Effective May 23, 2026 — Version 1.0

Privacy Policy

Open Americas Inc. (“Open Americas,” “we,” “our,” or “us”) is committed to protecting the privacy of everyone who uses our platform. This policy explains what personal information we collect, how we use and share it, how long we keep it, and the rights you have — wherever you are in the Americas.

This policy covers openamericas.com, wholesale.openamericas.com, and logistics.openamericas.com (collectively, the “Platform”). If you are a user located in Mexico, a Spanish-language version of this notice (Aviso de Privacidad) is available upon request at privacy@openamericas.com.

In This Policy

1. Scope 2. Data We Collect 3. Legal Basis for Processing 4. How We Use Your Data 5. Service Providers 6. International Data Transfers 7. Data Retention 8. Your Rights by Jurisdiction 9. Sensitive Personal Information 10. Automated Decisions 11. Cookies & Tracking 12. Security 13. Children 14. Marketing 15. Data Breach Notification 16. Changes to This Policy 17. Contact & Regulators

1. Scope

This policy applies to all users of the Platform — buyers, sellers, trade coordinators, logistics providers, service partners, and API users — in all 12 countries where Open Americas operates: United States, Mexico, Canada, Colombia, Brazil, Peru, Chile, Argentina, Ecuador, Guatemala, Costa Rica, and the Dominican Republic.

This policy does not apply to third-party websites or services that may be linked from the Platform. Open Americas is the data controller for personal data processed through the Platform.

2. Data We Collect

We collect the following categories of personal information:

Account & Identity Data

Full name, email address, hashed password, phone number, country of residence, account role (buyer / seller / service partner / trade coordinator), profile photo, and preferred language.

Business Verification Data (Sellers & Partners)

Company legal name, country of incorporation, business registration number, tax identification number (EIN, RFC, NIT, RUT, CUIT, or equivalent), beneficial ownership information, export/import licenses, and other compliance documents required for KYC.

Identity Verification Data (KYC)

Government-issued identification documents (passport, national ID, driver’s license), photographs, and biometric data (facial scan) collected by our KYC providers for identity verification purposes. See Section 9 for additional protections for this data.

Financial & Payment Data

Billing address, payment card details (processed and stored exclusively by Stripe — we never receive or store card numbers), and bank account or payout account details submitted through Stripe Connect for seller disbursements.

Transaction & Trade Data

Order details, pricing, quantities, product descriptions, shipping and delivery addresses, escrow records, invoices, customs-related information (HS codes, declared values, shipper/consignee data), and dispute history.

Communications Data

Messages exchanged through the in-platform chat system, support tickets, WhatsApp and SMS messages sent via Twilio, and email correspondence with our team.

Usage & Behavioral Data

Pages and features visited, product searches, filters applied, click events, time spent on pages, order history, and preferences you configure within the Platform.

Technical & Device Data

IP address, browser type and version, operating system, device identifiers, session cookie identifier (oa_session), and referring URL.

3. Legal Basis for Processing

Where data protection law requires a legal basis for processing personal data — including under the GDPR, Brazil’s LGPD, Mexico’s LFPDPPP 2025, and similar laws — we process your data on the following bases:

·Performance of a Contract: Processing necessary to create your account, execute transactions, hold escrow, verify KYC, process payments, track shipments, and provide customer support — all services you have requested.

·Legal Obligation: Processing required to comply with applicable law, including anti-money laundering (AML) regulations, OFAC and international sanctions screening, customs and trade reporting, tax record-keeping, and court orders.

·Legitimate Interests: Processing to prevent fraud, unauthorized access, and abuse; maintain platform security; conduct product analytics; improve our services; and manage our business — where these interests are not overridden by your rights and interests.

·Consent: Processing for marketing emails, WhatsApp/SMS marketing messages, and non-essential communications — where you have given explicit, freely withdrawable consent. You may withdraw consent at any time (see Section 14).

4. How We Use Your Data

·Account management: Creating, maintaining, and authenticating your account and sessions.

·Transaction facilitation: Matching buyers with sellers, processing orders, managing escrow, coordinating logistics, and tracking shipments through customs.

·KYC & compliance: Verifying buyer identities (Stripe Identity) and seller/partner business identities (Truora), screening against OFAC, UN, and applicable national sanctions lists, and meeting AML regulatory requirements.

