================================================================================
PP-LEGAL-PRIV-001 · PRIVACY POLICY · VERSION 0.4.2

Privacy Policy

How Planck Power Corporation collects, uses, shares, and protects personal information. Applicable globally, with regional supplements for the EU/UK, Canada, and California.

DOCUMENT METADATA
DOCUMENT ID: PP-LEGAL-PRIV-001
VERSION: 0.4.2 (Counsel Review Draft)
EFFECTIVE DATE: April 20, 2026
CONTROLLER: Planck Power Corporation, a Delaware corporation
DEPLOYMENT LAYER: Stage 1 (footer link); cross-referenced from Stages 2 and 3
REGIONAL SUPPLEMENTS: EU/UK GDPR · Canada PIPEDA · California CCPA/CPRA
SUPERSEDES: All prior versions of this Policy, including v0.3
CLASSIFICATION: Public
PRIORITY RANK: Rank 4 of 5: above the Disclaimer; below the NDA and the profile-specific supplementary agreements (see §12 of PP-LEGAL-DISC-001 v0.9)

HOW TO REACH US

Questions about this Privacy Policy or about how we handle your personal information may be directed to the Office of the General Counsel, Planck Power Corporation, c/o WeWork, 2700 Post Oak Boulevard, Houston, Texas 77056, or to the privacy contact electronic mail address designated at https://www.planckpower.com/privacy-contact. Where you have a right under applicable law to make a privacy request, the procedures for doing so are set out in Section 10 and in the regional supplement applicable to your jurisdiction.

1. Scope and Application; Coordination with Other Documents

THE COORDINATION PROVISION

1.1 Who We Are

This Privacy Policy is issued by Planck Power Corporation, a Delaware corporation (the "Corporation," "we," "our," or "us"), and applies to personal information that we collect from or about natural persons in the course of our business operations. Where this Privacy Policy refers to "we" in connection with the processing of personal information, the reference is to the Corporation acting as the data controller (or the equivalent term under applicable law). Our operating subsidiary, Planck Power, LLC, and our intellectual-property holding subsidiary, Planck Power IP, LLC, may process personal information on our behalf in their capacity as data processors.

1.2 What This Policy Covers

This Privacy Policy covers personal information that we collect through:
(a) our public website at https://www.planckpower.com (the "Website");
(b) the Prime Radiant platform (the "Platform");
(c) the access-request flow at Stages 1 through 3 of the user journey, as documented in PP-UX-001;
(d) electronic-mail and other direct communications between us and you;
(e) virtual or physical meetings, calls, and conferences in which we participate; and
(f) due-diligence and onboarding processes in connection with prospective transactions.
References in this Privacy Policy to "the Platform" include the Website to the extent the Website collects personal information.

1.3 Coordination with Other Documents

TWO-AXIS ARTICULATION UPDATED IN v0.4 — MIRRORS NDA v0.3 §14.4

This Privacy Policy operates within the Corporation's broader legal-document architecture.
The order of precedence among that architecture is established in Section 12 of the Comprehensive Disclaimer (PP-LEGAL-DISC-001 v0.9 or successor version) and in Section 14 of the Comprehensive Non-Disclosure Agreement (PP-LEGAL-NDA-001 v0.3 or successor version), which provide, in summary, that Definitive Transaction Documents control over the Comprehensive Non-Disclosure Agreement, which controls over the profile-specific supplementary agreements, which control over this Privacy Policy, which controls over the Comprehensive Disclaimer, in each case only with respect to matters within the scope of the higher-ranked document.

The practical effect for personal-information handling is as follows. Under v0.9 of the Comprehensive Disclaimer and v0.3 of the Comprehensive Non-Disclosure Agreement, all Platform Content (including any personal information rendered through the Platform) constitutes Confidential Information of the Corporation from the moment of rendering, and is subject to the confidentiality and use obligations set forth in the Comprehensive Non-Disclosure Agreement. Separately, where personal information is exchanged under a Definitive Transaction Document, the confidentiality and use restrictions in that document also apply. Where personal information is processed by the Corporation for a purpose specified in this Privacy Policy, this Privacy Policy governs the substantive privacy obligations (lawful basis, retention, data-subject rights, cross-border transfer, sensitive personal information handling, and similar matters), even where the same information is also subject to a higher-ranked confidentiality obligation. Confidentiality and privacy operate on different axes:

(a) Confidentiality Axis. The Comprehensive Non-Disclosure Agreement (and, where applicable, Definitive Transaction Documents and profile-specific supplementary agreements) governs the contractual confidentiality of information disclosed by the Corporation to you and received by you.
Where such instruments impose additional confidentiality obligations on the Corporation's receipt of your personal information, those obligations operate in addition to (and, where in conflict with respect to a matter within their scope, override) the confidentiality-adjacent portions of this Privacy Policy. The confidentiality axis governs the contractual status of information.

(b) Privacy Axis. This Privacy Policy governs the substantive privacy obligations of the Corporation (including lawful basis for processing, retention, data-subject rights, cross-border transfer safeguards, and Sensitive Personal Information handling). Nothing in any confidentiality instrument — including without limitation the Comprehensive Non-Disclosure Agreement — limits, waives, or reduces your rights as a data subject under this Privacy Policy or under applicable privacy law, and nothing in any such instrument limits the Corporation's substantive privacy obligations.

This §1.3 mirrors, and is intended to operate consistently with, §14.4 of the Comprehensive Non-Disclosure Agreement (PP-LEGAL-NDA-001 v0.3).

1.4 What This Policy Does Not Cover

This Privacy Policy does not cover:
(a) information that is not personal information under applicable law (for example, fully de-identified or aggregated data);
(b) information collected by third parties whose websites or services may be linked from the Website or the Platform (which third parties have their own privacy practices); or
(c) information governed exclusively by a Definitive Transaction Document or other separate agreement.

