Privacy Policy

1. Introduction

P3RSON™, Inc., a Delaware corporation and subsidiary of P3RSON Investment Trust ("P3RSON," "we," "us," or "our"), operates the P3RSON platform (the "Platform") accessible at p3rson.com and through related mobile applications. This Privacy Policy ("Policy") describes how we collect, use, disclose, and safeguard the personal information of individuals ("User," "you," or "your") who access or use the Platform and our related services (collectively, the "Services").

For purposes of this Policy, the following defined terms shall apply throughout: "Talent" refers to models, actors, UGC creators, brand ambassadors, and other individuals who offer services through the Platform; "Brand" refers to businesses or individuals that book Talent through the Platform; "Fan" refers to individuals who interact with Talent profiles, purchase P3RSON Coins for gifting purposes, or otherwise engage with the Platform; "P3RSON Coins" refers to the virtual currency used within the Platform for gifting, booking, and backing Talent; and "P3RSON Index" refers to the algorithmic score (1–100) assigned to Talent profiles based on performance metrics.

By accessing or using the Services, you acknowledge that you have read, understood, and agree to the collection and use of your information in accordance with this Policy. If you do not agree to this Policy, you must discontinue use of the Services immediately.

2. Information We Collect

2.1 Information You Currently Provide Directly (Pre-Launch)

• Waitlist and founding-tier registration information: email address, first name, last name, selected tier ($49 Founding Talent, $149 Early Access, or $499 Founding Brand Partner), and referral source
• Payment metadata for founding-tier pre-purchases: the transaction identifier, amount, currency, and tier selection returned by Stripe Checkout. P3RSON does not collect, store, or process credit card numbers, CVV codes, bank account numbers, or other sensitive financial instrument data. Full payment details are collected directly by Stripe, Inc. on Stripe-hosted pages
• Customer support correspondence: any email, message, or inquiry you voluntarily send to [email protected], [email protected], or any other P3RSON address, including any personal information you choose to include
• Optional phone number, if you voluntarily provide one to receive SMS updates about the Platform launch

2.2 Information Currently Collected Automatically (Pre-Launch)

• IP address and approximate geolocation (city-level, derived from IP address) as reported by Google Analytics 4 with IP anonymization enabled
• Device and browser information reported by Google Analytics 4 and server logs (device type, operating system, browser type and version, language, and screen resolution)
• Usage data reported by Google Analytics 4 and Plausible Analytics (pages visited, referring URL, session duration, UTM parameters, and engagement events including purchase, lead, and registration conversion events fired on founder, pricing, and checkout pages)
• Cookies and similar technologies (as further described in Section 11), including the GA4 cookies set only after consent where required by applicable law, and the Meta Pixel and TikTok Pixel cookies set only after marketing-cookie consent
• Server log data (access timestamps, request method, response status, and error reports) retained solely for security, abuse detection, and service-reliability purposes

2.3 Additional Information to Be Collected Upon Initial Launch (Forward-Looking)

Once the Platform enters Initial Launch and accounts, profiles, bookings, P3RSON Coins, P3RSON Index, Smart Escrow, and related features become operative, P3RSON expects to additionally collect the following categories of personal information from users who voluntarily create Talent, Brand, or Fan accounts. P3RSON does not collect any of the following categories today:

• Account registration information (full legal name, date of birth, and profile details beyond the waitlist fields described in Section 2.1)
• Profile content (photographs, physical measurements, portfolio items, biographical information, ticker symbol, and social-media statistics) voluntarily uploaded by Talent users
• Platform communications (direct messages between Users, booking inquiries, and in-platform feedback submissions)
• Identity verification documents (government-issued ID, selfie verification, and any additional "know-your-customer" information required for Talent onboarding, Smart Escrow, or payout compliance)
• GPS location data, collected only if and when you explicitly enable location services for Smart Escrow verification, as further described in Section 8
• Biometric identifiers derived from profile photographs or identity verification, including facial geometry metrics (symmetry, golden ratio, canthal tilt, face width-height ratio, jawline, cheekbone, and filtrum measurements) and photo quality audit data (as further described in Section 22)
• Photo audit data including quality validation across five dimensions: clothing detection, face clarity, lighting analysis, hair presentation, and skin quality assessment
• Transaction records relating to P3RSON Coins, bookings, payouts, and Smart Escrow settlements
• Algorithmic inferences and scores, including P3RSON Index (calculated via 4-pillar scouting assessment: bone structure 35%, facial harmony 30%, editorial quality 20%, versatility 15%), talent tier classification (Elite/Professional/Emerging/Developing), market fit recommendations, and AI-powered matching preferences
• Cloud Functions processing logs for photo audit and market fit assessment (processed via serverless computing infrastructure, not stored long-term)

P3RSON will provide conspicuous notice and, where required, obtain additional consent at the point of collection before any of the categories described in this Section 2.3 are collected from you.

2.4 Information from Third-Party Sources

• Payment and transaction metadata from Stripe, Inc. in connection with founding-tier pre-purchases and, upon Initial Launch, payouts and subsequent transactions
• Upon Initial Launch: social-media profile data, when you voluntarily link a third-party social-media account to your P3RSON profile; and publicly available information used to verify identity or detect fraud

2.5 Information Collected from Agencies and Agents

Upon Initial Launch, when Agencies register to manage Talent on the Platform, P3RSON collects:

• Agency registration information (legal business name, physical address, tax identification number, authorized signatory name and contact information)
• Agent credentials (individual full name, email address, assigned role: Admin, Editor, or Scout)
• Agent activity logs (timestamps, actions taken on behalf of Talent accounts, access to Talent data and bookings)
• Commission structure and payout preferences configured by the Agency

This information is collected to enable Agency account management, talent representation, commission processing, and audit trail compliance. Agencies are contractually bound to maintain confidentiality of Talent data and comply with this Privacy Policy.

