MaxxBets Inc. ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our sports betting analytics platform, including our website (maxxbets.ca) and our mobile application for iOS and Android (collectively, the "Service"). MaxxBets is a sports betting analytics and odds comparison platform. We are NOT a sportsbook, gambling operator, or betting exchange. We do not accept, facilitate, or process wagers of any kind. Our Service provides informational and educational tools only. By using MaxxBets, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our Service.

We collect several types of information from and about users of our Service. To align with Apple's App Privacy guidelines, we categorize this data as follows: Contact Information: • Name and email address (provided during account creation) • Name and email from third-party sign-in providers (Apple Sign-In, Google Sign-In), only when you choose to authenticate via these methods Identifiers: • User ID (unique account identifier) • Device identifiers (Identifier for Vendor on iOS; anonymous device IDs) • Push notification tokens (for delivering notifications to your device) Financial Information: • Subscription status and purchase history (managed by RevenueCat and Apple/Google in-app purchase systems) • Payment information is processed securely through Stripe and Apple/Google payment infrastructure — we do not store credit card numbers or bank details on our servers Usage Data: • Betting opportunities you view and interact with • Features you use, screens you visit, and actions you take within the app • Filters, preferences, and settings you configure • Subscription events (upgrades, downgrades, cancellations) Diagnostics: • Crash reports and error logs • Performance monitoring data (app load times, API response times) • Application version information Device and Technical Information: • Device model, operating system, and version • Browser type (web platform) • IP address and general (coarse) location derived from IP • Network connectivity status Betting Activity: • Bets you choose to track in our system • Sportsbooks you use and your sportsbook preferences • Your betting performance metrics and bankroll settings • Custom tags you create for organizing bets User Content: • Messages you send through our in-app support chat • Support requests and feedback Biometric Authentication (Local Only): • If you enable Face ID or Touch ID, biometric verification is processed entirely on your device by the operating system. We never receive, transmit, or store your biometric data. We do NOT collect: • Actual wagers or money (we are not a sportsbook) • Government-issued ID numbers • Precise GPS location • Contacts, photos, or files from your device • Health or fitness data • Browsing history outside of our Service

We collect information through: Directly from You: • When you create an account (email/password or via Apple Sign-In / Google Sign-In) • When you update your profile or preferences • When you track bets in our system • When you contact our support team via in-app chat • When you subscribe to our service or manage your subscription Automatically: • Analytics events recorded when you interact with the app (via PostHog) • Crash reports and performance data collected when errors occur (via Sentry) • Server logs when you access our platform • Push notification token registration when you enable notifications • Cookies and local storage on our web platform • On-device storage (MMKV) on our mobile app for caching preferences and offline data From Third Parties: • Odds data from our licensed data providers • Subscription and payment status from RevenueCat and Apple/Google in-app purchase systems • Authentication tokens from Apple Sign-In or Google Sign-In when you choose to use these methods • Payment confirmation from Stripe (web subscriptions)

We use your information for the following purposes: Provide Our Service: • Create and manage your account • Process your subscription payments • Display real-time odds and betting opportunities • Track your betting performance and manage your bet history • Deliver push notifications for bet alerts and account updates • Sync your data across devices Improve Our Platform: • Analyze usage patterns to understand which features are most valuable • Identify and fix bugs, crashes, and technical issues • Develop new tools and functionality • Optimize app performance and user experience • Monitor system health and uptime Communicate with You: • Respond to your in-app support requests • Send important account and subscription updates • Notify you of new features or changes to our Service (with your consent) • Share educational content about sports betting analytics Legal and Security: • Comply with legal obligations • Protect against fraud and abuse • Enforce our Terms of Service • Investigate and prevent security incidents We do NOT use your personal data to suggest, recommend, encourage, or influence you to place any specific wager. All analytics and insights provided by the Service are informational and educational only, and are not personalized gambling recommendations or betting instructions. We do NOT use your data for third-party advertising, behavioral advertising, or ad targeting of any kind.