2. Information We Collect

We collect the following categories of personal information.

2.1 Information You Provide

This category includes information that you provide to us directly, including without limitation: name; professional title; organizational affiliation; business address; business electronic-mail address; business telephone number; jurisdiction of residence; account credentials and authentication factors; biographical information (such as professional background, areas of interest, and prior investment or commercial activity); and the contents of any communication you send us.

2.2 Information Collected Automatically

This category includes information collected automatically by our infrastructure when you access the Website, the Platform, or our other systems, including without limitation: internet protocol address; user-agent string and other browser and device characteristics; operating system; date and time of access; pages or screens accessed; click-stream data; session duration; referring URL; cookie identifiers and other persistent or session identifiers; and security-event data (including authentication outcomes, error events, and indicators of suspected misuse).

2.3 Information Provided by Third Parties

This category includes information that we receive from third parties, including without limitation: information from accredited-investor verification service providers (with respect to natural-person investors who undergo verification under Rule 506(c) of Regulation D); information from background-check, sanctions-screening, and know-your-customer service providers; information from professional-network and corporate-information services; and information from advisors, intermediaries, or counterparties acting on your behalf.

2.4 Inferred Information

This category includes information that we infer or derive from other information, including without limitation inferences regarding your access profile (Investor, Customer, Research, Government, Internal), your areas of likely interest, and the categories of Platform Content most likely to be relevant to you.

2.5 Sensitive Personal Information

In limited circumstances, we collect categories of information that are designated as "sensitive" under one or more applicable privacy regimes (collectively, "Sensitive Personal Information" or "SPI"). The principal SPI collection contexts and categories are summarized in Section 11.

3. Sources of Information

We collect personal information from the following sources:
• directly from you, when you submit information through the Website, the Platform, the access-request flow, or any communication with us;
• automatically from your device and browser when you access the Website or the Platform;
• from third-party service providers that we engage (for example, accredited-investor verification, sanctions screening, identity verification, and analytics providers);
• from your authorized advisors, intermediaries, or representatives;
• from publicly available sources (for example, public company filings, professional-network profiles, and trade publications); and
• from cookies and similar technologies, as described in Section 5.

4. Purposes and Lawful Bases for Processing

4.1 Purposes

We process personal information for the following purposes:
• operating, maintaining, and securing the Website, the Platform, and the access-request flow;
• evaluating access requests submitted at Stage 2 of the user journey, routing approved registrants to the appropriate Profile, and granting Stage 3 access;
• verifying eligibility, including without limitation accredited-investor status, professional or institutional affiliation, sanctions and export-control screening, and other compliance-related determinations;
• delivering personalized Platform Content based on your Profile and your stated areas of interest;
• communicating with you regarding the Corporation, the Platform, the SLM-X Technology, transactions in which you have expressed interest, and related matters;
• conducting due diligence and onboarding in connection with prospective investments, commercial transactions, research collaborations, government engagements, and personnel relationships;
• complying with legal, regulatory, audit, and risk-management obligations applicable to the Corporation;
• maintaining audit-trail and security-event records as described in Section 9 of the Comprehensive Disclaimer (PP-LEGAL-DISC-001);
• responding to lawful requests by governmental authorities and to legal process; and
• establishing, exercising, and defending legal claims.

4.2 Lawful Bases (EU/UK and Other GDPR-Type Regimes)

Where the General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"), the United Kingdom General Data Protection Regulation ("UK GDPR"), or any analogous regime applies, we rely on the following lawful bases for the processing described in Section 4.1:
• performance of a contract to which you are a party or to take steps at your request prior to entering into a contract (for example, processing your access request);
• compliance with a legal obligation to which we are subject (for example, sanctions screening and securities-law compliance);
• our legitimate interests or those of a third party (for example, evaluating prospective transactions, maintaining the security of our systems, and developing the Corporation's business), where such interests are not overridden by your interests or fundamental rights and freedoms; and
• your consent, where required (for example, for certain SPI processing as described in Section 11), which you may withdraw at any time without affecting the lawfulness of processing prior to withdrawal.

4.3 Special Category (Sensitive) Personal Information — Article 9 GDPR Conditions

Where the GDPR, the UK GDPR, or an analogous regime applies, processing of "special category" personal information (which overlaps substantially with, but is not identical to, the Sensitive Personal Information categories described in Section 11) requires, in addition to an Article 6 lawful basis identified in Section 4.2, a separate Article 9(2) condition.
We rely on the following Article 9(2) conditions, in each case only for the specific processing purpose identified and only with respect to the specific category of special category data implicated:
• Explicit consent (Article 9(2)(a)), for accredited-investor verification where such verification requires collection of financial-account information, net-worth information, or government-issued identifier numbers; and for biometric identity verification. Explicit consent is obtained through the Stage 2 or Stage 3 access-request and verification flows. You may withdraw consent at any time in accordance with Section 11.4.
• Substantial public interest with a basis in law (Article 9(2)(g)), for sanctions screening, anti-money-laundering compliance, know-your-customer checks, and other compliance-driven processing that we are required or authorized to perform under applicable law to prevent financial crime, protect market integrity, and enforce economic sanctions.
• Establishment, exercise, or defense of legal claims (Article 9(2)(f)), for the processing of special category data in connection with actual or reasonably anticipated litigation, regulatory proceedings, or arbitration, including maintaining litigation-hold records, responding to subpoenas or court orders, and defending against claims relating to the Platform or any transaction.
• Manifestly made public by the data subject (Article 9(2)(e)), for the processing of professional biographical information, prior investment activity, or other data that you or an authorized source have placed in the public domain (for example, in a public company filing or public professional-network profile).

