Privacy Notice

Last Updated: November 13, 2025

This Privacy Notice applies to the processing of personal information by Crop Guard, Inc. and its subsidiaries d/b/a Thombar ("Thombar," "we," "us," or "our") including on our website available at https://www.thombar.ag/ and our other online or offline offerings that link to, or are otherwise subject to, this Privacy Notice (collectively, the "Services").

Disclosure Regarding Customer Data. This Privacy Notice does not apply to the personal information that we process on behalf of our customers pursuant to a written agreement we have entered into with such customers ("Customer Data"). Our customers' respective privacy notices or policies govern their collection and use of Customer Data. Our processing of Customer Data is governed by the contracts that we have in place with our customers, not this Privacy Notice. Any questions or requests relating to Customer Data should be directed to our customer.

Disclosure Regarding Non-Public Information. This Privacy Notice does not apply to the nonpublic personal information ("NPI") we process on behalf of regulated financial institutions in connection with financial products or services. The collection, use, and sharing of NPI is governed by the applicable financial institution's GLBA Privacy Notice and by the written agreements we have in place with that institution. Our processing of NPI is performed solely as a service provider acting on behalf of the financial institution and in accordance with its instructions. Additional details regarding our processing of NPI may be found in our GLBA Addendum. Any questions or requests relating to NPI should be directed to the applicable financial institution.

Table of Contents:

  1. UPDATES TO THIS PRIVACY NOTICE
  2. PERSONAL INFORMATION WE COLLECT
  3. HOW WE USE PERSONAL INFORMATION
  4. HOW WE SHARE PERSONAL INFORMATION
  5. YOUR PRIVACY CHOICES AND RIGHTS
  6. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION
  7. RETENTION OF PERSONAL INFORMATION
  8. CHILDREN'S PERSONAL INFORMATION
  9. CONTACT US

GLBA ADDENDUM

1. UPDATES TO THIS PRIVACY NOTICE

We may update this Privacy Notice from time to time in our sole discretion. If we do, we'll let you know by posting the updated Privacy Notice on our website, and we may also send other communications.

2. PERSONAL INFORMATION WE COLLECT

We collect personal information that you provide to us, personal information we collect automatically when you use the Services, and personal information from third-party sources, as described below.

A. Personal Information You Provide to Us Directly

We may collect personal information, including sensitive personal information, you provide to us.

  • Account Information. We may collect personal information in connection with the creation or administration of your account. This personal information may include, but is not limited to, your name, username, password, contact information (such as your personal or work postal or email address and phone number), employment information, marketing preferences, personal and/or business financial account information (such as your account numbers, billing and shipping addresses), demographic information (such as your gender, race, ethnicity, veteran status, and date of birth), and other information you store with your account.
  • Transactions. We may collect personal information and details associated with your transactions on the Services, including payment information. Any payments made via our Services are processed by third-party payment processors. We do not directly collect or store any payment card information entered through our Services, but we may receive information associated with your payment card information (e.g., your billing details).
  • Your Communications with Us. We, and our service providers, may collect the information you communicate to us, such as through email or a web chat tool we or our service providers offer.
  • Surveys. We may contact you to participate in surveys. If you decide to participate, we may collect personal information from you in connection with the surveys.
  • Interactive Features. We and others who use our Services may collect personal information that you submit or make available through our interactive features (e.g., messaging features, commenting functionalities, forums, blogs, and social media pages). Any information you provide using the public sharing features of the Services will be considered "public."
  • Sweepstakes or Contests. We may collect personal information you provide for any sweepstakes or contests that we offer. In some jurisdictions, we are required to publicly share information of sweepstakes and contest winners.
  • Conferences, Trade Shows, and Other Events. We may collect personal information from individuals when we attend or host conferences, trade shows, and other events.
  • Business Development and Strategic Partnerships. We may collect personal information from individuals and third parties to assess and pursue potential business opportunities.
  • Job Applications. If you apply for a job with us, we will collect any personal information you provide in connection with your application, such as your contact information and resume or CV.