3. Legal Bases for Processing (GDPR)

For Users located in the European Economic Area ("EEA"), the United Kingdom, or Switzerland, P3RSON processes personal data on the following legal bases under the General Data Protection Regulation ("GDPR"):

• Contract Performance (Article 6(1)(b)): Processing necessary to perform our contract with you, including account creation, transaction processing, P3RSON Coin operations, Smart Escrow, booking facilitation, and payout processing.
• Consent (Article 6(1)(a)): Processing based on your freely given, specific, informed, and unambiguous consent, including marketing communications, SMS marketing messages, non-essential cookies (analytics and marketing), GPS location collection, and Meta Pixel / TikTok Pixel tracking. You may withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
• Legitimate Interests (Article 6(1)(f)): Processing necessary for our legitimate business interests, provided such interests are not overridden by your fundamental rights and freedoms. This includes fraud detection and prevention, Platform security, service improvement, aggregate analytics (via Google Analytics 4 as the primary analytics platform, and Plausible Analytics for privacy-focused aggregate measurement, in each case where consent is not required under applicable law), enforcement of our Terms of Service, and direct marketing to existing customers (subject to opt-out rights).
• Legal Obligation (Article 6(1)(c)): Processing necessary to comply with applicable legal obligations, including tax reporting, financial recordkeeping, law enforcement requests, and data breach notification requirements.

4. How We Use Your Information

P3RSON uses the information collected for the following purposes:

• To provide, operate, maintain, and improve the Platform and Services
• To process transactions, including P3RSON Coin purchases, gifts, booking payments, and payouts
• To calculate, update, and display your P3RSON Index score
• To match Talent with Brands using our AI-powered matching system
• To verify job completion through GPS-based Smart Escrow
• To send transactional notifications (booking confirmations, payment receipts, account alerts)
• To send marketing communications (with your prior consent; you may opt out at any time)
• To improve our Services, develop new features, and conduct internal research and analytics
• To detect, investigate, and prevent fraud, abuse, and unauthorized access
• To comply with applicable laws, regulations, and legal processes
• To enforce our Terms of Service and protect the rights, property, and safety of P3RSON, our Users, and the public

5. How We Share Your Information

P3RSON does not sell your personal information as defined under the California Consumer Privacy Act ("CCPA") or any applicable state privacy law. We may disclose your information to the following categories of recipients:

• Other Users: Your public profile, P3RSON Index score, tier level, ticker symbol, and portfolio are visible to other Platform Users. Booking details are shared between the Talent and Brand involved in a transaction.
• Payment Processors: Stripe, Inc. processes all payments on behalf of P3RSON. Stripe’s collection and use of payment data is governed by the Stripe Privacy Policy.
• Affiliates: We may share your information with our corporate affiliates, including P3RSON Studios (the marketing and content arm of P3RSON) and other entities under common ownership with P3RSON Investment Trust, for purposes consistent with this Policy, including brand marketing, content production, and audience development. All affiliates are contractually bound to protect your information in accordance with this Policy.
• Service Providers: Third-party vendors and service providers that assist us in operating the Platform (including hosting, cloud storage, analytics, email delivery, form processing, photo audit via AWS Rekognition, and customer support), subject to contractual obligations to protect your data. A non-exhaustive list of material service providers is set forth in Section 6 below.
• Advertising Partners: Meta Platforms, Inc. (via Meta Pixel) and TikTok, Inc. (via TikTok Pixel) may receive browsing behavior data for advertising measurement and retargeting purposes, subject to your cookie consent preferences.
• Legal Requirements: When required by applicable law, regulation, subpoena, court order, or other legal process, or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of P3RSON, our Users, or the public.
• Business Transfers: In connection with any merger, acquisition, reorganization, sale of assets, or bankruptcy proceeding involving P3RSON, your information may be transferred to the acquiring entity.
• With Your Consent: We may share your information with third parties when you have provided express consent to such disclosure.

5.2 Agent Data Access & Privacy Controls

When a Talent authorizes an Agency to represent them, the Agency’s appointed Agents gain limited access to Talent account data based on their assigned role:

• Admin Agents: Full access to Talent profile, portfolio, bookings, messages, and payout information. Can invite and manage other agents.
• Editor Agents: Access to Talent profile and portfolio for editing; access to bookings and messages for management purposes. Cannot modify payout settings or manage other agents.
• Scout Agents: Read-only access to Talent profile, portfolio, and booking inquiries. Cannot edit or access sensitive data.

All agent access is logged with timestamps and action records. Talent retains the right to audit agent access at any time and to revoke agent permissions immediately.

5.3 Talent Data Ownership & Rights When Managed by Agencies

Talent retains full ownership and control of all personal data associated with their account, regardless of Agency representation. Specifically:

• Talent may revoke Agency access and all agent permissions at any time by updating account settings or contacting P3RSON directly
• Upon removal from an Agency representation, Talent retains full access to all account data, including booking history, messages, and earnings records
• Talent may export all personal data associated with their account in a machine-readable format (JSON or CSV) at any time
• Agencies do not own, retain rights to, or have residual access to Talent data after the representation relationship ends

5.4 Brand Client Data Access Within Talent Book

When Brands manage a Talent Book (client list) through the Platform, they may access information about clients associated with Talent they have booked, including client name, contact information, and booking history (dates, rates, deliverables). This access is limited to facilitating direct communication and booking management with Talent and does not extend to client personal data beyond what is necessary for booking coordination.

6. Third-Party Services & Data Collected Per Service

We use the following third-party services to operate and improve the Platform. Each service receives only the data necessary for its designated function:

