Privacy Policy

Effective Date: April 21, 2026 Last Updated: April 21, 2026

This Privacy Policy explains how Mizu Financial Inc. ("Mizu," "we," "us," or "our") collects, uses, shares, and protects personal information when you use our website at mizufinancial.com, our dashboard, and our services (collectively, the "Services").

Mizu is a Delaware corporation with its principal place of business at 605 East Evelyn Avenue, Unit 6361, Mountain View, CA 94041, USA. We serve customers globally and knowingly process data about residents of many countries, including the United States, China, the European Economic Area, the United Kingdom, and elsewhere. This policy is written to meet core US privacy standards (including the California Consumer Privacy Act, as amended) and to address rights available under other frameworks, including the EU and UK GDPR and China's Personal Information Protection Law (PIPL).

If you disagree with this policy, do not use the Services.

1. Information We Collect

We collect the following categories of personal information:

Information you give us. When you sign up, complete the onboarding wizard, or communicate with us, you provide:

• Contact information: name, email address, phone number, country of residence, and preferred language.
• Identity documents: a government-issued photo ID (typically a passport), photos of supporting documents, and related metadata, which we collect to comply with state, federal, and third-party "know your customer" (KYC) requirements.
• Business information: proposed company name, business activity description, ownership structure, beneficial-owner information, and tax-residency information.
• Tax and filing information: information needed to prepare and submit IRS Form SS-4 (EIN application), Form 5472 with pro forma Form 1120, Wyoming annual reports, and similar filings.
• Payment information: billing address and limited payment details. Card numbers and bank account numbers are handled by our payment processor (Stripe) and are not stored on our servers.
• Communications: messages you send us through the dashboard, email, or support channels.

Information collected automatically. When you visit the website or use the dashboard, we automatically collect:

• Device and connection data: IP address, browser type and version, operating system, device identifiers, referring URL, pages visited, time stamps, approximate location derived from IP, and interactions within the dashboard.
• Cookies and similar technologies: used for authentication, preferences, security, analytics, and measurement. See Section 8.

Information from third parties. We receive information from:

• Identity-verification vendors, fraud-prevention vendors, and sanctions-screening vendors, which return verification results and risk signals.
• Banking and payment partners (such as Mercury and Stripe), which tell us whether an application was submitted, received, or declined.
• Government agencies and public registries (such as the Wyoming Secretary of State and the IRS), which return filing confirmations, EIN letters, and status updates.
• Business partners who refer you to us.

We do not knowingly collect data from children under 16, and the Services are not intended for anyone under 18. If we learn we have collected information from a child in violation of applicable law, we will delete it.

2. How We Use Personal Information

We use personal information for the following purposes:

• To provide the Services. To set up and administer your account; to prepare and submit filings to the Wyoming Secretary of State and the IRS; to provide a registered agent and business address; to facilitate applications to banking and payment partners; to deliver documents through your dashboard; and to provide ongoing compliance services.
• To verify identity and prevent fraud. To comply with KYC, anti-money-laundering, and sanctions requirements; to detect and prevent fraud; and to keep the Services secure.
• To handle payments. To process fees for the Services and issue receipts.
• To communicate. To send service messages, deadline reminders, compliance notices, responses to support requests, and — where permitted — product updates and our monthly newsletter. You can unsubscribe from marketing email at any time.
• To improve the Services. To analyze how the Services are used, to debug and troubleshoot, to develop new features, and to measure the effectiveness of our content.
• To comply with law and protect rights. To comply with legal obligations; to respond to legal process; to enforce our Terms; and to protect the rights, property, and safety of Mizu, our customers, and others.

Where legally required (for example, in the EEA, UK, or China), the legal bases or processing conditions we rely on include: (a) performance of a contract with you; (b) compliance with a legal obligation; (c) your consent (for example, for marketing email or for non-essential cookies); and (d) our legitimate interests in operating and securing the Services, where those interests are not overridden by your rights.

3. How We Share Personal Information

We share personal information only as described below. We do not sell personal information for money.

• Government agencies. With the Wyoming Secretary of State, the US Internal Revenue Service, and similar agencies as needed to submit filings you have requested.
• Third-party service providers for the Services. With banking partners (such as Mercury), payment processors (such as Stripe), telecommunications providers (for the US business phone), mail and registered-agent partners, and identity-verification vendors, to the extent needed to deliver the Services you have asked for.
• Infrastructure providers. With cloud hosting, storage, email delivery, customer support, analytics, and security vendors who process data on our behalf under written data-processing terms.
• Professional advisors. With our lawyers, accountants, auditors, and insurers, subject to professional confidentiality obligations.
• Business transfers. In connection with a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred to the counterparty, subject to this Privacy Policy or an equivalent successor.
• Legal and safety. When we reasonably believe disclosure is required by law, legal process, or government request, or is necessary to investigate or address fraud, a security incident, or a violation of our Terms.
• With your direction or consent. In other cases where you ask us or agree for us to share your information.