B. Personal Information Collected Automatically

We may collect personal information automatically when you use the Services.

  • Device Information. We may collect personal information about your device, such as your Internet protocol (IP) address, user settings, cookie identifiers, other unique identifiers, browser or device information, Internet service provider, and location information (including, as applicable, an approximate location derived from the IP address and precise geo-location information).
  • Usage Information. We may collect personal information about your use of the Services, such as the pages that you visit, items that you search for, the types of content you interact with, information about the links you click, the frequency and duration of your activities, and other information about how you use the Services.
  • Cookie Notice (and Other Technologies). We, as well as third parties, may use cookies, pixel tags, and other technologies ("Technologies") to automatically collect personal information through your use of the Services.
    • Cookies. Cookies are small text files stored in device browsers.
    • Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded in the Services that collects personal information about use of or engagement with the Services. The use of a pixel tag allows us to record, for example, that a user has visited a particular web page or clicked on a particular advertisement. We may also include web beacons in emails to understand whether messages have been opened, acted on, or forwarded.

See "Your Privacy Choices and Rights" below to understand your choices regarding these Technologies.

C. Personal Information Collected from Third Parties

We may collect personal information about you from third parties. For example, if you access the Services using a third-party website, application, service, products, or technology (each a "Third-Party Service"), we may collect personal information about you from that Third-Party Service that you have made available via your privacy settings. In addition, users of the Services may upload or otherwise provide personal information about others.

3. HOW WE USE PERSONAL INFORMATION

We use personal information for a variety of business purposes, including to provide the Services, for administrative purposes, and to provide you with marketing materials, as described below.

A. Provide the Services

We use personal information to provide the Services, such as:

  • Providing access to certain areas, functionalities, and features of the Services;
  • Communicating with you;
  • Answering requests;
  • Sharing personal information with third parties as needed to provide the Services; and
  • Processing your financial information and other payment methods.

B. Improve the Services and Develop New Products and Services

We use personal information to improve the Services and to develop new products and services, such as:

  • Developing, training, and fine-tuning models, algorithms, and artificial intelligence technologies; and
  • Improving, upgrading, or enhancing the Services.

C. Operate Our Business

We use personal information to operate our business, such as:

  • Pursuing our legitimate interests such as direct marketing, research and development (including marketing research), network and information security, and fraud prevention;
  • Carrying out analytics;
  • Creating de-identified and/or aggregated information;
  • Processing applications if you apply for a job we post on our Services;
  • Allowing you to register for events;
  • Enforcing our agreements and policies; and
  • Carrying out activities that are required to comply with our legal obligations.

D. Marketing

We may use personal information to tailor and provide you with marketing and other content.

California Shine the Light: If you are a California resident, you may annually submit a request to us to find out whether we have shared your personal information with third parties for the third parties' direct marketing purposes. If you would like to submit such a request, please "Contact Us."

E. With Your Consent or Direction

We may use personal information: (i) for other purposes that are clearly disclosed to you at the time you provide the personal information, (ii) with your consent, or (iii) as otherwise directed by you.

F. Automated Decision-Making

We may engage in automated decision-making, including profiling.

4. HOW WE SHARE PERSONAL INFORMATION

We share personal information with third parties for a variety of business purposes, including to provide the Services, to protect us or others, or in connection with a major business transaction such as a merger, sale, or asset transfer, as described below.

A. Disclosures to Provide the Services

We may share any of the personal information we collect with the categories of third parties described below.

  • Service Providers. We may share personal information with service providers that assist us with the provision of the Services. This may include, but is not limited to, service providers that provide us with hosting services, customer service, AI or machine learning services, analytics, marketing services, IT support, and related services. In addition, personal information and chat communications may be shared with service providers that help provide our chat features.