Where a specific processing activity does not fit within any of the foregoing conditions, we will not process special category data for that activity, or we will obtain a separate Article 9(2) condition tailored to the activity.
The Article 9(2) conditions in this Section 4.3 operate in addition to, not in substitution for, the Article 6 lawful bases in Section 4.2; both an Article 6 basis and an Article 9(2) condition are required for the processing of special category data. This Section 4.3 applies, with appropriate jurisdictional adaptation, to the processing of sensitive, special, or analogous categories of personal information under any privacy regime that maintains a comparable two-step lawful-basis structure.

5. Cookies, Beacons, and Similar Technologies

The Website and the Platform use cookies, web beacons, local-storage objects, and similar technologies (collectively, "Cookies") for the purposes set out in this Section 5. The Cookie Notice (PP-LEGAL-COOK-001) provides additional detail and is incorporated by reference.

5.1 Categories of Cookies

• Strictly necessary Cookies, which are required for the operation of the Website and the Platform (including session-management, authentication, and security functions);
• performance and analytics Cookies, which collect information about how visitors use the Website and the Platform (for example, which pages are visited and any error messages received);
• functional Cookies, which remember choices you make (for example, language preference); and
• targeting Cookies, only to the extent (if any) deployed by the Corporation, which may be used to deliver content that is more relevant to your interests.

5.2 Consent and Reject-All Parity

Where required by applicable law, we present a regional consent banner with reject-all parity, meaning that the option to reject non-strictly-necessary Cookies is presented with equivalent prominence to the option to accept. Strictly necessary Cookies are deployed without consent because they are required for the Website and the Platform to function.

5.3 Do-Not-Track and Global Privacy Control

Where applicable law requires us to respond to the Global Privacy Control signal or analogous browser-based opt-out signals, we honor such signals as required by such law. The Corporation does not currently respond to legacy Do-Not-Track signals.

6. Sharing and Disclosure of Personal Information

We share personal information only as described below. We do not sell personal information for monetary consideration. Where applicable law defines "sale" or "sharing" more broadly than monetary consideration (for example, certain provisions of California law), see the regional supplement in Section A of the Annexes for our specific disclosures and your rights.

6.1 Within the Corporation Group

We share personal information among the members of the Corporation Group (Planck Power Corporation, Planck Power LLC, and Planck Power IP LLC) for the purposes described in Section 4.1.

6.2 With Service Providers

We share personal information with third-party service providers that process personal information on our behalf for the purposes described in Section 4.1, including without limitation: cloud-infrastructure providers; authentication and identity-verification providers; accredited-investor verification providers; sanctions-screening providers; analytics providers; legal, accounting, and tax advisors; and electronic-signature and document-management providers. We require service providers to maintain personal information in confidence, to process it only for the purposes for which it is shared, and to apply appropriate technical and organizational safeguards.

6.3 With Counterparties and Their Advisors

In connection with prospective transactions, we may share personal information with counterparties and their advisors as necessary for due diligence, negotiation, and execution.
Where the recipient is bound by a non-disclosure agreement (including without limitation PP-LEGAL-NDA-001), the receipt and use of personal information by such recipient are also subject to the confidentiality terms of that agreement. Nothing in this §6.3 limits the confidentiality obligations of any recipient of your personal information, and where PP-LEGAL-NDA-001 applies (as a universal Stage 3 click-through gate under v0.3), the recipient's confidentiality obligations include the two-tier Confidential / Restricted regime set forth in §7 of that Agreement.

6.4 In Connection with Corporate Transactions

If we are involved in a merger, acquisition, financing, reorganization, sale of assets, dissolution, or similar corporate transaction, personal information may be transferred to the counterparty or successor entity as part of the transaction. We will provide notice of any such transfer as required by applicable law.

6.5 Legal and Compliance Disclosures

We may disclose personal information where required by applicable law, lawful governmental request, court order, or other legal process; where disclosure is necessary to protect the rights, property, or safety of the Corporation, our personnel, our users, or any other person; and where disclosure is necessary to investigate, prevent, or take action regarding suspected or actual unlawful activity, breaches of our policies, or threats to the security of our systems.

6.6 With Your Consent

We may share personal information for any other purpose with your consent.

7. Cross-Border Data Transfers

The Corporation is established in the United States, and our principal data-processing operations occur in the United States. Where we transfer personal information from one jurisdiction to another (for example, from the European Economic Area, the United Kingdom, Canada, or another non-United States jurisdiction to the United States), we apply the safeguards required by applicable law.

7.1 Transfers from the EU/UK

Where personal information is transferred from the European Economic Area or the United Kingdom to the United States or to any other jurisdiction that has not been recognized as providing an adequate level of data protection, we rely on appropriate transfer mechanisms, which may include the European Commission Standard Contractual Clauses (the "EU SCCs"), the United Kingdom International Data Transfer Addendum (the "UK Addendum"), supplementary measures where required by the Schrems II decision, or, where applicable and certified, the EU-U.S. Data Privacy Framework, the UK Extension thereto, and the Swiss-U.S. Data Privacy Framework.

7.2 Transfers from Canada

Where personal information is transferred from Canada to the United States or any other jurisdiction, we comply with the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) ("PIPEDA") and applicable provincial privacy law (including without limitation Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25). We use contractual measures with our service providers to require comparable levels of protection in the recipient jurisdiction.

7.3 Onward Transfers

We require our service providers and other downstream recipients to apply contractual safeguards before any onward transfer of personal information.

8. Data Retention and Disposition

We retain personal information for the period necessary to fulfill the purposes described in Section 4.1, unless a longer retention period is required or permitted by applicable law (for example, to comply with statutory record-retention obligations, to establish, exercise, or defend legal claims, or to maintain audit-trail integrity). By way of indicative guidance, our standard retention periods are as follows. Actual retention periods may vary based on the specific circumstances and applicable legal obligations.

