Privacy Policy

1. Overview

This Privacy Policy details how CastleHill gathers, uses, discloses, and manages customer, business partner, and visitor data.

1.1 Purpose
CastleHill Managed Risk Solutions LLC (“CastleHill”, “we” or “us”) respects the privacy of its customers, business partners and visitors to its Website (as defined below). The CastleHill Privacy Policy (the “Policy”) describes the information that we collect, how we obtain the information, and how we may use or disclose that information. This Policy also describes the measures we take to protect the security of the information and how individuals can contact us about our privacy practices.

2. Scope

This Policy only covers our privacy practices with respect to the collection, use, and disclosure of information obtained through the CastleHill website at www.castlehillrisk.com and in connection with the use of our hosted software applications (the “Subscription Service”) and related support services (“Support Services”), as well as professional services, training and certification (the “Professional Services”) that we provide to Customers. In this Policy, the Subscription Service, Support Services and the Professional Services are collectively referred to as the “Service.”

For the purposes of this Policy:

“Customer” means any entity that purchases the Service.

“Customer Data” means the electronic data uploaded into the Subscription Service by or for Customer or its authorized users.

“Visitor” means a visitor of the Website.

3. Website

3.1 How We Obtain Information
As further described below, we collect several types of information from and about our Visitors.

3.1.1 Information You Provide Us

      • When filling out forms on our Website we collect personal information, including without limitation, name, mailing address, email address and telephone
      • When you post material to our Website, participate in bulletin boards, chat rooms, blogs, comment threads, forums or other interactive features of our Website, register, or request further information or services from
      • When you enter a contest or promotion we
      • When you report a problem with our
      • When you contact
      • When you complete our
      • Other information you may submit to us related to your use of our Website.

3.1.2 Information from Third-Parties
CastleHill may collect and use information we receive from third parties in connection with your use of the Website. For instance, CastleHill uses a third party for reporting and analytics to measure the effectiveness of our Website and marketing efforts, and to identify areas for improvement.

3.1.3 Information We Collect as You Navigate Our Website
As you navigate through the Website, we may also collect details about your visits to our Website including, but not limited to, your IP address, usage patterns, traffic data, location data, logs and other communication data and the resources that you access, as well as information about your computer and internet connection, including your operating system and browser type.

3.1.4 Cookies and Other Forms of Automated Collection
We use “cookies” to help us improve our Website. A cookie is a small file stored on the hard drive of your computer. We may use cookies to obtain information about your general Internet usage and to:

      • Estimate our audience size and usage patterns;
      • Store information about your preferences, allowing us to customize our Website;
      • Speed up your searches;
      • Authenticate your access to various areas of our Website;
      • Recognize you when you return to our Website;
      • Track when you respond to surveys.

CastleHill’s third parties may use JavaScript to collect IP addresses from our Visitors and our hosting provider may also collect server logs. Information gathered through these automated means may be associated with the personal information you previously submitted on our Website.

3.2 How We Use Information Collected
We may use information that we collect about Visitors for the following purposes:

      • To present our Website and its contents in a suitable and effective manner for you and for your computer;
      • To diagnose and resolve technical problems with our Website;
      • To improve our Website;
      • To provide you with information, products or services that you request from us;
      • To carry out our obligations and enforce our rights arising from any contracts entered into between you and us, including without limitation, our Website Terms of Use;
      • To notify you about changes to our Website or obtain any required consent;
      • To allow you to participate in interactive features of our Website, when you choose to do so;
      • For industry analysis, benchmarking, analytics, marketing, and other business purposes;
      • To track your browsing behavior, such as the pages you visited over time.

If you ask us to contact you about goods and services that may be of interest to you, we may use your personal information or permit selected third parties to use your personal information to provide you with such services. Visitors may withdraw consent at a later time by clicking on the “unsubscribe” link located in the emails sent by CastleHill. For more information, see Communication Preferences and Choices below.

3.3 How We Share Information Collected
We may share information that we collect about Visitors with:

      • Our subsidiaries and affiliates;
      • Contractors, business partners and service providers we use to support our business or who provide services on our behalf;
      • In the event of merger, acquisition, or any form of sale or transfer of some or all of our assets (including in the event of a reorganization, dissolution or liquidation), in which case personal information held by us about our Visitors will be among the assets transferred to the buyer or acquirer.

We may also disclose your personal information to third-parties to:

      • Comply with any court or other legal obligation;
      • Enforce or apply our Website Terms of Use or terms of any other agreement;
      • Protect the rights, property, or safety of CastleHill or others.

We do not sell, rent, or trade information collected through the Website with third-parties for their promotional purposes.