    Some of the service providers we may use include:

    • Google Analytics. For more information about how Google uses your personal information, please visit Google Analytics' Privacy Policy. To learn more about how to opt out of Google Analytics' use of your personal information, please click here.
    • Slack. For information about how Slack uses and shares your personal information, please visit Slack's Privacy Policy. To request how to opt out of Slack's use of your personal information, please email privacy@slack.com.
  • Other Users You Share or Interact With. The Services may allow Thombar users to share personal information or interact with other users of the Services.
  • Third-Party Services You Share or Interact With. The Services may link to or allow you to interface with, interact with, share information with, direct us to share information with, access, and/or use a Third-Party Service. Any personal information shared with a Third-Party Service will be subject to the Third-Party Service's privacy policy. We are not responsible for the processing of personal information by Third-Party Services.
  • Business Partners. We may share your personal information with business partners we work with to provide you with a product or service you have requested. We may also share your personal information with business partners with whom we jointly offer products or services.

    Once your personal information is shared with our business partner, it will also be subject to our business partner's privacy policy. We are not responsible for the business partner's processing of your personal information.

  • Thombar Customers (Authorized Users Only). In cases where you use our Services as an employee, contractor, or other authorized user of a Thombar customer, we may share any information associated with your use of the Services with the Thombar customer, including, but not limited to, account information, usage information, files, and the contents of the communications associated with your account. Your personal information may also be subject to the Thombar customer's privacy policy. We are not responsible for the Thombar customer's processing of your personal information.
  • Affiliates. We may share your personal information with our corporate affiliates.
  • Advertising Partners. We may share your personal information with third-party advertising partners. These third-party advertising partners may set Technologies on our Services to collect personal information regarding your activities and your device (e.g., IP address, cookie identifiers, page(s) visited, location, time of day). These advertising partners may use this personal information (and similar information collected from other services) to tailor and deliver personalized ads to you when you visit digital properties within their networks. This practice is commonly referred to as "interest-based advertising," "personalized advertising," or "targeted advertising."

B. Disclosures to Protect Us or Others

We may share your personal information and related information with external parties if we, in good faith, believe doing so is required or appropriate to comply with law enforcement requests, national security requests, or other government requests; comply with legal process, such as a court order or subpoena; protect your, our, or others' rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual unauthorized or illegal activity.

C. Disclosure in the Event of Merger, Sale, or Other Asset Transfers

If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, receivership, purchase or sale of assets, transition of service to another provider, or other similar corporate transaction, your personal information may be shared, sold, or transferred as part of such a transaction.

5. YOUR PRIVACY CHOICES AND RIGHTS

Your Privacy Choices

The privacy choices you may have about your personal information are described below.

  • Email Communications. If you receive an unwanted email from us, you can use the unsubscribe functionality found at the bottom of the email to opt out of receiving future emails. Note that you will not be able to opt out of certain communications (e.g., communications regarding the Services or updates to this Privacy Notice).
  • Text Messages. If you receive an unwanted text message from us, you may opt out of receiving future text messages from us by following the instructions in the text message you have received from us or by otherwise contacting us as set forth in "Contact Us" below.
  • Mobile Devices. We may send you push notifications through our mobile application. You may opt out of receiving these push notifications by changing the settings on your mobile device. With your consent, we may also collect precise location-based information via our mobile application. You may opt out of this collection by changing the settings on your mobile device. To request deletion of your account, please use the standard deletion functionality available via the Services or contact us using the information set forth in "Contact Us" below.
  • "Do Not Track." Do Not Track ("DNT") is a privacy preference that users can set in certain web browsers. Please note that we do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers.
  • Cookies. You may stop or restrict the placement of Technologies on your device or remove them by adjusting your preferences as your browser or device permits. However, if you adjust your preferences, the Services may not work properly.

    Please note that cookie-based opt-outs are not effective on mobile applications. However, you may opt out of certain tracking on some mobile applications by following the instructions for Android, iOS, and other mobile operating systems.

    The online advertising industry also provides mechanisms that may allow you to opt out of receiving targeted ads from organizations that participate in self-regulatory programs. To learn more, visit the Network Advertising Initiative and the Digital Advertising Alliance.

    Please note you must separately opt out in each browser and on each device.

Your Privacy Rights

In accordance with applicable law, you may have the right to:

  • Request Access to or Portability of Your Personal Information;
  • Request Correction of Your Personal Information;
  • Request Deletion of Your Personal Information;
  • Request Restriction of or Object to Our Processing of Your Personal Information;
  • Request to Opt Out of Certain Processing Activities, including, as applicable, if we process your personal information for "targeted advertising" (as "targeted advertising" is defined by applicable privacy laws), if we "sell" your personal information (as "sell" is defined by applicable privacy laws), or if we engage in "profiling" in furtherance of certain "decisions that produce legal or similarly significant effects" concerning you (as such terms are defined by applicable privacy laws); and
  • Withdraw Your Consent to Our Processing of Your Personal Information. Please note that your withdrawal will take effect only for future processing and will not affect the lawfulness of processing before the withdrawal.

If you would like to exercise any of these rights, please contact us as set forth in "Contact Us" below.

We will process such requests in accordance with applicable laws.

Some laws may allow you to appeal our decision if we decline to process your request. If applicable laws grant you an appeal right, and you would like to appeal our decision with respect to your request, you may do so by informing us of this and providing us with information supporting your appeal.

6. INTERNATIONAL TRANSFERS OF PERSONAL INFORMATION

All personal information processed by us may be transferred, processed, and stored anywhere in the world, including, but not limited to, the United States or other countries, which may have data protection laws that are different from the laws where you live. These countries may or may not have adequate data protection laws as defined by the data protection authority in your country.

7. RETENTION OF PERSONAL INFORMATION

We store the personal information we collect as described in this Privacy Notice for as long as you use the Services, or as long as necessary to fulfill the purpose(s) for which it was collected, or as long as necessary to pursue our business purposes.

To determine the appropriate retention period for personal information, we may consider applicable legal requirements; the amount, nature, and sensitivity of the personal information; certain risk factors; the purposes for which we process your personal information; and whether we can achieve those purposes through other means.

8. CHILDREN'S PERSONAL INFORMATION

The Services are not directed to children under 18 (or other age as required by local law outside the United States), and we do not knowingly collect personal information from children.

If you are a parent or guardian and believe that your child has uploaded personal information to the Services in violation of applicable law, you may contact us as described in "Contact Us" below.

9. CONTACT US

If you have any questions about our privacy practices or this Privacy Notice, or to exercise your rights as detailed in this Privacy Notice, please contact us at: customerrelations@thombar.ag

GLBA ADDENDUM

Introduction

This GLBA Addendum consolidates all Gramm-Leach-Bliley Act ("GLBA") disclosures applicable to Thombar when it provides services involving financial products and services offered by GLBA-regulated entities including banks (such as i3 Bank, Member FDIC ("i3 Bank")) and regulated lenders (such as Quantum LS LLC.). This Addendum applies exclusively to nonpublic personal information ("NPI") processed in connection with these financial products and services.

Financial Institution Status and Roles

Thombar is a financial technology company and is not a bank. Banking services made available through the Thombar platform, including deposit accounts, savings products, debit cards, and other regulated financial services, are provided by i3 Bank. Lines of credit and other lending products are provided by third-party lenders such as Quantum LS LLC. For GLBA purposes, i3 Bank and those lenders are the "financial institutions."

Thombar's Role as a GLBA Service Provider

Thombar acts solely as a "service provider" under GLBA when processing NPI on behalf of i3 Bank or other regulated lenders. Thombar processes NPI only in accordance with the written instructions of the applicable financial institution and only for purposes permitted under GLBA.