Category | Retention period
Access-request data (PP-UX-REG-001) | 24 months from request, then anonymized statistics retained indefinitely
Approved-account profile data | Duration of account plus 7 years
Stage 3 audit-trail records (CloudTrail) | 7 years from event
Accredited-investor verification records | Period required by Rule 506(c) (currently 5 years from sale) plus reasonable margin
Communication records | 7 years from last interaction
Sanctions-screening records | 10 years from screening event
Marketing-list records | Until you opt out, plus a short suppression-list retention period

Upon expiration of an applicable retention period, we either delete the personal information or de-identify it such that it can no longer be associated with you.

9. Information Security

9.1 Safeguards

We maintain technical and organizational safeguards designed to protect personal information against unauthorized access, use, alteration, disclosure, loss, or destruction. Our safeguards include access controls, encryption of personal information in transit and at rest, network segmentation, security monitoring and logging, vulnerability management, secure-development practices, vendor due diligence, and personnel training. We perimeter-protect the Website using Cloudflare Zero Trust and similar controls. Our session-management and audit infrastructure is implemented with Amazon CloudTrail.

9.2 No Absolute Security

No information-security program can guarantee absolute protection. We cannot warrant that personal information will not be subject to unauthorized access, use, alteration, disclosure, loss, or destruction, and we expressly disclaim any such warranty.

9.3 Breach Notification

If we determine that a personal-data breach has occurred and that notification is required by applicable law, we will provide notification in accordance with applicable law and our internal incident-response protocol.

10. Your Rights and How to Exercise Them

10.1 Rights Generally

Depending on your jurisdiction of residence and the applicable privacy regime, you may have any or all of the following rights with respect to your personal information:
(a) the right to be informed about our processing;
(b) the right of access to personal information that we hold about you;
(c) the right to rectification of inaccurate personal information;
(d) the right to deletion or erasure (subject to applicable exceptions);
(e) the right to restriction of processing;
(f) the right to data portability;
(g) the right to object to processing (including direct-marketing processing and processing based on legitimate interests);
(h) the right to withdraw consent (where processing is based on consent), without affecting the lawfulness of pre-withdrawal processing;
(i) the right not to be subject to automated decisions producing legal or similarly significant effects;
(j) the right to opt out of "sale" or "sharing" as those terms are defined under applicable law;
(k) the right to limit the use and disclosure of Sensitive Personal Information as described in Section 11; and
(l) the right to lodge a complaint with a supervisory or regulatory authority.

10.2 How to Exercise Your Rights

You may submit a request to exercise any of the rights identified in Section 10.1 by contacting us at the address designated in the click-through banner above this section, or by using any privacy-request mechanism that we may make available on the Website. We will verify your identity using procedures appropriate to the sensitivity of the information requested. We will respond to verified requests within the time period required by applicable law (typically thirty to forty-five days, subject to extension where permitted).

10.3 No Discrimination

We will not discriminate against you for exercising any right under applicable privacy law.
However, in some cases your exercise of a right may have practical consequences (for example, deletion of an account will terminate your access to the Platform).

10.4 Authorized Agents

Where applicable law permits, you may designate an authorized agent to submit a privacy request on your behalf. We will require evidence of the agent's authority and may require independent verification of your identity.

10.5 Appeals

Where applicable law provides a right to appeal a decision on a privacy request, the appeal procedure is described in the regional supplement applicable to your jurisdiction or will be communicated in our response to your initial request.

11. Sensitive Personal Information

THE SPI PROVISION — INCLUDES THE ACCREDITED-INVESTOR VERIFICATION FLOW

11.1 Categories of SPI We May Collect

Depending on the context of your interaction with us, we may collect the following categories of SPI:
• government-issued identifier numbers (such as social-security number, taxpayer identification number, passport number, or driver's license number), where required for accredited-investor verification, sanctions screening, or counterparty onboarding;
• financial-account information and net-worth information, where required for accredited-investor verification or to comply with anti-money-laundering or know-your-customer obligations;
• citizenship and immigration-status information, where required for export-control or sanctions-compliance purposes;
• biometric information for identity verification, only where you have affirmatively consented and only in connection with a third-party verification service that maintains direct privacy obligations to you;
• information regarding security clearances or government affiliations, where required for the Government Profile;
• precise geolocation, only where you have affirmatively enabled it on your device; and
• information regarding professional credentials, employment history, and prior investment activity, to the extent characterized as SPI under any applicable regime.

11.2 Accredited-Investor Verification SPI Flow

Where you undergo accredited-investor verification under Rule 506(c) of Regulation D, the following SPI flow applies. This flow is designed to minimize the Corporation's direct collection of SPI and to allocate SPI processing to a qualified third-party verification provider with direct privacy obligations to you:
• You initiate the verification process through the Investor Profile interface and are routed to a qualified third-party accredited-investor verification provider engaged by the Corporation.
• The verification provider, as a separate data controller (or, where applicable, as the Corporation's data processor for these purposes), collects and reviews documentation that you provide directly to the provider. Documentation typically consists of one or more of: tax returns; brokerage and bank statements; written confirmation from a licensed advisor; or other documentation specified by Rule 506(c) and the provider's methodology.
• The verification provider issues to the Corporation a verification result (typically a binary verified-yes or verified-no determination, accompanied by the date of verification, the basis category, and the period of validity), but does not transmit the underlying SPI documentation to the Corporation in the ordinary course.
• The Corporation retains only the verification result and minimum metadata required for compliance and audit purposes. The Corporation does not retain the underlying SPI documentation, except where the verification provider is unable to issue a result and a documented review by the Corporation's authorized personnel is required to complete the determination.
• The verification result and metadata are stored within the Corporation's gated environment, with access limited to personnel with a documented need to know and to the audit-trail systems described in Section 9 of the Comprehensive Disclaimer.
• Where the verification provider acts as a separate data controller, the provider's privacy notice governs its processing of the underlying SPI documentation. We will identify the active verification provider in our privacy-contact response and at the verification interface.
• You may withdraw consent to verification at any time by ceasing the verification process, in which case no verification result is generated and no investor access is granted.

