GEOCAST.AI

Data Processing Addendum

Version: v4
Effective: April 27, 2026
Legal Entity: Geocast AI, Inc.
Jurisdiction: Delaware

§ 00

How this DPA works

This Data Processing Addendum (the "DPA") forms part of, and is incorporated into, the Geocast Operator Terms of Service available at geocast.ai/legal/operator-terms (the "Agreement"). The DPA governs Geocast's processing of personal data on behalf of operators in connection with the Geocast service.

Auto-execution. This DPA is incorporated by reference into the Agreement. When you accept the Agreement, you accept this DPA. No separate signature is required for the DPA to be binding between you and Geocast.

Countersigned version available on request. If your internal compliance program requires a signed paper or electronic version of the DPA for your records, you may request one at legal@geocast.ai. Geocast will provide a countersigning-ready version that is substantively identical to this published version. The countersigned document does not modify the rights and obligations described here; it provides an executed copy for your records.

Non-negotiable. This DPA is published as standing terms applicable to all operators. Geocast does not modify the DPA on a per-operator basis. Operators with substantive DPA modification requirements should contact Geocast at legal@geocast.ai to discuss whether enterprise terms are appropriate for their situation.

In the event of any conflict between this DPA, the Agreement, the Privacy Policy, and any annexes, the order of precedence is: SCCs (where applicable), this DPA, the Agreement, the Privacy Policy, the annexes.

The annexes are descriptive and supportive; the operative terms are in the body of the DPA and the Agreement.

§ 01

Definitions

Capitalized terms used but not defined in this DPA have the meanings given in the Agreement or in the applicable data protection law. The following definitions apply for purposes of this DPA:

  • "Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of personal data under the Agreement, including: the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"); the United Kingdom General Data Protection Regulation as incorporated into UK law by the Data Protection Act 2018 ("UK GDPR"); the Swiss Federal Act on Data Protection ("revFADP"); the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"); the Virginia Consumer Data Protection Act ("VCDPA"); the Colorado Privacy Act ("CPA"); the Connecticut Data Privacy Act ("CTDPA"); the Utah Consumer Privacy Act ("UCPA"); the Texas Data Privacy and Security Act ("TDPSA"); the Oregon Consumer Privacy Act ("OCPA"); and any other state, federal, or international privacy and data protection laws applicable to the processing of personal data under the Agreement.
  • "Controller" has the meaning given in GDPR Article 4(7) and includes the equivalent term "business" under CCPA/CPRA.
  • "Data Subject" has the meaning given in GDPR Article 4(1) and includes the equivalent term "consumer" under US state privacy laws.
  • "EU SCCs" means the Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, currently available at the European Commission's website.
  • "Operator Personal Data" means personal data processed by Geocast on behalf of the Operator in connection with the service, including the personal data of the Operator's guests, the Operator's team members, and other natural persons whose personal data is processed through the Operator's use of the service.
  • "Personal Data" has the meaning given in GDPR Article 4(1) and includes "personal information" as defined under CCPA/CPRA and US state privacy laws.
  • "Personal Data Breach" has the meaning given in GDPR Article 4(12).
  • "Processor" has the meaning given in GDPR Article 4(8) and includes the equivalent term "service provider" under CCPA/CPRA.
  • "Standard Contractual Clauses" or "SCCs" means the EU SCCs, as supplemented by the UK Addendum and the Swiss Addendum where applicable.
  • "Sub-processor" means any third party engaged by Geocast to process Operator Personal Data.
  • "Supervisory Authority" has the meaning given in GDPR Article 4(21) and includes equivalent regulatory authorities under other Applicable Data Protection Law.
  • "Swiss Addendum" means the addendum to the EU SCCs adopted by the Swiss Federal Data Protection and Information Commissioner for transfers governed by the revFADP.
  • "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office for transfers governed by UK GDPR.
§ 02

Scope and roles

2.1 Scope

This DPA applies to Geocast's processing of Operator Personal Data on behalf of the Operator in connection with the service. It supplements but does not replace the privacy commitments in the Geocast Privacy Policy at geocast.ai/legal/privacy.

2.2 Roles

For Operator Personal Data processed by Geocast on behalf of the Operator:

  • The Operator is the Controller. The Operator determines the purposes and means of processing in connection with their use of the service, including which experiences they run at their property and which guest interactions they enable.
  • Geocast is the Processor. Geocast processes Operator Personal Data on behalf of the Operator and according to the Operator's documented instructions, which are reflected in the Operator's configuration of the service and in the Agreement.

For Operator personal data that Geocast collects and uses for its own purposes (account administration, billing, security, service improvement, fraud prevention), Geocast is the Controller. Such processing is governed by the Privacy Policy, not by this DPA.