Categories of Nonpublic Personal Information ("NPI")

Thombar may receive or access the following types of NPI from or on behalf of i3 Bank or other regulated lenders: personal identifiers; financial application information; identity verification data; account numbers; deposit and transaction data; payment and card-use data; lending information; fraud and risk signals; and any related information collected in connection with obtaining, servicing, or maintaining a financial product or service.

Permitted Use of NPI

Thombar may use NPI only to:

  • (a) provide technology and servicing functions to financial institutions;
  • (b) facilitate account opening, identity verification, and KYC/AML procedures;
  • (c) maintain and service customer accounts;
  • (d) support customer communications;
  • (e) perform required operational, reporting, fraud-prevention, and security functions;
  • (f) assist financial institutions with risk, fraud, or operational modeling;
  • (g) comply with applicable law or regulation;
  • (h) provide users with account-based insights, prompts, and recommendations derived from their financial data (for example, alerts regarding eligibility for certain features, perks, pricing tiers, or benefits);
  • (i) with the user's express direction, identify and present user-requested or user-authorized offers from third-party service providers which may include communicating anonymized or de-identified information (such as "a grower in your region with available cash on hand") prior to obtaining user consent to share identifiable information with such third-party service providers; and
  • (j) develop and improve Thombar's own underwriting, risk assessment, and operational models when the user has separately authorized Thombar to use their financial and operational data for these purposes (including data obtained from user-connected third-party accounts).

All use of NPI must directly relate to the user relationship, a financial product or service, or a user-authorized purpose.

Prohibited Uses of NPI

Thombar does not:

  • (a) sell NPI;
  • (b) use NPI to train general commercial AI or machine learning models;
  • (c) use NPI for targeted advertising or cross-context behavioral advertising;
  • (d) share NPI with non-affiliated third parties for their own marketing purposes; or
  • (e) combine NPI with non-financial data for unrelated profiling or product development

provided these prohibitions do not restrict Thombar from using NPI to: (i) generate user-authorized referrals or introductions to third-party service providers; (ii) provide personalized financial insights, or (iii) build Thombar's own underwriting or operational models when expressly authorized by the user.

Artificial Intelligence / Machine Learning Use of NPI

Where Thombar uses AI or machine learning tools to support financial institutions, it does so only for GLBA-permitted purposes such as fraud detection, transaction security, operational reliability, or risk scoring. Thombar does not use NPI to train general-purpose models or for any purpose not expressly permitted by the applicable financial institution.

Sharing of NPI Under GLBA

Thombar may disclose NPI to:

  • (a) i3 Bank, Quantum LS LLC, and other regulated lenders;
  • (b) service providers supporting GLBA-permitted functions;
  • (c) fraud-prevention, identity-verification, and security vendors;
  • (d) government or regulatory authorities as required by law; and
  • (e) any other parties as directed by the applicable financial institution.

Thombar does not disclose NPI to advertising partners or non-affiliated entities for their own marketing use.

Customer Rights Under GLBA

NPI processed by Thombar on behalf of i3 Bank or other regulated lenders is exempt from individual rights provided under state consumer privacy laws, including rights to access, delete, correct, restrict, opt out of targeted advertising, or opt out of the sale of personal information. Customer rights relating to NPI are governed by the financial institution's GLBA Privacy Notice.

Data Safeguards

Thombar maintains administrative, technical, and physical safeguards designed to protect NPI in accordance with the GLBA Safeguards Rule, including secure transmission, encryption, restricted access, monitoring, and secure handling and storage.

Compensation and Referral Arrangements

Thombar may receive compensation or referral fees from i3 Bank or other regulated lenders when users open or maintain financial products or services. These arrangements do not alter customer rights under GLBA or applicable banking regulations.

Retention of NPI

Thombar retains NPI only for as long as necessary to fulfill GLBA-permitted functions, comply with law, support audits, or meet financial institution data retention requirements.

Contact Information

For questions about NPI governed by this GLBA Addendum, please contact the applicable financial institution.