Privacy Policy

August 29, 2025

About this Policy

This privacy policy applies to:

• First Mile Group, Inc. d/b/a/ Alloy and our affiliates (“Alloy,” “we,” “us,” “our”).
• Alloy’s online properties (including our websites and websites or mobile applications that link to it), our social media pages or handles, our online and offline events, and our products and services (the “Services”).

This Policy applies when you interact with us through our Services. It also applies anywhere it is linked. It does not apply to third-party websites, mobile applications, or services that may link to the Services or be linked to from the Services. Please review the privacy policies on those websites and applications directly to understand their privacy practices.

Our products and services are used by enterprises to make onboarding, ongoing, and credit decisions about applicants and customers for financial products and services. In this Policy, “you” refers to individuals who administer or use our products and services or otherwise interact with us on behalf of our Clients (“Client Representatives”) and other individuals who are not affiliated with our Clients but who interact with our Services (“Visitors”). “Clients” refers to the enterprises that use or seek to use our products and services, and “Client Customers” refers to applicants and customers of our Clients.

This Policy is incorporated into, and considered a part of, the First Mile Group Terms of Service, currently located at www.alloy.com/tos. Any capitalized terms not defined herein have the meanings ascribed to them in the Terms of Service.

We may change this Policy from time to time. If we do, we will notify you by posting the updated version. Any changes to the Policy will become effective upon being posted to the Services, except when we notify Clients and/or Client Representatives about material changes by email (sent to the email address specified in your account) or by posting a notice to our website prior to the change becoming effective. 

Table of Contents

Information We Collect

Information Visitors Give Us

Information Client Representatives Give Us

Information Clients Give Us

Information We Collect Automatically

Information We Collect About Visitors and Client Representatives From Other Sources

Information We Collect About Client Customers From Other Sources

How We Use Visitor and Client Representative Information

How We Use Client Customer Information

How We Share Information

Security

Options and Rights Regarding Your Information

Other Important Information

Data Retention

Cross-Border Data Transfer

Information About Children

Biometric Services

Privacy Disclosures for Specific Jurisdictions

European Economic Area, United Kingdom, and Switzerland

California Consumer Privacy Act

Contact Information, Submitting Requests, and Our Response Procedures

Contact

Making a Request to Exercise Your Rights

Information We Collect

We collect information from you directly, from the devices you use to interact with us, and from third parties. We may combine information from the Services together and with other information we obtain from our business records. We may use and share information that we aggregate (compile to create statistics that cannot identify a particular individual) or de-identify (strip information of all unique identifiers such that it cannot reasonably be linked to a particular individual) at our discretion.

Information Visitors Give Us

You may provide the following information to us directly:

• Contact and professional information, including name, email address, telephone number, mailing address, job title, and company name when you subscribe to a newsletter, register for an event, leave comments or communicate with us through the Services.
• Payment information, including credit card information, when you make a purchase through the Services.
• Commercial information, including products or services you viewed, added to a shopping cart, obtained, or purchased.
• Geolocation data.
• Event attendance and registration information, including contact information and any other information you choose to provide when you register for or attend an event.
• Audiovisual information, including recordings of online events.
• Content you may include in survey responses.
• Information contained in your communications to us.
• Information you make available to us via a social media platform.
• Any information or data you provide by interacting in our online forums, or by commenting on content posted on our Services. Please note that these comments may also be visible to other users of our Services.
• Information regarding your use of our Services
• Any other information you submit to us.

Information Client Representatives Give Us

You may provide the following information to us directly:

• Contact and professional information, including name, email address, telephone number, mailing address, job title, company name, payment information, and password when you register for or communicate with us through the Services.
• Payment information, including credit card information, when you make a purchase through the Services.
• Commercial information, including products or services you viewed, added to a shopping cart, obtained, or purchased.
• Geolocation data.
• Event attendance and registration information, including contact information and any other information you choose to provide when you register for or attend an event.
• Audiovisual information, including recordings of online events.
• Content you may include in survey responses.
• Information contained in your communications to us, including call recordings of customer service calls.
• Information you make available to us via a social media platform.
• Any information or data you provide by interacting in our online forums, or by commenting on content posted on our Services. Please note that these comments may also be visible to other users of our Services.
• Information regarding Your use of our Services.
• Any other information you submit to us.

