Effective Date: December 20, 2025 (v3.2)

This Global Privacy Notice explains how OneCity Group, Inc. (“OneCity,” “Company,” “we,” “us,” or “our”) collects, uses, discloses, and protects information when you access or use our websites, applications, programs, platforms, and related services (collectively, the “Services”).

This Notice applies globally. Depending on where you live, you may have additional rights under applicable privacy laws, which are described in Your Privacy Rights below.

Nothing in this Notice transfers ownership of OneCity’s platform, methodologies, frameworks, diagnostics, derived insights, or system designs.

If you do not agree with this Notice, do not use the Services.

1. Company Information

Legal Entity: OneCity Group, Inc.

Address: 3631 Truxel Road #1056, Sacramento, CA 95834, United States

Website: https://www.joinonecity.com

Email: privacy@joinonecity.com

2. Scope and Roles

2.1 Individual Users and Organizations

This Notice applies to individuals who access the Services on their own behalf or on behalf of an organization.

2.2 Public Sector and Institutional Programs

When OneCity provides Services in connection with a government entity, municipality, chamber of commerce, or economic development organization, data handling, security, reporting, and privacy obligations may also be governed by a separate written agreement, pilot scope, or memorandum of understanding. Where such an agreement exists, it controls to the extent of any conflict with this Notice.

Nothing in this Notice is intended to override public-sector privacy laws, public records obligations, records-retention requirements, or institutional governance policies.

OneCity does not independently determine whether information is subject to public records disclosure. Any disclosure determinations are made by the applicable public agency in accordance with law.

OneCity’s primary hosting and data processing environments are located in the United States, using reputable cloud service providers. OneCity does not intentionally store municipal or participant data outside the United States unless expressly agreed in writing.

OneCity does not require the City to provide resident personal information, and OneCity does not request or process City confidential data unless explicitly scoped in a written agreement.

OneCity’s Services are designed to minimize collection of government-originated data in order to reduce public-sector records exposure. Any public records obligations remain governed by applicable law and the parties’ written agreements.

Security requirements, audit rights, incident response terms, and data processing obligations for institutional partners are addressed in written agreements and supporting exhibits, not solely in this public notice.

3. Information We Collect

We collect information from (a) you, (b) your device and use of the Services, and (c) service providers that support the Services.

3.1 Information You Provide

Depending on how you interact with the Services, you may provide:

• Account information: name, email address, phone number, organization name, role, and login credentials
• Participation information: program enrollment details, submissions, responses, progress updates, messages, and content you choose to provide
• Transaction information: purchases, subscriptions, billing details, and payment status (payment processing is handled by third-party processors; we do not store full payment card numbers)
• Support communications: information you provide when contacting us for assistance
• Recruiting information: job application materials, where applicable

3.2 Information Collected Automatically

When you access the Services, we may collect:

• Device and technical data: IP address, browser type, operating system, device identifiers
• Approximate location: derived from IP address (not precise geolocation unless you enable it)
• Usage data: pages viewed, features used, timestamps, referring and exit pages, performance logs, and error reports
• Cookie and tracking data: identifiers and similar technologies (see Cookies and Tracking)

3.3 Information From Service Providers

We may receive information from vendors that support the Services, such as payment confirmation, fraud signals, or aggregated analytics.

We do not ingest data from government systems, public records databases, or municipal IT platforms unless expressly agreed to in writing.

3.4 Information We Do Not Intentionally Collect

The Services are not designed to require:

• Social Security numbers or government-issued identification numbers
• Government employee credentials for internal municipal systems
• Protected health information
• Bank account numbers (other than limited data handled by payment processors)

For purposes of the Services, “Confidential Information” includes non-public business operational details, financial performance information, customer lists, project plans, and any data designated confidential by the submitting party.

Please do not submit sensitive information unless explicitly requested through a secure method for a specific purpose.

4. How We Use Information

We use information for the following purposes:

4.1 Service Delivery and Operations

• Create and manage accounts
• Deliver programs, tools, and community features
• Provide customer support and respond to requests

4.2 Improvement and Security

• Monitor and improve functionality and performance
• Diagnose and resolve technical issues
• Detect, prevent, and respond to fraud, abuse, or security incidents
• Enforce applicable terms and policies

4.3 Communications

• Send administrative messages such as service updates and account notices
• Send marketing communications where permitted by law and subject to your preferences

4.4 Legal and Compliance

• Comply with legal obligations
• Respond to lawful requests and legal process
• Protect the rights, safety, and property of OneCity and others

4.5 Aggregated and De-Identified Insights

We may create aggregated, de-identified information to understand participation trends and improve the Services. De-identification and aggregation are performed using reasonable measures designed to reduce the likelihood of re-identification. OneCity does not attempt to re-identify de-identified information.

