Terms and Conditions - Credit Acuity

Credit Acuity Ltd — Consolidated Terms & Conditions

(Modernised and harmonised master agreement for Business Information, Data Services and SaaS Platform access)

Supplier: Credit Acuity Ltd, a company registered in England and Wales (No. 16784160) with registered office at 35–37 Ludgate Hill, London, EC4M 7JN, United Kingdom.

Contact: customerservices@creditacuity.com

Order of precedence. If there is any conflict or inconsistency, the following order of precedence applies (highest first): (1) the Order Acknowledgement (including any ServiceSpecific Terms stated there); (2) these Terms & Conditions (including Appendices); (3) the Website Terms of Use and Privacy Policy.

1. Definitions

Automated Infrastructure Management (AIM) System means any system comprising hardware, software and networked components that automatically monitors, manages, documents and controls the physical layer of an organisation’s IT infrastructure.

Artificial Intelligence Legislation means all artificial intelligence legislation and regulatory requirements in force from time to time that apply to a party, including (to the extent applicable) Regulation (EU) 2024/1689 (the “EU AI Act”), and any UK legislation or regulatory guidance with equivalent effect.

Artificial Intelligence System (AI System) means any software, system or process that uses machine learning models (supervised, unsupervised or reinforcementbased), neural networks, natural language processing, large language models (LLMs), predictive analytics, computer vision or other automated systems or algorithms that process data, make decisions or generate outputs based on patterns, inferences or probabilistic logic.

Business Information means any UK or international credit report, marketing or prospecting data, risk or exposure data, datasets, databases, scores, indices, analyses, profiles or other business information of any kind supplied by the Supplier under the Contract.

Confidential Information has the meaning in clause 13 and includes the Service and any Output Data.

Contributors / Data Providers means any third party that owns or licenses any part of the Business Information and/or provides data to the Supplier.

Contract has the meaning in clause 2.3.

Customer means the individual, firm, partnership, company or other organisation that orders or receives the Service/Business Information.

Data Protection Legislation means the UK GDPR (as defined in s.3(10) of the Data Protection Act 2018) and the Data Protection Act 2018, together with all applicable data protection and privacy laws, regulations and guidance in the UK as amended or replaced from time to time.

Intellectual Property Rights (IPR) means any and all intellectual property rights and industrial property rights of any nature, including patents, utility models, copyright, database right, design rights, trademarks, service marks, business names, domain names, rights in knowhow and confidential information and applications for any of the foregoing, in any part of the world.

Licence means the limited licence granted in clause 4.

Minimum Period means the initial minimum subscription term stated in the Order Acknowledgement.

Order means any order submitted by the Customer.

Order Acknowledgement means the Supplier’s written acceptance of an Order, subject to these Terms & Conditions and any additional terms contained in the Order Acknowledgement.

Output Data means any output, report, score, insight or content generated by the Service using Business Information (including derived or transformed data).

Registration means completion and submission of the online registration information when entering or using the Site or Platform.

Service means the Supplier’s SaaS platform, APIs, portals, dashboards and related services for access to and use of Business Information, together with support and any deliverables described in the Order Acknowledgement.

Site means www.creditacuity.com and any other website operated by the Supplier for the Service.

Start Date means the earlier of: (a) the date stated as the start date in the Order Acknowledgement; or (b) the date the Supplier first makes the Service or Business Information available to the Customer.

Term means the duration of the Contract as set out in clause 14.

2. Basis of Contract

2.1 These Terms & Conditions apply to the exclusion of any other terms that the Customer seeks to impose or incorporate, or which are implied by trade, custom, practice or course of dealing.

2.2 The Customer’s use of the Site is governed by the Supplier’s Website Terms of Use and Privacy Policy. The Supplier uses personal information in accordance with its Privacy Policy.

2.3 A legally binding contract is formed when the Supplier issues an Order Acknowledgement (the Contract). Any quotation or marketing material is not an offer.

2.4 The Supplier may amend these Terms & Conditions from time to time by posting an updated version on the Site or by notifying the Customer in writing. Changes will not apply retrospectively to Orders already accepted unless required by law or explicitly agreed.

3. Registration & Account

3.1 By submitting a Registration or Order, the Customer warrants that the person acting has authority to bind the Customer; that the principal place of business is as stated; and that all information provided is true, accurate and complete.

3.2 User IDs are personal to named users. The Customer must keep all credentials secure, must not share them, and must immediately disable any credentials for leavers or those who no longer require access.

3.3 Unless the Order Acknowledgement states otherwise, access is licensed for one designated user. Access by any other person (simultaneous or otherwise) requires additional licences.

4. Licence & Use Restrictions

4.1 Subject to payment of applicable fees, the Supplier grants to the Customer a nonexclusive, nontransferable, nonsublicensable licence for the Term to access and use the Service and Business Information for the Customer’s internal business purposes only in the territory specified in the Order Acknowledgement, in accordance with these Terms.

4.2 The Customer must not: a) resell, relicense, publish, distribute or make the Business Information, Output Data or Service available to any third party (including group companies) except as expressly permitted in the Order Acknowledgement;

b) use the Business Information/Output Data to build or enhance any product or service that competes with the Service;

c) copy, frame, mirror, scrape, harvest, crawl, batch download, extract or otherwise reproduce any part of the Service or Business Information (except for reasonable internal backups and permitted archives);

d) reversecompile, disassemble, reverseengineer or otherwise reduce to humanperceivable form any part of the Service (except to the extent such restriction is prohibited by law);

e) produce the Business Information/Output Data in judicial or administrative proceedings (including disclosure/discovery) without the Supplier’s prior written consent unless required by law and provided the Supplier is promptly notified;

f) use Business Information as a factor in establishing an individual’s eligibility for personal credit, insurance, employment or any other consumer purpose;

g) use the Service or Business Information in any manner that is unlawful, deceptive, anticompetitive or otherwise in breach of applicable law (including laws on telemarketing, customer solicitation, data protection, privacy and antibribery).

4.3 The Customer may create an internal archive or backup of Business Information solely to meet audit or regulatory retention requirements, provided such copy is not used for any commercial purpose and remains subject to these Terms.

4.4 The Contributors/Data Providers own all IPR in the Business Information. Except for the Licence, no IPR is assigned or transferred to the Customer.

5. Customer Obligations

5.1 The Customer shall provide all information, access and assistance reasonably required to enable the Supplier to perform, and warrants that such information is true, complete and accurate and in the agreed format. The Customer will promptly correct any errors or omissions.

5.2 The Customer must comply with all applicable laws and regulations (including Data Protection Legislation, Artificial Intelligence Legislation, antibribery and anticorruption laws).

5.3 The Customer must restrict access to the Service to those employees who have a needtoknow, ensure Output Data is used only for legitimate internal purposes and prevent personal use by employees.

5.4 The Customer shall promptly notify the Supplier by email to customerservices@creditacuity.com of any suspected or actual breach of these Terms, unauthorised access or security incident, and fully cooperate with any investigation.

5.5 Security & acceptable use. The Customer must (a) implement and maintain appropriate technical and organisational measures to safeguard the Service, Business Information and Output Data; (b) not attempt to circumvent any access control; (c) not introduce any malware; (d) not use any automated means to access the Service other than Supplierapproved APIs.Shape

6. Data Protection

Roles. The parties acknowledge that:

When the Supplier supplies Business Information and the Customer uses it for its own purposes, each party acts as an independent controller.

Where the Supplier hosts, processes or otherwise handles personal data on behalf of the Customer via the Service, the Supplier acts as processor and the Customer as controller. The processor terms in Annex Data Processor/protection (Annex DP) (within this clause) apply in that case.

6.1 Each party will comply with Data Protection Legislation. The Customer is responsible for ensuring it has a valid lawful basis for its processing of any personal data in Business Information and Output Data and for providing any required notices to data subjects.

6.2 The Customer will not upload special category or criminal offence data to the Service unless expressly agreed in the Order Acknowledgement.

6.3 International transfers. If the Supplier transfers personal data outside the UK, it shall ensure an appropriate safeguard (e.g., IDTA or UK Addendum to EU SCCs) is in place.

6.4 Security. Each party shall implement appropriate technical and organisational measures (including encryption at rest and in transit for personal data processed via the Service).

Annex DP (Processor Terms — apply only where the Supplier processes Customer personal data as processor)

(a) Processing instructions. The Supplier will process personal data only on documented instructions of the Customer (including via the Service functionality).

(b) Confidentiality. The Supplier ensures persons authorised to process personal data are subject to confidentiality.

(c) Security. The Supplier implements appropriate security (including encryption, access controls, logging and incident response).

(d) Subprocessors. The Supplier may appoint subprocessors and will remain liable for their acts/omissions. A list can be provided on request. The Supplier will provide notice of any intended changes, and the Customer may object on reasonable grounds.

(e) Assistance. The Supplier will assist with data subject requests and Data Protection Impact Assessments.

(f) Incidents. The Supplier will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data.

(g) Deletion/return. On termination, at the Customer’s option, the Supplier will delete or return personal data (unless retention is required by law).

(h) Audits. The Supplier will make available information to demonstrate compliance and allow reasonable audits (no more than annually) upon reasonable notice, subject to confidentiality and security.

7. Fees & Payment

7.1 Price. Prices are as set out in the Order Acknowledgement and are exclusive of VAT and other applicable taxes.

7.2 Payment

a) Unless otherwise stated, invoices are due prior to the commencement of the service.

b) The Contract continues for the Minimum Period, then rolls monthly unless terminated on one month’s written notice after the Minimum Period. Early termination during the Minimum Period requires payment of all remaining charges to the end of the Minimum Period.

c) Card payments. Accepted cards are as stated on the Site.

7.3 Late payment & suspension. The Supplier may suspend access to the Service/Business Information if the Customer fails to pay any undisputed amount by the due date and does not cure within 7 days of notice. The Supplier may terminate under clause 14.

7.4 Interest & charges. Statutory interest and compensation may be charged under the Late Payment of Commercial Debts (Interest) Act 1998, or, where agreed in the Order Acknowledgement, interest at 4% per annum above the Bank of England base rate on overdue amounts, accruing daily. A £40 administration fee may be charged for failed Direct Debit payments.

7.5 Prepayments. Any prepayments for Business Information are valid during the Term (or other period stated in the Order Acknowledgement).Shape

8. Delivery

8.1 All delivery times and dates for Business Information are estimates only. The Supplier will use reasonable endeavours to meet timeframes stated on the Site or Order Acknowledgement but is not liable for delays.

9. Intellectual Property

9.1 The Contributors/Data Providers and the Supplier own all IPR in the Business Information, the Output Data (to the extent of the Supplier’s selection and arrangement), the Service and the Site. The Customer acquires no ownership rights.

9.2 The Customer must not remove any proprietary notices and, where required by the Supplier, shall reproduce copyright notices and proprietary rights legends on authorised copies.

9.3 The Customer shall not do or omit anything that might jeopardise, limit or challenge the Supplier’s or any Contributor’s IPR.Shape

10. Warranties

10.1 The Service is based on data input from third parties and public sources. While the Supplier employs quality controls, the Business Information and Output Data may contain inaccuracies or be incomplete or out of date.

10.2 Except as expressly stated in the Order Acknowledgement, the Service, Business Information and Output Data are provided “as is” and “as available”. The Supplier disclaims all other warranties, representations and conditions, whether express or implied, including any implied warranties of accuracy, completeness, merchantability, noninfringement, satisfactory quality or fitness for a particular purpose.

10.3 The Customer is responsible for determining whether the Business Information and Output Data are sufficient for the Customer’s purposes and must rely on its own skill and judgment.