Information Clients Give Us

Clients may provide the following information about Client Customers to us directly when using the Services:

• Contact information, including name, email address, telephone number, and address.
• Government identifiers, such as social security numbers, passport numbers, and driver’s license numbers.
• Other identifiers such as customer ID and unique pseudonyms.
• Internet and electronic network activity information, including IP address, device IDs, pixel tags, mobile advertising identifiers, and other persistent individual and device identifiers.
• Social media handles and account information.
• Demographic information, such as sex, gender, and age.
• Transaction information, including credit card information and order information.
• Location information, including coarse and precise geolocation.
• Commercial information, including records of personal property, products or services purchased, obtained, viewed online, or added to a shopping card, and histories of past purchases.
• Audiovisual information, such as selfies and photographs of identification documents like a driver’s license.
• Professional or employment-related information, including current employer and employment history.
• Education information, including education history and level of education.
• Any other information they submit to us.

Information We Collect Automatically

We and partners working on our behalf may use log files, cookies, or other digital tracking technologies to collect the following information from the device you use to interact with our Services. We may also create records when you make purchases or otherwise interact with the Services.

• Device information, including IP address, device identifiers, and details about your web browser.
• Analytical information, including details about your interaction with our Services, website, app, and electronic newsletters.
• Diagnostic information, including web traffic logs.
• Advertising information, including special advertising and other unique identifiers that enable us or third parties working on our behalf to target advertisements to Visitors. Please be aware that our advertising partners may collect information about you when you visit third-party websites or use third-party apps. They may use that information to better target advertisements to you on our behalf.
• Business record information, including customer IDs, records of your purchases of products and services and use of our Services.

The following is a list of our partners who collect the information described above. Please follow the links to find out more information about the partner’s privacy practices.

Information We Collect About Visitors and Client Representatives from Other Sources

We may collect the following information about you from third-party sources:

• Information about your interests, activities, and employment history from social networks and other places where you choose to share information publicly.
• Contact, employment, and professional information you provide when you register for or attend an event hosted by an event partner.
• Information from online advertising companies about your interaction with advertisements that we place on third party websites.
• Information about your employment activities and history from B2B data providers 

Information We Collect About Client Customers from Other Sources

We may collect the following information about Client Customers from third-party data services integrated into our platform (“partner companies”) that are accessed by Clients using our products and services: 

• Contact information, including name, email address, telephone number, and address.
• Government identifiers, such as social security numbers, passport numbers, and driver’s license numbers.
• Other identifiers such as customer ID and unique pseudonyms.
• Login credentials.
• Social media handles and account information.
• Internet and electronic network activity information, including IP address, device IDs, pixel tags, mobile advertising identifiers, and other persistent individual and device identifiers.
• Credit history and consumer reports.

How We Use Visitor and Client Representatives Information

We may use any of the information we collect for the following purposes:

• Service functionality: To provide you with our Services, including to take steps to enter a contract for sale or for services, bill or invoice for services, process payments, fulfill orders, send service communications (including renewal reminders), and conduct general business operations, such as accounting, recordkeeping, and audits.
• Service improvement: To improve and grow our Services, including to develop new products and services and understand how our Services are being used, our customer base and purchasing trends, and the effectiveness of our marketing.
• Personalization: To offer you recommendations and tailor the Services to your preferences.
• Advertising and marketing: To send you marketing communications, conduct surveys, personalize the advertisements you see on third-party online properties, and measure the effectiveness of our advertising. We may share your information with business partners, online advertising partners, and social media platforms for this purpose.
• Security: To protect and secure our Services, assets, network, and business operations, and to detect, investigate, and prevent theft, unauthorized use, or abuse of the Services and other activities that may violate our policies or be fraudulent or illegal.
• Legal compliance: To comply with legal process, such as warrants, subpoenas, court orders, and lawful regulatory or law enforcement requests and to comply with applicable legal and regulatory requirements.