OneCity does not permit the use of its Services, content, or outputs for training or improving external AI systems without express written authorization.

5. Sharing and Disclosure

We share information only as described below:

5.1 Service Providers

We share information with vendors that perform services on our behalf, such as hosting, analytics, communications, payment processing, customer support, and security monitoring. These providers are authorized to use information only as necessary to provide services to OneCity.

We maintain categories of service providers that may process personal information on our behalf. Where required by contract or law, we will provide additional information regarding subprocessors.

5.2 Business Transfers

Information may be transferred in connection with a merger, acquisition, financing, reorganization, or sale of assets, consistent with applicable law.

5.3 Legal, Safety, and Rights

We may disclose information to comply with law, respond to lawful requests, enforce policies, or protect rights, safety, and property.

5.4 With Your Direction or Consent

We may share information when you request or authorize us to do so, including participation in joint or partner-hosted programs.

5.5 No Sale of Personal Information

OneCity does not sell personal information. Where “sharing” is defined under certain laws as cross-context behavioral advertising, you may have the right to opt out as described below.

6. Community Reporting, Benchmarks, and Case Studies

6.1 Aggregated Reporting

OneCity may publish or provide aggregated, de-identified reports describing community participation or outcomes, such as completion rates, milestone trends, or cohort-level benchmarks. These reports are designed not to identify individuals or specific organizations.

6.2 Case Studies, Testimonials, and Showcases

If OneCity wishes to highlight a specific individual or organization, we will request written approval and define the scope, channels, and duration of use.

Where a separate written agreement applies, including for public-sector entities, its terms govern attribution, usage, withdrawal rights, and publicity limitations.

7. Cookies and Tracking

We use cookies and similar technologies to:

• Authenticate users and keep accounts logged in
• Remember preferences
• Understand usage and performance
• Help protect against fraud and abuse

Where required, we provide a cookie consent mechanism. You may control cookies through browser settings, though some features may not function properly without them.

Advertising: OneCity may promote its own services using limited marketing tools. We do not use third-party advertising cookies to target individuals based on sensitive categories, and we do not use customer-provided program data or public-sector participation data for third-party advertising or promotional targeting.

8. Data Retention

We retain personal information for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, enforce agreements, and maintain security. Information may be deleted or de-identified when no longer needed.

Upon termination of access, OneCity will handle information in accordance with this Notice, applicable law, and any governing agreement.

9. Security

We use reasonable administrative, technical, and organizational safeguards designed to protect information, including access controls, encryption in transit, and monitoring.

If OneCity becomes aware of a confirmed Security Incident affecting personal information under our control, we will notify affected customers without unreasonable delay and provide information reasonably necessary to support incident response and legal obligations.

No system is completely secure. You are responsible for maintaining the confidentiality of your login credentials.

10. Children’s Privacy

The Services are not intended for children under 13. If we learn that personal information from a child under 13 has been collected, we will take steps to delete it. If you believe this has occurred, contact us using the information below.

11. International Data Transfers

If you access the Services from outside the United States, information may be processed in the U.S. or other jurisdictions where our service providers operate. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses.

12. Your Privacy Rights

Depending on your location, you may have rights to:

• Access personal information we hold about you
• Correct inaccurate information
• Request deletion of information (subject to legal exceptions)
• Opt out of certain processing, including “sharing” where applicable
• Withdraw consent where processing is based on consent
• Request a copy of your information

To exercise your rights: email privacy@joinonecity.com.

We may verify your identity before fulfilling a request.

12.1 California (CCPA/CPRA)

California residents may have rights to access, delete, correct, opt out of sale or sharing, and limit the use of sensitive personal information, where applicable. We respond within the timeframes required by law.

12.2 EU/UK (GDPR/UK GDPR)

EU and UK residents may have rights to access, rectify, erase, restrict, object, data portability, and to lodge a complaint with a supervisory authority.

12.3 Other U.S. States

Residents of certain U.S. states may have similar rights. Contact us to exercise them.

13. Do Not Track

The Services do not currently respond to browser “Do Not Track” signals.

14. Changes to This Notice

We may update this Notice from time to time. The “Effective Date” reflects the most recent version. Material changes may be communicated through the Services or by email where appropriate.

15. Contact

For questions or requests related to this Privacy Notice:

OneCity Group, Inc.

3631 Truxel Road #1056

Sacramento, CA 95834

📧 privacy@joinonecity.com

🌐 https://www.joinonecity.com