11.3 Use Limitations

We use SPI only for the purposes for which it was collected, only for the period necessary to accomplish those purposes, and only with the safeguards described in Section 9. Where applicable law (including without limitation California law) provides a right to limit the use and disclosure of SPI to specified purposes, we honor that right in accordance with the procedures in Section 10.

11.4 Consent and Withdrawal

Where the lawful basis for processing SPI is your consent, you may withdraw consent at any time using the contact mechanism designated in the banner above Section 1. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal and does not require us to delete information that we are required to retain under applicable law (for example, audit-trail records and sanctions-screening records).

12. Automated Decision-Making and Profiling

We do not currently use solely automated decision-making (that is, decision-making without meaningful human involvement) that produces legal or similarly significant effects on you. Stage 2 access-request decisions are reviewed by Corporation personnel; Stage 3 access scoping is determined by your accepted Profile and the human-review approval issued in Stage 2. Where we use limited automated processing for routing, content personalization, or fraud prevention, the processing is supportive and does not, on its own, determine outcomes that produce legal or similarly significant effects on you.
If we introduce solely automated decision-making with legal or similarly significant effects in the future, we will update this Privacy Policy and provide the disclosures and rights required by applicable law.

13. Children's Privacy

The Website and the Platform are not directed to children, and we do not knowingly collect personal information from any child under the age of eighteen (18). Our eligibility representations under Section 2.2 of the Comprehensive Disclaimer require that the user be at least eighteen years of age. If we become aware that we have collected personal information from a child without the consent of a parent or guardian where such consent is required by applicable law, we will delete such information promptly.

14. Changes to This Policy; Contact; Versioning

14.1 Changes

We may modify this Privacy Policy from time to time. The current version is identified in the document metadata at the head of this Policy. Where we determine that a modification is material, we will provide notice in a manner reasonably calculated to provide actual notice (which may include in-Platform notification, electronic-mail notification to your registered address, or banner notification on the Website). Where applicable law requires affirmative consent to a modification, we will not apply the modification to you until you have provided such consent.

14.2 Versioning

Each version of this Privacy Policy is identified by a version number and a version hash. The version hash enables later reconstruction of the precise text in effect at any given moment, in the same manner described in Section 14 of the Comprehensive Disclaimer.