• Stripe, Inc.: Payment processing for founding-tier pre-purchases and, upon Initial Launch, all Platform payments, payouts, and Smart Escrow settlements. Stripe receives your payment card details, billing address, email address, transaction amounts, currency, and, where applicable, identity verification data directly on Stripe-hosted checkout pages. P3RSON does not store payment card numbers on its servers. P3RSON uses, or expects to use, the following Stripe product lines as sub-processors: Stripe Checkout (hosted payment pages), Stripe Payments (card and alternative payment method processing), Stripe Radar (automated fraud detection and scoring, which may process IP address, device fingerprint, and behavioral signals), Stripe Link (optional one-click checkout that may save payment details across Stripe-enabled merchants), and, upon Initial Launch, Stripe Connect (payout and marketplace settlement), Stripe Identity (identity verification), and Stripe Tax (sales tax calculation). Stripe’s collection, use, and cross-border transfer of personal data is governed by the Stripe Privacy Policy and, where applicable, the Stripe Data Processing Agreement.
• Mailchimp (Intuit Inc.): Email marketing and newsletters. Receives your email address, first and last name, and email engagement data (open rates, click-through rates) when you subscribe to marketing communications.
• Google Analytics 4 (Google LLC): Website usage analytics. P3RSON operates a GA4 property with measurement ID G-SFHDK4C63L that collects pseudonymized browsing data including pages visited, session duration, bounce rate, traffic source / medium, UTM parameters, device type, operating system, browser type and version, screen resolution, approximate geographic location (city-level, derived from IP address), and user interaction events. In addition to standard automatic events, P3RSON configures GA4 to record the following custom conversion events: page_view (every page load), scroll and engagement metrics, registration (waitlist sign-ups), lead (founder-form, brand-form, and newsletter submissions), begin_checkout (clicks on Stripe Checkout buttons on the pricing and founder pages, together with the associated tier name and price), and purchase (completed Stripe Checkout sessions confirmed via Stripe’s hosted success page, together with transaction amount and currency). Google Analytics uses cookies (_ga, _gid, _gat, and the GA4 session cookie _ga_G-SFHDK4C63L) with configurable retention periods. IP anonymization is enabled, and analytics cookies are set only after consent where required by applicable law. Google’s data practices are governed by the Google Privacy Policy.
• Google LLC (Apps Script / Workspace): Backend form processing and automation. Receives email address, first name, last name, referral source, and related form data submitted through the Platform (including waitlist and founding-tier registrations) for the purpose of routing submissions to downstream services such as Mailchimp. Form submissions may be transiently logged in Google Apps Script execution logs and, where applicable, a Google Sheet serving as an intake log, in each case retained on Google infrastructure subject to Google’s default retention policies and P3RSON’s internal retention schedule described in Section 9. Google’s data practices are governed by the Google Privacy Policy.
• Microsoft Corporation (Microsoft 365): Hosted corporate email for the p3rson.com domain, including customer support, legal, and privacy inboxes (e.g., [email protected], [email protected]). Microsoft processes incoming and outgoing correspondence, including privacy rights requests, customer support inquiries, and DMCA notices. Microsoft’s data practices are governed by the Microsoft Privacy Statement.
• Firefall, Inc. (Platform Development Partner): Engineering, infrastructure, and product development services engaged to build, test, and deploy the P3RSON Platform. As of the Last Updated date of this Policy, Firefall has not yet commenced processing of end-user personal information on behalf of P3RSON; Platform development is in a pre-launch phase and Firefall’s engagement covers codebase, infrastructure configuration, and internal staging data only. Upon Initial Launch, and prior to Firefall’s first processing of any personal information of Platform end users, P3RSON and Firefall shall enter into a written data processing agreement compliant with GDPR Article 28 and applicable U.S. state privacy laws that restricts Firefall’s use of personal information to the purposes of providing development, hosting, and maintenance services to P3RSON. P3RSON will update this Section 6 to reflect the scope of Firefall’s processing activities at that time.
• Plausible Analytics (Plausible Insights OÜ): Privacy-focused, cookieless website analytics used as a secondary aggregate measurement tool alongside Google Analytics 4 (which is the primary analytics platform described above). Collects aggregate page view counts, referral sources, browser type, operating system, and device type without setting cookies and without collecting personal identifiers or full IP addresses. Plausible does not track individual Users across sessions. Plausible’s data practices are governed by the Plausible Privacy Policy.
• Meta Pixel (Meta Platforms, Inc.): Advertising measurement and retargeting. May collect browsing behavior, page URLs visited, button click events, purchase conversion data, device information, and IP address for the purpose of ad delivery, measurement, and optimization on Meta platforms (Facebook, Instagram). Sets the _fbp cookie. Data is subject to Meta’s Data Policy.
• TikTok Pixel (TikTok Inc.): Advertising measurement and retargeting. May collect browsing behavior, page URLs visited, conversion events, device information, and IP address for the purpose of ad delivery and optimization on TikTok. Sets the _ttp cookie. Data is subject to TikTok’s Privacy Policy.
• Mailchimp SMS (Intuit Inc.): We use Mailchimp's SMS capabilities for transactional and marketing text messages. Your phone number and message content are shared with Mailchimp solely to facilitate message delivery. Mailchimp's data practices are governed by the Intuit Privacy Statement.

7. AI & Automated Decision-Making

P3RSON uses artificial intelligence and algorithmic systems in the following ways:

• P3RSON Index: Your score (1–100) is calculated automatically based on Reliability (30%), Market Activity (25%), Demand Signal (20%), Profile Readiness (15%), and Community Engagement (10%). This score affects your visibility, search ranking, and matching priority with Brands.
• AI Matching: Our algorithm matches Talent with Brand opportunities based on availability, location, style, P3RSON Index score, and other profile attributes.
• Recommendations: We may use automated systems to surface relevant Talent, bookings, or content to Users.

Right to Explanation: You have the right to request a meaningful explanation of how automated decisions affect you, including the factors that contributed to your P3RSON Index score. To request an explanation, contact [email protected].

Right to Contest: If you believe an automated decision has adversely affected you, you may request human review by contacting us at [email protected]. We shall acknowledge your request within five (5) business days and provide a substantive response within thirty (30) days.

Synthetic Media in Marketing

P3RSON (including through its marketing arm, P3RSON Studios) uses AI-generated personas, voices, likenesses, imagery, and video in its own marketing, advertising, and brand communications distributed on third-party platforms such as Meta (Facebook, Instagram) and TikTok. These personas are fictional and do not represent real individuals. Where such content features a persona that a reasonable consumer might believe to be a real person, P3RSON shall disclose, clearly and conspicuously within the content or accompanying caption, that the persona is AI-generated, in accordance with the U.S. Federal Trade Commission’s Guides Concerning the Use of Endorsements and Testimonials in Advertising (16 C.F.R. Part 255) and applicable state synthetic-media disclosure laws. P3RSON does not use the personal information of Platform Users to train, fine-tune, or personalize the generative models that produce this marketing content without separate, explicit consent.

