This CCPA Privacy Notice (“CCPA Notice”) applies to California residents (“Consumers” or “you”). It describes how Servi Smart Solutions Ltd. d/b/a Duve (together with our subsidiaries and affiliates “Duve”, “us” or “we”), collect, use, disclose and share “Personal Information” (as defined below) of Consumers in operating our business. Any terms defined in the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 effective January 1, 2023 (collectively “CCPA”), have the same meaning when used in this CCPA Notice.

This CCPA Notice is an integral part of our Privacy Policy, and thus, definitions used herein shall have the same meaning as defined in the Privacy Policy. When we refer to “Personal Data” under our Privacy Policy, it shall also mean “Personal Information” as defined under the CCPA.

This CCPA Notice applies to Personal Information, which is collected directly or indirectly while using our Services or in order to provide our Services.

If you wish to learn more about your California privacy rights, you may visit https://oag.ca.gov/privacy/consumer-privacy-resources.

PART I: A COMPREHENSIVE DESCRIPTION OF THE INFORMATION PRACTICES

(A) Categories of Personal Information We Collect & Disclosure of Personal Information for Business Purpose

We collect Personal Information which is defined under the CCPA as any information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household or device, all as detailed in the table below.

Personal Information does not include: Publicly available information that is lawfully made available from government records, that a consumer has otherwise made available to the public; De-identified or aggregated consumer information; Information excluded from the CCPA’s scope, such as: Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPPA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA) and the Driver’s Privacy Protection Act of 1994.

We may disclose your Personal Information to a contractor or service provider for a business purpose (as such term is defined under the CCPA). When we disclose Personal Information for a business purpose, we enter into a contract that describes the purpose and requires the recipient to both keep that Personal Information confidential and not use it for any purpose except for performing the contract. We further restrict the contractor and service provider from selling or sharing your personal information.

Below we detail the categories of Personal Information that we collect, share for a business purpose and the categories of recipients to whom we disclose (within the last 12 months)

Categories of Personal Information we collect	Collected	Categories of third-party recipients to whom we disclose Personal Information for business purpose
A. Identifiers.	Yes. For example, real name, alias, unique personal identifier, Internet Protocol (IP) address, email address, and social account information.	Service Providers
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).	Yes. For example, name, address, telephone number.	Service Providers
C. Protected classification characteristics under California or federal law.	No.	–
D. Commercial information.	No.	–
E. Biometric information.	No.	–
F. Internet or other similar network activity.	Yes. For example, Prospect’s interaction with our website and Authorized Users’ (as defined in the Privacy Policy) interaction with the Services, including session replies.	Service Providers
G. Geolocation data.	Yes. For example, online identifiers, such as IP address, are further used to generate certain information, for example, extract your approximate location (e.g., country and Zip).	Service Providers
H. Sensory data.	No.	–
I. Professional or employment-related information.	Yes. For example, regarding Prospects, we may gather such information through third party aggregators, that provides contact and business information for marketing and sales promotions and similar sources. This may also include information about your current job position. All such data collection is governed by our internal policies and, where relevant (for job candidates), is subject to the guidelines outlined in our Job Candidate Privacy Notice.	Service Providers
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).	No.	–
K. Inferences drawn from other personal information.	No.	–
L. Sensitive personal information.	No.	–

(B) Categories of Sources of Personal Information

• Information you provide us directly – for example, when you register and create an account or correspond with us.
• Information we receive from third parties – for example, through data enrichment partners or if you access the Services through a third-party connection or log-in, if applicable, such third party may pass certain information about your use of their service to us.
• Information we receive automatically – for example, we will collect your online identifiers and usage data including analytics data (or use third-party measurement and marketing tools) automatically.

(C) Use of Personal Information

We may use the Personal Information collected as identified above, for the following purposes: to fulfill or meet the reason you provided the Personal Information (support, respond to a query, open an account etc.); monitor and improve our Services; provide our Services; marketing our Services; analyzing our Services and your use of the Services; respond to law enforcement; or otherwise as detailed in our Privacy Policy.

We will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

(D) Sale or Share of Personal Information

We do not “sell” information as most people would commonly understand that term, we do not, and will not, disclose your Personal Information in direct exchange for money or some other form of payment.

For retargeting and analytic purposes, when we promote our Services, we use third-party providers and tracking tools, advertising networks and social media. They provide these services by placing cookies, pixel or other tracking technology on our website, and sharing with these vendors the online identifiers and online behavior information. The CCPA defines these actions as “sharing” or “selling”.

Below we detail the categories of Personal Information that we “sell” or “share” in the preceding 12 months for a business purpose (as defined under the CCPA).

Categories of Personal Information (corresponding with the table above)	Categories of third-party recipients	Purpose of Sale or Share
Category A Category F Category G	Analytics providers, advertising networks, social media networks, media providers, and search platforms.	Targeted advertising, cross-contextual behavioral advertising (“CCBA”), promoting the Services, analytics and security services.

(E) Children Under Age 16

Our Services are not intended for use by children and we do not collect or maintain information about anyone under the age of 16.

Please contact us at: dpo@duve.com if you have reason to believe that a child has shared any information with us.

(F) Data Retention

The retention periods are determined according to the following criteria:

1. For as long as it remains necessary in order to achieve the purpose for which the Personal Information was initially processed;
2. To comply with our regulatory obligations;
3. To resolve a claim, we might have or a dispute with you, including any legal proceeding between us, until such dispute will be resolved, and following, if we find it necessary, in accordance with applicable statutory limitation periods.

Please note that except as required by applicable law, we will not be obligated to retain your Personal Information for any particular period, and we may delete it for any reason and at any time, without providing you with prior notice if our intention to do so.

PART II: EXPLANATION OF YOUR RIGHTS UNDER THE CCPA AND HOW TO EXERCISE THEM

(G) Your Rights Under the CCPA

If you are a California resident, you may exercise certain privacy rights related to your Personal Information. You may exercise these rights free of charge except as otherwise permitted under applicable law, by contact us at: dpo@duve.com.

We may limit our response to your exercise of these privacy rights as permitted under applicable law, all as detailed herein.

California Privacy Right	Details
The right to know what Personal Information the business has collected and access right.	You have the right to know what Personal Information the business has collected about the Consumer, including the categories of Personal Information, the categories of sources from which the Personal Information is collected, the business or commercial purpose for collecting, selling, or sharing Personal Information, the categories of third parties to whom the business discloses Personal Information, and the specific pieces of Personal Information the business has collected about the Consumer.
Deletion rights.	You have the right to delete Personal Information that the business has collected from the Consumer, subject to certain exceptions.
Correct inaccurate information	The right to correct inaccurate Personal Information that a business maintains about a Consumer.
Rights related sharing for targeted advertising and sale of Personal Information	You have the right to opt-out of the “sharing” of your Personal Information for “cross-contextual behavioral advertising,” often referred to as “interest-based advertising” or “targeted advertising” and the “sale” of your Personal Information.
Limit the use or disclosure of sensitive personal information	Under certain circumstances, if the business uses or discloses sensitive personal information, you have the right to limit the use or disclosure by the business.
Opt-out of the use of automated decision making	In certain circumstances, you have the right to opt-out of the use of automated decision making in relation to your Personal Information.
Non-discrimination	You have the right not to receive discriminatory treatment by the business for the exercise of privacy rights conferred by the CCPA, including an employee’s, applicants, or independent contractor’s right not to be retaliated against for the exercise of their CCPA rights, denying a consumer goods or services, charging different prices or rates for goods or services, providing you a different level or quality of goods or services, etc. We may, however, charge different prices or rates, or provide a different level or quality of Services, if that difference is reasonably related to the value provided to us by your Personal Information.
Data portability	You may request to receive a copy of your Personal Information, including specific pieces of Personal Information, including, where applicable, to obtain a copy of the Personal Information you provided to us in a portable format.

To learn more about your California privacy rights, please visit https://oag.ca.gov/privacy/privacy-laws

(H) How Can You Exercise The Rights?

You may exercise your rights by contacting our privacy team at: dpo@duve.com.

Note, certain rights can be exercised by you independently without contacting us, for example, depending on your interaction with us:

• You can opt-out from receiving emails from us by clicking the “unsubscribe” link or other opt-out alternatives we make available, as detailed in the marketing communication we sent you or otherwise through the communication preferences settings we make available within your account.
• You can delete, access and correct any information available in your account, through your account settings.
• Opt-out from selling or sharing can be executed at any time, by using the cookie settings tool or the “Do Not Sell or Share my Personal Information” button all available through our website. Also, you do not want to receive interest-based advertisements, you can limit the collection of certain information through your device and browser settings or use the Global Privacy Control (“GPC”) signals.

(I) Notice of Financial Incentive

We do not offer financial incentives to consumers for providing personal information.

(J) Authorized Agents

You can designate an authorized agent to submit requests on your behalf via the methods above. However, we will require written proof of the agent’s permission to do so and verify your identity directly. We will not verify your identity if the agent provides a power of attorney documentation.

(K) Response Timing and Format

We endeavor to respond to a verifiable Consumer request within forty-five (45) days of its receipt. If we require more time (up to an additional forty-five (45) days), we will inform you of the reason and extension period in writing. We will deliver our written response by mail or electronically, at your option. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

(L) Contact Us

By email:dpo@duve.com

By mail: Ha-Khilazon St. 6, Ramat Gan, Israel 5252270

(M) Updates

This notice was last updated on June 5, 2025. As required under the CCPA, we will update the CCPA Notice
every 12 months, if needed. The last revision date will be reflected in the “Last Amended” heading at the top of this CCPA Notice.

PART III: OTHER RIGHTS APPLICABLE TO CALIFORNIA RESIDENTS

California Direct Marketing Requests: California Civil Code Section 1798.83 permits you, if you are a California resident, to request certain information regarding disclosure of Personal Information to third parties for their direct marketing purposes. To make such a request, please contact us at: dpo@duve.com

Do Not Track Settings: Cal. Bus. And Prof. Code Section 22575 also requires us to notify you how we deal with the “Do Not Track” settings in your browser.

As of the effective date listed above, there is no commonly accepted response for Do Not Track signals initiated by browsers. Therefore, we so not respond to the Do Not Track settings. Do Not Track is a privacy preference you can set in your web browser to indicate that you do not want certain information about your web page visits tracked and collected across websites. For more details, including how to turn on Do Not Track, visit: www.donottrack.us.