We use the following third-party service providers to operate our platform. Each provider receives only the data necessary to perform its function, and each is contractually obligated to protect your data with the same or equal level of protection as described in this policy. Supabase (Database and Authentication): • Hosts our database and manages user authentication • Receives: email, encrypted password, user profile data, bets, preferences, push tokens • Data location: Cloud infrastructure (US/Canada regions) PostHog (Product Analytics): • Helps us understand how users interact with our app to improve features • Receives: user ID, email, screen views, feature usage events, device type • Data is used solely for our internal product improvement — not shared with other parties • Data location: US (us.i.posthog.com) Sentry (Error and Performance Monitoring): • Captures crash reports and performance issues so we can fix bugs • Receives: user ID, email, crash logs, stack traces, device/OS information, navigation breadcrumbs • Data location: US (sentry.io) Intercom (Customer Support): • Powers our in-app support chat • Receives: user ID, email, name, chat messages, device push tokens for chat notifications • Identity verified via HMAC to prevent impersonation • Data location: US (intercom.io) RevenueCat (Subscription Management): • Manages in-app subscriptions and purchase verification • Receives: user ID, subscription status, purchase history, entitlement checks • Data location: US (api.revenuecat.com) Stripe (Payment Processing — Web): • Processes subscription payments on our web platform • Receives: payment method details, billing address, transaction records • We do not store credit card numbers — Stripe handles all payment data directly • PCI DSS Level 1 certified Vercel (Web Hosting): • Hosts our web platform • Receives: server request logs, IP addresses Apple and Google (In-App Purchases and Authentication): • Process in-app subscription payments via their respective app stores • Provide authentication tokens when you use Apple Sign-In or Google Sign-In • Governed by Apple's and Google's respective privacy policies Expo / EAS (Mobile App Updates): • Delivers over-the-air updates to our mobile application • Receives: device metadata for update targeting (app version, platform) All third-party providers are bound by their respective privacy policies and data processing agreements. We regularly review our providers to ensure they maintain appropriate data protection standards.

We do not sell, rent, or trade your personal information. Beyond the third-party service providers listed in Section 5, we may share your information only in the following circumstances: Legal Requirements: • When required by law, regulation, or legal process • To protect our rights, property, or safety, or the rights, property, or safety of others • To enforce our Terms of Service • In response to lawful requests by public authorities, including law enforcement Business Transfers: • In connection with a merger, acquisition, or sale of assets • Users will be notified via email and/or a prominent notice on our Service of any change in ownership or use of personal information Aggregated Data: • We may share anonymized, aggregated statistics about our users • This data cannot be used to identify individual users We do NOT share your personal or behavioral data with: • Sportsbooks, sportsbook affiliates, or betting operators • Advertising networks or data brokers • Third-party AI or machine learning services for training, profiling, or inference • Any commercial partner for the purposes of marketing, player profiling, behavioral targeting, or wagering influence

MaxxBets does NOT engage in tracking as defined by Apple's App Tracking Transparency (ATT) framework. Specifically, we do not: • Link your data with data from other companies' apps or websites for advertising purposes • Share your data with data brokers • Use the Advertising Identifier (IDFA) for any purpose • Use device fingerprinting to identify you across apps • Share identifiers or personal data with advertising or ad measurement networks Our analytics (PostHog) and error tracking (Sentry) are used solely for our own product improvement and do not constitute cross-app tracking. These services do not use your data to track you across other companies' apps or websites. We use the Identifier for Vendor (IDFV) solely for internal analytics and crash reporting attribution within our own app.

