ClassDojo E.U.-US Data Privacy Framework Human Resources Privacy Policy Effective August 9, 2023 ClassDojo, Inc (“Company” or “ClassDojo”) is committed to protecting the Personal Data that is collected concerning our prospective, current, and former employees (collectively, “Employees”) for management, human resources, and payroll purposes. This document sets forth ClassDojo’s HR Data Privacy Framework Privacy Policy (the “Policy”) governing the Company’s use of Personal Data in the context of its relationship with Employees. This Policy applies only to the Personal Data of Employees that is collected in the European Economic Area (“EEA”), United Kingdom (“UK”) or Switzerland, and that is transferred to Company in the U.S. The section “Description of Processing Activities” below describes the types of Personal Data that are collected. ClassDojo’s objective is to respect and protect Personal Data collected or maintained by or on behalf of the Company. In furtherance of the Company’s commitment to this objective, ClassDojo complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF (“UK Extension”), and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. ClassDojo has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (“EU-U.S. DPF Principles” or “Principles”) with regard to the processing of Personal Data received from the EEA in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension (once formally adopted). ClassDojo has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (“Swiss-U.S. DPF Principles”) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF (once formally adopted). If there is any conflict between the terms in this Policy and the EU-U.S. DPF Principles or the Swiss-U.S. DPF Principles, as applicable, the Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, and to view our certification, please visit https://www.dataprivacyframework.gov/. In this Policy, we refer to the EU-U.S. DPF, the UK Extension and the Swiss-U.S. DPF collectively as the “DPF Programs”. With respect to Personal Data received or transferred pursuant to the DPF Programs, ClassDojo is subject to the investigatory and regulatory enforcement powers of the U.S. Federal Trade Commission and other authorized statutory bodies. In certain situations, ClassDojo may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. Principles Notice. ClassDojo participates in and subjects itself to the DPF Programs. We set out below the types of Personal Data collected, the purposes for which ClassDojo collects and uses Personal Data, and the types (or identity) of Third Parties to whom the Company discloses or may disclose that Personal Data and the purposes for doing so. ClassDojo will provide notice in clear and conspicuous language when Data Subjects are first asked to provide Personal Data to the Company, or as soon as practicable thereafter. In any event, notice will be provided before the Company (i) uses or discloses the Personal Data for a purpose other than that for which it was originally collected or processed by the Company, or (ii) discloses it for the first time to a Third Party. Choice. ClassDojo collects Personal Data about its Employees for human resources or compliance related functions, including, without limitation, recruiting, onboarding, performance appraisals and payroll or benefit distribution (the “Purposes”). We will give you an opportunity to choose whether your Personal Data may be used for a purpose that is materially different from the purposes for which it was originally collected or subsequently authorized, or if we intend to disclose it to a Third Party (other than an Agent) that we have not previously notified you about. In such circumstances, we will notify you and offer you the opportunity to opt-out of such uses and/or disclosures where non-sensitive Personal Data is involved, and to opt-in where Sensitive Personal Data is involved. To request to limit the use and disclosure of your Personal Data, please submit a written request to privacy@classdojo.com. Accountability For Onward Transfers. [We set out below the Third Parties to whom we may disclose Personal Data, and the purposes for doing so.] We remain responsible for the processing of Personal Data received under the DPF Programs and subsequently transferred to an Agent if the Agent processes such Personal Data in a manner inconsistent with the Principles, or the Swiss-U.S. DPF Principles as applicable, unless we prove that we are not responsible for the event giving rise to the damage. Security. ClassDojo takes reasonable and appropriate administrative, technical and physical measures to protect Personal Data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in the processing and the nature of the Personal Data. Data Integrity and Purpose Limitation. ClassDojo may use the Personal Data it receives from the EEA, the UK and Switzerland for the Purposes or as otherwise notified to the Data Subjects. We will not process Personal Data in a way that is incompatible with these Purposes. ClassDojo limits the collection, use and retention of Personal Data to that which is germane for the Purposes for which it was collected or authorized by the Data Subject and takes reasonable steps to ensure that all Personal Data is reliable, accurate, complete and current. ClassDojo depends on its employees to notify it if the Personal Data it holds is no longer reliable, accurate, complete or current for the Purposes. The Company shall also adhere to the Principles, or the Swiss-US DPF Principles as applicable, for as long as it retains such Personal Data. Access. Where appropriate, ClassDojo shall allow Data Subjects to access their Personal Data and to correct, amend or delete inaccurate information or information that is processed against the Principles (or Swiss-U.S. DPF Principles, as applicable). We will review your request in accordance with the Principles (or Swiss-U.S. DPF Principles, as applicable), and may limit or deny access to Personal Information where providing such access is unreasonably burdensome or expensive under the circumstances, or as otherwise permitted by the Principles (or Swiss-U.S. DPF Principles, as applicable). To exercise these rights, a data subject may contact ClassDojo at privacy@classdojo.com or by writing to: ClassDojo U.S. Privacy Officer 735 Tehama Street San Francisco, CA 94103 privacy@classdojo.com ClassDojo shall process requests made by Data Subjects to access their Personal Data in accordance with the Principles (or Swiss-U.S. DPF Principles, as applicable). Recourse, Enforcement, and Liability. ClassDojo periodically verifies that this Policy is accurate, comprehensive for the information intended to be covered, is disseminated to its Employees, is completely implemented and accessible and is in conformity with the Principles (or Swiss-U.S. DPF Principles, as applicable). ClassDojo encourages interested persons to raise any questions or concerns using the contact information provided below and will investigate and attempt to resolve any complaints and disputes regarding use and disclosure of Personal Data in accordance with the Principles (or Swiss-U.S. DPF Principles, as applicable). If a privacy complaint or dispute cannot be resolved by ClassDojo, the following recourse mechanisms are available free of charge: EU Data Subjects. For EU Data Subjects, ClassDojo commits to cooperate and comply with the advice of the panel established by the EU Data Protection Authorities for the purpose of handling any unresolved complaints regarding Personal Data concerns. EU Data Subjects (Employees) may engage their local Data Protection Authority concerning adherence to the Principles in the context of the employment relationship and the Company shall respond directly to such authorities with regard to investigations and the resolution of complaints. UK Data Subjects. For UK Data Subjects, ClassDojo commits to cooperate and comply with the advice of the Information Commissioner’s Office (“ICO”) for the purpose of handling any unresolved complaints regarding Personal Data concerns. UK Data Subjects (Employees) may engage the ICO concerning adherence to the Principles in the context of the employment relationship and the Company shall respond directly to the ICO with regard to investigations and the resolution of complaints. Swiss Data Subjects. For Swiss Data Subjects, ClassDojo commits to cooperate and comply with the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) for the purpose of handling any unresolved complaints regarding Personal Data concerns. Swiss Data Subjects (Employees) may engage the FDPIC concerning adherence to the Swiss-U.S. DPF Principles in the context of the employment relationship and the Company shall respond directly to such authorities with regard to investigations and resolution of complaints. Binding Arbitration for EU, UK and Swiss Data Subjects. Under certain conditions, more fully described on the DPF website, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. Limitation on Scope of Principles. ClassDojo may limit its adherence to the Principles where the DPF Programs provide derogations. Changes to this Policy. This Policy may be amended consistent with the requirements of the DPF Programs. When ClassDojo updates the Policy, it will also revise the “Last Updated” date at the bottom of this document. Any material changes to this Policy will also be posted on ClassDojo’s intranet. Contact Information. In compliance with the EU-U.S. DPF, the UK Extension and the Swiss-U.S. DPF, ClassDojo commits to resolve DPF Program-related complaints about our collection and use of your Personal Data. EU, UK and Swiss individuals with questions, comments or complaints regarding this Policy or our handling of Personal Data received in reliance on the EU-U.S. DPF, the UK Extension or the Swiss-U.S. DPF should first contact ClassDojo at: ClassDojo U.S. Privacy Officer 735 Tehama Street San Francisco, CA 94103 privacy@classdojo.com EU Representative. Pursuant to Article 27 of the GDPR, ClassDojo has appointed the European Data Protection Office (EDPO) as its GDPR representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR by sending an email to privacy@edpo.brussels, using EDPO’s online request form, or writing to EDPO at Avenue Huart Hamoir 71, 1030 Brussels, Belgium. UK Representative.ClassDojo has appointed EDPO UK Ltd as its GDPR representative in the UK. You can contact EDPO UK regarding matters pertaining to the UK GDPR by using EDPO UK’s online request form or by writing to EDPO UK at 8 Northumberland Avenue, London WC2N 5BY, United Kingdom. Description of Processing Activities Types of Personal Data. ClassDojo commits to the Principles with respect to all Personal Data received from the EEA and UK. ClassDojo commits to the Swiss-U.S. DPF Principles with respect to all Personal Data received from Switzerland. The types of Personal Data collected include: date of birth marital status social security or other taxpayer identification numbers, banking details, compensation and pay changes, sick pay, pensions, insurance and other benefits information (including the gender, age, nationality for any spouse, minor children or other eligible dependants and beneficiaries) technical skills, educational background, professional certifications and registrations, language capabilities, training courses attended records of work absences, vacation entitlement and requests, salary history expectations, performance appraisals, letters of appreciation and commendation, and disciplinary and grievance procedures results of credit and criminal background checks, the results of drug and alcohol testing, screening, health certifications, driving license number, vehicle registration and driving history, to the extent permitted by applicable law information required to comply with laws, the requests and directions of law enforcement authorities or court orders (e.g., child support and debt payment information) reason for resignation or termination, information relating to administering Description of Third Parties. Please see our list of Service Providers set forth here: https://www.classdojo.com/third-party-service-providers/ Definitions Agent. “Agent” means any Third Party that processes Personal Data under the instructions of and solely for ClassDojo or to which ClassDojo discloses Personal Data for use on its behalf. Data Subject. “Data Subject” is a natural person resident in the EEA, the UK or Switzerland who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. For purposes of this Policy, Data Subject shall be restricted to any ClassDojo Employees, including but not limited to, temporary and permanent employees, retirees, and other former employees as well as dependents of such employees. Personal Data (“Personally Identifiable Data”). “Personal Data” means any information or set of information that is collected or processed in the context of an Employee’s relationship with ClassDojo and that (1) identifies or could be used by or on behalf of ClassDojo to identify any individual (such as name, email address, telephone number, photograph, etc.), (2) is recorded in any form and (3) is received by ClassDojo in the U.S. from the EEA, the UK or Switzerland. Personal Data does not include anonymized information. Processing of Personal Data. “Processing” of Personal Data shall mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction Sensitive Personal Data. “Sensitive Personal Data” means Personal Data that reveals medical or health conditions, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or information relating to sex life. Third Party. “Third Party” shall mean any natural or legal person that is not a subsidiary, employee or director of ClassDojo or its subsidiaries.

ClassDojo Privacy Policy