3.4 International Transfer of Data
CastleHill may store and process any information collected in connection with the Website in any country where we have facilities or in which we engage service providers. By using our Website, you consent to the collection, storage, transfer and processing of information outside of your country of residence, including in the United States. When we process personal data received from the EU, UK, or Switzerland, the EU‑U.S. Data Privacy Framework Principles govern our handling of that data. In the event of any conflict between this Policy and the DPF Principles, the Principles prevail.

3.5 Communication Preferences and Choices
We provide certain choices regarding the information Visitors provide to us. We have created mechanisms to provide you with the following control over your information when using our Website. If you do not wish to have your e-mail address used for promotional purposes by CastleHill, you may withdraw consent at a later time by clicking on the “unsubscribe” link located in the emails sent by CastleHill.

CastleHill complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, as set forth by the U.S. Department of Commerce. We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, CastleHill commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

Our firm may process personal data on behalf of clients, employees, vendors, and other stakeholders in order to deliver risk‑assessment, mitigation, and advisory services. We are a self‑certified participant in the EU‑U.S. Data Privacy Framework (DPF) and therefore bind ourselves to the framework’s core and supplemental principles, the FTC’s enforcement authority, and the DPF‑mandated dispute‑resolution mechanisms. CastleHill acknowledges that, as a DPF participant, it is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). We will cooperate fully with any FTC inquiry, and violations of the DPF Principles may lead to enforcement actions, including civil penalties, under the FTC Act.

Choice – Sensitive Information

Opt‑in for Sensitive Information – Before we collect any data classified as “sensitive” (health, biometric, financial, or other protected categories), we obtain a clear affirmative consent (opt‑in) from the individual. The consent request explains the specific purpose, retention period, and any downstream sharing. Individuals may manage or withdraw each consent at any time by emailing privacy@castlehillrisk.com; revocation will be effected within five (5) business days and will halt further processing of the withdrawn data, except where retention is required by law.

Opt‑out Options – For non‑essential disclosures (e.g., sharing risk‑assessment summaries with third‑party service providers for ancillary services) individuals may opt‑out at any time by contacting privacy@castlehillrisk.com.

Right to Invoke Arbitration – An individual may invoke binding arbitration to resolve “residual” claims (claims that remain unremedied after other DPF recourse steps). To do so, the individual must:

      • Follow the pre‑arbitration requirements outlined in Annex I (e.g., filing a claim with the International Centre for Dispute Resolution‑American Arbitration Association – ICDR‑AAA); and
      • Meet any additional conditions set forth in Annex I (such as fee contributions).

To initiate arbitration, an individual must provide written notice of intent within 30 days of the alleged violation. The notice must be sent to the Privacy Officer at privacy@castlehillrisk.com and must include a concise description of the claim. Prior to arbitration, the individual must first utilize the free, independent recourse mechanism provided by the International Centre for Dispute Resolution‑American Arbitration Association (ICDR‑AAA). If the dispute remains unresolved after that step, the parties will proceed to binding arbitration administered by the ICDR‑AAA in accordance with Annex I of the DPF Principles. The FTC‑administered arbitration fund will cover the organization’s portion of the arbitration costs, and the award will be final and binding on both parties, with each side bearing its own attorney’s fees unless otherwise ordered by the arbitrator.

Our Obligation – Upon receipt of a valid notice, we are obligated to arbitrate the claim in accordance with the terms of Annex I and will bear the portion of costs stipulated for the organization (the FTC‑administered arbitration fund).

Outcome – The arbitrator may issue remedial orders (e.g., corrective actions, monetary awards), but no damages, costs, or attorney’s fees are awarded beyond the statutory limits; each party bears its own attorney’s fees.

Contractual Safeguards – Whenever we transfer personal data received under the DPF to a third‑party processor or sub‑processor, we must enter into a contractual agreement that:

      • Mirrors the DPF core principles (notice, choice, security, etc.) for the onward recipient;
      • Requires the onward recipient to provide the same level of protection as we are obligated to provide; and
      • Includes liability clauses holding us accountable for any breach caused by the onward recipient’s failure to meet those standards.

Each onward‑transfer agreement includes a DPF‑compliant Data Processing Addendum that obligates the third‑party processor to uphold all seven core DPF principles and the relevant supplemental principles, including security, choice, and access. Prior to entering into any such contract, we perform due‑diligence verification of the processor’s DPF certification status and retain documentation of that verification. Should a downstream breach occur because the processor failed to meet these obligations,

Organizational Liability – Our firm remains liable for any violations arising from onward transfers, even if the breach originates with a third party, unless we can demonstrate that we exercised reasonable due diligence and the third party complied with the contractual obligations. This aligns with the DPF’s Obligatory Contracts for Onward Transfers requirement.