Web Platform: We use cookies and similar technologies on our website: Essential Cookies: • Maintain your login session • Remember your preferences • Enable core platform functionality Analytics Cookies: • Understand how users interact with our platform • Identify popular features and areas for improvement • Measure performance and load times You can control cookies through your browser settings. However, disabling essential cookies may affect your ability to use certain features. We do NOT use: • Third-party advertising cookies • Cross-site tracking cookies • Behavioral advertising networks Mobile Application: Our mobile app uses on-device storage (MMKV) to: • Cache your preferences and filter settings for faster access • Store offline data so the app works without an internet connection • Persist your React Query cache for a smoother experience • Remember your onboarding completion state This data is stored locally on your device and is deleted when you uninstall the app or clear app data.

We implement industry-standard security measures to protect your information: Technical Safeguards: • Encryption of all data in transit (HTTPS/TLS) • Encryption of sensitive data at rest • Secure password hashing (bcrypt) • Certificate pinning on mobile for critical API endpoints (Supabase, PostHog, RevenueCat, Sentry) • HMAC-based identity verification for support chat (Intercom) • Firewall protection and DDoS mitigation • Row Level Security (RLS) policies on our database to prevent unauthorized data access Authentication Security: • JWT-based session authentication with secure token storage • Optional biometric authentication (Face ID / Touch ID) — processed entirely on-device • Secure token management for Apple Sign-In and Google Sign-In Organizational Measures: • Limited employee access to personal data on a need-to-know basis • Regular security training for our team • Incident response and breach notification procedures However, no method of transmission over the Internet is 100% secure. While we strive to protect your personal information, we cannot guarantee absolute security.

You have the following rights regarding your personal data: Access and Portability: • Request a copy of your personal data • Export your betting history and tracked bets • Receive data in a commonly used, machine-readable format Correction: • Update your profile information at any time through your account settings • Request correction of inaccurate personal data Deletion: • Delete your account directly from within the app (Account > Profile > Delete Account) • Upon deletion, we will remove your personal data within 30 days • Some data may be retained beyond 30 days where required by law (see Section 14, Data Retention) • Important: If you have an active subscription through the Apple App Store or Google Play Store, deleting your account does NOT automatically cancel your subscription. You must cancel your subscription separately through your device's subscription management settings (Settings > Apple ID > Subscriptions on iOS, or Google Play Store > Subscriptions on Android) to avoid continued billing. • If you subscribed via our website through Stripe, we will cancel your subscription upon account deletion. Opt-Out: • Unsubscribe from marketing communications (transactional account emails remain active) • Disable push notifications through your device settings • Disable non-essential cookies on our web platform Revoke Consent: • You may revoke your consent to data processing at any time by deleting your account • If you signed in with Apple, we will revoke your Sign in with Apple tokens upon account deletion as required by Apple GDPR Rights (for EU/EEA users): • Right to access, rectify, and erase your data • Right to object to or restrict processing • Right to data portability • Right to withdraw consent at any time • Right to lodge a complaint with your local data protection supervisory authority CCPA/CPRA Rights (for California residents): • Right to know what data we collect and how it is used • Right to request deletion of your data • Right to opt-out of the sale or sharing of personal information (we do not sell or share data for cross-context behavioral advertising) • Right to non-discrimination for exercising your rights PIPEDA Rights (for Canadian residents): • Right to access your personal information • Right to challenge the accuracy and completeness of your data • Right to withdraw consent (subject to legal or contractual restrictions) To exercise any of these rights, contact us at support@maxxbets.ca or use the in-app account management features.

Our Service is strictly intended for adults only. You must be at least 18 years of age (or the legal age for sports betting in your jurisdiction, whichever is higher) to create an account and use MaxxBets. We do not knowingly collect personal information from anyone under the age of 18. We do not target, market to, or design features for minors. Age Verification: • During account creation, users confirm they meet the minimum age requirement • We reserve the right to request proof of age at any time and to suspend or terminate accounts that do not meet age requirements • If we learn that we have collected personal information from a person under 18, we will delete that information immediately If you are a parent or guardian and believe your child has created an account or provided personal information to MaxxBets, please contact us immediately at support@maxxbets.ca and we will promptly delete the account and all associated data.