11. Liability

11.1 No exclusion for mandatory liabilities. Nothing in the Contract excludes or limits liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; (c) breach of the implied term as to title under section 12, Sale of Goods Act 1979 or section 2, Supply of Goods and Services Act 1982; or (d) any other liability that cannot lawfully be excluded.

11.2 Excluded losses. Subject to clause 11.1, the Supplier shall not be liable for: (a) loss of profits; (b) loss of sales or business; (c) loss of agreements or contracts; (d) loss of anticipated savings; (e) increase in bad debt or failure to reduce bad debt; (f) loss of or damage to goodwill; or (g) indirect or consequential loss.

11.3 Implied terms excluded. To the fullest extent permitted by law, the terms implied by sections 13–15, Sale of Goods Act 1979 and sections 3–5, Supply of Goods and Services Act 1982 are excluded.

11.4 Cap. Subject to clause 11.1, the Supplier’s total aggregate liability arising out of or in connection with any claim relating to specific Business Information or a specific Service deliverable shall be limited to the amounts paid for that specific Business Information or deliverable; and for subscription Services, limited to the total fees paid in the 12 months preceding the event giving rise to the claim. Multiple claims will not enlarge this cap.

11.5 The Supplier will not be liable for any loss or injury arising from the procurement, compilation, collection, interpretation or reporting of Business Information except as expressly set out above.Shape

12. Indemnity

12.1 The Customer shall indemnify and hold harmless the Supplier, its affiliates and personnel from and against all losses, costs, claims, damages, liabilities and expenses (including reasonable legal fees) arising out of or in connection with:

(a) the Customer’s breach of the Contract or applicable law;

(b) access to or use of the Service, Business Information or Output Data by any person other than as permitted;

(c) any use, processing, modification, inputting or dissemination of Output Data in or via any AI System or AIM System in breach of Appendix A or this Contract.

13. Confidentiality

13.1 Definition. “Confidential Information” means information of a confidential nature disclosed by one party to the other, whether in writing, orally or by any other means, that is marked confidential or would reasonably be regarded as confidential, including business, financial, technical, product, customer and supplier information, and the Service and Output Data.

13.2 Each party shall keep the other’s Confidential Information confidential and shall not use it for any purpose other than to perform its obligations under the Contract.

13.3 A party may disclose Confidential Information: (a) to its personnel, professional advisers and contractors who need to know for the permitted purpose and are bound by confidentiality obligations; and (b) as required by law, court order or regulatory authority.Shape

14. Term & Termination

14.1 The Contract starts on the Start Date and continues for the Minimum Period (if any) and thereafter unless terminated in accordance with this clause.

14.2 The Supplier may terminate with immediate effect on written notice if:

(a) the Customer fails to pay any undisputed amount by the due date and does not pay within 14 days after written notice;

(b) the Customer commits a material breach (other than payment) and, if remediable, fails to remedy within 14 days after written notice;

(d) any agreement between the Supplier and a Data Provider that is necessary to provide the Service expires or is terminated and no suitable alternative is available.

14.3 The Supplier may suspend access immediately without notice where it reasonably believes the Customer has breached the Contract or to protect the integrity or security of the Service or Business Information.

14.4 On termination or expiry: (a) all rights and licences terminate; (b) the Customer must immediately cease use and delete or return the Service, Business Information and Output Data (except for permitted regulatory archives); (c) all sums due become immediately payable; and (d) clauses which by their nature survive (including 6, 9–13, 15–17 and the Appendices) shall continue.

15. ThirdParty Rights

15.1 The parties agree that Contributors/Data Providers may enforce, in their own name, the provisions of this Contract that relate to the use of their information and corresponding rights and liabilities under the Contracts (Rights of Third Parties) Act 1999. Save for the foregoing, no person other than a party has any right to enforce any term.

16. Force Majeure

16.1 Neither party is liable for delay or failure to perform caused by events beyond its reasonable control, including acts of God, epidemic or pandemic, default of subcontractors or thirdparty suppliers, perils of the sea or air, flood, drought, explosion, sabotage, accident, embargo, riot, civil commotion, or acts of governmental or regulatory authorities.

