Tilli Consolidated Privacy Policy

1. Scope and Policy Owner

This Privacy Policy applies to Tilli websites, landing pages, contact forms, downloads, demos, support interactions, partner and vendor interactions, recruiting interactions, and Tilli software products and production services, including XDEX, TilliPay, tilliX, TilliBeacon, tilliArch, Nudge, JAREIS-enabled features, related APIs, portals, and support channels.

This policy is intended to be a public-facing umbrella privacy policy. It may be supplemented by a data processing addendum, business associate agreement, customer contract, cookie notice, job applicant notice, product-specific privacy notice, or another signed or expressly incorporated privacy addendum. If a more specific signed or expressly incorporated document conflicts with this policy for a defined processing activity, the more specific document controls for that activity.

2. Roles and Context

Tilli may act in different roles depending on the relationship and the product workflow, including as a controller or business collecting information directly, as a processor or service provider handling customer-directed data, or as an independent compliance actor for fraud, sanctions, AML, or security review where required by law, payment network requirements, processor requirements, or Tilli's legitimate operational needs.

3. Categories of Information We Collect

Depending on the interaction, Tilli may collect information you provide directly, information collected automatically, and information received from third parties.

• Name, email address, phone number, mailing address, employer, title, and business contact details.
• Account registration, login, administrative profile, billing, payment, invoice, remittance, support, and communication records.
• Marketing preferences, demo requests, surveys, event registrations, job application materials, and recruiting information.
• Identity-verification, onboarding, fraud, or compliance information where relevant to a payment, vendor, or regulated workflow.
• IP address, device identifiers, browser type, operating system, approximate geolocation, logs, page views, clickstream data, telemetry, diagnostics, and configuration data.
• Information from customers, partners, integrations, payment processors, verification services, cloud providers, analytics tools, CRM providers, and publicly available business-intelligence sources.

4. How We Use Personal Information

Tilli may use personal information to provide, operate, maintain, support, and secure the Site and Services; manage accounts and customer relationships; process transactions, onboarding, support, and contract administration; send operational messages and security notices; power workflow, orchestration, analytics, and AI assistance requested by customers; improve performance, reliability, and usability; prevent fraud, abuse, spam, sanctions breaches, or account misuse; comply with law; and conduct marketing and sales activities in accordance with applicable law and preferences.

5. Legal Bases and Processing Grounds

Where applicable law requires a legal basis for processing, Tilli may rely on performance of a contract, steps requested before entering into a contract, compliance with legal or regulatory obligations, Tilli's legitimate interests, consent, or another basis permitted under applicable law.

6. How We Disclose Information

Tilli may disclose personal information to affiliates, service providers, subprocessors, contractors, advisors, payment processors, banks, networks, verification vendors, fraud and sanctions tools, cloud providers, AI or telecom providers, customers and authorized users where necessary to deliver the Services, third-party integrations at Customer direction, regulators or law enforcement where required or appropriate, and parties involved in a corporate transaction.

Tilli does not sell personal information for money. If Tilli engages in targeted advertising or similar activity covered by specific privacy laws, Tilli will address those activities through the applicable notice, consent, or opt-out mechanisms.

7. Cookies, Analytics, and Similar Technologies

Tilli may use cookies, pixels, SDKs, and similar technologies to remember preferences, operate core website and product functionality, analyze traffic and performance, support marketing attribution, and improve content, security, and user experience. Tilli may provide cookie preference tools where required and may honor browser or device-level controls to the extent required by applicable law and technically supported.

8. Customer Data and Service Provider Processing

Where Tilli handles personal information on behalf of a customer through the Services, Tilli generally acts as a processor, service provider, or similar vendor and processes that information in accordance with customer instructions, the applicable contract, and Tilli's operational, security, fraud, compliance, and legal obligations.

Customers are responsible for determining whether the Services are appropriate for their use cases, providing legally required notices to end users, obtaining valid permissions or consent where required, configuring retention and workflow settings appropriately, and reviewing AI-generated or workflow-generated CTAs before relying on them in regulated or customer-facing contexts where human review is warranted.

9. Data Retention

Tilli retains personal information for as long as reasonably necessary to provide the Site and Services, maintain business and contractual records, meet legal, tax, accounting, security, and compliance obligations, investigate fraud or incidents, enforce contracts, or preserve evidence. Retention periods may vary by product, data category, customer configuration, jurisdiction, and legal obligation.

10. Security

Tilli maintains reasonable administrative, technical, and organizational safeguards designed to protect personal information against unauthorized access, use, disclosure, alteration, or destruction.

11. International Data Handling

Tilli may process and transfer personal information in the United States, India, and other jurisdictions where Tilli, its affiliates, subprocessors, or service providers operate. Where required, Tilli may use contractual, organizational, or technical mechanisms intended to support lawful cross-border processing.

12. Privacy Rights and Choices

Depending on applicable law and the person's relationship to Tilli, individuals may have rights to request access, correction, deletion, restriction, portability, objection, withdrawal of consent, or opt-out of certain marketing or advertising-related processing. These rights are not absolute and may be limited by law, legal privilege, security concerns, trade secret protection, fraud prevention, contractual commitments, or Tilli's obligations to customers or regulators.

Marketing emails may generally be opted out of using unsubscribe links or by contacting Tilli. Operational or transactional communications may still be sent where necessary.

13. Children's Information

Tilli's Site and Services are not directed to children, and Tilli does not knowingly collect personal information directly from children except where information is provided through a customer-controlled workflow and the customer is responsible for the lawful basis and required notices.

14. Changes to This Policy

Tilli may update this policy from time to time to reflect changes in law, operations, products, data practices, or risk posture. When required, Tilli will post the updated policy date and provide additional notice or consent mechanisms.

15. Contact Information