·Payment processing: Initiating, holding, releasing, and disputing escrow payments via Stripe. Issuing seller payouts via Stripe Connect.

·Communications: Sending transactional emails (order confirmations, shipping updates, dispute notifications, password resets) via Resend; real-time in-platform notifications via Pusher; WhatsApp/SMS alerts via Twilio for users who opt in.

·Fraud & risk management: Detecting suspicious transactions, preventing account takeover, blocking fraudulent orders, and maintaining platform integrity.

·Trade compliance: Processing trade data for customs declarations, landed cost calculations (via Zonos), and compliance with import/export regulations.

·Customer support: Responding to inquiries, resolving disputes, and managing support tickets.

·Platform analytics & improvement: Analyzing aggregated usage patterns to improve features, fix bugs, and develop new capabilities.

·Legal compliance: Complying with subpoenas, court orders, regulatory inquiries, and reporting obligations under applicable law.

·Safety & security: Investigating potential policy violations, security incidents, and illegal activity on the Platform.

5. Service Providers

We do not sell your personal data. We share data only with the following service providers, each engaged under data processing agreements that restrict their use of your data to providing services to Open Americas:

Stripe

Payment processing, escrow management, Stripe Connect seller payouts, and buyer identity verification (Stripe Identity). Stripe is a licensed payment processor and money transmitter. Data transferred to US.

Truora

Business KYC and background verification for sellers and service partners, including verification against national registries across Latin America. Data processed in Colombia and the US.

Resend

Transactional and marketing email delivery. Data transferred to US.

Twilio

WhatsApp messaging and SMS notifications for users who opt in. Data transferred to US.

Pusher

Real-time in-platform push notifications and order status updates. Data transferred to US and EU.

Vercel

Application hosting, serverless compute, and edge delivery infrastructure. Data processed in US and global edge locations.

Neon

Serverless PostgreSQL database hosting. Primary data location: US East.

Zonos

Landed cost calculation, HS code classification, and trade duty estimates. Transaction and product data shared to calculate customs charges. Data transferred to US.

Transaction Counterparties: When you transact on the Platform, limited business information (company name, country, contact for order purposes) is shared with your counterparty as necessary to complete the transaction.

Law Enforcement & Regulators: We disclose data when required by valid legal process (subpoena, court order, regulatory demand), or when we believe in good faith that disclosure is necessary to protect our rights, the safety of users, or the public, or to comply with sanctions obligations.

Professional Advisors: Lawyers, accountants, and auditors may access data under confidentiality obligations in the course of providing professional services to Open Americas.

Corporate Transactions: In the event of a merger, acquisition, or sale of substantially all assets, your data may be transferred to the acquiring entity, subject to the same privacy protections.

6. International Data Transfers

Open Americas is incorporated in the United States. Our platform infrastructure is hosted primarily in the United States. By using the Platform, you acknowledge that your personal data will be transferred to and processed in the United States.

When we transfer data internationally, we apply the following protections depending on where you are located:

·European Economic Area, United Kingdom & Switzerland: Transfers are made under Standard Contractual Clauses (SCCs) approved by the European Commission, or UK/Swiss equivalents. We maintain updated SCCs with all sub-processors who may receive EEA personal data.

·Brazil (LGPD): Transfers are made subject to contractual clauses providing an equivalent level of protection to that required under the Lei Geral de Proteção de Dados Pessoais (LGPD, Law No. 13,709/2018), in accordance with Article 33. Affected users may contact us to obtain a copy of applicable transfer mechanisms.

·Mexico (LFPDPPP 2025): Cross-border data transfers comply with Chapter V of Mexico's Federal Law on Protection of Personal Data Held by Private Parties (as amended effective March 21, 2025). International transfers are made under consent, contractual necessity, or contractual clauses ensuring equivalent protection. The SABG (Secretaría Anticorrupción y Buen Gobierno) is the supervisory authority.

·Canada (PIPEDA): Transfers comply with PIPEDA and applicable provincial privacy laws. Our contracts with sub-processors require equivalent protection. Canadian users may obtain information about our cross-border transfer practices by contacting us.

·Colombia (Ley 1581 de 2012): Transfers comply with Colombia's data protection law. Data transferred outside Colombia is protected by contractual clauses approved by the Superintendencia de Industria y Comercio (SIC).

