde Updates storage), Turnstile (bot detection), and Web Analytics. Cloudflare processes request metadata as a processor on our behalf. Cloudflare is headquartered in San Francisco, CA. Cloudflare's privacy policy is available at cloudflare.com/privacypolicy.
  • Transactional email provider. We use a third-party email delivery provider to send Bolde Updates confirmation messages and product updates. The provider's identity will be listed in the footer of any email we send to you. We do not authorize our email provider to use your address for its own marketing.

We will update this list when we add or change material service providers.

5.2 Legal and Safety Disclosures. We may disclose personal information when we believe in good faith that disclosure is necessary to: (a) comply with a valid legal obligation, court order, or government request; (b) enforce our Terms of Service; (c) protect the rights, property, or safety of the Company, our users, or the public; or (d) detect, prevent, or address fraud, security, or technical issues.

5.3 Business Transfers. If the Company undergoes a merger, acquisition, asset sale, reorganization, or similar corporate transaction, personal information we hold may be transferred as part of that transaction. We will provide notice of any such transfer and of any resulting material change to this Policy before personal information becomes subject to different privacy practices, and your continued use of the Service will constitute consent to such practices to the extent permitted by applicable law.

5.4 Aggregate and De-identified Data. We may disclose aggregate or de-identified information that cannot reasonably be used to identify you, without restriction and without notice.

6. Cookies and Tracking Technologies.

The Site does not use tracking cookies. Specifically:

  • We do not set first-party or third-party advertising cookies.
  • We do not use session-replay tools, heatmap tracking services, or user session recording.
  • Cloudflare Web Analytics is cookieless and does not use local storage or fingerprinting to re-identify you across sessions.
  • Cloudflare may set a limited number of technical or security cookies as part of its infrastructure services (e.g., for DDoS protection). These are not used for advertising and are governed by Cloudflare's own privacy practices.

Because we do not use tracking cookies, a cookie opt-out mechanism is not required. If Cloudflare's infrastructure sets any functional cookies on your device, you may delete them through your browser settings without affecting your ability to use the Site.

7. Data Retention.

We retain personal information for no longer than necessary for the purposes described in this Policy:

  • Bolde Updates email addresses are retained from the date of submission until the earlier of: (a) your request for deletion; (b) the date on which the Bolde commercial product achieves general availability, plus one (1) year thereafter to allow for residual communications and legal compliance; or (c) such shorter period as required by applicable law. After the retention period, email addresses are permanently deleted from our active systems. We maintain a suppression list of deleted addresses to honor your opt-out and prevent re-subscription from automated sources, but this list contains only a hashed token, not the address itself.
  • Hashed IP addresses and rate-limit records are retained for up to thirty (30) days for security and abuse-prevention purposes, after which they are automatically purged.
  • Aggregate analytics data has no personal record to retain and may be kept indefinitely.
  • Legal and compliance records may be retained for up to seven (7) years or as required by applicable law, even after deletion of your personal record, in a form that does not permit identification of you.

8. Security.

The Company implements and maintains commercially reasonable technical and organizational measures designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These measures include:

  • all traffic served exclusively over TLS (HTTPS) with modern cipher suites;
  • Bolde Updates data stored in Cloudflare D1, which is not accessible from the public internet;
  • rate limiting and bot-mitigation controls on all form submission endpoints;
  • least-privilege access controls for personnel who can query the Bolde Updates database;
  • hashing of IP addresses before any persistent storage;
  • single-use, time-limited tokens for email verification links.

No security measure is absolute. The Company does not warrant that the Site or its infrastructure is free from vulnerabilities or that personal information will never be accessed by unauthorized parties. In the event of a data breach affecting your personal information, we will notify you as required by applicable law.

If you discover a security vulnerability, please report it responsibly to legal@bolde.ai rather than publicly disclosing it before coordination.

9. Your Privacy Rights (CCPA/CPRA).

If you are a California resident, the California Consumer Privacy Act (as amended by the California Privacy Rights Act) grants you the following rights with respect to your personal information. These rights apply to the personal information we hold about you as described in this Policy.

