ONBOARDING PORTAL PRIVACY ADDENDUM

Effective Date: April 22, 2026

Applies to: The Lobster Ferret Onboarding Portal at onboard.lobsterferret.com

This Addendum supplements the Lobster Ferret Privacy Policy at https://lobsterferret.com/privacy-policy and describes specifically how Lobster Ferret ("we," "us," or "our") handles information when our clients ("you") use the Onboarding Portal ("Portal") to grant us access to third-party platforms as part of our digital marketing services.

In the event of a conflict between this Addendum and the main Privacy Policy, this Addendum controls with respect to the Portal.

1. WHAT THE PORTAL DOES

The Portal is a secure web application that allows Lobster Ferret clients to:

• Submit business information required to begin our services

• Grant Lobster Ferret access to platforms including Google Ads, Google Analytics 4, Google Search Console, Google Tag Manager, Google Business Profile, Google Drive, Meta (Facebook) Pages and Ad Accounts, and other third-party platforms as needed to perform our services

• Upload brand assets (logos, photos, brand guidelines)

• Track the status of their onboarding process

2. INFORMATION WE COLLECT THROUGH THE PORTAL

a. Business and Contact Information

When you complete the onboarding intake form, we collect information including:

• Legal business name, DBA, business address, and year founded

• Primary, billing, and operational contact names, emails, and phone numbers

• Services you offer, service areas, business hours, and operational details

• Existing platform URLs (website, social profiles)

• Competitors, unique selling points, and marketing context you choose to share

b. Platform Authorization Credentials

When you authorize Lobster Ferret to access a third-party platform through the Portal, we receive and store:

• OAuth access tokens and refresh tokens issued by the platform provider (Google, Meta, etc.)

• Platform-specific account identifiers (such as Google Ads Customer ID, GA4 Property ID, Facebook Page ID)

• The specific scopes and permission levels you granted us

• Metadata returned by the platform at the time of authorization (such as authorizing user email, account name)

We do NOT receive your passwords for any third-party platform. The OAuth protocol used by Google, Meta, and other platforms allows you to grant us delegated access without sharing your credentials.

c. Brand Assets and Uploaded Files

Files you upload through the Portal (logos, photos, brand documents) are streamed directly to a Google Drive folder controlled by Lobster Ferret and dedicated to your business. We do not maintain a separate copy.

d. Portal Activity Data

We log your interactions with the Portal, including:

• Which checklist items you completed and when

• Which OAuth authorizations were granted and when

• IP address and browser information used during authentication, for security and audit purposes

3. HOW WE USE THIS INFORMATION

We use the information we collect through the Portal to:

• Perform the digital marketing services you engaged us for (campaign management, SEO, analytics, reporting, etc.)

• Access your authorized third-party accounts on your behalf, strictly within the scopes you granted

• Communicate with you about your account, service progress, and deliverables

• Maintain audit logs for security, compliance, and troubleshooting

• Improve the reliability and functionality of the Portal

We do NOT use information collected through the Portal to:

• Train artificial intelligence or machine learning models

• Sell, rent, or trade your information to third parties

• Market unrelated products or services to your customers

• Access any data outside the scopes you explicitly authorized

4. GOOGLE API SERVICES USER DATA POLICY

Lobster Ferret's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements.

Specifically, we affirm the following with respect to data obtained from Google APIs:

• We use the data only to provide or improve user-facing features of our services that are prominent in the requesting application

• We do not transfer the data to others unless doing so is necessary to provide or improve user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users

• We do not use the data for serving advertisements, including retargeting, personalized advertising, or interest-based advertising

• We do not allow humans to read the data unless we have your explicit consent, it is necessary for security purposes, to comply with applicable law, or the data has been aggregated and anonymized and is used for internal operations

5. HOW WE SHARE INFORMATION

We do not sell your information. We share it only in the limited circumstances described below.

a. Cloud Infrastructure Providers

The Portal is operated with the help of cloud infrastructure and service providers that host our application, database, email delivery, analytics, and error monitoring. These providers have access to your information only to the extent necessary to perform services for us and are contractually bound to protect your information.

A current list of our sub-processors is available on request by emailing info@lobsterferret.com.

b. Platform Providers

When you grant platform access through the Portal, information flows between your platform account (Google, Meta, etc.) and Lobster Ferret as authorized by you. Each platform's own privacy policy governs how that platform handles the relevant data.

c. Legal Requirements

We may disclose information when required by law, valid legal process, or to protect the rights, property, or safety of Lobster Ferret, our clients, or the public.

d. Business Transfers

In the event of a merger, acquisition, or sale of Lobster Ferret's assets, information may be transferred to the successor entity, subject to the protections described in this Addendum.

6. DATA SECURITY

We take commercially reasonable measures to protect information in the Portal, including:

• Encryption of OAuth tokens and sensitive fields at rest using industry-standard AES-256-GCM encryption

• Encryption of all data in transit using TLS

• Role-based access controls limiting team access to client data on a need-to-know basis

• Audit logging of all material actions

• Regular review of access and permissions

No security measure is perfect. If we become aware of a breach affecting your information, we will notify you in accordance with applicable law.

7. DATA RETENTION

We retain information collected through the Portal for the duration of your engagement with Lobster Ferret and for two (2) years following the conclusion of that engagement (the "Retention Period"). This period allows us to:

• Support re-engagement if you return as a client

• Respond to post-engagement requests (such as transitioning campaigns to a new agency)

• Meet our tax, accounting, and legal record-keeping obligations

After the Retention Period, we delete or anonymize information we no longer have a legitimate business reason to retain. Some information may be retained longer if required by law.

You may request earlier deletion under Section 8.

8. YOUR RIGHTS AND CHOICES

a. Revoking Platform Access

You may revoke Lobster Ferret's access to any third-party platform at any time by:

• Removing our account as a user/manager within that platform's settings, or

• Emailing us at info@lobsterferret.com to request revocation

Revocation takes effect immediately on the platform; it may take up to 30 days for us to purge associated stored tokens.

b. Accessing and Correcting Information

You may request a copy of information we hold about you, or request corrections, by emailing info@lobsterferret.com.

c. Deletion

You may request deletion of your information before the end of the Retention Period by emailing info@lobsterferret.com. We will honor such requests unless we have a legal obligation or legitimate business reason to retain the information, in which case we will explain the reason.

d. Do Not Sell

Lobster Ferret does not sell personal information. No opt-out is necessary.

9. INTERNATIONAL USERS

The Portal is operated from the United States. If you access the Portal from outside the United States, your information will be transferred to and processed in the United States, which may have different data protection laws than your country. By using the Portal, you consent to this transfer.

10. CHILDREN'S PRIVACY

The Portal is designed for business clients. We do not knowingly collect information from anyone under 18. If you believe we have collected information from a minor, please contact us and we will delete it.

11. CHANGES TO THIS ADDENDUM

We may update this Addendum from time to time. We will post the updated Addendum at this URL and update the "Effective Date" at the top. For material changes, we will notify active clients by email.

12. CONTACT US

For questions about this Addendum or the Portal's privacy practices:

Lobster Ferret

633 W. Davis St. #283

Dallas, TX 75208

Email: info@lobsterferret.com

Phone: (214) 810-2124