14.3 Contact

To contact us regarding this Privacy Policy or any privacy matter, please use the contact information set out in the banner at the head of this Policy. The Corporation's data-protection inquiries are handled by the Office of the General Counsel.
ANNEX A EU/UK General Data Protection Regulation Supplement This Annex applies to personal information of natural persons located in the European Economic Area, the United Kingdom, or Switzerland (collectively, "EEA/UK Persons"). It supplements, and where in conflict controls over, the main body of this Privacy Policy with respect to such persons. A.1 Controller Planck Power Corporation, acting through the Office of the General Counsel at the address designated in the banner at the head of this Policy, is the controller of personal information processed under this Privacy Policy. The Corporation is established in the United States and does not maintain an establishment in the European Union or the United Kingdom. The Corporation relies on the exception set forth in Article 27(2)(a) of the GDPR (and the materially identical exception under the UK GDPR) from the obligation to designate a representative, on the basis that the Corporation's processing of personal information of EEA/UK Persons is (a) occasional rather than regular and continuous, (b) limited in scale relative to the categories and volumes of data processing contemplated by Article 27(2)(a), (c) not a core activity of the Corporation with respect to EEA/UK Persons, and (d) unlikely to result in a risk to the rights and freedoms of natural persons, taking into account the nature, context, scope, and purposes of the processing, the SPI-minimization architecture described in Section 11.2 of the main body of this Privacy Policy, and the gated, authenticated, audit-trailed character of Platform access. The Corporation monitors its EEA/UK-related processing activities on an ongoing basis. 
If the Corporation's processing crosses the Article 27(2)(a) threshold — for example, through material growth in EEA/UK investor or counterparty engagement, through the introduction of large-scale processing of special category data (see Section 4.3 of the main body), or through regulatory guidance altering the threshold analysis — the Corporation will designate an Article 27 representative in the European Union and, separately, in the United Kingdom, and will update this Annex and the Corporation's public contact information accordingly. For the avoidance of doubt, the Article 27(2)(a) exception is an exception only from the representative-designation requirement; it does not reduce the Corporation's substantive obligations under the GDPR or the UK GDPR with respect to any processing of personal information of EEA/UK Persons, all of which continue to apply in full. A.2 Lawful Bases The lawful bases on which we rely are identified in Section 4.2 of the main body of this Privacy Policy. A.3 Rights EEA/UK Persons have the rights identified in Section 10.1 of the main body of this Privacy Policy, as further specified in Articles 12 – 22 of the GDPR (or the corresponding UK GDPR provisions). Requests may be submitted using the contact information in Section 14.3 of the main body of this Privacy Policy. A.4 Cross-Border Transfers We rely on the transfer mechanisms described in Section 7.1 of the main body of this Privacy Policy. Copies of the relevant Standard Contractual Clauses, the UK Addendum, or other applicable safeguards may be requested using the contact information in Section 14.3. A.5 Right to Lodge a Complaint You have the right to lodge a complaint with the supervisory authority of your member state, the United Kingdom Information Commissioner's Office, or the Swiss Federal Data Protection and Information Commissioner, as applicable. 
We would, however, appreciate the opportunity to address your concerns directly before you escalate, and we encourage you to contact us first. ANNEX B California Consumer Privacy Act / CPRA Supplement This Annex applies to natural persons who are residents of the State of California ("California Residents") and supplements, and where in conflict controls over, the main body of this Privacy Policy with respect to such persons. Capitalized terms used and not otherwise defined in this Annex have the meanings assigned to them in the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, the "CCPA"), and its implementing regulations. B.1 Categories of Personal Information Collected In the preceding twelve months, we have collected the categories of Personal Information identified in Section 2 of the main body of this Privacy Policy. Specific CCPA-statutory category mapping is available upon request. B.2 Sources, Purposes, and Disclosures Sources are described in Section 3, business purposes are described in Section 4.1, and categories of recipients are described in Section 6 of the main body of this Privacy Policy. B.3 Sale and Sharing We do not "sell" Personal Information for monetary consideration. To the extent that any disclosure described in Section 6 might constitute a "sale" or "sharing" under the broader CCPA definitions, we honor opt-out requests in accordance with Section B.6 below and we honor the Global Privacy Control signal as required by California regulation. B.4 Sensitive Personal Information We collect the categories of Sensitive Personal Information described in Section 11.1 of the main body of this Privacy Policy. Where applicable, you have the right to limit our use and disclosure of Sensitive Personal Information to those purposes specified in Section 7027(m) of the CCPA regulations and to other purposes for which the right to limit does not apply. 
To exercise this right, please use the contact information in Section 14.3 of the main body of this Privacy Policy. B.5 Retention Our retention periods are described in Section 8 of the main body of this Privacy Policy. B.6 Your Rights California Residents have the rights to: (a) know the categories and specific pieces of Personal Information collected, the categories of sources, the business or commercial purposes, and the categories of third parties to whom information has been disclosed or sold; (b) deletion of Personal Information, subject to statutory exceptions; (c) correction of inaccurate Personal Information; (d) opt out of "sale" or "sharing"; (e) limit use and disclosure of Sensitive Personal Information; (f) non-discrimination for exercising rights; and (g) appeal a denial of any of the foregoing rights. Requests may be submitted using the contact information in Section 14.3, and we will respond within forty-five (45) days, subject to a one-time extension of up to forty-five (45) additional days where permitted. B.7 Authorized Agents California Residents may designate authorized agents in accordance with Section 10.4 of the main body of this Privacy Policy. ANNEX C Canada PIPEDA and Quebec Law 25 Supplement This Annex applies to natural persons located in Canada ("Canadian Residents") and supplements, and where in conflict controls over, the main body of this Privacy Policy with respect to such persons. C.1 PIPEDA Compliance Our processing of personal information of Canadian Residents complies with the Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5) ("PIPEDA") and applicable provincial private-sector privacy law (including without limitation British Columbia's Personal Information Protection Act, Alberta's Personal Information Protection Act, and Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25). 