9.1 Right to Know. You have the right to request that we disclose: (a) the categories of personal information we have collected about you; (b) the categories of sources from which it was collected; (c) our business or commercial purpose for collecting it; (d) the categories of third parties with whom we share it; and (e) the specific pieces of personal information we have collected about you. We will respond to verified requests within forty-five (45) days, extendable by an additional forty-five (45) days with notice.

9.2 Right to Delete. You have the right to request deletion of personal information we have collected from you, subject to certain exceptions (e.g., where retention is required to complete a transaction you requested, to detect security incidents, to comply with a legal obligation, or for other legitimate internal uses). We will confirm receipt and process verified deletion requests within forty-five (45) days.

9.3 Right to Correct. You have the right to request correction of inaccurate personal information we hold about you. We will correct verified inaccuracies within forty-five (45) days.

9.4 Right to Opt Out of Sale or Sharing. You have the right to direct us not to sell or share your personal information. As described in Section 4, we do not sell or share personal information. This right is therefore satisfied by default; no opt-out action is required.

9.5 Right to Limit Use of Sensitive Personal Information. We do not collect or use sensitive personal information (as defined by the CPRA) beyond what is necessary to perform the services you request. This right does not require any action on your part.

9.6 Right to Non-Discrimination. We will not discriminate against you for exercising any of your privacy rights. You will not receive a different price, service level, or quality of service as a result of exercising these rights.

9.7 Exercising Your Rights. To submit a verifiable consumer request, contact us by any of the methods listed in Section 11. We may ask you to verify your identity before processing your request. We will not fulfill requests from agents acting on your behalf unless you have authorized the agent in writing or provided a valid power of attorney under California law.

9.8 Shine the Light. California Civil Code § 1798.83 permits California residents to request information about the sharing of personal information with third parties for their direct marketing purposes. Because we do not share personal information for third-party direct marketing, no disclosure is required under this provision.

10. Other User Rights (All US Visitors).

Regardless of your state of residence, you may:

  • Unsubscribe from any marketing email by clicking the unsubscribe link in any email we send. Transactional messages (such as the Bolde Updates confirmation) may still be sent until you request full deletion of your record.
  • Request deletion of your Bolde Updates record at any time by contacting legal@bolde.ai with your email address and the subject line “Delete My Data.”
  • Request a copy of the personal information we hold about you by contacting us at the same address.

We aim to fulfill all non-CCPA deletion and access requests within thirty (30) days.

11. Contact and Data Subject Requests.

For all privacy-related questions, data subject requests, or to exercise any right described in this Policy, contact us at:

  • Email: legal@bolde.ai — include “Privacy Request” in the subject line
  • Entity: Agentic Secure Group Inc., a Delaware corporation, trading as Bolde

We will acknowledge receipt of all requests within five (5) business days and provide a substantive response within the timeframes required by applicable law (generally forty-five (45) days for CCPA requests, or thirty (30) days for non-CCPA requests).

For suspected security vulnerabilities, do not submit them through a public channel. Email legal@bolde.ai with “Security Disclosure” in the subject line, and we will coordinate a response confidentially.

12. Children's Privacy.

The Site is intended for business professionals and is not directed to children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected information from a minor, please contact us at legal@bolde.ai and we will delete it promptly.

13. Third-Party Links.

The Site may contain links to third-party websites, social media platforms, or services. This Policy does not apply to those properties. We are not responsible for the privacy practices of third parties, and we encourage you to read their privacy policies before providing any information.

14. Changes to This Policy.

We may update this Policy from time to time. If we make material changes, we will: (a) update the “Last updated” date at the top of this page; (b) post a prominent notice on the Site; and (c) where feasible, send an email to Bolde Updates subscribers before the change takes effect. Non-material changes (such as clarifications or typographical corrections) will be effective upon posting.

Your continued use of the Site after the effective date of any change constitutes acceptance of the updated Policy. If you do not agree, you may request deletion of your record under Section 10 at any time.

15. Governing Law.

This Policy and any disputes arising out of or related to your rights under it are governed by the laws of the State of Delaware, United States, consistent with the Terms of Service. Nothing in this Policy limits rights that applicable law grants and that cannot be waived by contract.

Privacy questions?

To exercise any right described in this policy, or to ask a question about how your data is handled, email legal@bolde.ai.


© 2026 Agentic Secure Group Inc. All rights reserved.

Delaware C-Corporation · United States