2.3 Operator obligations as Controller

The Operator represents and warrants that:

  • The Operator has provided all notices and obtained all consents, authorizations, and other legal bases required under Applicable Data Protection Law to enable Geocast to process Operator Personal Data as described in the Agreement and this DPA
  • The Operator's instructions to Geocast comply with Applicable Data Protection Law
  • The Operator has the right to disclose Operator Personal Data to Geocast and to authorize Geocast's processing as described in this DPA
  • The Operator will respond to data subject requests routed to the Operator and will provide Geocast with reasonable assistance where Geocast cannot fulfill a request without Operator action

2.4 CPRA Service Provider terms

This Section 2.4 applies where the Operator is a "business" and Geocast is a "service provider" or "contractor" (as those terms are defined under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, "CCPA/CPRA"), and applies notwithstanding any contrary provision elsewhere in this DPA or the Agreement. Geocast represents, warrants, and certifies the following with respect to personal information of California consumers processed under the Agreement:

  • No sale of personal information. Geocast will not sell personal information of California consumers to any party. "Sell" has the meaning given in CCPA/CPRA.
  • No sharing of personal information. Geocast will not share personal information of California consumers with any party for cross-context behavioral advertising. "Share" has the meaning given in CCPA/CPRA.
  • Limited retention, use, and disclosure. Geocast will not retain, use, or disclose personal information of California consumers for any purpose other than for the specific business purposes described in the Agreement and this DPA, including the purposes set out in CCPA Regulation 11 CCR § 7050(a). Geocast will not retain, use, or disclose personal information outside of the direct business relationship between Geocast and the Operator.
  • No combining with outside personal information. Geocast will not combine personal information received from the Operator with personal information received from or on behalf of other persons, or collected from Geocast's own interactions with consumers, except as expressly permitted under CCPA Regulation 11 CCR § 7050(b) (which permits limited combination to perform a business purpose, to detect security incidents, or to comply with law).
  • Notification of inability to comply. If Geocast determines that it can no longer meet its obligations under CCPA/CPRA with respect to personal information of California consumers, Geocast will notify the Operator promptly in writing.
  • Operator's right to take action. The Operator has the right, upon reasonable notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of personal information of California consumers by Geocast or its Sub-processors.
  • Cooperation with consumer requests. Geocast will provide reasonable cooperation and assistance to enable the Operator to fulfill its obligations to respond to verified consumer requests under CCPA/CPRA, including requests to know, delete, correct, opt out of sale or sharing, and limit the use of sensitive personal information.
  • Sub-processor flow-down. Geocast will engage Sub-processors only under written contracts that impose obligations on the Sub-processor that are no less protective than those set out in this Section 2.4 with respect to personal information of California consumers.
  • Audit rights. The Operator's audit rights under Section 06 of this DPA include the right to take reasonable and appropriate steps to ensure that Geocast uses personal information of California consumers in a manner consistent with the Operator's obligations under CCPA/CPRA.

The provisions of this Section 2.4 are intended to satisfy the contractual requirements of CCPA Section 1798.140(ag), CCPA Section 1798.100(d), and the implementing regulations at 11 CCR § 7050 et seq. Where the requirements of CCPA/CPRA evolve, this Section 2.4 will be interpreted to comply with the then-current requirements.

Geocast certifies that it understands the restrictions in this Section 2.4 and will comply with them.

§ 03

Geocast's processing obligations

3.1 Documented instructions

Geocast processes Operator Personal Data only on documented instructions from the Operator. The Operator's instructions are set out in:

  • The Agreement
  • This DPA
  • The Operator's configuration of the service in the admin app
  • Any additional written instructions the Operator provides to Geocast that Geocast accepts in writing

Geocast will inform the Operator if, in Geocast's opinion, an instruction infringes Applicable Data Protection Law.

3.2 Purpose limitation

Geocast processes Operator Personal Data only for the purposes described in the Agreement, the Privacy Policy, and this DPA, and only for the duration of the Agreement plus any wind-down and retention periods described in the Agreement Section 11.4 and the Privacy Policy.

3.3 AI training prohibition and AI pipeline operation

Geocast does not use Operator Personal Data, Operator Content, or guest personal data to train, fine-tune, retrain, distill, or otherwise improve any general-purpose, foundation, or pre-trained AI model, whether owned by Geocast or by a Sub-processor.

This prohibition applies to:

  • All Operator Personal Data, including the personal data of the Operator's team members, billing contacts, voice subjects, and guests
  • All Operator Content (uploaded photographs, archival materials, drafted stories before publication, internal notes, configuration data, communications with Geocast)
  • All guest personal data, including device identifiers, session tokens, story interaction data, location data, beacon proximity events, ratings, and feedback
  • All audio content, voice samples, and voice models

Operator Personal Data is not included in any training corpus, fine-tuning dataset, evaluation dataset, prompt-tuning dataset, or other dataset used to modify the parameters or capabilities of any AI model. Operator Personal Data is not shared with Sub-processors (including Anthropic, ElevenLabs, and other AI providers) for any purpose other than the per-session inference operations described below.

How Operator Personal Data interacts with the AI pipeline

During an active service session, the AI tools used in the service (the Story Writing Agent, the Property Research Agent, the Imagery Agent, Geocast AI, the Story Interviewer, and others) may include Operator Content and other Operator Personal Data in the prompt context sent to a Sub-processor's model inference endpoint. This is necessary to generate content responsive to the Operator's request. Geocast operates this pipeline under the following commitments:

  • Zero-retention sub-processor calls. API calls to AI Sub-processors (Anthropic, ElevenLabs, and others) are configured to use zero-data-retention endpoints where the Sub-processor offers them. Inputs and outputs are not retained by the Sub-processor beyond the lifecycle of the request, are not used to improve the Sub-processor's models, and are not logged for purposes other than abuse monitoring required by law.
  • No customer-specific or per-Operator model training. Geocast does not maintain customer-specific models trained on a single Operator's data. Geocast does not maintain per-Operator fine-tuned models trained on Operator Personal Data.
  • No Retrieval-Augmented Generation across Operator boundaries. Where Geocast uses retrieval to enrich prompt context, the retrieval scope is limited to the Operator's own content for that Operator's sessions. Operator A's content is never retrieved to enrich Operator B's prompts.
  • Prompt caching. Where prompt caching is used to reduce inference latency or cost, caches are scoped per-Operator and are subject to the same retention, security, and deletion commitments as other Operator Personal Data.
  • Output handling. Generated Content (as defined in the Agreement Section 4.3) produced by the AI tools is owned by Geocast under the Agreement and is retained per the retention schedule in this DPA and the Privacy Policy. Generated Content is not provided as input to Sub-processor model training.

Narrow operational exception

Geocast may use aggregated, anonymized statistical analysis derived from service usage to improve service operation (for example, tuning beacon proximity detection, refining recommendation logic, or identifying bugs through operational telemetry). This exception is bounded as follows:

  • The analysis operates on aggregated, anonymized data that has been processed such that re-identification is not reasonably likely, considering all means reasonably likely to be used to attempt re-identification (consistent with the standard in GDPR Recital 26), applying privacy-engineering techniques including the removal of direct identifiers, the removal or generalization of quasi-identifiers, aggregation thresholds, and granularity limits
  • The analysis does not produce any model that is shared with Sub-processors or used outside Geocast's service operation
  • The analysis does not generate content for any other Operator's property
  • The aggregate signals never identify any individual data subject

The Privacy Policy at geocast.ai/legal/privacy describes these commitments in additional context for non-contractual reference. In any conflict between the Privacy Policy and this Section 3.3, this Section 3.3 controls.

3.4 Confidentiality of personnel

Geocast ensures that personnel authorized to process Operator Personal Data are bound by confidentiality obligations, whether by contract or by statutory duty.

3.5 Security

Geocast implements appropriate technical and organizational measures to protect Operator Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. The current technical and organizational measures are described in Annex II.

The Operator acknowledges that the security measures in Annex II are appropriate to the nature of the Operator Personal Data and the risks to data subjects, and that Geocast may update the measures from time to time provided that the level of security is not materially decreased.

3.6 Data subject rights assistance

Taking into account the nature of the processing, Geocast assists the Operator by appropriate technical and organizational measures, insofar as possible, in fulfilling the Operator's obligation to respond to requests from data subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction of processing, data portability, objection to processing, and rights related to automated decision-making).

If a data subject contacts Geocast directly with a request relating to Operator Personal Data, Geocast will:

  • Notify the Operator of the request within three (3) business days of Geocast's receipt of the request, with sufficient detail for the Operator to identify the relevant data subject and the nature of the request
  • Where lawful and practical, direct the data subject to the Operator as the appropriate party to fulfill the request
  • Not respond substantively to the request on behalf of the Operator without the Operator's authorization, except where Geocast can fulfill the request directly without compromising the Operator's interests or violating Applicable Data Protection Law (in which case Geocast may do so, with notice to the Operator)
  • Provide the Operator with reasonable assistance in responding to the request, including providing access to or copies of the relevant Operator Personal Data within Geocast's systems, in a structured, commonly used, and machine-readable format

The three-business-day notification SLA applies to requests Geocast receives directly from data subjects. Requests routed through the Operator are governed by the Operator's own response timelines under Applicable Data Protection Law.

3.7 Assistance with data protection compliance

Geocast assists the Operator, taking into account the nature of the processing and the information available to Geocast, in complying with the Operator's obligations under GDPR Articles 32 to 36 and equivalent provisions of other Applicable Data Protection Law, including:

  • Security of processing
  • Personal data breach notification
  • Data protection impact assessments
  • Prior consultation with supervisory authorities

3.8 Personal Data Breach notification

Geocast notifies the Operator of any Personal Data Breach affecting Operator Personal Data without undue delay and in any event within 72 hours after Geocast becomes aware of the breach.

For purposes of this Section 3.8, Geocast "becomes aware" of a Personal Data Breach when Geocast has confirmed, after reasonable investigation, that a Personal Data Breach has occurred. An automated security alert, an unconfirmed report, or a suspected anomaly that has not yet been investigated does not by itself constitute awareness. Geocast will conduct any necessary investigation expeditiously and in good faith, and will not extend the investigation period to delay notification.

Notification will be sent to the Operator's billing contact email address and via a banner in the admin app, and will include, to the extent available:

  • The nature of the breach, including the categories and approximate number of data subjects affected and the categories and approximate number of records affected
  • The name and contact information of Geocast's data protection point of contact
  • The likely consequences of the breach
  • The measures Geocast has taken or proposes to take to address the breach and to mitigate its possible adverse effects

Where the information cannot be provided at the same time, Geocast will provide it in phases without undue delay.

Geocast's Personal Data Breach notification obligation is in addition to any direct notification obligation Geocast may have to data subjects under Applicable Data Protection Law, including under GDPR Article 34 and equivalent state law provisions.

3.9 Records of processing

Geocast maintains records of processing activities under its responsibility as required by GDPR Article 30(2) and equivalent provisions of other Applicable Data Protection Law. These records are available to the Operator and to Supervisory Authorities on request.

§ 04

Sub-processors

4.1 General authorization to engage Sub-processors

The Operator provides general written authorization for Geocast to engage Sub-processors to process Operator Personal Data, subject to the conditions in this Section 04.

4.2 Sub-processor obligations

Geocast enters into a written contract with each Sub-processor that imposes data protection obligations on the Sub-processor that are no less protective than those in this DPA, including obligations relating to security, confidentiality, sub-processor engagement, data subject rights, breach notification, and audit rights, where applicable. Geocast remains liable to the Operator for the acts and omissions of its Sub-processors.

For Sub-processors that handle Operator Personal Data in a substantive way (referred to as "critical data-handling Sub-processors," including Geocast's hosting providers, AI inference providers, payment processors, and other Sub-processors with direct access to Operator Personal Data at scale), Geocast obtains and reviews the Sub-processor's most recent third-party security attestation (such as a SOC 2 Type II report, ISO 27001 certification, or equivalent independent assessment) before onboarding the Sub-processor and at least annually thereafter for so long as the Sub-processor continues to handle Operator Personal Data. Where a critical data-handling Sub-processor does not produce a recognized third-party attestation, Geocast performs an equivalent diligence review based on the Sub-processor's published security documentation, contractual commitments, and operational track record.

Geocast retains records of these reviews and makes summary information available to Operators on request, subject to confidentiality obligations Geocast owes to its Sub-processors.

4.3 Sub-processor list

The current list of Sub-processors is published at geocast.ai/legal/sub-processors and is incorporated into this DPA by reference. The list is updated as Sub-processors change.

4.4 Notice and right of objection

When Geocast adds or replaces a Sub-processor that handles Operator Personal Data, Geocast provides at least 30 days' advance notice via a banner in the admin app and by updating the Sub-processor page at geocast.ai/legal/sub-processors. Operators who wish to receive Sub-processor changes by email can subscribe to the Sub-processor change feed from the admin app. The Operator has the right to object to a Sub-processor change during the 30-day notice period (measured from the banner posting and the Sub-processor page update) on reasonable data protection grounds.

If the Operator objects and Geocast cannot reasonably accommodate the objection, the Operator may terminate the affected portion of the service without penalty. Upon such termination:

  • Geocast will refund the Operator a pro-rated amount of fees paid for the unused portion of the current billing term, calculated as the fees paid multiplied by the percentage of the billing term remaining as of the termination effective date
  • The refund will be credited to the Operator's payment method or, at the Operator's election, issued as a credit against future invoices, within 30 days of the termination effective date
  • The Operator's wind-down rights under Section 07 of this DPA and Section 11.4 of the Agreement apply

This refund mechanism is incorporated into this DPA directly and is not contingent on the Agreement's separate provisions; the Operator's right to terminate and receive a pro-rated refund for an unaccommodated Sub-processor objection is binding under the DPA. Section 6.4 of the Agreement is consistent with this Section 4.4; in the event of any conflict, the more protective provision for the Operator controls.

4.5 Operational categories

Changes within operational Sub-processor categories described in the Privacy Policy (application monitoring, web analytics, customer support tooling, DNS/security/CDN edge services) do not trigger the advance-notice obligation if the change does not materially expand the categories of personal data processed or the regions of processing.

4.6 Routine changes

Changes that do not affect the categories of personal data processed, the purposes of processing, or the regions of processing (such as a Sub-processor renaming itself, restructuring corporate ownership, or moving offices within the same region) are reflected on the Sub-processor page without separate notification.

§ 05

International data transfers

5.1 General

Geocast may transfer Operator Personal Data to countries outside the country of origin in connection with providing the service, including transfers to the United States and other regions where Geocast's Sub-processors operate. All such transfers comply with Applicable Data Protection Law.

5.2 EU and EEA transfers (GDPR)

Where Geocast transfers Operator Personal Data from the European Economic Area to a country that has not been the subject of an adequacy decision under GDPR Article 45, the EU SCCs (Module 2, Controller to Processor) apply and are incorporated into this DPA by reference.

For purposes of the EU SCCs:

  • The Operator is the data exporter and Geocast is the data importer
  • Clause 7 (docking) is included
  • Clause 9, Option 2 (general authorization for Sub-processor engagement) applies, with notice as described in Section 4.4
  • Clause 11 does not include the optional independent dispute resolution mechanism
  • Clause 17 (governing law): the law of Ireland applies
  • Clause 18 (forum and jurisdiction): the courts of Ireland have jurisdiction
  • Annex I, Annex II, and Annex III to the EU SCCs are populated as set out in the annexes to this DPA

5.3 UK transfers (UK GDPR)

Where Geocast transfers Operator Personal Data from the United Kingdom to a country that has not been the subject of an adequacy regulation under UK GDPR, the UK Addendum applies and is incorporated into this DPA by reference. The UK Addendum modifies the EU SCCs as set out in the UK Addendum's Mandatory Clauses.

For purposes of the UK Addendum:

  • Table 1 (Parties): completed using the same party information as the EU SCCs annexes
  • Table 2 (Selected SCCs): EU SCCs Module 2 with the options selected in Section 5.2
  • Table 3 (Appendix Information): completed using Annexes I, II, and III to this DPA
  • Table 4 (Ending the Addendum): neither party may end the Addendum when the Approved Addendum changes, except as provided in the Mandatory Clauses

5.4 Swiss transfers (revFADP)

Where Geocast transfers Operator Personal Data from Switzerland to a country that has not been recognized as providing an adequate level of data protection under the revFADP, the Swiss Addendum applies and is incorporated into this DPA by reference. The Swiss Addendum modifies the EU SCCs as appropriate to address the requirements of the revFADP, including by extending the protections to legal persons where applicable under Swiss law and by adjusting references to Supervisory Authority to refer to the Swiss Federal Data Protection and Information Commissioner.

5.5 Other jurisdictions

For transfers from Canada, Brazil, Australia, or other jurisdictions with international transfer rules, Geocast relies on adequacy decisions, contractual safeguards, or other lawful mechanisms as required by the applicable law.

5.6 Supplementary measures

In addition to the SCCs, Geocast implements supplementary measures appropriate to the nature of the transfer and the destination country's legal regime, including encryption in transit and at rest, access controls, and contractual restrictions on Sub-processor disclosure to government authorities. The current supplementary measures are described in Annex II.

5.7 Government access requests

Geocast maintains and follows internal policies designed to protect Operator Personal Data from unwarranted government access requests. Specifically:

  • Scrutinize and challenge. Geocast scrutinizes every government request for Operator Personal Data for legal validity, scope, and proportionality. Geocast will challenge requests that Geocast determines are overbroad, lack legal basis, or are otherwise improper, including by engaging counsel to file motions to quash or modify the request where appropriate.
  • Redirect to the Operator. Where a government agency requests Operator Personal Data from Geocast, Geocast will, where lawfully permitted, direct the agency to request the data directly from the Operator, on the basis that the Operator is the controller of the data and is the appropriate party to receive and respond to such requests.
  • Notify the Operator. Geocast will notify the Operator of any government request affecting Operator Personal Data without undue delay where lawfully permitted to do so. Notification will provide the Operator with sufficient information to assess the request and to seek any legal remedies the Operator wishes to pursue.
  • Challenge gag orders. Where a government request includes a gag order or other legal restriction prohibiting Geocast from notifying the Operator, Geocast will challenge the gag order or restriction where Geocast has a good-faith basis to do so, including by seeking judicial review of the restriction. Geocast will notify the Operator at the earliest moment that lawful notification becomes permissible.
  • Minimum compliance. Where Geocast must comply with a valid and unchallengeable government request, Geocast will produce only the minimum personal data necessary to comply, will preserve a record of the request and the production for the Operator's later review, and will not retain produced data beyond the period necessary to comply.

These commitments apply to government requests from any jurisdiction and are intended to provide protections at least equivalent to those expected of major privacy-forward providers serving regulated industries.

§ 06

Audit rights

6.1 Information available

Geocast makes available to the Operator information necessary to demonstrate compliance with this DPA, including the technical and organizational measures in Annex II, the Sub-processor list at geocast.ai/legal/sub-processors, and any audit reports or certifications Geocast has obtained from third parties.

6.2 Audit right

The Operator may audit Geocast's compliance with this DPA at the Operator's expense and on at least 30 days' written notice, no more than once per 12-month period (except where Geocast has experienced a Personal Data Breach affecting the Operator's data, in which case the Operator may audit immediately following the breach response). Audits are conducted during normal business hours, do not unreasonably interfere with Geocast's operations, and are subject to confidentiality obligations.

6.3 Third-party auditor

The Operator may, at the Operator's expense, engage an independent third-party auditor to conduct the audit on the Operator's behalf, provided that the auditor is bound by confidentiality obligations no less protective than those in the Agreement and is reasonably acceptable to Geocast (Geocast will not unreasonably withhold acceptance).

6.4 Reliance on existing reports

To minimize duplication of audit effort and protect the security of Geocast's systems, the Operator agrees to first review any third-party audit reports, security certifications, or compliance attestations Geocast has obtained (such as SOC 2 Type II reports, ISO 27001 certifications, or similar) before requesting an on-site audit. If the existing reports satisfy the Operator's audit requirements, the Operator may rely on them in lieu of conducting an independent audit.

6.5 Limitations

The audit right does not extend to:

  • Information that would compromise the security of Geocast's systems or other operators' data
  • Geocast's commercially sensitive financial or operational information
  • Personal data of Geocast personnel or other operators

§ 07

Return or deletion of personal data

7.1 Termination

Upon termination or expiration of the Agreement, Geocast handles Operator Personal Data in accordance with the Agreement Section 11.4 and the Privacy Policy:

  • During the 90-day wind-down period, Operator Personal Data remains accessible in read-only mode and Geocast provides export tooling
  • After the wind-down period, Geocast initiates the deletion process for Operator Personal Data from production systems and aims to complete deletion within 30 days
  • Backup copies may be retained for up to 12 months for legal hold and disaster recovery, after which they are deleted in the ordinary backup rotation

Export formats

During the wind-down period, Geocast provides export tooling that produces Operator Personal Data and Operator Content in the following formats, at no additional charge:

  • Structured data (account information, configuration, story metadata, guide structures, experience definitions, ratings, interaction data summaries, billing records): JSON, formatted per a published schema available to the Operator on request
  • Long-form text content (drafted stories, narrative content, internal notes, written publications): Markdown (.md) and plain text (.txt), one file per content unit, with metadata in accompanying JSON files
  • Audio content (voice narration outputs, audio renderings of stories, voice cloning sample inputs and resulting voice models): MP3 and WAV at the original encoded quality, with accompanying JSON manifest mapping each audio file to the story or asset it represents
  • Imagery (procedural SVG Hero Scenes, hero imagery, raster uploads): SVG for procedurally generated content, original-format raster (PNG, JPEG, etc.) for uploaded imagery
  • Aggregate analytics (interaction data, engagement statistics): CSV, with column headers documented in an accompanying README

For each export, Geocast provides a manifest file in JSON listing every exported file with its content type, source category, and any cross-references to other exported files. Exports are provided as a single downloadable archive (ZIP) or, for very large datasets, as a series of archives indexed by the manifest. The Operator may request a specific subset of categories rather than a full export.

Where the Operator requires a format not listed above for compatibility with the Operator's own systems, Geocast will reasonably accommodate the request to the extent feasible, on a best-effort basis.

7.2 Operator right to deletion or return

At any time during the term of the Agreement and during the wind-down period, the Operator may request that Geocast return Operator Personal Data to the Operator in a structured, commonly used, and machine-readable format, or that Geocast delete specific Operator Personal Data subject to legal hold and other lawful retention requirements.

7.3 Certification of deletion

Upon written request, Geocast provides written certification of deletion of Operator Personal Data following the wind-down period.

7.4 Statutory retention

Where Applicable Data Protection Law requires Geocast to retain Operator Personal Data beyond the deletion timelines (for example, for tax or audit purposes), Geocast retains only the minimum data necessary for the required period and continues to apply the security and confidentiality protections of this DPA to the retained data.

§ 08

Liability

8.1 General

The liability allocations in the Agreement Section 10 (Limitation of Liability) apply to claims under this DPA, except as modified by this Section 08 and except where Applicable Data Protection Law requires otherwise.

For claims arising from Geocast's breach of this DPA that result in unauthorized access to, disclosure of, loss of, or damage to Operator Personal Data (collectively, "Data Protection Claims"), the aggregate liability of Geocast is capped at two (2) times the standard liability cap in Section 10.1 of the Agreement (the "Data Protection Super Cap"). The Data Protection Super Cap is calculated as two times the fees paid or payable by the Operator under the Agreement in the twelve (12) months preceding the event giving rise to the claim.

The Data Protection Super Cap applies in addition to, and does not displace, the uncapped liability carve-outs identified in the Agreement Section 10.3 (which include, without limitation, indemnification obligations under Section 9 of the Agreement and breach of confidentiality obligations under Section 7 of the Agreement). Where a single set of facts gives rise to claims falling within both an uncapped carve-out and the Data Protection Super Cap, the uncapped carve-out controls.

The Data Protection Super Cap is supported by Geocast's technology errors and omissions insurance coverage. Geocast maintains technology errors and omissions insurance with coverage limits commensurate with this exposure for so long as the Operator's Agreement remains in effect.

8.2 SCC liability

Where the SCCs apply, the liability provisions of the SCCs (including Clause 12 of the EU SCCs) apply to claims arising under the SCCs and supersede any conflicting provisions in the Agreement Section 10. For all other claims, the Agreement Section 10 controls.

8.3 Third-party rights

Where the SCCs grant data subjects third-party beneficiary rights, those rights apply notwithstanding any contrary provisions in the Agreement.

§ 09

General

9.1 Order of precedence

The order of precedence is set out in Section 00 above.

9.2 Survival

The provisions of this DPA that by their nature should survive termination of the Agreement do survive, including obligations relating to confidentiality, return or deletion of personal data, audit rights for matters arising during the term, and liability.

9.3 Governing law and venue

Except where the SCCs require otherwise (per Section 5.2 above), this DPA is governed by the laws of the State of Delaware, in accordance with the Agreement Section 12.1, without regard to conflict-of-laws principles.

9.4 Severability

If any provision of this DPA is found unenforceable, the remaining provisions remain in effect, and the unenforceable provision is modified to the minimum extent necessary to be enforceable while preserving the original intent.

9.5 Updates

Geocast may update this DPA from time to time to reflect changes in Applicable Data Protection Law, in Geocast's processing operations, or in the underlying SCCs and addenda. Material changes are communicated to active operators with at least 30 days' notice via a banner in the admin app. Operators who do not accept a material change may terminate the affected portion of the service as described in the Agreement Section 13.2.

§ 10

Contact

For DPA-related questions, requests, or notifications:

Geocast AI, Inc.
70 SW Century Dr, STE 100, PMB 1130
Bend, OR 97702

§ Annex I.A

List of parties

Data exporter (Controller)

The Operator, as identified in the Operator's account in the Geocast admin app and in the Agreement.

  • Name: as provided during account registration
  • Address: as provided during account registration
  • Contact person: as designated in the Operator's account
  • Activities relevant to the data transferred: operating a property using Geocast and configuring guest experiences for that property
  • Role: Controller

Data importer (Processor)

  • Name: Geocast AI, Inc.
  • Address: 70 SW Century Dr, STE 100, PMB 1130, Bend, OR 97702
  • Contact person: legal@geocast.ai
  • Activities relevant to the data transferred: providing the Geocast software-as-a-service platform, including admin tools, AI content generation, guest-facing experience delivery, beacon proximity services, push notifications, and related infrastructure
  • Role: Processor

§ Annex I.B

Description of the transfer

Categories of data subjects whose personal data is transferred

  • Operators (account holders, owners of properties using Geocast)
  • Operator team members (managers, content editors, staff with admin access)
  • Operator billing contacts
  • Voice subjects (individuals whose voices are cloned for narration, where the Operator uses voice cloning)
  • Guests (visitors to properties using Geocast, including users of the mobile web experience and the native app)

Categories of personal data transferred

For Operators and team members: account information (name, email, phone, role), authentication data, billing information, usage data, communication data, and content the Operator uploads to the service.

For voice subjects (where applicable): voice samples (audio recordings) and resulting voice models used for narration synthesis. See Privacy Policy Section 1.7.

For guests: device identifiers and session tokens, story interaction data, device and browser information, general location (city/country derived from IP), property context, foreground location while using the mobile web experience, Bluetooth proximity events and (with permission) background location while using the native app, push notification tokens, crash and performance telemetry, and any ratings or feedback the guest submits.