4. International Data Transfers

Mizu is headquartered in the United States, and much of our processing occurs there. If you are located in the European Economic Area, the United Kingdom, Switzerland, China, or another jurisdiction with data-export rules, your information may be transferred to, stored in, and processed in the United States or other countries whose data-protection laws may differ from those of your home country.

Where required, we use an appropriate transfer mechanism, such as the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum) with our service providers. For transfers involving personal information of individuals in China, we rely on the lawful basis and transfer mechanisms available under PIPL, including consent, necessity to perform a contract to which the individual is a party, and Standard Contract filings where applicable.

5. Data Retention

We keep personal information only for as long as we need it for the purposes described in this policy or as required by law. In practice:

• Formation and filing records (including identity documents associated with filings) are retained for the life of the customer relationship and for a period afterward to comply with tax, corporate, and financial-services recordkeeping obligations, typically at least seven years after the last filing or last relevant customer interaction.
• Account and billing records are retained for at least seven years after the last transaction, to meet tax and accounting rules.
• Support communications are retained for up to three years after the last interaction.
• Logs and cookies are typically kept for up to 13 months.

When information is no longer needed, we delete or anonymize it in a secure manner.

6. Security

We use administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit, access controls, employee training, vendor due diligence, and logging. No system can be completely secure. If you have reason to believe your interaction with us is no longer secure, contact us immediately at info@mizufinancial.com.

7. Your Rights and Choices

Depending on where you live, you may have the following rights:

• Access. You may ask for a copy of the personal information we hold about you.
• Correction. You may ask us to correct inaccurate or incomplete personal information.
• Deletion. You may ask us to delete personal information, subject to legal retention obligations (for example, we may need to retain filings and related records to meet tax or corporate law requirements).
• Portability. You may ask to receive certain information in a portable, machine-readable format, where applicable.
• Objection/Restriction. You may object to or ask us to restrict certain processing, where applicable.
• Withdraw consent. Where we rely on your consent, you may withdraw it at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
• Complaint. You may complain to a data-protection authority in your country of residence.

California residents. Under the California Consumer Privacy Act (as amended by the CPRA), you have the right to know what personal information we collect, use, disclose, and retain; to delete personal information; to correct inaccurate personal information; to opt out of sale or sharing of personal information for cross-context behavioral advertising (we do not engage in either); to limit the use of sensitive personal information; and to be free from discrimination for exercising your rights. We do not use sensitive personal information to infer characteristics about consumers.

EEA/UK residents. You have the rights described above under the GDPR and the UK GDPR. You may lodge a complaint with your local supervisory authority, such as the UK Information Commissioner's Office (ICO) or your national data-protection authority in the EEA.

China residents. Under PIPL, you have rights to access, copy, correct, delete, and port your personal information, to withdraw consent, and to receive an explanation of our processing rules. You also have specific rights when your personal information is transferred outside of China, as described in Section 4.

How to exercise your rights. Email info@mizufinancial.com with your request and enough information for us to verify your identity. You may also designate an authorized agent. We respond within the time required by applicable law.

8. Cookies and Similar Technologies

We use cookies, local storage, and similar technologies for:

• Strictly necessary functions, such as authentication, security, and load balancing.
• Preferences, such as remembering your language and onboarding state.
• Analytics and measurement, such as understanding which pages and features are used. Where required, we ask for consent before using non-essential cookies.

You can control cookies through your browser settings. Blocking all cookies may cause parts of the Services to stop working.

9. Marketing Communications

If you opt in, we may send you our monthly newsletter or other marketing email. Every marketing email includes an unsubscribe link, and you can also email info@mizufinancial.com to opt out. Unsubscribing from marketing does not stop service messages, such as filing confirmations and compliance reminders, which we send to all active customers.

10. Automated Decision-Making

We use automated tools to assist with identity verification, fraud detection, and sanctions screening. We do not make decisions with legal or similarly significant effects based solely on automated processing without meaningful human involvement. If an automated tool flags an application, a person at Mizu reviews the result before we act on it.

11. Do Not Track

Some browsers send a "Do Not Track" signal. There is no common industry standard for how to respond to these signals. We do not currently respond to them, but we also do not track your activity across third-party websites for cross-context behavioral advertising.

12. Third-Party Links

The Services may link to third-party websites, such as our banking and payment partners. We are not responsible for the privacy practices of those sites. Please review their privacy policies.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will give you reasonable notice — for example, by posting a notice on our website or by emailing the address associated with your account — before the change takes effect. The "Last Updated" date at the top shows when we most recently revised this policy.

14. Contact Us

For privacy questions, complaints, or to exercise any of your rights:

Mizu Financial Inc. Attn: Privacy 605 East Evelyn Avenue, Unit 6361 Mountain View, CA 94041, USA Email: info@mizufinancial.com

If you are in the EEA or the UK and need to contact a representative regarding the EU or UK GDPR, email info@mizufinancial.com and we will identify the relevant contact for your request.