8. GPS & Location Data

P3RSON uses GPS location data solely for Smart Escrow verification—confirming that Talent has arrived at a booking location to trigger payment release. Location data is:

• Collected only when you explicitly grant permission and have an active booking requiring check-in verification
• Used only at the moment of check-in verification during active bookings
• Not continuously tracked, monitored, or stored beyond the verification event
• Deleted from our systems promptly upon completion of the booking verification
• Never sold, licensed, or disclosed to third parties for advertising or marketing purposes

Opting Out: You may revoke location permissions at any time through your device settings or by contacting us at [email protected]. Please note that disabling location services shall prevent you from using the Smart Escrow check-in feature, and alternative verification methods may be required to complete bookings.

9. P3RSON Index & Public Data

Your P3RSON Index score (1–100), tier level, and ticker symbol are public by design. These are core features of the Platform that enable Talent discovery, booking, and marketplace transparency. By creating a profile, you consent to the public display of this information.

Gifting activity, booking history details, and earnings are private and visible only to you unless you affirmatively choose to share them.

10. Virtual Currency (P3RSON Coins)

When you use P3RSON Coins, we collect and store the following data:

• Coin balance and transaction history (purchases, gifts sent and received, booking payments)
• Payout history and amounts
• Transaction timestamps and associated User interactions

P3RSON Coins constitute a limited license, not a property right. Coins hold no monetary value outside the Platform, are not legal tender, are not a stored-value instrument under applicable state or federal money transmitter laws, and may not be redeemed for cash or any other form of compensation except as expressly provided in the Terms of Service. Coin transaction data is retained for as long as your account is active and for a minimum of seven (7) years thereafter as required for legal, tax, and regulatory compliance purposes.

11. Cookies & Tracking Technologies

We use cookies and similar tracking technologies to operate the Platform, analyze usage, and deliver targeted advertising. You may disable non-essential cookies through our consent banner or your browser settings, though some features may not function properly without them.

Cookie Categories

• Strictly Necessary Cookies: Required for login, session management, cookie consent preferences, security (CSRF protection), and load balancing. These cookies are essential for the Platform to function and cannot be disabled. Legal basis: legitimate interest / contract performance.
• Functional Cookies: Enable enhanced functionality and personalization, such as remembering your language preference, display settings, and recently viewed profiles. These cookies are not strictly necessary but improve your experience. You may opt out of functional cookies.
• Analytics Cookies: Help us understand how visitors interact with the Platform. This includes cookies set by Google Analytics 4, specifically: _ga (expires: twenty-four (24) months), _gid (expires: twenty-four (24) hours), and _gat (expires: one (1) minute); and a session-level persistence identifier (_ga_*) scoped to our configured GA4 property (expires: twenty-four (24) months). Plausible Analytics does not set cookies. We shall request your consent before setting analytics cookies where required by applicable law.
• Marketing / Advertising Cookies: Used to deliver relevant advertising and measure ad effectiveness. This includes cookies set by the Meta Pixel (_fbp, expires: ninety (90) days) and TikTok Pixel (_ttp, expires: thirteen (13) months) for retargeting purposes. We shall request your consent before setting marketing cookies.

Managing Cookies

When you first visit P3RSON, you shall be presented with a cookie consent banner allowing you to accept or decline non-essential cookies by category. You may update your preferences at any time through the cookie settings link in our footer. You may also control cookies through your browser settings, install browser extensions that block tracking, or use Google’s opt-out tools for Analytics.

12. SMS Communications

If you provide your phone number and consent to receive SMS messages, we may send you:

• Transactional messages: Booking confirmations, payment notifications, account verification codes, and Smart Escrow alerts
• Marketing messages: Promotions, new features, and Platform updates (only with your explicit opt-in consent)

Frequency: Message frequency varies based on your activity. Transactional messages are sent as needed; marketing messages shall not exceed four (4) per month.

Opt-Out: You may opt out of SMS messages at any time by replying STOP to any message. You may also manage your SMS preferences in your account settings or by contacting [email protected].

Rates: Message and data rates may apply. Consult your wireless carrier for details.

SMS Provider & Number: SMS messages are delivered through Mailchimp (Intuit Inc.) from +1 (917) 947-3315. Your phone number is shared with Mailchimp solely for message delivery purposes.

13. Data Security

We implement reasonable administrative, technical, and physical security measures appropriate to the nature and sensitivity of the personal information actually collected at each stage of the Platform’s development. As of the Last Updated date of this Policy, and consistent with the Pre-Launch Scope Notice in Section 2, such measures include encryption in transit (TLS 1.2 or higher) for all data submitted through p3rson.com; secure payment processing through Stripe, Inc. (which is certified as PCI DSS Level 1 compliant); access controls inherited from our hosting and productivity sub-processors, including Microsoft 365 and Google Workspace administrative role-based access controls; and vendor-managed encryption at rest for data stored within Stripe, Mailchimp, Google Workspace, and Microsoft 365. Prior to Initial Launch and the collection of the additional categories of personal information described in Section 2.3, P3RSON shall implement additional technical and organizational security measures appropriate to those categories, including, as applicable, encryption at rest for biometric and identity-verification data, periodic security assessments (including a formal third-party security review prior to Initial Launch), and documented incident-response procedures. However, no method of electronic transmission or storage is completely secure, and we cannot guarantee absolute security.

14. Data Breach Notification

In the event of a data breach involving your personal information that is reasonably likely to result in a risk to your rights and freedoms, P3RSON shall:

• Notify affected Users without undue delay, and in any event within seventy-two (72) hours of becoming aware of the breach (as required under GDPR Article 33), or within the timeframe required by applicable state law (e.g., sixty (60) days under CCPA, as applicable)
• Notify the relevant supervisory authority (for EEA Users) within seventy-two (72) hours of becoming aware of the breach
• Provide a description of the nature of the breach, the categories and approximate number of individuals affected, the likely consequences of the breach, and the measures taken or proposed to address the breach
• Deliver notification via email to the address associated with your account, and where required by law, through additional means such as postal mail or conspicuous posting on the Platform

15. Data Retention

We retain your account data for as long as your account remains active or as necessary to provide the Services. If you delete your account, we shall remove your personal information within thirty (30) days, except where we are required to retain it for legal, tax, or compliance purposes. Specifically:

• Profile data and User content are deleted within thirty (30) days of account closure
• Transaction and payment records are retained for seven (7) years for tax and legal compliance
• GPS verification data is deleted promptly after booking completion
• Communication logs may be retained for up to one (1) year for dispute resolution
• Anonymized and aggregated data (which does not constitute personal information) may be retained indefinitely for analytics and service improvement

16. Your Rights

Depending on your jurisdiction, you may have the right to:

• Access the personal information we hold regarding you
• Request correction of inaccurate or incomplete information
• Request deletion of your information (subject to legal retention requirements)
• Object to or restrict processing of your information
• Data portability (receive your data in a structured, commonly used, machine-readable format such as JSON or CSV)
• Withdraw consent for marketing communications at any time
• Lodge a complaint with your applicable data protection authority

To exercise any of these rights, contact us at [email protected]. We shall verify your identity before processing your request and respond within the timeframe required by applicable law.