16.2 If a force majeure event continues for 30 consecutive days, the nonaffected party may terminate the Contract by written notice.Shape

17. General Provisions

17.1 Entire agreement. The Contract constitutes the entire agreement and supersedes prior agreements, representations and understandings (written or oral) relating to its subject matter. Each party agrees it has not relied on any statement not set out in the Contract. Neither party excludes liability for fraud.

17.2 Assignment. The Supplier may assign or transfer its rights and obligations. The Customer may assign or transfer only with the Supplier’s prior written consent.

17.3 No waiver. A failure or delay to enforce any right is not a waiver.

17.4 Severance. If any provision is held unlawful or unenforceable, the remainder continues in full force.

17.5 Notices. Notices must be in writing and delivered by hand, prepaid post or email to the address stated in the Order Acknowledgement (or as otherwise notified). Notice is deemed received: if by hand, at delivery; if by prepaid post, on the second business day after posting; if by email, at the time of transmission (unless sent outside business hours, in which case at 9:00am GMT the next business day).

17.6 Governing law and jurisdiction. The Contract is governed by English law and the parties irrevocably submit to the exclusive jurisdiction of the courts of England.

Appendix A — AI Use Conditions

A1. Scope. This Appendix governs any use of Business Information and Output Data with AI Systems or AIM Systems.

A2. Permitted purpose. The Customer may use Output Data with AI Systems solely for the specific internal purposes agreed in writing and in accordance with this Contract.

A3. Security. The Customer will keep Output Data secure and encrypted when stored or processed in any AI System, using encryption no less protective than AES256 for data at rest and TLS 1.2+ for data in transit.

A4. Governance. The Customer will implement security governance including:

(a) appointing a responsible employee to coordinate data security;

(b) periodic risk assessments of security, confidentiality and integrity of Output Data;

(c) safeguards aligned to Good Industry Practice which is define as the care, security and professionalism reasonable expected from a skilled provider of comparable data services and regular testing.

(d) strong authentication, password policies, inactivity timeouts, account lockouts, blocking compromised passwords, and employee training.

A5. Prohibitions. The Customer shall not input any Business Information or Output Data into:

(a) any open or public AI/LLM service (including for training or finetuning) without the Supplier’s prior written consent; or

(b) any AIM System that does not meet the security standards in A3–A4.

A6. Incidents. The Customer will promptly notify the Supplier of any misuse, unauthorised access or loss of Output Data, fully cooperate with investigations, and bear the reasonable and direct costs of remediation to the extent the incident arises from the Customer’s breach.

A7. Suspension. The Supplier may suspend the Customer’s AIrelated rights where misuse, breach or an unresolved security incident is identified.

Appendix B — Consumer & Prospecting Data Use

B1. Consumer services. If the Customer receives consumer reporting services, the Customer shall:

(a) conduct searches only with prior, valid consent from the relevant individual;

(b) not use the service for tracing, debt collection or private investigation;

B2. Prospecting data. If the Customer receives prospecting/marketing data, it is licensed only for the Customer’s internal marketing activities. The Customer is responsible for identifying the lawful basis and complying with all laws and selfregulatory rules (including the Telephone Preference Service (TPS), Corporate Telephone Preference Service (CTPS) and Data & Marketing Association guidelines).

B3. Credits/usage. Each search or request for additional address data on a consumer counts as one credit deducted from the balance stated in the Order Acknowledgement.

B4. No consumer eligibility use. Prospecting or consumer data must not be used to determine personal eligibility for credit, insurance or employment.Shape

Appendix C — International Report Terms

C1. International company credit reports are provided subject to availability, and the list of available countries may vary.

C2. Delivery timeframes for international reports are as stated on the Site and may vary by country and data source.

C3. Each request for a company credit report on the same entity counts as one credit per request (including repeat requests).