PRIVACY POLICY

EFFECTIVE Date: June 1st, 2026

This Comprehensive Privacy Policy (the "Policy") constitutes the absolute, legally binding framework governing the collection, utilization, cryptographic decoupling, and cross-border transfer of all data processed by Permanent Media Corporation (DBA "Perma Media"), a corporation incorporated under the Canada Business Corporations Act with its registered office in Saskatchewan, including its subsidiaries, affiliates, and assigns (collectively, the "Company" or the "Platform").

This Policy applies universally to all entities, users, facility owners, and advertising agencies accessing the demand-side marketplace located at PermaMedia.com, the supply-side infrastructure portal located at ModernizationGrant.com, or interacting with the proprietary Verification Confidence Engine (VCE) APIs.

Accessing the Platform via an authenticated user session, scanning a physical cryptographic QR code credential, or navigating the public-facing domains constitutes an explicit, incontestable manifestation of intent to be bound by the data handling practices codified herein. If a user does not unconditionally agree to the terms of this Policy, the user possesses no authorization to utilize the Platform, is ineligible to participate in the Sponsor Matching Pool or the PMX, and must immediately cease all access.

1. JURISDICTIONAL SUPREMACY AND BORDERLESS COMPLIANCE

1. Governing Law And Venue

1. This Policy, and all matters regarding data sovereignty, algorithmic evaluation, and cross-border data routing, are governed exclusively by the laws of the Province of Saskatchewan, Canada, and the federal laws of Canada applicable therein. By executing access to the Platform, all parties explicitly and permanently waive the right to seek discovery, litigation, class-action participation, or injunctive relief regarding the Platform's core data infrastructure in alternate jurisdictions.

2. USMCA Digital Trade Supremacy

1. The Platform is architected for frictionless, cross-border dominance across the North American continent. The technical infrastructure utilizes centralized cloud environments hosted exclusively within the United States. Pursuant to the digital trade provisions of the United States-Mexico-Canada Agreement (USMCA)—specifically Chapter 19, Articles 19.11 and 19.12—the Company guarantees the free flow of data across North American borders.
2. The User explicitly recognizes that the USMCA strictly prohibits participating nations from enforcing data localization mandates as a condition of conducting digital trade. The User explicitly and irrevocably waives any right under local, state, or provincial law to demand local data storage within Canada or Mexico, legally consenting to the centralized processing, storage, and algorithmic manipulation of all telemetry, PII, and financial data on servers located within the United States.

3. APEC CBPR Adherence

1. The Company recognizes the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR) System as a paramount baseline transfer mechanism, as explicitly referenced within the USMCA framework, to ensure the secure and compliant routing of PII across the digital ecosystem without incurring regulatory friction.

2. COLLECTION OF INFORMATION (SUPPLY AND DEMAND BIFURCATION)

1. To maintain absolute Zero-Trust security and ensure the integrity of the blind auction system, the Platform mathematically and cryptographically decouples the collection of Personally Identifiable Information (PII) on the supply side from the demand-side marketplace.

2. Supply-side Data Collection (The Host)

1. The Platform ingests highly detailed spatial, demographic, and corporate intelligence from the Host to calculate the algorithmic Perma Media Index (PMI) valuation. Information collected includes:

3. Corporate Entity Data: Verified legal business names, Doing Business As (DBA) classifications, primary point-of-contact identities, corporate email addresses, and direct phone numbers.
4. Physical Real Estate Data: Validated street addresses, estimated facility square footage, peak working elevations, and commercial lease expiration timelines utilized to dynamically calculate the The mathematically determined operational duration based on verified property rights.-month contract durations.
5. Telemetry And Traffic Proxies: Self-reported daily foot traffic, membership counts, gross annual sales ranges, and demographic brackets, cross-referenced autonomously against third-party semantic caching APIs.
6. Architectural Photography: Live, cryptographically signed visual media captured via HTML5 environment capture protocols, strictly forcing the utilization of a rear-facing camera to extract raw EXIF data and GPS coordinates.
7. Financial Routing Data: Encrypted banking and routing integers required to facilitate the automated disbursement of the Host Stipend via the Stripe Connect gateway.
8. Demand-Side Data Collection (The Agency)
9. The Platform ingests corporate intelligence and financial escrow data from the Agency to secure the PMX bidding seats and enforce B2B lock-in. Information collected includes:
10. Corporate Identity And Access: Agency corporate names, executive keyholder identities, corporate email domains, and physical QR token hashes.
11. Financial Escrow Data: Encrypted institutional wire transfer routing numbers, ACH/PAD direct debit authorizations, and credit card profiles utilized to capture the upfront Architectural Integration Fee during the strict 72-hour activation window.
12. Brand Client Declarations: The specific URLs and consumer-facing brand names of the underlying Fortune 500 clients, mandated to enforce the Host's category blacklists and trigger automated conflict resolution protocols.
13. Pre-Collection Notice and the Ghost Draft
14. The Platform utilizes an Algorithmic Progressive Web App (PWA) for Host onboarding. The architecture initiates a persistent session the exact moment an email address is entered, utilizing a silent auto-save engine updating every 30 seconds. The User explicitly acknowledges that data collection commences prior to formal application submission. Incomplete session data is securely retained to facilitate Abandonment Recovery communication loops. Any onboarding session that remains un-submitted and dormant past the strict 30-day threshold is permanently purged from the database.

3. TELEMETRY, DATA EXHAUST, AND PSYCHOLOGICAL ESTOPPEL

1. Absolute Ownership Of Data Exhaust

1. The Platform generates continuous, invisible data exhaust. "Data Exhaust" signifies all behavioral telemetry, session logic, semantic caches, onFocus and onBlur timestamps, navigation vectors, and micro-hesitations exceeding the 1,500-millisecond threshold generated during user interaction with the Platform. The Company collects, aggregates, and retains absolute ownership over all Data Exhaust generated by the user.

2. Psychological Estoppel Mechanism

1. The frontend architecture continuously pipes interaction telemetry directly into the proprietary database. If the Data Exhaust confirms that a user hovered over, focused on, or registered a micro-hesitation exceeding the 1,500-millisecond threshold on any contractual clause, and subsequently proceeded to execute a bid or submit an application, the Platform retains this timestamped telemetry as definitive, affirmative evidence. The User expressly acknowledges and agrees that the Company will utilize this exact Data Exhaust to legally estop the User from asserting claims of "unconscionability," "coercion," "hidden clauses," or "failure to read" in any future arbitration, litigation, or dispute resolution proceeding.

4. VERIFICATION CONFIDENCE ENGINE (VCE) AND HEALTH PRIVACY

1. Cryptographic Proof Of Performance (Pop)

1. The User explicitly consents to the continuous algorithmic monitoring of their submitted architectural photography and ongoing visual audits. The VCE extracts GPS coordinates and executes SHA-256 EXIF hash signing to establish an unalterable Cryptographic Proof of Performance (PoP).

2. Strict Phi/hipaa Mandate

1. The Platform explicitly forbids the ingestion of Protected Health Information (PHI). For Hosts classified under the medical, health, or wellness verticals, the Host explicitly warrants that absolutely no patient faces, medical dossiers, or identifying health data shall be captured during the VCE visual audit. The Host unconditionally and fully indemnifies the Company against all statutory fines, legal fees, and operational damages resulting from negligent photographic submissions that violate HIPAA, PIPEDA, or equivalent health privacy frameworks.

5. INFORMATION UTILIZATION AND AI TRAINING RIGHTS

1. Operational Execution And Valuations

1. The Company utilizes the collected PII, demographic inputs, and architectural media for the explicit operational purposes of driving the blind-bid auction mechanics on the PMX. The Company reserves the absolute right to utilize the submitted facility data to execute algorithmic PMI valuations, establishing the baseline metrics that dictate the maximum Monthly Media Lease yields.