C.2 Accountability and Privacy Officer Inquiries regarding our compliance with PIPEDA and applicable provincial privacy law may be directed to the Office of the General Counsel using the contact information in Section 14.3 of the main body of this Privacy Policy. C.3 Cross-Border Transfers (Quebec Law 25) Where personal information of Quebec residents is transferred outside Quebec, we conduct a privacy impact assessment as required by Quebec Law 25, and we apply contractual measures to require comparable levels of protection in the recipient jurisdiction. C.4 Right to Complain Canadian Residents have the right to file a complaint with the Office of the Privacy Commissioner of Canada or with the applicable provincial privacy commissioner. We would, however, appreciate the opportunity to address your concerns directly before you escalate, and we encourage you to contact us first. C.5 Person in Charge of the Protection of Personal Information (Quebec Law 25) In accordance with section 3.1 of Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25, the Corporation has designated a Person in Charge of the Protection of Personal Information (the "Person in Charge"), with responsibility for ensuring the Corporation's compliance with the Act with respect to Quebec residents. The Person in Charge is the Corporation's Office of the General Counsel, and inquiries, requests, and complaints under the Act may be directed to the Person in Charge using the contact information in Section 14.3 of the main body of this Privacy Policy. The title, contact information, and role of the Person in Charge are also published on the Corporation's website. If the role is delegated in writing to a specific individual or to a specific position within the Corporation, that delegation will be reflected on the Corporation's website and in this Annex. 
C.6 Confidentiality Incidents (Breach Notification) If the Corporation becomes aware of a "confidentiality incident" within the meaning of Quebec's Act respecting the protection of personal information in the private sector, as amended by Law 25 — that is, an unauthorized access to, use of, disclosure of, or loss of personal information, or any other breach of the protection of personal information — and the incident presents a risk of serious injury to a Quebec resident, the Corporation will, without delay: (a) notify the Commission d'accès à l'information du Québec; (b) notify each Quebec resident whose personal information is implicated by the incident; and (c) take reasonable measures to mitigate the risk of injury and to prevent further incidents of the same nature. The Corporation will maintain a register of confidentiality incidents in the form required by the Act and will provide the register to the Commission on request. These Quebec-specific notification obligations operate in addition to, and do not replace, the federal breach-notification obligations under PIPEDA that apply where a breach of security safeguards involving personal information under the Corporation's control creates a real risk of significant harm to an individual, which the Corporation fulfills in accordance with Sections 10.1 and 10.3 of PIPEDA (notification to the Office of the Privacy Commissioner of Canada and to affected individuals, and maintenance of a breach-of-security-safeguards record). Section 9.3 of the main body of this Privacy Policy describes the Corporation's general breach-notification posture; this §C.6 provides the Canada-specific detail. APPENDIX A Counsel Review Notes This Appendix is for internal counsel review and is not part of the operative text of the Privacy Policy. The notes below identify items that counsel should confirm, calibrate, or supplement before publication. 
v0.4 includes a new Note 9 addressing the architectural-pivot coordination with DISC v0.9 and NDA v0.3; Note 1 is updated to reflect the v0.3 NDA mirror; all other notes preserved from v0.3. Note 1 — Section 1.3 Coordination Provision (UPDATED in v0.4) This provision is the privacy-side articulation of the two-axis framework (confidentiality axis vs. privacy substantive obligations). Under v0.4, §1.3 explicitly mirrors §14.4 of the Comprehensive Non-Disclosure Agreement v0.3, which establishes the parallel articulation from the confidentiality side. The two-axis structure ensures that NDA confidentiality obligations (now applicable universally to all Platform access under v0.3) do not appear to displace data-subject rights or substantive privacy obligations. Counsel should confirm that §14.4 of NDA v0.3 remains synchronized with this §1.3 across any subsequent version bumps. Note 2 — Section 11.2 Accredited-Investor Verification SPI Flow This is the central SPI minimization flow. The architectural choice is to allocate SPI processing to a third-party verification provider with direct privacy obligations to the user, with the Corporation receiving only the verification result and minimal metadata. Confirm with the chosen verification provider (e.g., VerifyInvestor.com, Parallel Markets, or similar) that their service model and privacy posture support this architecture. Where the provider acts as a data processor of the Corporation rather than as a separate controller, the flow description should be updated accordingly and a data-processing addendum should be executed. Note 3 — Section 6.3 Counterparty Sharing (UPDATED in v0.4) This section coordinates with PP-LEGAL-NDA-001 v0.3. The drafting acknowledges that NDA confidentiality terms apply in addition to (not in derogation of) Privacy Policy obligations. 
v0.4 adds the observation that where PP-LEGAL-NDA-001 applies as a universal Stage 3 click-through gate, the recipient's confidentiality obligations include the two-tier Confidential / Restricted regime set forth in §7 of that Agreement. NDA v0.3 §3 (Confidential Information definition) and §14.4 (two-axis articulation) together provide the reciprocal acknowledgment that nothing in the NDA limits the recipient's privacy obligations under applicable law. Note 4 — Section 7.1 EU/UK Transfer Mechanisms The reference to the EU-U.S. Data Privacy Framework, the UK Extension thereto, and the Swiss-U.S. Data Privacy Framework is included for completeness but should be activated only if the Corporation actually completes self-certification under the framework. Until certification, the operative mechanisms are the EU SCCs and the UK Addendum with supplementary measures. Note 5 — Section 8 Retention Schedule Retention periods are first-cut estimates calibrated to typical industry practice and to known regulatory requirements (Rule 506(c), AML record-keeping, and audit-trail integrity). Confirm with the engaged counsel for each compliance regime that the periods are appropriate and that no longer minimum is mandated. The 7-year Stage-3 audit-trail retention period coordinates with the Trade Secret preservation rationale under DISC v0.9 §6.3 and NDA v0.3 §7.2 (the longer the audit trail, the stronger the reasonable-efforts argument). Note 6 — Section 12 Automated Decision-Making Current operations do not involve solely automated decision-making with legal or similarly significant effects. If the Corporation introduces algorithmic Profile-routing or content personalization with such effects, this section will require revision to provide GDPR Article 22 disclosures and to provide for human-in-the-loop review. Note 7 — Annex Coverage Annexes for EU/UK, California, and Canada are included. 