·Chile (Ley 21719): Transfers are made in compliance with Chile's new data protection law effective 2026, under appropriate contractual safeguards.

·Other Americas Countries: We apply contractual safeguards consistent with international standards for cross-border transfers, including applicable data protection requirements of Argentina (Ley 25326), Peru (Ley 29733), Ecuador, Guatemala, Costa Rica, and the Dominican Republic.

Note: USMCA Article 19.11 prohibits data localization requirements for digital trade services between the US, Mexico, and Canada. Our cross-border data flows within North America are consistent with this framework.

7. Data Retention

We retain personal data for as long as necessary to fulfill the purposes described in this policy, or as required by applicable law. Our retention periods are:

Category	Retention Period
Account & profile data	Duration of account + 90 days after account closure
KYC / identity verification documents	5 years after account closure (AML regulatory requirements across jurisdictions)
Financial records (transactions, escrow, invoices, payouts)	7 years (US tax code, Mexico SAT, DIAN Colombia, Receita Federal Brazil, and equivalent authorities)
Dispute records	7 years (legal claim periods)
Platform communications (chat, support tickets)	3 years
Customs & trade documentation	5 years (US CBP, ANAM Mexico, and equivalent customs authorities)
Usage & analytics data (identifiable)	90 days, then anonymized
Usage & analytics data (anonymized)	2 years
Marketing consent records	3 years after opt-out or account closure
Security logs (IP, session)	90 days

We may retain data longer when required by a legal hold, ongoing litigation, regulatory investigation, or other legal obligation. When we no longer need data, we securely delete or anonymize it.

8. Your Rights by Jurisdiction

Your privacy rights depend on your location. Below we describe the rights available to you under applicable law. To exercise any right, contact us at privacy@openamericas.com. We will respond within 30 days (or the timeframe required by applicable law).

8a. All Users — Universal Rights

·Access: Request a copy of the personal data we hold about you.

·Correction / Rectification: Request correction of inaccurate or incomplete personal data. Many corrections can be made directly in your account settings.

·Restriction: Request that we restrict processing of your data in certain circumstances (e.g., while accuracy is disputed).

·Portability: Receive a copy of certain data you provided to us in a structured, machine-readable format.

·Complaint: Lodge a complaint with the relevant data protection authority in your country (see Section 17).

8b. California Residents (CCPA / CPRA)

California residents have the following rights under the California Consumer Privacy Act (as amended by the CPRA):

·Right to Know: Request disclosure of the categories of personal information collected, sources, purposes, and third parties to whom it has been disclosed in the past 12 months.

·Right to Delete: Request deletion of personal information we have collected, subject to legal exceptions.

·Right to Correct: Request correction of inaccurate personal information.

·Right to Opt-Out of Sale or Sharing: Open Americas does not sell personal information and does not share personal information for cross-context behavioral advertising. You do not need to opt out.

·Right to Limit Use of Sensitive Personal Information: Request that we limit the use of sensitive personal information to purposes specified by the CPRA. We only use sensitive personal information for the disclosed purposes of KYC, fraud prevention, and legal compliance.

·Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

Submit requests via email to privacy@openamericas.com. We will verify your identity before processing. Authorized agents may submit requests with written proof of authorization.

8c. Mexican Users — ARCO Rights (LFPDPPP 2025)

Under Mexico’s Federal Law on Protection of Personal Data Held by Private Parties (as amended effective March 21, 2025), you have the following ARCO rights:

·Acceso (Access): Solicitar acceso a los datos personales que tenemos sobre usted y conocer el tratamiento que se da a los mismos.

·Rectificación (Rectification): Solicitar la corrección de sus datos personales cuando sean inexactos o incompletos.

·Cancelación (Cancellation / Deletion): Solicitar la cancelación de sus datos personales cuando considere que no son necesarios para los fines del tratamiento, estén siendo utilizados para finalidades no consentidas, o el tratamiento esté dando lugar a daños o perjuicios.

·Oposición (Opposition): Oponerse al tratamiento de sus datos personales para fines específicos cuando existan causas legítimas para ello.