Notwithstanding the above, we only use Client Representative data in accordance with our agreement with the Client.

How We Share Information

We may share any of the information we collect with the following recipients.

• Affiliates: We share information with other members of our group of companies.
• Service providers: We engage vendors to perform specific business functions on our behalf, and they may receive information about you from us or collect it directly. These vendors are obligated by contract to use information that we share only for the purpose of providing these business functions or as otherwise permitted by law, which include:
  • Supporting Service functionality, such as vendors that support event registration, customer service and customer relationship management, content management, subscription fulfillment, application development, list cleansing, postal mailings, and communications.
  • Auditing and accounting firms, such as firms that help us create our financial records.
  • Professional services consultants, such as firms that perform analytics, assist with improving our business, provide legal services, or supply project-based resources and assistance.
  • Analytics and marketing services, including entities that analyze traffic on our online properties and assist with identifying and communicating with potential customers.
  • Security vendors, such as entities that assist with security incident verification and response, service notifications, and fraud prevention.
  • Information technology vendors, such as entities that assist with website design, hosting and maintenance, data and software storage, and network operation.
  • Marketing vendors, such as entities that support distribution of marketing emails.
• Partner companies: We share information with partner companies in order to provide the products and services requested by the Client.
• Event partners: From time to time, we may share Visitor information with organizations that we sponsor or partner with for events for marketing purposes.
• Online advertising partners: We partner with companies that assist us in advertising our Services, including partners that use cookies and online tracking technologies to collect information to personalize, retarget, and measure the effectiveness of advertising.
• Social media platforms: If Visitors or Client Representatives interact with us on social media platforms, the platform may be able to collect information about you and your interaction with us. If Visitors or Client Representatives interact with social media objects on our Services (for example, by sharing a link to Facebook), both the platform and your connections on the platform may be able to view that activity. To control this sharing of information, please review the privacy policy of the relevant social media platform.
• Government entities/Law enforcement: We may share information when we believe in good faith that we are lawfully authorized or required to do so to respond to lawful subpoenas, warrants, court orders, or other regulatory or law enforcement requests, or where necessary to protect our property or rights or the health and safety of our employees, contractors, customers, or other individuals.
• Other businesses in the context of a commercial transaction: We may change our ownership or corporate organization while providing the Services. We may transfer to another entity or its affiliates or service providers some or all information about you in connection with, or during negotiations of, any merger, acquisition, sale of assets or any line of business, change in ownership control, or financing transaction. We cannot promise that an acquiring party or the merged entity will have the same privacy practices or treat your information as described in this policy.

Security

We use a combination of physical, technical, and administrative safeguards to protect the information we collect through the Services, including secure socket layer technology (SSL) to encrypt sensitive information transmitted through the Services. While we use these precautions to safeguard your information, we cannot guarantee the security of the networks, systems, servers, devices, and databases we operate or that are operated on our behalf. Should you have any questions regarding our security procedures or wish to report any potential system failures or breaches, please contact us at [email protected].

Options and Rights Regarding Your Information

Your Account: If you have an account with us, please sign in to your account to update your account information.

Email Unsubscribe: If you do not wish to receive marketing information from us or wish to opt out of future email promotions from us, please contact us. Please note that all promotional email messages you receive from us will include an option to opt out of future email communications.

Cookie Choices: You may disable cookies and related technologies in your browser or mobile device using their settings menu. If you are in the EEA, UK, or Switzerland can also set and adjust your cookie preferences using our cookie settings menu. Please note that declining certain types of cookies may affect performance and functionality of the Services. If you delete your cookie, you may also delete your consent preferences.

Ad Choices: Visitors and Client Representatives have options to limit the information that we and our partners collect for online advertising purposes.

• You may disable cookies and related technologies in your browser or mobile device using their settings menus. Your mobile device may give you the option to disable advertising functionality. Because we use cookies to support Service functionality, disabling cookies may also disable some elements of our online properties.
• The following industry organizations offer opt-out choices for companies that participate in them: the Network Advertising Initiative, the Digital Advertising Alliance, and the European Interactive Digital Advertising Initiative.
• You may use our cookie settings menu.
• You may contact us directly.

If you exercise these options, please be aware that you may still see advertising, but it will not be personalized. Nor will exercising these options prevent other companies from displaying personalized ads to you. 

If you delete your cookies, you may also delete your consent preferences.

Do Not Track: Your browser or device may include “Do Not Track” functionality. Our information collection and disclosure practices and the choices that we provide to you will continue to operate as described in this privacy policy regardless of whether a Do Not Track signal is received.

Jurisdiction-specific rights: Visitors and Client Representatives may have certain rights with respect to your personal information depending on your location or residency. Please see “privacy disclosures for specific jurisdictions” below. Please contact us to exercise your rights.

Other Important Information

Data Retention

We may store information about you for as long as we have a legitimate business need for it. 

Cross-Border Data Transfer

We may collect, process, and store your information in the United States and other countries. The laws in the United States regarding information may be different from the laws of your country. Any such transfers will comply with safeguards as required by relevant law. 

Information About Children

Clients may offer financial products and services to individuals who are under the age of majority in their jurisdiction (“minors”) and may therefore submit information about minors to us in connection with their use of our products and services. However, the Services are intended for users who are 18 years old and older. We do not knowingly collect information from children. If we discover that we have inadvertently collected information from anyone younger than the age of 13, we will delete that information. Please contact us with any concerns.

Privacy Disclosures for Specific Jurisdictions

European Economic Area, United Kingdom, and Switzerland

We process “personal data,” as that term is defined in the European Union’s General Data Protection Regulation (“GDPR”). In some cases, we are the controller of personal data about Visitors and Client Representatives. We act as the processor of personal data about Client Customers, and in some cases about Client Representatives, on behalf of our Clients. 

Alloy’s EU representative is: The DPO Centre Europe Limited Alexandra House, 3 Ballsbridge Park, Dublin, D04C 7H2, Ireland, who can be contacted at [email protected] 

Alloy’s DPO is: The DPO Centre Limited of 50 Liverpool Street, London EC2M 7PY, UK, who can be contacted at [email protected]. 

To learn more about how Client Customer data is processed, please review the privacy policy of the relevant Client.      Client Representatives and Client Customers who would like to access, correct, or delete personal data that we process on behalf of Clients, should submit their requests directly to the Client. 

Legal basis for processing under the GDPR: When we are a controller, we only use your personal data to (1) fulfill our contractual obligations to Clients; (2) where it is necessary for our legitimate business and commercial interests (or those of a third party) and your interests and fundamental rights do not override those interests; or (3) to comply with a legal obligation. To the extent we process your personal data for any other purposes, we (or a partner) will obtain your consent.

If we need to collect personal data for a legal purpose or under the terms of a contract we have and you fail to provide that data when requested, we might not be able to perform the contract we have or are trying to enter into (for example, to provide the requested products or services). If that happens, we will let you know.

Your rights under the GDPR for data we process as a controller: If you are located in the European Economic Area (“EEA”), U.K., or Switzerland, you have the right to lodge a complaint about our data collection and processing actions with the supervisory authority concerned. Contact details for data protection authorities are available here: http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm. 

Visitors and Client Representatives located in the EEA, U.K., or Switzerland have the following rights.

• Access and Portability: Request access to personal data we hold about you or request transmission of your data to a third party.
• Correction: Request that we rectify inaccurate or incomplete personal data we store about you.
• Erasure: Request that we erase personal data when such data is no longer necessary for the purpose for which it was collected, when you withdraw consent and no other legal basis for processing exists, or when you believe that your fundamental rights to data privacy and protection outweigh our legitimate interest in continuing the processing.
• Restriction of processing: Request that we restrict our processing of personal data if there is a dispute about the accuracy of the data; if the processing is unlawful; if the processing is no longer necessary for the purposes for which it was collected but is needed by you for the establishment, exercise or defense of legal claims; or if your request to object to processing is pending evaluation.
• Objection to processing: Object to processing of your personal data based on our legitimate interests or for direct marketing (including profiling). We will no longer process the data unless there are compelling legitimate grounds for our processing that override your interests, rights, and freedoms, or for the purpose of asserting, exercising, or defending legal claims.
• Transfers: Obtain information about and a copy of the safeguards, including the standard contractual clauses, we use to transfer personal data across borders.

Please contact us to exercise these rights.

California Consumer Privacy Act

The California Consumer Privacy Act (“CCPA”) provides California residents with rights to receive certain disclosures regarding our collection, use, and disclosure of information by businesses under the CCPA, as well as rights to know/access, correct, delete, and limit disclosure of personal information granted under the CCPA. You have the right to be free from discrimination based on your exercise of your CCPA rights. If we collect personal information as a business subject to the CCPA, that information, our practices, and your rights are described below.

Notice at Collection Regarding the Categories of Personal Information Collected

You have the right to receive notice of certain information about our data collection, use, and disclosure as a business under the CCPA. The following table summarizes the categories of personal information we collect in that capacity about Visitors and Client Representatives; the categories of sources of that information; whether we disclose, sell, or share that information to service providers or third parties, respectively; and the criteria we use to determine the retention period for such information. The categories we use to describe personal information are those enumerated in the CCPA. We collect this personal information for the purposes described above in “How We Use Your Information.”

We determine the retention period for each of the categories of personal information listed above based on (1) the length of time we need to retain the information to achieve the business or commercial purpose for which it was obtained, (2) any legal or regulatory requirements applicable to such information, (3) internal operational needs, and (4) any need for the information based on any actual or anticipated investigation or litigation.

Entities to whom we disclose information for business purposes are service providers, which are companies that we engage to conduct activities on our behalf. We restrict service providers from using personal information for any purpose that is not related to our engagement or authorized by law. 

Entities to whom we “sell” or with whom we “share” information are third parties. Under the CCPA, a business “sells” personal information when it discloses personal information to a company for monetary or other benefit. A company may be considered a third party either because we disclose personal information to the company for something other than an enumerated business purpose under California law, or because its contract does not restrict it from using personal information for purposes unrelated to the service it provides to us.  A business “shares” personal information when it discloses personal information to a company for purposes of cross-context behavioral advertising.

Your rights under the CCPA

• Opt out of sale or sharing of personal information: You have the right to opt out of our sale or sharing of your personal information to third parties. To exercise this right, please visit our Do Not Sell or Share My Personal Information webpage or contact us. Your right to opt out does not apply to our disclosure of personal information to service providers.
• Know and request access to and correction or deletion of personal information: You have the right to request access to personal information collected about you and information regarding the source of that personal information, the purposes for which we collect it, and the third parties and service providers to whom we sell, share, or disclose it. You also have the right to request in certain circumstances that we correct personal information that we have collected about you and to delete personal information that we have collected directly from you. Please contact us to exercise these rights.

Contact Information, Submitting Requests, and Our Response Procedures

Contact

Please contact us if you have questions or wish to take any action with respect to information to which this privacy policy applies. 

Email: [email protected]

Telephone: 844-382-5569

Mail: First Mile Group, Inc. (dba Alloy), 41 East 11^th Street, Second Floor, New York, NY 10003

Making a Request to Exercise Your Rights

Submitting requests: You may request to exercise your rights by submitting this Form or making a request using the contact information above.

If you are a resident of California, you may, under certain circumstances, authorize another individual or a business, called an authorized agent, to make requests on your behalf.  

We may have a reason under the law why we do not have to comply with your request, or why we may comply with it in a more limited way than you anticipated. If we do, we will explain that to you in our response.

Verification: We must verify your identity before responding to your request. We verify your identity by asking you to provide personal identifiers that we can match against information we may have collected from you previously. We may need to follow up with you to request more information to verify identity. 

We will not use personal information we collect in connection with verifying or responding to your request for any purpose other than responding to your request.