17. GDPR Rights (European Users)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and applicable local implementing legislation. Data Protection Officer: P3RSON has conducted a formal assessment of its obligation to appoint a Data Protection Officer (“DPO”) pursuant to Article 37 of the GDPR. Based on P3RSON’s current scale and nature of processing activities, P3RSON has determined that mandatory DPO appointment is not required at this time. P3RSON will reassess this determination upon any material change in processing activities, including any large-scale processing of special categories of personal data or systematic monitoring of data subjects at scale. Data protection inquiries may be directed to [email protected] with the subject line “Data Protection Inquiry.”

• Right of Access (Article 15): You may request a copy of the personal data we hold regarding you.
• Right to Rectification (Article 16): You may request that we correct any inaccurate or incomplete personal data.
• Right to Erasure (Article 17): You may request that we delete your personal data, subject to certain legal exceptions (e.g., compliance with legal obligations, establishment or defense of legal claims).
• Right to Restrict Processing (Article 18): You may request that we limit how we use your data in certain circumstances.
• Right to Data Portability (Article 20): You may request your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to Object (Article 21): You may object to processing based on legitimate interests, including profiling and automated decision-making (such as the P3RSON Index).
• Right Not to Be Subject to Automated Decision-Making (Article 22): You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you, except where such processing is necessary for contract performance, authorized by law, or based on your explicit consent.
• Right to Withdraw Consent (Article 7): Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.

To exercise any GDPR right, contact us at [email protected] with the subject line “GDPR Request.” We shall respond within thirty (30) days. You also have the right to lodge a complaint with your local data protection supervisory authority. EU/UK Representative: As of the Last Updated date of this Policy, P3RSON operates a public pre-launch marketing website and waitlist, does not offer the Platform’s paid services to data subjects in the European Economic Area or the United Kingdom, and does not monitor the behavior of EEA or UK data subjects within the meaning of Article 3(2) of the GDPR or the equivalent provision of the UK GDPR, and therefore takes the position that the representative-appointment obligation under Article 27 of the GDPR and Article 27 of the UK GDPR is not currently triggered. If and when P3RSON offers the Platform’s paid services to, or intentionally monitors the behavior of, data subjects in the EEA or the United Kingdom on a scale that triggers Article 27, P3RSON shall, prior to such activities, designate in writing a representative established in the European Union and a representative established in the United Kingdom, and shall update this Policy to identify each such representative and provide contact information. In the interim, EEA and UK data protection inquiries may be directed to P3RSON, Inc. at [email protected] with the subject line “EU/UK Data Protection Inquiry.”

18. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act ("CCPA") and the California Privacy Rights Act ("CPRA") provide you with additional rights regarding your personal information:

Categories of Personal Information Collected

Currently Collected (Pre-Launch). As of the Last Updated date of this Policy, and consistent with the Pre-Launch Scope Notice in Section 2, in the preceding twelve (12) months P3RSON has collected only the following categories of personal information from California residents who have visited the public marketing website, subscribed to the waitlist, or pre-purchased a founding tier: (i) identifiers, consisting of email address, first name, last name, referral source, optional phone number, IP address, and pseudonymous online identifiers associated with cookies and pixels; (ii) commercial information, consisting of the transaction identifier, amount, currency, and tier selection returned by Stripe Checkout for founding-tier pre-purchases; and (iii) internet or electronic network activity information, consisting of Google Analytics 4 and Plausible Analytics event data, server logs, and Meta Pixel / TikTok Pixel events set only after marketing-cookie consent. P3RSON has not, in the preceding twelve (12) months, collected any biometric information, precise geolocation, professional information, education information, or sensitive personal information from California residents through the Platform.

To Be Collected Upon Initial Launch (Forward-Looking). Once the Platform enters Initial Launch and the features described in Section 2.3 become operative, P3RSON expects to additionally collect the following categories of personal information from California residents who voluntarily create Talent, Brand, or Fan accounts: identifiers (full legal name, date of birth, phone number, and account credentials); additional commercial information (P3RSON Coin balances, booking history, payout history, and Smart Escrow transaction records); additional internet or electronic network activity information (in-platform browsing and engagement data); precise geolocation (GPS data, only where explicitly enabled for Smart Escrow verification); biometric information (facial geometry derived from profile photographs and identity verification, as further described in Section 22); professional or employment-related information (portfolio items, physical measurements, and Talent profile content voluntarily submitted by Users); and inferences drawn from the foregoing (P3RSON Index scores and AI matching preferences). P3RSON will update this Section 18 and provide conspicuous notice upon commencing collection of any of the foregoing categories.

Sensitive Personal Information (CPRA)

Under the California Privacy Rights Act ("CPRA"), certain categories of personal information are designated as "sensitive personal information" ("SPI"). P3RSON collects or expects to collect the following SPI from California residents:

• Precise Geolocation: GPS coordinates collected only when explicitly enabled for Smart Escrow check-in verification
• Biometric Identifiers: Facial images and extracted face geometry metrics (symmetry, golden ratio, canthal tilt, FWHR, jawline, cheekbone, filtrum) used for talent assessment and scouting
• Health Data (Implicit): Physical characteristics and measurements voluntarily submitted in talent profiles (under Washington My Health My Data Act definition)

Under CPRA § 1798.121, California residents have the right to limit use and disclosure of sensitive personal information to purposes necessary to perform the Services you requested or otherwise permitted by law. You may exercise this right by: (a) clicking the "Limit the Use of My Sensitive Personal Information" link in our website footer; or (b) contacting [email protected] with the subject line "Limit Sensitive PI Request." P3RSON shall honor all verified requests within forty-five (45) days, with a single forty-five (45)-day extension available if reasonably necessary.

Your CCPA/CPRA Rights

• Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected regarding you, the categories of sources, the business or commercial purposes for collection, and the categories of third parties with whom we share your information.
• Right to Delete: You may request that we delete your personal information, subject to certain exceptions permitted by law.
• Right to Correct: You may request that we correct inaccurate personal information.
• Right to Opt Out of Sale/Sharing ("Do Not Sell or Share My Personal Information"): P3RSON does not sell your personal information as defined by the CCPA. P3RSON does not share your personal information for cross-context behavioral advertising as defined by the CPRA. If our practices change, we shall provide a conspicuous “Do Not Sell or Share My Personal Information” link on our homepage and honor all opt-out requests.
• Right to Non-Discrimination: We shall not discriminate against you for exercising any of your CCPA/CPRA rights, including by denying goods or services, charging different prices, or providing a different level of quality.
• Right to Limit Use of Sensitive Personal Information: P3RSON collects certain categories of sensitive personal information (“SPI”) as defined under the CPRA, including without limitation: precise geolocation data (collected for Smart Escrow verification); biometric identifiers (profile photographs and identity verification data); and physical characteristics (as voluntarily provided in Talent profiles). You have the right to direct P3RSON to limit its use and disclosure of your SPI to that which is necessary to perform the Services, or as otherwise permitted under Cal. Civ. Code § 1798.121. To exercise this right, you may: (i) submit a written request to [email protected] with the subject line “Limit Sensitive PI Request”; or (ii) use the “Limit the Use of My Sensitive Personal Information” link located in the footer of our website. P3RSON will honor all verified requests within forty-five (45) days of receipt, with a single forty-five (45)-day extension available where reasonably necessary upon prior notice to you.

To exercise any of these rights, contact us at [email protected] with the subject line “California Privacy Request.” We shall verify your identity before processing your request and respond within forty-five (45) days. This period may be extended by an additional forty-five (45) days where reasonably necessary, with prior notice to you.

You may also designate an authorized agent to submit requests on your behalf. We may require proof of written authorization and identity verification before processing an agent-submitted request.

California “Shine the Light” (Civil Code § 1798.83)

California residents may request information regarding the disclosure of personal information to third parties for their direct marketing purposes. As stated above, P3RSON does not disclose personal information to third parties for their direct marketing purposes.

19. Additional U.S. State Privacy Rights

If you are a resident of Virginia, Colorado, or Connecticut, you may have additional rights under applicable state privacy legislation:

Virginia Consumer Data Protection Act (VCDPA)

Virginia residents have the right to: access their personal data; correct inaccuracies; delete personal data; obtain a portable copy of personal data; and opt out of the processing of personal data for targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. To exercise these rights, contact [email protected] with the subject line “Virginia Privacy Request.” We shall respond within forty-five (45) days. You may appeal a denial of your request by contacting us, and we shall respond to the appeal within sixty (60) days.

Colorado Privacy Act (CPA)

Colorado residents have the right to: access their personal data; correct inaccuracies; delete personal data; obtain a portable copy of personal data; and opt out of the processing of personal data for targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. To exercise these rights, contact [email protected] with the subject line “Colorado Privacy Request.” We shall respond within forty-five (45) days. You may appeal a denial of your request, and we shall respond to the appeal within forty-five (45) days.

Connecticut Data Privacy Act (CTDPA)

Connecticut residents have the right to: access their personal data; correct inaccuracies; delete personal data; obtain a portable copy of personal data; and opt out of the processing of personal data for targeted advertising, sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. To exercise these rights, contact [email protected] with the subject line “Connecticut Privacy Request.” We shall respond within forty-five (45) days. You may appeal a denial of your request, and we shall respond to the appeal within sixty (60) days.

20. International Data Transfers

P3RSON is headquartered in the United States. If you access the Platform from outside the United States, your personal information may be transferred to, stored, and processed in the United States and other countries that may not provide the same level of data protection as your home jurisdiction.

For transfers of personal data from the EEA, United Kingdom, or Switzerland to the United States, P3RSON relies on the following data transfer mechanisms:

• EU-U.S. Data Privacy Framework: P3RSON is actively evaluating certification under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework as administered by the U.S. Department of Commerce. Until such certification is obtained and verified, P3RSON does not rely on the Data Privacy Framework as a transfer mechanism and will update this Policy upon completion of formal certification. In the interim, international data transfers are governed exclusively by the Standard Contractual Clauses and supplementary measures described below.
• Standard Contractual Clauses (SCCs): P3RSON relies on the European Commission’s Standard Contractual Clauses (as adopted under Commission Implementing Decision (EU) 2021/914) as its primary cross-border transfer mechanism for personal data originating in the EEA, United Kingdom, and Switzerland. Such Standard Contractual Clauses are, as applicable, incorporated by reference into, and form part of, the Data Processing Agreements published by P3RSON’s sub-processors, including without limitation Stripe, Inc. (Stripe DPA), Google LLC (Google Cloud and Workspace Processor Terms), Microsoft Corporation (Microsoft Products and Services DPA), Intuit Inc. (Mailchimp), Meta Platforms, Inc., and TikTok Inc., in each case as accepted by P3RSON as part of its engagement with such sub-processor. Upon Initial Launch and at any time a new sub-processor that transfers personal data outside the EEA is engaged, P3RSON shall ensure that an appropriate SCC-based or other Chapter V-compliant transfer mechanism is in place prior to commencing such transfers.
• Supplementary Measures: Where necessary, we implement additional technical and organizational measures (including encryption, pseudonymization, and access controls) to ensure an essentially equivalent level of protection for transferred data.

By using the Platform, you acknowledge and consent to the transfer of your information to the United States and other jurisdictions as described in this Section. You may contact [email protected] to request a copy of the applicable Standard Contractual Clauses.