MaxxBets is an analytics and odds comparison tool — not a gambling platform. We do not accept bets, process wagers, or provide gambling services. However, we recognize that our users may engage in sports betting through licensed sportsbooks, and we are committed to promoting responsible gambling practices: • Our tools are designed to provide data-driven insights, not to encourage excessive gambling • We do not use persuasive design patterns, push notifications, or personalized nudges to encourage users to place bets • We do not profit from the volume or frequency of bets our users place • Users are encouraged to set personal limits and use responsible gambling resources provided by their sportsbooks • If you or someone you know has a gambling problem, we encourage contacting the National Council on Problem Gambling helpline at 1-800-522-4700 or visiting www.ncpgambling.org We comply with all applicable regulations in jurisdictions where our Service is available.

MaxxBets does NOT share your personal data with any third-party artificial intelligence (AI) or machine learning (ML) services for training, inference, profiling, or any other purpose. Our odds comparison algorithms and analytics calculations are performed using deterministic mathematical formulas — they do not use AI/ML models trained on user data. If we introduce any AI or ML features in the future that involve processing personal data, we will: • Update this Privacy Policy before any such feature is launched • Clearly disclose what data is processed and by which service • Obtain your explicit consent before any personal data is shared with third-party AI services This disclosure is made in accordance with Apple's App Store Review Guidelines (Section 5.1.2).

MaxxBets Inc. is incorporated in the State of Delaware, United States. Your information is primarily processed in the United States, where our service providers also operate (see Section 5 for details). If you are accessing our Service from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States, which may have different data protection laws than your country of residence. We take the following measures to ensure your data is protected during international transfers: • EU-US Data Privacy Framework: Where applicable, our US-based service providers participate in or comply with the EU-US Data Privacy Framework for lawful transfers of personal data from the EU/EEA • Standard Contractual Clauses (SCCs): We use SCCs where required for transfers to or from countries without an adequacy determination • Data Processing Agreements: All third-party service providers are bound by data processing agreements that require appropriate data protection measures By using our Service, you acknowledge that your information may be transferred to and processed in the United States as described in this policy.

We retain your personal information for as long as necessary to provide our Service and fulfill the purposes described in this policy. Specific retention periods: • Account data: Retained while your account is active; deleted within 30 days of account deletion • Betting history: Retained while your account is active; deleted within 90 days of account deletion (to allow for reconciliation) • Payment and subscription records: 5 years after last transaction (tax and legal compliance) • Support chat history (Intercom): 3 years • Analytics data (PostHog): 2 years, then anonymized • Crash reports (Sentry): 90 days • Push notification tokens: Deleted immediately upon account deletion or token de-registration • On-device cached data (MMKV): Deleted when you uninstall the app or clear app data After the retention period expires or upon account deletion, your data will be permanently deleted or irreversibly anonymized. Some data may remain in encrypted backups for up to 90 days following deletion but will not be actively used or accessed for any purpose.

We may update this Privacy Policy from time to time. We will notify you of material changes by: • Posting the revised Privacy Policy on our website and within the app • Updating the "Last Updated" date at the top of this policy • Sending an email notification to your registered email address for significant changes • Displaying an in-app notice for material changes that affect your rights We encourage you to review this Privacy Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated policy. If you do not agree with the revised policy, you should discontinue use of the Service and delete your account.

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: Email: support@maxxbets.ca Mail: MaxxBets Inc., Privacy Department, 1111b South Governors Ave, STE 39538, Dover, Delaware 19904, United States For privacy-specific requests (data access, correction, deletion, or portability), we will respond within 30 days. If we need additional time, we will notify you of the reason and expected timeline. If you are not satisfied with our response, you have the right to lodge a complaint with the applicable data protection authority in your jurisdiction, including: • Office of the Privacy Commissioner of Canada (priv.gc.ca) • Your local EU/EEA Data Protection Authority (for GDPR matters) • The California Attorney General's office (for CCPA/CPRA matters)