Counsel should evaluate whether additional regional supplements are warranted (notably Brazil under the LGPD, Australia under the Privacy Act, China under PIPL, India under DPDP, and the patchwork of US state laws beyond California, e.g., Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others). Note 8 — Children's Privacy The Policy aligns with the eligibility floor in Disclaimer Section 2.2 (age 18). Confirm that no element of the Website or Platform is directed to or appealing to minors. If any future content is so directed, COPPA and analogous laws will require additional disclosures and consent mechanisms. Note 9 — Architectural Pivot Coordination (NEW in v0.4) v0.4 of this Privacy Policy is the lightest document in the v0.9/v0.3/v0.2/v0.4 coordinated revision. The architectural pivot — reversing Platform Content from non-confidential to Confidential Information — is effected in DISC v0.9 §6.1 (inversion), NDA v0.3 §3.2 (inversion and unilateral conversion), and INV v0.2 §10.3 (coordination cross-reference). This Privacy Policy is largely unchanged because the pivot does not alter the Corporation's substantive privacy obligations; it alters only the confidentiality status of Platform Content. The §1.3 update in v0.4 ensures that the two-axis articulation is explicit: the pivot imposes additional confidentiality obligations on recipients, but does not reduce data-subject rights or the Corporation's privacy obligations. Note that the Prior Transparency Determination period (DISC v0.8 / NDA v0.2) did not alter any substantive privacy obligation under this Policy at any time; privacy obligations were continuous throughout. 
For operational coordination, counsel should confirm that: (a) the PP-LEGAL-TS-MEMO-001 Trade Secret preservation memorandum (recommended by DISC v0.9 CRN Note 3 and NDA v0.3 CRN Note A0.4) addresses how the Corporation's privacy obligations under this Policy — including the SPI minimization flow in §11.2 — operated during the Prior Transparency Determination period, to the extent such operations are relevant to the Trade Secret reasonable-efforts analysis; (b) the clawback / re-acceptance workflow for v0.1 Investor Attestation acceptors (described in INV v0.2 §13.19) does not trigger new privacy-request or data-subject-rights workflows that require notification under applicable law; and (c) any external privacy-notice communications issued in connection with v0.4 deployment are aligned with the material-change notification requirements of §14.1 and of applicable privacy law. APPENDIX B Execution and Deployment Record This Appendix records the Corporation's internal authorization, version control, and deployment history for this Privacy Policy. DOCUMENT ID PP-LEGAL-PRIV-001 VERSION NUMBER 0.4.2 VERSION HASH 13c313e23efbc294aeee67a5272bc0897e3f7a33d33da9389e7ac1847a98dafc VERSION STATUS Counsel Review Draft VERSION 0.4.1 REVISIONS Patch release addressing P1 substantive gaps and one P2 regional-supplement enhancement identified in counsel review of v0.4. Three changes: (1) New §4.3 (Special Category (Sensitive) Personal Information — Article 9 GDPR Conditions) adds the Article 9(2) lawful-basis stack that v0.4 had omitted; §4.2 provided only Article 6 grounds, which is not sufficient for processing of special category data under the GDPR and UK GDPR. 
New §4.3 identifies the specific Article 9(2) conditions relied on: 9(2)(a) explicit consent for accredited-investor verification and biometric identity verification; 9(2)(g) substantial public interest with a basis in law for sanctions screening, AML, and KYC; 9(2)(f) establishment, exercise, or defense of legal claims for litigation-hold and regulatory-response processing; and 9(2)(e) manifestly made public by the data subject for professional biographical and public-filing data. (2) Annex A §A.1 (Controller) rewritten to take a defensible Article 27 GDPR representative posture: the v0.4 conditional "if our processing activity reaches the threshold… we will appoint" replaced with an affirmative invocation of the Article 27(2)(a) exception, supported by specific reasoning (occasional processing, limited scale, non-core activity, low risk, SPI-minimization architecture, gated/authenticated access), together with a commitment to monitor and designate a representative if the threshold is crossed. (3) Annex C expanded with two new sections: §C.5 (Person in Charge of the Protection of Personal Information) implementing the Quebec Law 25 section 3.1 designation requirement, and §C.6 (Confidentiality Incidents / Breach Notification) implementing the Quebec Law 25 notification obligations to the Commission d'accès à l'information and to affected residents, together with the federal PIPEDA §§10.1 and 10.3 obligations. No change to the substantive privacy obligations or to the two-axis articulation in §1.3; v0.4.1 is a compliance-hardening patch preserving v0.4 in all operative respects. Sibling-document versions (DISC v0.9.1, NDA v0.3.1, INV v0.2.1) unaffected by this patch; no coordinated update required. VERSION 0.4 REVISIONS Lightest of the four coordinated revisions (DISC v0.9 / NDA v0.3 / INV v0.2 / PRIV v0.4). Changes: metadata updated to v0.4; SUPERSEDES row identifies v0.3 as the prior version; PRIORITY RANK annotated by reference to DISC v0.9 §12. 
§1.3 Coordination provision updated to reflect that Platform Content is now Confidential Information under NDA v0.3; explicit mirror relationship to NDA v0.3 §14.4 stated in text; two-axis articulation restructured into sub-paragraphs (a) Confidentiality Axis and (b) Privacy Axis for clarity. §6.3 updated to note that where NDA v0.3 applies as a universal Stage 3 gate, the recipient's confidentiality obligations include the two-tier Confidential / Restricted regime from NDA v0.3 §7. CRN Note 1 updated to reference the NDA v0.3 §14.4 mirror. CRN Note 3 updated for NDA v0.3 coordination. New CRN Note 9 added: Architectural Pivot Coordination, addressing the privacy-side of the v0.9/v0.3/v0.2/v0.4 coordinated revision and the relationship between this Policy, the Trade Secret preservation memorandum PP-LEGAL-TS-MEMO-001, and the v0.1 clawback / re-acceptance workflow under INV v0.2 §13.19. All other sections (§§2 through 14 and Annexes A, B, C) preserved verbatim from v0.3. AUTHORIZED BY Office of the General Counsel INTERNAL APPROVAL DATE April 20, 2026 EXTERNAL EFFECTIVE DATE April 20, 2026 DEPLOYMENT URL https://www.planckpower.com/privacy AUDIT LOG TARGET Amazon CloudTrail — audit-trail and acceptance-event logging VERIFICATION PROVIDER Third-party verification; provider to be named and disclosed to Investors pursuant to §3.2 upon engagement SUPERSEDES VERSION v0.3 and all prior versions SIBLING VERSIONS DISC v0.9 · NDA v0.3 · INV v0.2 (coordinated revision) PRIOR-EXPOSURE PROTOCOL Coordinated with DISC v0.9 §14.5, NDA v0.3 §16.5, and INV v0.2 §13.19 — see CRN Note 9 NEXT SCHEDULED REVIEW Quarterly, or upon material change in applicable privacy law PP-LEGAL-PRIV-001 · Privacy Policy · Version 0.4.2 · Counsel Review Draft © 2026 Planck Power Corporation. All rights reserved. "Planck Power," "Prime Radiant," and "SLM-X" are trademarks of Planck Power Corporation.
================================================================================
Appendix B — REVISION HISTORY (v0.X.3 ADDITIONS)
================================================================================
The following rows are added to Appendix B of v0.4.3 per the v0.X.3 coordinated patch. Prior Appendix B rows (v0.X and earlier) are preserved from v0.4.2 in the body above.
| Version | Date | Notes |
|---------|------|-------|
| v0.4.2 | [Apr 2026] | Patch release. [counsel: confirm or adjust this summary to reflect what actually shipped in v0.4.2] |
| v0.4.3 | 2026-05-12 | Coordinated four-document patch (DISC v0.9.3 / NDA v0.3.3 / INV v0.2.3 / PRIV v0.4.3). Refreshes version hash per PP-LEGAL-HASHCONV-001. The substantive §13.20 → §13.19 cross-references were already applied in v0.4.1 (retained in v0.4.2) and require no further body-text amendment in this patch. No material legal content changes from v0.4.2. |
================================================================================