1. OBJECTIVE
The purpose of this Privacy Policy is to establish the guidelines that Sotrux LLC, its employees, contractors, and collaborators must follow for the adequate protection of personal data collected during its business activities. This policy is designed to comply with applicable U.S. federal law and the privacy laws of every state in which Sotrux Auto operates or collects data from residents, including but not limited to:
- Federal Trade Commission Act (FTC Act)—unfair or deceptive acts in commerce
- CAN-SPAM Act—commercial email communications
- Telephone Consumer Protection Act (TCPA) -- automated SMS and calls
- Children's Online Privacy Protection Act (COPPA)—data from minors under 13
- Florida Information Protection Act (FIPA)—data breach notification for Florida residents
- California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA) -- rights of California residents
- Texas Data Privacy and Security Act (TDPSA)—rights of Texas residents (effective July 1, 2024)
- Meta Platforms' Data Use Policy—applicable to Lead Ads on Facebook and Instagram
Sotrux Auto is fully committed to transparent, responsible, and lawful data practices.
2. SCOPE
This policy applies to all personal information registered in the databases and systems of Sotrux LLC, which acts as the data controller. It governs data collected from residents of any U.S. state through the following channels:
- Company website and landing pages (sotrux.com/privacy and related domains)
- Meta (Facebook and Instagram) Lead Ad Forms
- Automated SMS communications via registered A2P 10DLC campaigns
- Email marketing and follow-up communications
- WhatsApp Business communications
- Cloud-based data storage and CRM platforms (e.g., Google Sheets, N8N, Make)
- Any other digital or physical form used to collect consumer data in connection with Sotrux Auto's services
This policy is mandatory for all employees, contractors, and service providers with access to personal data collected by Sotrux Auto, regardless of the state or platform through which data is collected.
3. DEFINITIONS
- Consent / Authorization: Prior, express, and informed consent of the data subject for data processing.
- Personal Data / Personal Information: Any information that identifies or could reasonably be linked to an individual.
- Data Controller: The entity that determines the purposes and means of processing personal data (Sotrux LLC).
- Data Processor: A third party that processes data on behalf of the data controller.
- Data Subject / Consumer: The natural person whose personal information is being collected or processed.
- Processing: Any operation on personal data, including collection, storage, use, sharing, transfer, or deletion.
- Lead: A prospective customer who submits personal information through a Sotrux Auto advertising or digital channel.
- Lead Form: An online form—including Meta Lead Ad Forms—used to collect consumer contact and qualification data.
- A2P 10DLC: Application-to-Person 10-Digit Long Code—a registered business SMS channel compliant with FCC and carrier rules.
- Sensitive Personal Information: Data revealing financial account details, precise geolocation, or other categories defined under CCPA/CPRA.
- Opt-Out / Opt-In: A consumer's right to decline (opt-out) or expressly consent (opt-in) to specific data uses or communications.
4. DATA CONTROLLER
The entity responsible for the processing of personal data collected through all Sotrux Auto channels is:
Sotrux LLC
State of Incorporation: Florida, United States of America
Primary Service Area: Florida, California, Texas, and other U.S. states
Website: www.sotrux.com
Privacy Contact Email: privacy@sotrux.com
5. CATEGORIES OF DATA COLLECTED
Sotrux Auto may collect the following categories of personal information, depending on the channel used:
5.1 Contact and Identity Data
- Full name
- Phone number (mobile and/or home)
- Email address
- ZIP code and approximate geographic location
5.2 Financial Qualification Data (for lead routing purposes only—not used for credit decisions)
- Self-reported credit score range or tier (e.g., Non-Prime, Sub-Prime)
- Employment status (W2, self-employed, unemployed)
- Estimated available down payment range
5.3 Vehicle Preference Data
- Type, make, model, and year range of vehicle of interest
- Purpose of purchase (personal, commercial)
5.4 Digital Interaction Data
- SMS opt-in/opt-out status and communication timestamps
- Email open rates and click activity
- Website visit data, cookies, and browser and device information
- Appointment scheduling records
Note: Sotrux Auto does not collect Social Security numbers, government-issued ID numbers, full financial account numbers, or biometric data.
6. PURPOSES OF DATA PROCESSING
Personal data collected by Sotrux Auto is used exclusively for the following purposes:
- To qualify prospective car buyers and route them to appropriate dealership partners based on their financial profile.
- To transfer qualified Lead Data to dealership partners so that the dealer—acting under its own procedures and in compliance with applicable law—may contact the consumer via phone, SMS, email, or WhatsApp to schedule appointments and facilitate a vehicle purchase. Sotrux does not directly contact consumers on behalf of dealers.
- To send follow-up messages regarding vehicle inventory, financing options, and promotional offers—always with the consumer's prior consent.
- To share qualified lead information with dealership clients of Sotrux Auto, strictly to facilitate vehicle sales.
- To perform market research, measure advertising performance, and improve campaign targeting and quality.
- To comply with legal, regulatory, and contractual obligations applicable to Sotrux Auto's operations.
- To manage requests, inquiries, opt-outs, or complaints submitted by data subjects.
- To transmit data to authorized third-party service providers (see Section 9) under written data processing agreements.
- For internal administrative, accounting, and tax purposes.
Sotrux Auto will not use personal data for automated individual decision-making that produces legal or similarly significant effects on data subjects, beyond lead routing and qualification.
9. DATA SHARING AND THIRD PARTIES
Sotrux Auto may share personal data only with the following categories of recipients and only for the purposes stated in this policy:
9.1 Dealership Partners
Independent and franchise used car dealers operating in Florida, California, Texas, and other U.S. states who purchase qualified leads from Sotrux Auto exclusively to facilitate vehicle sales. All dealership partners must execute the Sotrux Auto Lead Data Use Agreement (LDUA) prior to receiving any lead data. Under the LDUA, dealers are solely responsible for all consumer contact, communication law compliance, and data retention obligations arising from their use of Lead Data. Data shared with dealers is limited to contact and qualification information sufficient for the dealer to follow up with the consumer.
9.2 Technology Service Providers (Data Processors)
- Messaging: Twilio (SMS), WhatsApp Business API
- Advertising: Meta Platforms (Facebook/Instagram Lead Ads)
- Automation and CRM: Google Workspace, Make (Integromat), N8N
- Analytics: Google Analytics, Meta Pixel
All third-party processors operate under written data processing agreements and are prohibited from using data for their own marketing purposes.
9.3 Legal and Regulatory Authorities
Government agencies, courts, or legal counsel when disclosure is required by law, regulation, subpoena, or court order.
9.4 Business Transfers
In the event of a merger, acquisition, or asset sale, personal data may be transferred to the successor entity under the same protections described in this policy.
Sotrux Auto transfers personal data to dealership partners in exchange for payment, which constitutes a sale under CCPA/CPRA. Sotrux Auto does NOT sell or transfer personal data to data brokers, marketing aggregators, or any third party for purposes unrelated to facilitating a vehicle purchase for the consumer.
10. YOUR RIGHTS
Depending on the state in which you reside, you may have some or all of the following rights. Sotrux Auto extends all of these rights to all consumers regardless of state:
10.1 Universal Rights (All States)
- Access: Request a copy of the personal information we hold about you.
- Correction: Request that inaccurate or incomplete data be corrected.
- Deletion: Request deletion of your personal data, subject to legal retention obligations.
- Opt-Out of SMS: Reply STOP to any message or contact us directly.
- Opt-Out of Email: Click Unsubscribe in any email or contact us directly.
- Non-Discrimination: You will not be penalized for exercising any of these rights.
10.2 California Residents—Additional Rights under CCPA/CPRA
- Right to Know: Request the specific pieces and categories of personal information collected, including sources and business purposes.
- Right to Delete: Request deletion of personal information, subject to legal exceptions.
- Right to Opt-Out of Sale or Sharing: Sotrux Auto transfers qualified lead data to dealership partners in exchange for payment, which constitutes a "sale" of personal information under CCPA/CPRA. California residents have the right to opt out of this sale at any time by contacting privacy@sotrux.com. Upon receiving a valid opt-out request, Sotrux Auto will not transfer that consumer's data to any dealership partner. By opting out, you waive the opportunity to receive offers on vehicles of interest to you.
- Right to Limit Use of Sensitive Personal Information: Request that Sotrux Auto limit use of sensitive data to necessary purposes.
- Authorized Agent: A California consumer may designate an authorized agent to make requests on their behalf.
- Response Timeline: Sotrux Auto responds to California rights requests within 45 calendar days, with one possible 45-day extension.
10.3 Texas Residents—Additional Rights under TDPSA
- Right to access, correct, delete, and obtain a portable copy of personal data.
- Right to opt out of targeted advertising based on personal data.
- Right to Appeal: If your request is denied, you may appeal. Sotrux Auto will respond to appeals within 60 days.
- Response Timeline: Sotrux Auto responds to Texas rights requests within 45 calendar days.
10.4 How to Submit a Request
Email: privacy@sotrux.com | Subject: Privacy Rights Request—[Your State]
We will verify your identity before processing any request. Requests will be acknowledged within 5 business days and fully resolved within the applicable legal deadline.
11. COOKIES AND WEBSITE TRACKING
The Sotrux Auto website and associated landing pages use cookies and similar tracking technologies for the following purposes:
- Essential cookies: Required for the website to function correctly.
- Analytics cookies: Used to understand how visitors interact with our site (e.g., Google Analytics).
- Advertising cookies: Used to measure ad performance and enable retargeting (e.g., Meta Pixel, Google Ads Tag).
California residents: Under CCPA/CPRA, sharing data via advertising cookies may constitute sharing of personal information for cross-context behavioral advertising. You may opt out at any time at privacy@sotrux.com or via the Do Not Sell or Share My Personal Information link on our website.
You may also manage cookies through your browser settings or opt out of Google Analytics at: https://tools.google.com/dlpage/gaoptout
12. DATA RETENTION
Sotrux Auto retains personal data only as long as necessary for the stated purposes and applicable legal obligations:
- Lead contact and qualification data: Up to 24 months from date of collection.
- SMS and email communication records: Sotrux does not send SMS or email communications to consumers. All consumer contact is conducted by dealership partners under their own procedures. Dealers are contractually required under the Sotrux Lead Data Use Agreement to retain SMS opt-in records for a minimum of 4 years (TCPA) and email opt-in/opt-out records for a minimum of 3 years (CAN-SPAM).
- Consumer consent records (Lead Form submissions and opt-in timestamps): Minimum 4 years, retained by Sotrux as evidence of the consumer's consent to be contacted by a dealership partner.
- Appointment and transaction records: Up to 5 years for contractual and legal purposes.
- Website analytics data: Per Google Analytics retention settings (default 14 months).
Data is securely deleted or anonymized at the end of the applicable retention period.
13. DATA SECURITY
Sotrux Auto implements commercially reasonable technical, administrative, and physical safeguards to protect personal data, including:
- Access controls limiting data access to authorized personnel only
- Encryption of data in transit using TLS/SSL protocols
- Secure, access-logged cloud storage
- Regular review and updating of security practices and vendor agreements
In the event of a data breach that creates a risk of harm to consumers, Sotrux Auto will notify affected individuals and relevant authorities as required by the Florida Information Protection Act (FIPA), California Civil Code Section 1798.82, Texas Business and Commerce Code Section 521, and other applicable state breach notification laws.
14. CHILDREN'S PRIVACY
Sotrux Auto's services and advertising are directed exclusively at adults aged 18 or older. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected data from a child under 13, we will promptly delete it in compliance with COPPA. Please contact privacy@sotrux.com if you believe we may have collected information from a minor.
15. INTERNAL OBLIGATIONS
Sotrux Auto and all authorized personnel acting as data controllers must:
- Always guarantee data subjects’ full and effective exercise of their privacy rights.
- Obtain and retain records of consent for data collection and SMS opt-in.
- Inform data subjects clearly about the purpose of data collection and their rights.
- Store data under security conditions necessary to prevent unauthorized access, alteration, or loss.
- Ensure that data shared with processors is accurate, complete, and up to date.
- Correct information when inaccurate and communicate corrections to relevant processors promptly.
- Process all rights requests and complaints within the legally required timeframes.
- Notify authorities and affected individuals in the event of a qualifying data breach.
- Ensure all dealership partners who receive Lead Data execute and comply with the Sotrux Auto Lead Data Use Agreement (LDUA) prior to receiving any leads. The LDUA governs each dealer's obligations regarding permitted use, consumer contact, data protection, retention, deletion, and TCPA compliance.
16. POLICY UPDATES
Sotrux Auto reserves the right to update this Privacy Policy at any time to reflect changes in applicable law, business practices, or data processing activities. When material changes are made, we will update the Last Updated date and, where appropriate, provide notice via our website or by email. Continued use of our services after any change constitutes acceptance of the updated policy.