Personal data is retained only as long as necessary to fulfill the purpose, comply with legal obligations, or as otherwise required by contract.

Upon a valid request, we delete or anonymize data promptly, except where retention is mandated by law (e.g., tax or financial‑recordkeeping).

3.5.1. Cookies
Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to our Website. You may refuse to accept cookies by activating the appropriate setting on your browser. You may also set your browser to alert you when cookies are being sent. However, if you do so, please note that some parts of our Website may then be inaccessible or function improperly.

3.5.2. Do Not Track
While CastleHill attempts to honor Do Not Track (“DNT”) instructions we receive from a Visitor’s browser, we cannot guarantee that CastleHill will always respond to such signals, in part because of the lack of a common industry standard for DNT technology. We continue to monitor developments in DNT technology and stay apprised of DNT industry standards as they evolve.

3.5.3. Choice
You should review this Policy carefully, because if you do not agree with our practices, your ultimate choice is not to use the Website. Remember, by using any part of our Website, you accept and agree to our privacy practices.

3.6 Accessing and Correcting Your Personal Information
You may send us an e-mail at privacy@castlehillrisk.com to request access to, correct or delete any personal information that you have provided to us in connection with the Website. We will use reasonable efforts to respond to such requests for correction or updates to personal information.

4. Services

4.1 How We Obtain Information
As described below, we collect several types of information from and about our Customers, including:

      • General information, including a Customer’s company name and address and the Customer’s representative’s contact information (“General Information”) for billing and contracting purposes;
      • Information and correspondence, you submit to us in connection with Professional Services or other requests related to our Service;
      • Information we receive from our business partners in connection with your use of the Service or in connection with services provided by our business partners on your behalf, including configuration of the Subscription Service;
      • Quantitative data derived from your use of the Subscription Service, for example and without limitation, the number of active roles within a Customer’s instance. All data collected, used, and disclosed will be in aggregate form only and will not identify Customer or its users;
      • Server logs in support of the Subscription Service.

4.1.1. Cookies
When you use the Subscription Service, we use cookies to:

      • Track session state in the Subscription
      • Authenticate your access to the Subscription
      • Recognize you when you return to the Subscription

4.2 How We Share Information Collected
We do not share, sell, rent or trade information collected through the Service with third parties for their promotional purposes.

We may also disclose your personal information to third parties to:

      • Comply with any court order or other legal obligation;
      • Enforce or apply the terms of the definitive agreement between Customer and CastleHill pursuant to which the Customer purchased access to the Subscription Service (the “Customer Agreement”);
      • Protect the rights, property, or safety of CastleHill, our Customers, or others.

In the event of a merger, acquisition, or any form of sale or transfer of some or all of our assets (including in the event of a reorganization, dissolution or liquidation), personal information held by us about our Customers will be among the assets transferred to the buyer or acquirer.

4.3 Collected Data Use
We may use Collected Data to provide a Service, including updating and maintaining Subscription Services, providing Support and providing Professional Services. Notwithstanding anything else to the contrary in this Policy, we will not use, disclose, review, share, distribute, transfer or reference any Collected Data, except as permitted in applicable Agreements or as required by law.

For additional information referencing Information Handling, reference the CastleHill Information Handling Policy. The CastleHill Information Handling Policy specifies how data collected or provided is classified and identifies the criteria for use or release.

5. General

5.1.1. Security Statement
We maintain administrative, organizational, technical and physical safeguards designed to protect the personal information obtained through the Website and in connection with the Service against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use.

5.1.2. Third-Party Websites and Applications
This Website may link to websites that are not owned or controlled by CastleHill. As such, this Policy does not apply to information collected on any third-party site or by any third-party application that may link to or be accessible from the Website. In addition, Customers and other third parties, including consultants, may develop applications or provide services to you or other third parties using our Service. This Policy does not apply to information collected by Customers, third parties or third-party applications or services, even if this information is collected using our Website or Service. This Policy also does not cover the use or disclosure of any information stored in the Subscription Service when hosted by the Customer.

5.1.3. Changes to Our Privacy Policy
CastleHill reserves the right to update or change this Policy from time to time. If we make material changes to this Policy, we will notify you through an appropriate online notice (and obtain your consent where required by applicable law). Your continued use of the Website or Service is deemed to be acceptance of any updates or changes we make to this Policy and as such, we ask that you review the Policy periodically for any updates or changes that we may have made.

5.1.4. Contact Information
To ask questions or comment about this Policy and our privacy practices, or if you need to update, change, or remove your information, contact us at privacy@castlehillrisk.com or:

      CastleHill Managed Risk Solutions
      Attn: Privacy Officer
      105 State Route 101a
      Unit 21
      Amherst NH 03031