Sensitive personal data transferred

  • Precise geolocation data (beacon proximity events and GPS location data within radii classified as sensitive personal information under CPRA, VCDPA, CPA, CTDPA, and similar laws)
  • Biometric data (voice samples and voice models, where the Operator uses voice cloning)

Sensitive personal data is processed only with appropriate consent and only for the limited purposes described in the Privacy Policy.

Frequency of transfer

Continuous, for the duration of the Agreement.

Nature of processing

Hosting, storage, organization, structuring, retrieval, use, disclosure to authorized parties (other team members on the Operator's account, the Operator's audience for published content), AI-driven content generation, voice synthesis, transmission, and (at termination) erasure.

Purposes of processing

Providing the Geocast service to the Operator, including content creation, content delivery to guests, analytics for the Operator, security and fraud prevention, and service improvement, all as described in the Agreement and the Privacy Policy.

Duration of processing

For the term of the Agreement plus the wind-down and retention periods described in the Agreement Section 11.4 and the Privacy Policy.

§ Annex I.C

Competent supervisory authority

For data exporters in the European Economic Area, the competent supervisory authority is the supervisory authority of the EU Member State in which the data exporter is established, or, where the data exporter is not established in the European Economic Area, the supervisory authority of the EU Member State in which the data exporter's representative under GDPR Article 27 is established.

Per Clause 13 of the EU SCCs, where there is no representative and no establishment in a single Member State, the competent supervisory authority is the Irish Data Protection Commission.

§ Annex II

Technical and organizational measures

This Annex describes the technical and organizational measures Geocast has implemented to ensure the security of Operator Personal Data. The measures are reviewed periodically and may be updated, provided that the level of security is not materially decreased.

1 Encryption

  • Personal data is encrypted in transit using TLS 1.2 or higher
  • Personal data is encrypted at rest using AES-256 or equivalent
  • Encryption keys are managed under documented key management procedures, including rotation and access controls

2 Access controls

  • Access to Operator Personal Data is restricted to Geocast personnel who require access for service operation
  • Access is granted under a least-privilege principle
  • Access is logged and reviewed periodically
  • Multi-factor authentication is required for administrative access to systems containing Operator Personal Data

3 Authentication and identity management

  • Operators authenticate to the admin app using strong passwords and (optionally) two-factor authentication
  • Session management uses industry-standard token rotation and expiration
  • Failed authentication attempts are logged and rate-limited

4 Network security

  • Production systems are deployed in network environments with restricted ingress and egress controls
  • Public-facing surfaces are protected by web application firewall and DDoS mitigation
  • Internal communications between service components use authenticated and encrypted channels

5 Vulnerability management

  • Regular scanning of production systems for known vulnerabilities
  • Patching cadence appropriate to the severity of identified vulnerabilities

6 Personnel

  • Personnel with access to Operator Personal Data are bound by confidentiality obligations
  • Personnel receive training on security and privacy practices appropriate to their role
  • Access is revoked promptly upon role change or departure

7 Incident response

  • Documented incident response process for security events
  • Defined escalation criteria and response timelines
  • Personal Data Breach notification process in accordance with Section 3.8 of the DPA

8 Sub-processor management

  • Sub-processors are evaluated for security posture before onboarding
  • Periodic review of Sub-processor security and compliance
  • Contractual data protection obligations imposed on all Sub-processors

9 Data minimization

  • Personal data is collected only as necessary for the purposes described in the Privacy Policy
  • Retention periods are documented and enforced (see Privacy Policy Section 07)
  • Anonymization techniques are applied where appropriate

10 Resilience and recovery

  • Production systems are deployed with redundancy and automated failover where appropriate
  • Backups are taken regularly and are retained per the schedule in the Privacy Policy
  • Recovery objectives are documented and tested

11 AI-specific safeguards

  • AI tools used in the service are configured with safety filters and content moderation appropriate to the use case
  • Sub-processor contracts with AI providers (Anthropic, ElevenLabs, others) include data processing protections, including no-training-on-customer-data commitments
  • Voice cloning is gated by Operator-attested consent from voice subjects, per Privacy Policy Section 1.7

12 Audit and assurance

  • Geocast maintains records of processing activities under GDPR Article 30(2)
  • Existing audit reports and certifications, where available, are made available to Operators on request

§ Annex III

Sub-processor list

The current list of Sub-processors used by Geocast in connection with the service is published at geocast.ai/legal/sub-processors and is incorporated into this DPA by reference.

The Sub-processor page identifies each Sub-processor by:

  • Name
  • Function (what processing the Sub-processor performs)
  • Region of processing
  • Category (data-handling Sub-processor named individually, or operational category as described in the Privacy Policy)

The Sub-processor page is updated as Sub-processors change, in accordance with Sections 4.4 through 4.6 of the DPA.