GLOBAL MOUNTAIN GROUP LLC

Last Updated: January 2026

Global Mountain Group LLC (“Company”, “GMG”, “we”, “us”, or “our”) is a Wyoming limited liability company operating internationally across security and risk management, cross-border investigative operations, evidence-led risk intelligence, logistics coordination, and the design, development, deployment, and operation of software, applications, platforms, and Software-as-a-Service (SaaS) solutions, including proprietary and patented technologies.

This Privacy Policy explains how we collect, use, disclose, and protect personal data in connection with our activities, services, platforms, and communications.

1. Scope of This Policy

This Privacy Policy applies to personal data processed in connection with:

• Security, risk management, and operational protection services
• Cross-border investigative operations and evidence-led risk intelligence
• Investigations, risk intelligence, and operational protection in high-complexity environments
• Support to companies, law firms, insurance companies, and private clients operating in, or requiring verification related to, Ukraine or other high-risk jurisdictions
• Logistics coordination and transport-related services
• Design, development, testing, deployment, and operation of software, applications, AI systems, and SaaS platforms
• Software and platforms developed for internal use, on behalf of third parties, or for public/commercial use
• Use and protection of proprietary, licensed, or patented technologies
• Websites, digital platforms, APIs, dashboards, and communications

This Policy does not apply to third-party services operating independently of the Company.

2. Role of the Company (Data Controller / Data Processor)

Depending on the context:

• Global Mountain Group LLC acts as Data Controller for personal data processed for its own operations, platforms, investigative activities, and services.
• In certain software, SaaS, or commissioned development contexts, the Company may act as a Data Processor or Service Provider on behalf of a client, subject to written agreement.

Unless expressly agreed otherwise, the Company is the Data Controller.

3. Categories of Personal Data We Process

Depending on the nature of the activity, we may process the following categories of personal data:

A. Identity & Contact Data

Name, company affiliation, role or title, contact details, and—where required for compliance or operational purposes—government-issued identification.

B. Investigative & Intelligence Data

Information collected or generated in connection with investigative, verification, or intelligence activities, including evidentiary material, risk indicators, source-derived data, and assessment outputs. Such data may relate to individuals, entities, or transactions and may be subject to legal, security, or source-protection constraints.

C. Operational & Logistics Data

Travel, transport, routing, access, clearance, and coordination data required for logistics or operational support.

D. Software, Platform & Technical Data

Account and authentication data, user identifiers, system logs, audit trails, usage data, configuration data, and user-submitted content processed through Company platforms or SaaS systems.

E. Communications Data

Emails, messages, calls, support requests, and other communications related to inquiries, screening, operations, or contractual relationships.

F. Compliance & Risk Data

Sanctions screening results, export-control checks, due diligence records, regulatory assessments, and internal risk evaluations.

G. Website & Security Data

IP addresses, access logs, device and browser information, and security monitoring data.

We do not collect or process personal data beyond what is necessary for legitimate business, operational, investigative, contractual, or legal purposes.

4. Legal Bases for Processing

Where applicable, personal data is processed on one or more of the following legal bases:

• Contractual Necessity – to deliver services, software, SaaS, investigative, or logistics support
• Legitimate Interests – operational security, investigative integrity, risk mitigation, fraud prevention, system protection, and internal governance
• Legal Obligations – compliance with U.S. federal and state laws, international sanctions regimes, export controls, transport and technology regulations, and applicable foreign laws
• Vital Interests – protection of life, physical safety, or critical interests in high-risk environments
• Consent – where expressly required by law

5. Mandatory Data Provision

Due to the nature of investigative, security, logistics, and platform activities, certain personal data is mandatory. Failure to provide required information may prevent evaluation, access, or service delivery.

6. Investigative & Intelligence Activities – Specific Notice

Where the Company conducts or supports investigative, verification, or intelligence activities:

• data may be obtained from lawful sources, partners, or client-provided materials
• certain information may be subject to confidentiality, source-protection, or legal restrictions
• disclosure, access, correction, or deletion rights may be restricted where legally permitted to protect investigations, sources, methods, or third-party rights

The Company does not publicly disclose investigative methods, sources, or internal assessment criteria.

7. Software, SaaS & AI Systems

When operating software platforms, applications, or SaaS solutions:

• data is processed to operate, secure, monitor, and improve systems
• system outputs, including AI-generated outputs, may be probabilistic and are provided “as-is” unless contractually specified
• client or user data is not used to train public AI models unless explicitly agreed in writing

Clients remain responsible for the lawfulness of content they submit.

8. Disclosure of Personal Data

Personal data may be disclosed on a strict need-to-know basis to:

• authorized contractors, investigative partners, and operational providers
• cloud, hosting, infrastructure, and security service providers
• professional advisors (legal, audit, compliance)
• governmental, regulatory, or law-enforcement authorities where required by law

The Company does not sell personal data and does not engage in consumer advertising profiling.

9. Law Enforcement & Government Requests

Personal data may be disclosed where required by applicable law, court order, subpoena, sanctions enforcement, national security, or public safety obligations. Disclosures may occur without prior notice where legally permitted.

10. International Data Transfers

As a U.S.-based company operating internationally, personal data may be transferred to and processed in the United States and other jurisdictions, including the European Union and Ukraine.

Appropriate safeguards are applied where required by law.

11. Data Security

We implement commercially reasonable, industry-standard administrative, technical, and organizational measures to protect personal data. No system is entirely secure; absolute security cannot be guaranteed.

12. Data Retention

Personal data is retained only as long as necessary for operational, investigative, contractual, legal, or audit purposes. Retention periods may vary depending on activity, jurisdiction, and legal requirements.

13. Data Subject Rights

Where applicable under GDPR or similar laws, individuals may have rights to access, correction, restriction, or objection. Certain rights may be limited where legally permitted, particularly in investigative, security, intelligence, or compliance contexts.

14. Children’s Data

Our services and platforms are not intended for individuals under 18 years of age. We do not knowingly collect personal data from minors.

15. Changes to This Policy

This Privacy Policy may be updated at any time. The “Last Updated” date reflects the current version.

16. Contact

For privacy-related inquiries: