Version: 1.0
Last Updated: March 27, 2026

1. Introduction

RezyFi Inc. ("RezyFi," "we," "us," or "our") respects your privacy and is committed to protecting your personal information. This Privacy Policy ("Policy") explains how we collect, use, disclose, and store personal information when you visit our website at rezy.fi (the "Website"), use our investor portal or platform services (the "Platform"), or otherwise interact with us.

RezyFi is the subject of a pending acquisition by ECGI Holdings, Inc. (OTC: ECGI) pursuant to a definitive Share Exchange Agreement signed March 24, 2026 (the "Pending Acquisition"). References to RezyFi's relationship with ECGI Holdings in this Policy reflect the anticipated post-closing corporate structure and will be updated upon closing of the Pending Acquisition. Upon closing, your personal information may be shared with ECGI Holdings and its affiliates as described in Section 5.

This Policy applies when RezyFi acts as the controller of your personal information — meaning we determine how and why your personal information is processed. This includes when you visit or interact with our Website, register for an account, participate in an investment offering, complete identity verification, submit inquiries or feedback, sign up for communications, or interact with us at events or through other channels.

Where RezyFi processes personal information on behalf of a third party (for example, mortgage loan data processed in connection with loan servicing by ResMac Inc., our subsidiary), this Policy does not apply to that processing. Please contact the relevant party directly for information about their privacy practices.

By accessing the Website or using Platform Services, you acknowledge that you have read and understood this Policy. If you do not agree with our practices, please do not use the Website or Platform Services.

2. Personal Information We Collect

We collect personal information in several ways, depending on how you interact with us.

2.1. Information You Provide Directly

When you interact with us, you may provide the following categories of personal information:

Contact and account information, including your name, email address, phone number, mailing address, and account credentials, collected when you sign up for communications, create an account, or contact us.

Identity verification information, including government-issued identification documents, date of birth, Social Security number or tax identification number, selfie photographs, and results of identity verification checks, collected when you complete KYC (Know Your Customer) or KYB (Know Your Business) verification through our approved verification providers in connection with Platform Services.

Accredited investor documentation, including financial statements, tax returns, income verification, net worth certifications, or third-party verification letters, collected when you seek to participate in investment offerings that require investor qualification.

Financial and payment information, including bank account details, wire transfer information, and payment transaction records, collected when you make investments or receive distributions through Platform Services.

Entity information, including corporate formation documents, beneficial ownership information, operating agreements, and authorized signatory details, collected when a trust, corporation, LLC, or other entity registers for Platform Services.

Communications and correspondence, including the content of emails, contact form submissions, and other messages you send to us.

2.2. Information Collected Automatically

When you visit the Website or use Platform Services, we automatically collect certain information, including:

Device and browser information, including your IP address, browser type and version, operating system, device identifiers, and screen resolution.

Usage information, including pages visited, links clicked, time spent on pages, referring URLs, and navigation paths through the Website.

Cookie and tracking data, as described in our Cookie Policy (available at rezy.fi/cookies), including information collected through Google Analytics and similar analytics tools.

Log data, including access times, server logs, and error reports.

When you use Platform Services, we may also automatically collect:

Blockchain wallet addresses associated with your account.

On-chain transaction data, including token ownership records, transfer history, and smart contract interactions.

Platform activity data, including login history, feature usage, and investor portal interactions.

Compliance monitoring data, including transaction screening results and ongoing sanctions monitoring.

2.3. Information From Third Parties

We may receive personal information about you from third parties, including:

Identity verification providers (currently Persona, integrated through our platform infrastructure), which provide identity verification results, document validation outcomes, and AML/sanctions screening results.

Wallet infrastructure providers (currently Dfns, integrated through our platform infrastructure), which provide wallet provisioning and transaction data.

Payment processors, which provide payment confirmation, bank verification, and transaction status information.

Blockchain networks, which provide publicly available on-chain data including wallet addresses, token holdings, and transaction history.

Analytics providers (currently Google Analytics), which provide aggregated and individual-level website usage data.

Publicly available sources, including SEC filings, public records, and sanctions lists.

3. How We Use Your Personal Information

We use your personal information for the following purposes:

To operate and provide the Website and Platform Services, including processing account registrations, facilitating investments and distributions, maintaining your account, communicating with you about your account or transactions, and providing customer support.

To verify your identity and eligibility, including conducting KYC/AML verification, verifying accredited investor status, performing sanctions and watchlist screening, and conducting ongoing compliance monitoring as required by applicable law.

To comply with legal and regulatory obligations, including securities law requirements (such as Form D filings, blue sky notice filings, and investor recordkeeping), anti-money laundering and sanctions compliance, tax reporting obligations, and responding to lawful requests from regulatory authorities, law enforcement, or courts.

To operate blockchain infrastructure, including recording token ownership and transactions on blockchain networks, enforcing smart contract compliance logic (such as transfer restrictions and investor whitelisting), and processing distributions.

For our legitimate business purposes, including maintaining records, analyzing Website and Platform usage to improve our services, conducting research and development, managing our business relationships, and protecting our legal rights.

For security and fraud prevention, including monitoring for unauthorized access, detecting and preventing fraudulent activity, investigating potential violations of our Terms, and maintaining the integrity of Platform Services.

To send you communications, including transactional emails related to your account or investments, service announcements and updates, and (where you have opted in or where permitted by law) marketing communications about our services. You may opt out of marketing communications at any time by following the unsubscribe instructions in any email or by contacting us at privacy@rezy.fi.

To facilitate corporate transactions, such as mergers, acquisitions, or reorganizations (including the Pending Acquisition), where your information may be transferred as part of the transaction.

4. Legal Bases for Processing (EEA, UK, and Switzerland)

If you are located in the European Economic Area ("EEA"), the United Kingdom ("UK"), or Switzerland, we process your personal information on the following legal bases:

Performance of a contract: where processing is necessary to provide you with Platform Services or to take steps at your request before entering into a contract.

Compliance with legal obligations: where processing is necessary to comply with applicable laws, including securities regulations, AML/KYC requirements, tax reporting, and regulatory recordkeeping.

Legitimate interests: where processing is necessary for our legitimate business interests (such as improving our services, ensuring security, and preventing fraud), provided those interests are not overridden by your rights and interests. You have the right to object to processing based on legitimate interests.

Consent: where you have given your explicit consent to processing for a specific purpose, such as receiving marketing communications. You may withdraw consent at any time.

5. How We Share Your Personal Information

We do not sell your personal information. We may share your personal information with the following categories of recipients:

Affiliated companies. Upon closing of the Pending Acquisition, RezyFi will become a subsidiary of ECGI Holdings, Inc. At that point, your personal information may be shared with ECGI Holdings and its affiliates for purposes consistent with this Policy, including corporate administration, compliance, and operational support. Prior to closing, RezyFi does not share personal information with ECGI Holdings except as necessary to facilitate the Pending Acquisition and as permitted by applicable law. ResMac Inc., RezyFi's wholly owned subsidiary, may receive personal information as necessary for mortgage loan origination and servicing activities.

Service providers and processors, including identity verification providers (Persona), wallet infrastructure providers (Dfns), payment processors, transfer agents (such as tZERO, when engaged), analytics providers (such as Google), website hosting providers (such as Webflow), email service providers, cloud storage providers, and professional advisors (legal, accounting, audit). These parties process personal information on our behalf and are contractually required to protect it. A current list of sub-processors that process personal information on RezyFi's behalf is available upon request by contacting privacy@rezy.fi.

Blockchain networks, where token ownership records, transaction history, compliance parameters, and other on-chain data are recorded. On-chain data may be publicly visible and cannot be deleted. We are not able to control access to data once it is recorded on a blockchain network.

Regulatory authorities and law enforcement, where disclosure is required or permitted by applicable law, regulation, legal process, or governmental request. This includes the U.S. Securities and Exchange Commission, FINRA, FinCEN, state securities regulators, and equivalent authorities in other jurisdictions. We may be required to disclose information without prior notice to you.

SPV and offering-related parties, including special purpose vehicles, fund administrators, auditors, and other parties involved in the administration of investment offerings in which you participate, to the extent necessary for the operation and administration of those offerings.

Corporate transaction parties, in connection with a merger, acquisition, corporate reorganization, sale of assets, or similar transaction (including the Pending Acquisition), where your information may be transferred to the acquiring or successor entity. In such event, the acquiring entity will be subject to the commitments made in this Policy with respect to your personal information.

Other users or the public, only to the extent that you make information publicly available (for example, through on-chain transactions) or as required by the terms of a specific offering.

6. Blockchain Data — Important Notice

When you use Platform Services involving blockchain technology, certain personal information becomes permanently recorded on blockchain networks:

Wallet addresses associated with your account are recorded on-chain and may be publicly visible.

Token ownership records and transaction history are permanent and immutable.

Smart contract interactions, including compliance events such as whitelisting and transfer restriction enforcement, are recorded on-chain.

Distribution events and payment records may be recorded on-chain.

You acknowledge and agree that: (a) on-chain data cannot be modified, deleted, or erased, even if you close your account or exercise data deletion rights under applicable privacy law; (b) while wallet addresses are pseudonymous, they may be linked to your identity through blockchain analytics or other means; (c) RezyFi cannot control access to or use of data once it is recorded on a public blockchain; and (d) you should carefully consider the privacy implications before engaging in any on-chain activity.

For data that we store off-chain (such as identity documents, financial records, and account information), we maintain the ability to modify, correct, or delete such data in accordance with applicable law and this Policy.

7. Cookies and Tracking Technologies

We use cookies and similar tracking technologies on the Website, as described in our Cookie Policy (available at rezy.fi/cookies). These include:

Strictly necessary cookies, which are essential for the Website to function properly, including session management and security features.

Analytics cookies, including Google Analytics, which collect information about how visitors use the Website (such as pages visited, time on site, and traffic sources). Google Analytics uses cookies to collect aggregated, anonymized data. We configure Google Analytics to anonymize IP addresses where required by applicable law. You can opt out of Google Analytics by installing the Google Analytics Opt-Out Browser Add-on.

Functional cookies, which remember your preferences and settings to provide an enhanced experience.

Marketing cookies, which may be used in the future to deliver relevant communications and measure the effectiveness of marketing campaigns. We will update this Policy and the Cookie Policy before deploying marketing cookies.

When you use Platform Services, additional tracking may be used for compliance monitoring, transaction screening, and security purposes. These are essential for the operation of Platform Services and cannot be disabled while using those services.

You can manage your cookie preferences through our cookie consent tool, your browser settings, or industry opt-out programs. Please see our Cookie Policy for detailed information on managing cookies.

8. Data Retention

We retain your personal information for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by law. Specific retention periods include:

Website visitor data (analytics, logs): retained for up to 26 months from collection, or as configured in our analytics tools.

Account information: retained for the duration of your account and for a reasonable period thereafter to comply with legal obligations and resolve disputes.

KYC/AML records: retained for a minimum of 5 years after the end of our relationship with you, as required by applicable anti-money laundering regulations.

Securities transaction records: retained for a minimum of 7 years, as required by applicable securities regulations.

Tax-related records: retained for a minimum of 7 years or as otherwise required by applicable tax law.

Blockchain data (on-chain): permanent. We cannot delete on-chain records.

Email communications and marketing preferences: retained for the duration of your subscription to our communications and for a reasonable period thereafter.

When personal information is no longer needed for the purposes for which it was collected and there is no legal requirement to retain it, we will securely delete or anonymize it.

9. Data Security

We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction. These measures include encryption of data in transit and at rest, access controls and authentication requirements, regular security assessments, employee training on data protection, and incident response procedures.

While we take reasonable steps to protect your information, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee the absolute security of your personal information.

If we become aware of a data breach that is likely to result in a risk to your rights, we will notify affected individuals and applicable regulatory authorities in accordance with applicable law, including within 72 hours of becoming aware of the breach where required under the GDPR or UK GDPR, and within the timeframes required by applicable U.S. state breach notification laws.

10. International Data Transfers

RezyFi is based in the United States. If you access the Website or Platform Services from outside the United States, your personal information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction.

For transfers of personal information from the EEA, UK, or Switzerland to the United States, we rely on appropriate safeguards, including Standard Contractual Clauses approved by the European Commission and the UK Information Commissioner's Office, as applicable.

Where personal information is recorded on blockchain networks, that data is distributed globally across network nodes. We cannot control the geographic location of blockchain network nodes or restrict the jurisdictions in which on-chain data may be accessed.

Our key Third-Party Service Providers process data in the following locations: Persona (United States), Dfns (United States and Europe), Google Analytics (United States), and Webflow (United States). For transfers to these providers, we ensure appropriate safeguards are in place.

By using the Website or Platform Services, you acknowledge and consent to the transfer of your personal information to the United States and other jurisdictions as described in this Policy.

11. Your Privacy Rights

Depending on your location, you may have certain rights regarding your personal information. We will respond to rights requests in accordance with applicable law.

11.1. Rights Available to All Users

You may: (a) request access to the personal information we hold about you; (b) request correction of inaccurate personal information; (c) request deletion of your personal information, subject to applicable legal exceptions and the limitations described in Section 6 regarding blockchain data; (d) opt out of marketing communications at any time; and (e) contact us with questions or complaints about our privacy practices.

To exercise any of these rights, contact us at privacy@rezy.fi.

11.2. Additional Rights for California Residents

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA), including:

Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which we collected it, the business or commercial purpose for collecting it, and the categories of third parties with whom we shared it.

Right to Delete: You may request that we delete your personal information, subject to applicable exceptions. We may not be able to delete information required for legal compliance, completion of transactions, security purposes, or exercising legal rights. On-chain data cannot be deleted.

Right to Correct: You may request that we correct inaccurate personal information.

Right to Opt Out of Sale or Sharing: We do not sell your personal information as defined under the CCPA. If we share personal information for cross-context behavioral advertising in the future, we will provide a mechanism for you to opt out, including a "Do Not Sell or Share My Personal Information" link in the Website footer.

Right to Limit Use of Sensitive Personal Information: Where we collect sensitive personal information (such as Social Security numbers or financial account information), we use it only for purposes permitted under the CCPA, including performing services you request, ensuring security, and complying with legal obligations.

Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To exercise your California privacy rights, contact us at privacy@rezy.fi or submit a request through rezy.fi/privacy-request. We will verify your identity before processing your request.

Important limitations for securities-related data: Certain personal information collected in connection with investment offerings, including KYC/AML records, accredited investor documentation, and securities transaction records, may be exempt from deletion requests under CCPA financial institution and regulatory compliance exemptions.

11.3. Additional Rights for EEA, UK, and Swiss Residents

If you are located in the EEA, UK, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) or UK GDPR, as applicable:

Right of Access: You may request a copy of the personal information we hold about you.

Right to Rectification: You may request correction of inaccurate or incomplete personal information.

Right to Erasure: You may request deletion of your personal information in certain circumstances, subject to legal exceptions and the blockchain data limitations described in Section 6.

Right to Restriction of Processing: You may request that we restrict processing of your personal information in certain circumstances.

Right to Data Portability: You may request that we provide your personal information in a structured, commonly used, machine-readable format, or transmit it to another controller.

Right to Object: You may object to processing based on legitimate interests or for direct marketing purposes.

Right to Withdraw Consent: Where we process your personal information based on consent, you may withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.

Right to Lodge a Complaint: You have the right to lodge a complaint with your local data protection authority. Contact details for EU/EEA data protection authorities are available at edpb.europa.eu. For the UK, contact the Information Commissioner's Office at ico.org.uk.

To exercise your rights, contact us at privacy@rezy.fi. We will respond to your request within the timeframe required by applicable law (generally 30 days for GDPR requests; 45 days for CCPA requests, with extensions as permitted by law).

Data Controller: For purposes of the GDPR and UK GDPR, the data controller is RezyFi Inc., 4141 S Nogales St. C102, West Covina, CA 91792, United States. Contact: privacy@rezy.fi.

11.4. Additional Rights for Residents of Other Jurisdictions

Australia: Personal information is collected, stored, used, and processed in accordance with the Australian Privacy Act 1988 and the Australian Privacy Principles. Complaints may be directed to the Office of the Australian Information Commissioner (OAIC).

Brazil: Personal information is processed in accordance with Brazil's Lei Geral de Proteção de Dados (LGPD). You may exercise your rights under the LGPD by contacting us at privacy@rezy.fi.

Canada: Personal information is processed in accordance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.

Japan: Personal information is processed in accordance with Japan's Act on the Protection of Personal Information (APPI).

Singapore: Personal information is processed in accordance with the Personal Data Protection Act 2012 (PDPA).

Nevada: We do not sell personal information as defined under Nevada law. Nevada residents may submit an opt-out request to privacy@rezy.fi.

12. Children's Privacy

The Website and Platform Services are not directed to individuals under the age of 18. We do not knowingly collect personal information from children under 18. If you are a parent or guardian and believe that your child has provided personal information to us, please contact us at privacy@rezy.fi and we will take steps to delete such information.

13. Third-Party Links

The Website may contain links to third-party websites, services, or resources that are not operated by RezyFi. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access.

14. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or business operations. The "Last Updated" date at the top of this Policy indicates when it was last revised. For material changes, we will provide notice by posting a prominent notice on the Website, sending an email to registered users, or both. We will provide at least 30 days' advance notice for material changes where feasible. Your continued use of the Website or Platform Services after any changes constitutes your acceptance of the updated Policy.

15. Contact Information

If you have questions, complaints, or requests regarding this Privacy Policy or our privacy practices, please contact us at:

RezyFi Inc. Attn: Privacy 4141 S Nogales St. C102 West Covina, CA 91792

General privacy inquiries: privacy@rezy.fi Data deletion and rights requests: privacy@rezy.fi Security incidents: security@rezy.fi Legal and regulatory inquiries: legal@rezy.fi Sub-processor list requests: privacy@rezy.fi

‍