2. AI Training And Visionary Mockups

1. Any active data, spatial dimensions, and architectural photography submitted by a Host or Agency becomes the permanently licensed operational data of the Company. The Company retains the irrevocable right to process this data through machine-learning models and Generative AI pipelines to generate the highly detailed visionary mockups utilized within the secure Sponsor Matching Pool. The User explicitly waives any right to demand the deletion or suppression of submitted architectural photography once it has been processed into a Perma Media Digital Twin or AI mockup, as this constitutes the core intellectual property of the marketplace.

6. THE ANTI-DATA BROKER MANDATE AND PERMITTED DISCLOSURES

1. Absolute Prohibition On Syndication

1. The Company explicitly rejects the B2B Data Syndication model. The Company will never sell, rent, or syndicate Host or Agency PII, contact lists, or telemetry profiles to third-party telemarketers, lead brokers, or SaaS vendors. The corporate valuation is driven strictly by high-margin architectural media integration and hardware deployment, ensuring all user data remains securely quarantined within the Perma Media ecosystem.

2. Exemption For Corporate Restructuring And Securitization

1. While the syndication of data to marketing brokers is strictly prohibited, all parties legally consent that the Company retains the absolute, unencumbered right to assign, transfer, or share all Platform PII, financial escrow ledgers, and Data Exhaust with third-party legal, financial, or corporate entities for the specific purposes of due diligence, corporate mergers, acquisitions, or the asset-backed securitization of the media lease portfolio. The transfer of underlying contract data and Host/Agency intelligence to a Special Purpose Vehicle (SPV) to execute debt securitization does not constitute a "sale" of data under any applicable privacy statute.

7. CALIFORNIA PRIVACY RIGHTS (CCPA / CPRA)

1. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), imposes stringent requirements on the commercial processing of data. The temporary exemptions for Business-to-Business (B2B) communications and human resources data have expired. Consequently, the B2B intelligence harvested by the Platform falls under the regulatory purview of the CPRA.

2. Rejection Of Joint Controller Liability

1. To mathematically insulate the corporate treasury from the CPRA's private right of action and statutory fines, the Platform explicitly defines its regulatory role. The Company operates strictly and exclusively as a "Service Provider" under the CCPA/CPRA.
2. The Company acts solely as the automated manufacturer, digital marketplace facilitator, and encrypted conduit for the programmatic media buys. Under absolutely no circumstances shall the Company and the transacting Agency act as "Joint Controllers". The Agency, by executing a bid on the PMX, explicitly accepts the designation of the sole "Data Controller" (or "Business" under the CCPA), thereby assuming 100% of the regulatory liability, Data Subject Access Request (DSAR) compliance burden, and legal indemnification obligations regarding the data processed on their behalf.

3. Data Subject Access Requests (Dsars)

1. While the Company operates as a Service Provider, it complies with the architectural requirements to facilitate consumer rights. Eligible California residents interacting with the Platform may request:

1. The categories of PII collected.
2. The categories of sources from which the PII is harvested.
3. The commercial purpose for collecting the data.
4. The specific pieces of PII retained by the Platform.
5. The deletion of their PII (subject to the overriding Soft-Delete Anonymization Protocol described in Article IX).
6. The Company will execute commercially reasonable efforts to process valid DSARs within the 45-day statutory timeframe. Users may submit requests via the administrative contact channels defined in the Platform dashboard.

4. Prohibition Of Selling Or Sharing

1. The Company explicitly confirms that it does not "sell" or "share" PII for the purposes of cross-context behavioral advertising to third parties, as defined by the CCPA/CPRA. All data transfers executed by the Company are strictly necessary business purposes performed under binding Service Provider contracts, or authorized asset transfers during corporate securitization.

8. CANADIAN PRIVACY RIGHTS (PIPEDA)

1. For users originating within Canada, data processing is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA).

2. Consent And Accountability

1. The Company secures explicit, affirmative consent from Canadian Hosts and Agencies prior to the ingestion of PII via the clickwrap mechanisms deployed during the onboarding flow. While PIPEDA generally permits the transfer of personal information outside of Canada for processing, it holds the originating organization accountable for ensuring comparable protection. The Company enforces these protections via strict contractual safeguards and Zero-Trust architecture, operating strictly as a "Data Processor" on behalf of the Agency.

3. Breach Notification SLA

1. In the event of a catastrophic data breach that poses a real risk of significant harm to Canadian users, the Company shall execute incident response protocols to notify the Privacy Commissioner of Canada and affected individuals as soon as legally and technically feasible following the cryptographic confirmation of the breach payload, in strict accordance with statutory requirements.

9. DATA RETENTION AND THE SOFT-DELETE PROTOCOL

1. The Platform enforces ruthless database hygiene to prevent toxic data bloat and mitigate compliance liabilities. For completed accounts and executed contracts, the Company retains the associated PII and financial ledgers for a minimum of 7 years to satisfy institutional audit requirements.

2. The Ccpa/pipeda Soft-delete (Manual Anonymization) Protocol

1. To rigorously comply with global privacy deletion mandates while mathematically preserving the Company's proprietary architectural datasets and neutralizing the risk of rogue automated deletion scripts, the Platform utilizes a highly restricted Manual Admin Overwrite Protocol.
2. If a legally verified data deletion request is received and authenticated, the system strictly forbids the automated deletion of the database row. Instead, authorized administration manually highlights and overwrites the PII fields (such as the verified corporate entity name, the primary point-of-contact, the email address, and the target phone number) with the exact string [REDACTED].
3. The administration explicitly leaves the geographic data, the estimated facility square footage, the uploaded architectural photography, the AI-generated mockups, and the unstructured JSONB ghost columns entirely intact. This air-gapped human process guarantees the absolute preservation of the platform's spatial intelligence and machine-learning assets while achieving perfect CCPA and PIPEDA compliance through mathematical anonymization. Furthermore, raw IP telemetry and tracking exhaust is programmatically anonymized after 90 days.

10. SECURITY ARCHITECTURE AND ZERO-TRUST

1. The Company deploys a "Never trust, always verify" Zero-Trust security framework. Initial onboarding and mandatory compliance tasks are gated behind dynamically decaying Magic-Links, valid for exactly 14 days. Persistent access to the PMX terminal and the Host Dashboard requires the establishment of a static password.

2. Tokenized Data Export

3. The Company expressly forbids the generation of physical PDF printouts of the financial ledgers to prevent unmonitored data exfiltration. Financial reconciliation requests are executed cryptographically. The API compiles the requested ledger, encrypts the payload, and dispatches a secure, tokenized download link valid for strictly 15 minutes to the authenticated user's registered email address. This creates an immutable, auditable telemetry event proving exactly who extracted the financial data.

4. Cloud Redundancy

5. Disaster recovery is handled at the bare-metal infrastructure level. The database architecture utilizes continuous Point-In-Time Recovery (PITR) with a minimum retention window of 7 days, ensuring that the global media grid remains permanently online and immune to catastrophic data loss.

11. CHILDREN'S PRIVACY (COPPA)

1. The Platform operates exclusively as a Business-to-Business (B2B) infrastructure network. The Company does not knowingly collect, solicit, or ingest Personally Identifiable Information from anyone under the age of 13. If the Company discovers that PII has been collected from a minor without verified parental consent, the Company will execute immediate deletion protocols to purge the data from the active database.

© 2026 Permanent Media Corporation. All Rights Reserved. The contents of this document, including all operational frameworks, legal architectures, and installation methodologies, are the exclusive intellectual property of Permanent Media Corporation. Unauthorized reproduction, adaptation, or distribution is strictly prohibited and will be prosecuted to the maximum extent permitted by law.