Envíe sus solicitudes ARCO a privacy@openamericas.com. Responderemos dentro de los 20 días hábiles siguientes a la recepción de su solicitud. Tiene derecho a presentar una queja ante la SABG (Secretaría Anticorrupción y Buen Gobierno) si considera que su solicitud no fue atendida correctamente.

8d. Brazilian Users (LGPD — Lei 13.709/2018)

Under Brazil’s General Data Protection Law, you have the right to:

·Confirmation of whether we process your data

·Access to your data

·Correction of incomplete, inaccurate, or outdated data

·Anonymization, blocking, or deletion of unnecessary or excessive data or data processed in non-compliance with the LGPD

·Portability of data to another service provider

·Information about entities with which we have shared your data

·Information about the possibility of not providing consent and the consequences

·Withdrawal of consent

·Review of automated decisions

Submit requests to privacy@openamericas.com. You may also file a complaint with the ANPD (Autoridade Nacional de Proteção de Dados) at gov.br/anpd.

8e. Canadian Users (PIPEDA)

Under the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws (Quebec Law 25, PIPA Alberta/BC), you have the right to access personal information we hold about you, challenge its accuracy, withdraw consent for processing where consent is the legal basis, and file a complaint with the Office of the Privacy Commissioner (OPC) at priv.gc.ca.

Canadian users also have rights under CASL regarding commercial electronic messages — see Section 14.

8f. Other Latin American Users

Users in Colombia, Chile, Argentina, Peru, Ecuador, Guatemala, Costa Rica, and the Dominican Republic have rights under their respective national data protection laws, including rights of habeas data (access, correction, deletion, and opposition). To exercise these rights, contact privacy@openamericas.com. The relevant supervisory authorities are: Colombia — SIC (Superintendencia de Industria y Comercio); Chile — Agencia de Protección de Datos Personales; Argentina — AAIP (Agencia de Acceso a la Información Pública); Peru — ANPD (Autoridad Nacional de Protección de Datos Personales).

8g. EEA, UK, and Swiss Users (GDPR / UK GDPR / Swiss nFADP)

While the Platform is focused on the Americas, users in the EEA, UK, or Switzerland who access the Platform have additional rights under the GDPR (or equivalent): right to erasure (“right to be forgotten”), right to object to processing based on legitimate interests, and right not to be subject to solely automated decisions with significant legal effects. You may file a complaint with your local supervisory authority (e.g., the ICO in the UK at ico.org.uk).

9. Sensitive Personal Information

To comply with KYC and AML requirements, we collect certain categories of sensitive personal information:

·Government-issued identification numbers (passport, national ID, RFC, CURP, NIT, CUIT, CPF, or equivalent)
·Biometric data — specifically, facial scan data processed by Stripe Identity for buyer identity verification
·Financial account information (bank account and routing numbers for seller payouts via Stripe Connect)
·Business ownership structures and beneficial ownership information

We apply the following heightened protections to sensitive data:

·We collect biometric data only for the purpose of identity verification — we do not use it to track, profile, or market to you
·Biometric data is processed by Stripe under its own privacy controls and is not stored on Open Americas' servers
·Sensitive data is accessible only by personnel with a legitimate business need
·We never sell or share sensitive personal information with third parties for their own marketing purposes
·California users: we limit our use of sensitive personal information to the purposes specified in this policy, consistent with the CPRA

10. Automated Decision-Making

We use automated systems to assist with two types of decisions that may significantly affect you:

·Fraud risk scoring: Automated signals may flag transactions or accounts for additional review. Flagged cases are reviewed by a human team member before any account restriction is applied.

·KYC verification: Stripe Identity and Truora use automated processes to verify identity documents and business registrations. These systems may generate a pass, fail, or review result. Adverse outcomes are subject to human review upon request.

If you believe an automated decision has significantly and adversely affected you, you have the right to request human review. Contact privacy@openamericas.comwith the subject line “Automated Decision Review Request.”

11. Cookies & Tracking Technologies

We use a minimal set of cookies to operate the Platform:

Cookie	Type	Purpose
oa_session	Essential	Maintains your authenticated session. Required to use the Platform. Session token is SHA-256 hashed before storage.
Stripe cookies	Functional	Set by Stripe on payment pages for fraud detection and payment processing. Governed by Stripe’s privacy policy.

We do not use advertising cookies, cross-site tracking pixels, third-party analytics (e.g., Google Analytics), or any non-essential tracking technology. If we introduce any in the future, we will update this policy and provide appropriate consent mechanisms.

12. Security

We implement technical and organizational security measures appropriate to the risk, including:

·TLS encryption for all data in transit
·SHA-256 hashing of session tokens stored in the database
·Role-based access controls — each user type sees only the data relevant to their role
·Webhook signature verification on all inbound payment and KYC webhooks
·Parameterized database queries to prevent SQL injection
·Dependency monitoring and regular security reviews

While we take security seriously, no system is completely secure. We cannot guarantee that your information will not be accessed, disclosed, altered, or destroyed. If you discover a potential security vulnerability, please report it to security@openamericas.com.

13. Children

The Platform is intended solely for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under 18. In compliance with the Children’s Online Privacy Protection Act (COPPA) and equivalent laws in other jurisdictions, if we learn that we have collected personal information from a person under 18 without verified parental consent, we will promptly delete that information. If you believe a minor has registered on our Platform, please contact privacy@openamericas.com immediately.

14. Marketing Communications

We will only send you marketing communications if you have opted in. We comply with the following frameworks:

·Email (CAN-SPAM, US): Every marketing email includes a clearly visible unsubscribe link and our physical mailing address. You can unsubscribe at any time. Opt-out requests are processed within 10 business days.

·Email (CASL, Canada): We obtain your express consent before sending commercial electronic messages to Canadian users. Consent is documented and may be revoked at any time.

·WhatsApp & SMS (Twilio): We only send WhatsApp or SMS messages to users who have explicitly opted in. Reply STOP at any time to unsubscribe. Standard carrier message rates may apply.

·Mexico: We honor PROFECO and LFPDPPP 2025 requirements for commercial communications. You may opt out at any time.

We do not share your contact information with third-party marketers. To manage your communication preferences, visit your account settings or email privacy@openamericas.com.

15. Data Breach Notification

We maintain a breach response plan. In the event of a personal data breach, we will:

·Notify affected users promptly — within the timeframe required by applicable law, and no later than 72 hours after discovery where feasible
·Notify the relevant supervisory authorities within the required timeframes: GDPR (72 hours to supervisory authority); LGPD Brazil (72 hours to ANPD and affected users); LFPDPPP Mexico (notification to SABG and affected users); CCPA (expedient notice); PIPEDA (notification to OPC when there is real risk of significant harm)
·Describe in the notification: the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address the breach
·Cooperate fully with any regulatory investigation

To report a potential security incident or data breach, contact security@openamericas.com.

16. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes — those that significantly affect how we use your data or your rights — we will provide at least 30 days’ notice via email and a prominent notice on the Platform before the changes take effect. For non-material clarifications, we will update the policy and revise the “Effective” date at the top. Continued use of the Platform after the notice period constitutes your acceptance of the updated policy. We encourage you to review this page periodically.

17. Contact & Regulatory Authorities

For privacy questions, data subject requests, or concerns about how we handle your personal data:

Open Americas Inc.

Incorporated in Delaware, United States of America

Privacy: privacy@openamericas.com

Legal: legal@openamericas.com

Security: security@openamericas.com

We aim to respond to all requests within 30 days. Some jurisdictions allow up to 45 days with extension.

Data Protection Supervisory Authorities

·US (California): California Privacy Protection Agency (CPPA) — cppa.ca.gov

·Mexico: Secretaría Anticorrupción y Buen Gobierno (SABG) — gob.mx/sabg

·Brazil: Autoridade Nacional de Proteção de Dados (ANPD) — gov.br/anpd

·Canada: Office of the Privacy Commissioner (OPC) — priv.gc.ca

·Colombia: Superintendencia de Industria y Comercio (SIC) — sic.gov.co

·Chile: Agencia de Protección de Datos Personales

·Argentina: Agencia de Acceso a la Información Pública (AAIP) — argentina.gob.ar/aaip

·Peru: Autoridad Nacional de Protección de Datos Personales (ANPD) — minjus.gob.pe

·EU / EEA: Your local Data Protection Authority (find yours at edpb.europa.eu)

·UK: Information Commissioner's Office (ICO) — ico.org.uk

Effective May 23, 2026 — Open Americas Inc., Delaware, USA — Version 1.0