21. Data Processing Agreements

Where P3RSON processes personal data on behalf of Brand Users (i.e., as a data processor), or where Brands process personal data obtained through the Platform, P3RSON shall enter into a Data Processing Agreement ("DPA") that complies with applicable data protection laws, including GDPR Article 28. The DPA shall set forth the subject matter and duration of processing, the nature and purpose of processing, the types of personal data processed, the categories of data subjects, and the obligations and rights of the controller.

Brand Users that require a DPA may request one by contacting [email protected] with the subject line “DPA Request.”

22. Biometric Data & Face Geometry Analysis

P3RSON uses sophisticated artificial intelligence to analyze profile photographs and extract face geometry metrics for talent assessment, matching, and scouting purposes. This section describes how we collect, use, retain, and protect biometric data in compliance with applicable state and international laws, including the Illinois Biometric Information Privacy Act ("BIPA"), the Texas Capture or Use of Biometric Identifier Act ("CUBI"), the Washington My Health My Data Act, the California Consumer Privacy Act ("CCPA")/California Privacy Rights Act ("CPRA"), and the EU General Data Protection Regulation ("GDPR").

22.1 Categories of Biometric Data Collected

Digital Audit Photos. When you upload profile photographs, portfolio content, or submit identity verification photos, P3RSON collects the original image files. These photos are subject to a five-validator digital audit system that assesses: (1) clothing detection, (2) face clarity, (3) lighting quality, (4) hair presentation, and (5) skin quality. This audit ensures profile photographs meet professional standards and provides users with actionable feedback for improvement.

Face Geometry Metrics. P3RSON extracts seven deterministic biometric metrics from profile photographs using AWS Rekognition API integration with landmark-based facial geometry analysis:

• Symmetry Score: Bilateral comparison of facial landmarks (left vs. right side) normalized to 0–100 scale
• Golden Ratio Analysis: Assessment of 8–12 facial proportion ratios (eyes, nose, mouth, jawline, cheekbones) compared to the ideal 1.618 proportion
• Canthal Tilt: Angle measurement of inner vs. outer eye corner positions (in degrees), indicating eye shape and elevation
• Face Width-Height Ratio (FWHR): Bone structure assessment derived from the ratio of bizygomatic (cheekbone) width to lower face height
• Jawline Score: Analysis of gonial angle and depth variation along the mandibular edge
• Cheekbone Score: Zygomatic prominence detection and vertical projection measurement
• Filtrum Proportion: Measurement of distance from nose tip to upper lip midpoint, relative to lower face height

These metrics are deterministic and explainable—each score is calculated algorithmically and does not involve black-box machine learning. The metrics are based on established modeling and talent industry standards and are not correlated with ethnicity or other protected characteristics.

Face Geometry Storage. Extracted face geometry metrics are stored separately from the original image file. The metrics themselves do not permit reconstruction of facial likeness and serve solely as mathematical scores for talent assessment algorithms.

22.2 Collection Notice and Consent

Pre-Collection Disclosure (BIPA & Similar Laws). Prior to the collection of biometric data from residents of Illinois, Texas, Washington, or other jurisdictions with biometric privacy laws, P3RSON shall present a separate, standalone written disclosure at the point of photo upload that includes: (a) the specific purpose(s) for which biometric data is being collected; (b) the specific length of term for which such data will be retained; (c) the circumstances under which such data may be disclosed or sold; and (d) a separate written release executed by the individual.

Express Consent. By uploading a profile photograph or identity verification photo to the Platform, you:

• Affirmatively and voluntarily consent to P3RSON’s collection, extraction, and use of biometric data (photographs and face geometry metrics) for the purposes described in this Section
• Acknowledge that you have read this Biometric Data Section and understand the purposes, retention period, and usage rights
• Represent and warrant that you are the individual depicted in any photographs you submit, or that you have obtained all necessary consents from depicted individuals

22.3 Purpose and Use of Biometric Data

P3RSON uses biometric data (photographs and extracted face geometry metrics) exclusively for the following purposes:

• Profile identity verification (ensuring the submitted photo belongs to the account holder)
• Talent scouting assessment, including the 4-pillar scouting model: bone structure (35%), facial harmony (30%), editorial quality (20%), versatility (15%)
• P3RSON Index score calculation (composite of AI scouting 60%, fan consensus 25%, activity metrics 15%)
• Algorithmic tier determination (Elite / Professional / Emerging / Developing)
• Market fit recommendation engine (matching talent to appropriate agencies and booking opportunities)
• Digital audit validation (ensuring photos meet professional standards for presentation)
• Fraud detection and prevention (flagging inconsistencies between identity verification and profile photos)
• Platform security and abuse prevention

P3RSON does not use biometric data for: advertising, marketing, sale to third parties, facial recognition surveillance, continuous behavioral monitoring, or any purpose not explicitly listed above.

22.4 Retention and Deletion of Biometric Data

Biometric data is retained only for as long as necessary to fulfill the stated purposes, subject to applicable law minimums:

• Active Account: While your account is active, original photos are retained to support ongoing talent assessment and scouting updates
• Face Geometry Metrics: Extracted metrics are retained for 365 days (12 months) from collection to support analytics, P3RSON Index recalculation, and market fit recommendations
• Account Closure: Upon account deletion request, original photographs and face geometry metrics are permanently deleted within 30 days, unless legal or regulatory requirements mandate retention
• Permanent Destruction: Deletion employs cryptographic erasure or physical destruction of storage media to prevent recovery
• Third-Party Service Providers: All sub-processors (including AWS Rekognition) are subject to written data processing agreements requiring equivalent retention and destruction standards

22.5 Disclosure and Transfer Restrictions

P3RSON does not sell, lease, trade, rent, or otherwise profit from biometric data. Biometric data is disclosed to third parties only in the following circumstances:

• Service providers acting as data processors (e.g., AWS Rekognition for face geometry extraction, cloud storage providers), bound by written data processing agreements
• Legal compliance: when required by valid legal process, subpoena, court order, government request, or to prevent imminent harm
• With your explicit, written, informed consent

22.6 AWS Rekognition Integration & Sub-processor Details

P3RSON uses Amazon Web Services (AWS) Rekognition API to perform facial analysis and geometry extraction. AWS Rekognition:

• Processes uploaded photos to extract facial landmarks and derived metrics
• Does not store original images beyond the processing request
• Is governed by the AWS Data Processing Addendum and AWS Privacy Policy
• Does not use your photos to train or improve AWS models without your explicit consent
• Certifies compliance with relevant data protection regulations

22.7 Apple Privacy Manifest Compliance (iOS)

P3RSON's iOS application includes a Privacy Manifest (PrivacyInfo.xcprivacy) that declares biometric data collection and processing in compliance with Apple App Store requirements. The manifest specifies:

• Biometric data categories: facial images and derived face geometry metrics
• Purpose: talent assessment and platform matching
• User tracking: disabled (P3RSON does not track users across apps or websites for biometric purposes)
• Data collection: limited to what is necessary for the declared purposes

22.8 User Rights & Data Subject Requests

Right to Know. You have the right to request information about what biometric data P3RSON has collected, how it is used, and with whom it has been shared. To submit a Right to Know request, contact [email protected] with the subject line "Biometric Data Request."

Right to Delete. You have the right to request deletion of your biometric data at any time, subject to exceptions for legal compliance or ongoing litigation. Deletion shall occur within 30 days of verification of your identity and request.

Right to Data Portability. You have the right to export all biometric data (original photos and associated metrics) in a machine-readable format (ZIP archive of images, JSON metadata) by contacting [email protected] with the subject line "Biometric Data Export."

Right to Limit Use. Under the California Consumer Privacy Act (CCPA/CPRA), you have the right to limit P3RSON's use and disclosure of your sensitive personal information (which includes biometric data) to purposes necessary to perform the Services or otherwise permitted by law. Submit this request via the "Limit the Use of My Sensitive Personal Information" link in our website footer or contact [email protected].

22.9 State-Specific Biometric Rights

Illinois Residents (BIPA, 740 ILCS 14). Illinois residents have the right to: (i) know whether biometric identifiers or information have been collected or are being stored; (ii) know the specific purpose(s) and the length of term for which biometric data will be retained; (iii) request deletion of biometric data; and (iv) bring a private right of action for violations. To exercise BIPA rights, contact [email protected] with the subject line "BIPA Request."

Texas Residents (CUBI, Tex. Bus. & Com. Code § 503.001). Texas residents have the right to: (i) know the purposes for which biometric identifiers are being collected and used; (ii) consent in writing before collection; (iii) request deletion; and (iv) bring suit for violations. To exercise CUBI rights, contact [email protected] with the subject line "Texas Biometric Rights Request."

Washington Residents (My Health My Data Act, RCW 19.255). Washington residents have the right to: (i) know that a regulated entity collects or uses health data; (ii) consent before processing; and (iii) request deletion. Health data broadly includes biometric identifiers. To exercise these rights, contact [email protected] with the subject line "Washington Health Data Request."

California Residents (CCPA/CPRA). In addition to rights enumerated elsewhere in this Policy (Section 18), California residents have the right to limit use of sensitive personal information (biometric data) and may exercise this right at the link provided in our website footer.

23. Do Not Track

Some browsers include a “Do Not Track” (“DNT”) feature that signals to websites that a user does not wish to have their browsing activity tracked. The Platform does not currently respond to DNT browser signals or similar mechanisms because there is no industry-standard framework for how such signals should be interpreted. We will revisit this policy if a standard for DNT signals is adopted in the future.

Regardless of DNT signals, you may manage your tracking preferences by: (a) adjusting your cookie consent preferences through our cookie consent banner; (b) opting out of Google Analytics using the Google Analytics Opt-Out Browser Add-on; (c) opting out of Meta advertising via your Meta Ad Preferences; or (d) adjusting your browser privacy settings. Plausible Analytics (our primary analytics tool) does not track individual users across sessions and does not use cookies, regardless of DNT settings.

24. Children’s Privacy

The Platform and Services are not intended for, and shall not be used by, individuals under eighteen (18) years of age in the United States, or under sixteen (16) years of age in the European Economic Area. P3RSON does not knowingly collect personal information from individuals below the applicable age threshold. If we become aware that we have collected personal information from a minor below the applicable age threshold, we shall delete such information promptly. If you are a parent or guardian and believe your child has provided us with personal information, please contact us immediately at [email protected].

25. Data Retention & Deletion Schedules

P3RSON retains personal information only for as long as necessary to fulfill the purposes for which it was collected, subject to applicable legal requirements. The following table describes retention schedules for major data categories:

User Data Deletion

You may request deletion of your account and associated personal data at any time by contacting [email protected] with the subject line "Account Deletion Request." Upon verification of your identity, P3RSON shall:

• Mark your account as deleted in our primary systems within 24 hours
• Permanently delete associated personal data within 30 days, except where legal or regulatory retention is required
• Retain transaction records for 7 years as required by tax and accounting law
• Retain anonymized and aggregated data indefinitely (which does not constitute personal information)

Data Archival & Backup

For disaster recovery and business continuity purposes, P3RSON maintains encrypted backup copies of account data. Backup data follows the same retention schedules as active data and is automatically deleted according to the retention schedule above. Backup systems are secure and are not accessible to P3RSON personnel without authorization.

26. Accessibility

P3RSON is committed to ensuring digital accessibility for individuals with disabilities. We endeavor to comply with the Web Content Accessibility Guidelines (WCAG) 2.1 Level AA and applicable provisions of the Americans with Disabilities Act (ADA). If you experience any difficulty accessing any part of the Platform, including this Privacy Policy, please contact us at [email protected] and we shall make reasonable efforts to provide the information in an accessible format.

26. Changes to This Policy

We may update this Privacy Policy from time to time. We shall notify you of material changes by posting the revised Policy on this page, updating the “Last updated” date, and, where required by applicable law, providing notice via email or in-app notification at least thirty (30) days prior to the effective date of material changes. Your continued use of the Platform after the effective date of the revised Policy constitutes your acceptance of the updated terms. If you do not agree with the changes, you must discontinue use of the Services.

27. Contact Us

If you have questions regarding this Privacy Policy, wish to exercise your privacy rights, or need to report a data protection concern, contact us at: