OFA Group

Privacy Policy and Privacy Notice

Effective Date: April 27, 2026 / Last Updated: April 27, 2026

1. Introduction; Data Controller

OFA Group, an exempted company incorporated under the laws of the Cayman Islands with its ordinary shares listed on the Nasdaq Capital Market under the symbol “OFAL” (“OFA Group,” “we,” “us,” or “our”), is committed to protecting the privacy of individuals whose personal information we process. This Privacy Policy and Privacy Notice (this “Policy”) describes how we collect, use, disclose, retain, and protect personal information in connection with our website, ofacorp.com (the “Site”), our products and services, and our business relationships, including investor relations, counterparty onboarding, and customer due diligence.

OFA Group acts as a “data controller” (or, where applicable, a “business” under U.S. state privacy laws) in respect of the personal information processed under this Policy. Where personal information is processed on behalf of OFA Group by a service provider, that service provider acts as a “data processor” (or “service provider” under applicable U.S. state privacy laws) and is contractually obligated to process personal information only in accordance with our written instructions and applicable law.

Where OFA Group processes personal information on behalf of a separate legal entity (such as an affiliated entity, including but not limited to Hearth Labs Inc.), the privacy notice or service agreement of that entity governs to the extent applicable. Please read this Policy carefully. By accessing the Site, providing personal information to us, or otherwise engaging with our services, you acknowledge that you have read and understood the practices described in this Policy.

2. Scope and Application

This Policy applies to personal information collected or processed by OFA Group in any format, including online, in person, by email, by telephone, and through third-party service providers acting on our behalf.

It covers, among other things:

• Visitors to the Site;

• Prospective and existing customers, counterparties, and contractual partners;

• Individuals whose information is provided to us in connection with know-your-customer (“KYC”), anti-money laundering (“AML”), counter-terrorist financing (“CTF”), and sanctions screening obligations;

• Investors, prospective investors, and shareholders;

• Job applicants and personnel of business counterparties; and

• Other individuals who interact with OFA Group in the course of our business operations.

3. Categories of Personal Information We Collect

Depending on the nature of your interaction with us, we may collect the following categories of personal information:

3.1 Identity and Verification Information

In connection with KYC, AML, CTF, and sanctions screening, and to comply with applicable laws and the listing rules of the Nasdaq Stock Market and the United States Securities and Exchange Commission, we (and our identity verification provider acting on our behalf) collect and process information necessary to verify identity, including:

• Full legal name, sex, date of birth, place of birth, nationality, and personal identification code or number;

• Residential address, country of residence, and tax residency information;

• Government-issued identification documents (e.g., passport, national identity card, driver’s license), including document type, issuing country, document number, expiry date, machine-readable zone (MRZ) data, embedded barcode information, document security features, and document images and video recordings;

• Facial image data, including selfie images, photographs and scans of the face on identification documents, video recordings, and sound recordings;

• Biometric data, including biometric identifiers and biometric information derived from facial geometry, used to verify whether facial images submitted match one another and to perform liveness checks (i.e., to confirm that the individual is a live, genuine person and not a static image, deepfake, or spoofing attempt);

• Proof-of-address documentation (e.g., utility bills, bank statements);

• Source-of-funds and source-of-wealth documentation;

• Information from screening checks, including politically exposed person (PEP) status, sanctions-list and watchlist matches, and adverse media information;

• Technical and device data captured during verification, including IP address and domain name, software and hardware attributes, device fingerprint, browser characteristics, and general geographic location derived from device metadata; and

• For corporate counterparties: beneficial ownership information, organizational documents, and director and officer information.

3.2 Contact and Business Information

• Email address, telephone number, and mailing address;

• Employer, job title, and professional contact details; and

• Correspondence with OFA Group, including emails, letters, and meeting notes.

3.3 Financial and Transactional Information

• Bank account details, wallet addresses, and other payment or settlement information;

• For payment cards: cardholder name, expiry date, and the first six and last four digits of the card number;

• Transaction history with OFA Group; and

• Investment holdings and shareholding details.

3.4 Site Usage and Technical Information

• IP address, device identifiers, browser type and version, and operating system;

• Pages visited, time spent on the Site, referral source, and other usage analytics; and

• Cookies and similar tracking technologies (see Section 11 below).

3.5 Information from Third Parties

We may receive personal information from third-party sources, including identity verification providers, sanctions and PEP screening databases, credit reference agencies, public registries, regulatory authorities, and publicly available sources.

4. How and Why We Use Personal Information

We process personal information for the following purposes:

• Identity verification, KYC, AML, CTF, and sanctions screening, and ongoing customer due diligence;

• Investor onboarding, shareholder communications, and the management of capital markets activity;

• Performance of our contracts with customers, counterparties, and service providers;

• Responding to inquiries and providing customer support;

• Maintaining records required by law, regulation, listing rules, or sound corporate governance;

• Detecting, investigating, and preventing fraud, money laundering, terrorist financing, identity theft, and other unlawful or fraudulent activity;

• Securing the Site and our information systems, including monitoring for unauthorized access; and

• Complying with requests from courts, regulators, and other governmental authorities.

5. Legal Bases for Processing

Where the EU General Data Protection Regulation (“EU GDPR”), the United Kingdom GDPR (“UK GDPR”), or substantially similar laws apply, we rely on one or more of the following legal bases for processing personal information:

Compliance with a legal obligation (Article 6(1)(c)): to comply with applicable laws and regulations, including AML, CTF, and sanctions laws of the Cayman Islands, the United States, the European Union, the United Kingdom, Japan, and other jurisdictions in which we operate, as well as obligations imposed by the Nasdaq Stock Market and the U.S. Securities and Exchange Commission.

Performance of a contract (Article 6(1)(b)): to enter into and perform contracts with customers, counterparties, and service providers, and to take pre-contractual steps at your request.

Legitimate interests (Article 6(1)(f)): to operate, secure, and improve our business and the Site; to manage relationships with investors, counterparties, and prospects; to prevent fraud and protect against unlawful activity; and to establish, exercise, or defend legal claims. Where we rely on legitimate interests, we have considered the impact on you and concluded that our interests are not overridden by your interests, rights, and freedoms.

Consent (Article 6(1)(a) and, for special categories of data, Article 9(2)(a)): where we rely on consent (for example, for the processing of biometric data for unique identification in certain jurisdictions, or for non-essential cookies), you may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal.

Substantial public interest (Article 9(2)(g)): for the processing of biometric data and other special categories of personal data in connection with AML, CTF, sanctions, and fraud-prevention purposes, where applicable law provides that such processing is necessary for reasons of substantial public interest.

Establishment, exercise, or defense of legal claims (Article 9(2)(f)): where the processing of special categories of personal data is necessary for legal proceedings.

6. Identity Verification Provider; Biometric Processing

6.1 Use of Sumsub

OFA Group uses Sum and Substance Ltd. (a company incorporated in England and Wales with company number 09688671) and its affiliated companies (collectively, “Sumsub”) as our identity verification provider. Sumsub processes personal information on our behalf as a data processor (and, in certain limited circumstances described in Sumsub’s own privacy notice, as an independent controller for purposes such as service development and fraud detection across its client base).

Sumsub’s data processing activities include: automated reading and authenticity checks of identity documents; biometric processing of facial images (including liveness checks and facial-feature matching to confirm that the individual presenting an identity document is the same person depicted in it); video identification interviews; data validation against third-party databases (including PEP, sanctions, and adverse media sources); and fraud detection signals based on device, network, and behavioral indicators.

Sumsub may store personal information on servers located primarily in Germany (European Union), and may transfer personal information to other Sumsub group companies located in the United Kingdom, Cyprus, the United States, the United Arab Emirates, Singapore, and Brazil. Where required, such transfers are made under EU/UK adequacy decisions or under standard contractual clauses adopted by the European Commission and the United Kingdom.

A copy of Sumsub’s service-delivery privacy notice, which describes Sumsub’s processing in further detail, is available at https://sumsub.com/privacy-notice-service/. To the extent of any inconsistency between Sumsub’s notice and this Policy with respect to processing carried out on our behalf, this Policy governs.

6.2 Biometric Data Notice and Consent

In connection with identity verification, biometric identifiers (including scans of facial geometry) and biometric information derived from such identifiers (collectively, “Biometric Data”) may be collected and processed for the limited purpose of verifying that you are the person depicted in the identification document you submit and that you are a live, genuine person.

Biometric Data is processed only with your consent and for the purposes described in this Policy. Biometric Data will be retained only for as long as necessary to fulfill those purposes and to comply with applicable law, after which it will be permanently destroyed in accordance with our retention schedule (see Section 9). We will not sell, lease, trade, or otherwise profit from your Biometric Data, and we will not disclose your Biometric Data except: (i) to our identity verification provider and other service providers acting on our behalf under contractual confidentiality and data-protection obligations; (ii) where disclosure is required by applicable law, regulation, court order, or subpoena; or (iii) with your consent.

Special notice for residents of Illinois, Washington, and Texas: To the extent the Illinois Biometric Information Privacy Act, the Washington Biometric Privacy Act, or Chapter 503 of the Texas Business and Commerce Code applies to the processing of your Biometric Data, by submitting Biometric Data to OFA Group or to our identity verification provider acting on our behalf, you provide your written informed consent to such collection, storage, use, and disclosure for the purposes described above. Biometric Data of Illinois residents will be retained for no longer than three (3) years from the date of last interaction; Biometric Data of Texas residents will be retained for no longer than one (1) year after the purpose for collection has been satisfied; in each case, retention may be longer where required by AML, CTF, or other applicable law.

7. How We Share Personal Information

We do not sell personal information and do not share personal information for cross-context behavioral advertising. We may share personal information with the following categories of recipients:

Affiliates and subsidiaries: companies within the OFA Group corporate structure, where necessary for the purposes described in this Policy.

Identity verification, KYC, AML, and screening providers: including, without limitation, the Sumsub group of companies (see Section 6 above), and other providers engaged to perform PEP, sanctions, watchlist, and adverse-media screening on our behalf.

Professional advisors: including external legal counsel, auditors, accountants, tax advisors, and consultants.

Service providers: including providers of cloud hosting, information technology, cybersecurity, customer relationship management, communications, and analytics services, who process personal information on our behalf and are bound by contractual confidentiality and data-protection obligations.

Banks and financial institutions: including custodians, transfer agents, paying agents, and brokers.

Regulators and authorities: including the U.S. Securities and Exchange Commission, the Nasdaq Stock Market, the Cayman Islands Monetary Authority, the Office of the Ombudsman of the Cayman Islands, fraud-prevention agencies, and other governmental, regulatory, tax, or law enforcement authorities, where required or permitted by law.

Corporate transactions: in connection with any actual or proposed merger, acquisition, sale of assets, financing, restructuring, or other corporate transaction, including due diligence with prospective counterparties under appropriate confidentiality obligations.

With consent or at your direction: we may share personal information with any other party where you have provided consent or directed us to do so.

8. Automated Decision-Making

Certain elements of the identity verification process involve automated analysis of identity documents, biometric facial images, and other verification data in order to assess authenticity and detect indicators of fraud. These automated systems generate reports and risk signals which are made available to OFA Group.

Final decisions regarding account approval, onboarding, ongoing service, and other outcomes are made by OFA Group, generally with human review of the verification report. Where, in limited circumstances, OFA Group makes a decision that produces legal or similarly significant effects on you based solely on automated processing, we will inform you of this and, where required by applicable law, obtain your consent or provide an alternative basis for the decision. You have the right to request human review of, to express your point of view on, and to contest, any such decision in accordance with applicable law (see Section 12).

9. International Transfers

OFA Group is incorporated in the Cayman Islands and operates internationally. Personal information may be transferred to, stored in, and processed in jurisdictions outside the country in which it was collected, including the United States, the Cayman Islands, the European Economic Area, the United Kingdom, Japan, and other jurisdictions where we, our affiliates, or our service providers operate. Our identity verification provider stores personal information primarily in Germany and may also transfer it to the United Kingdom, Cyprus, the United States, the United Arab Emirates, Singapore, and Brazil. Where required by applicable law, we and our service providers implement appropriate safeguards in respect of cross-border transfers, including the use of standard contractual clauses approved by the European Commission, the United Kingdom International Data Transfer Agreement (or addendum to the EU SCCs), reliance on adequacy decisions (including the EU–U.S. Data Privacy Framework, the UK adequacy regulations, and the EU adequacy decisions for the United Kingdom and Switzerland), and equivalent transfer mechanisms. A copy of the relevant safeguards may be requested using the contact details in Section 14 below.

10. Data Retention

We retain personal information only for as long as is necessary for the purposes for which it was collected, including to satisfy any legal, regulatory, accounting, or reporting requirements. Specifically:

• KYC, AML, CTF, sanctions screening, and customer due diligence records (including underlying identity-verification reports) are retained for a minimum of five (5) years following the termination of the relevant relationship or transaction, or such longer period as may be required by applicable law (including the Anti-Money Laundering Regulations of the Cayman Islands, the U.S. Bank Secrecy Act, and equivalent laws of other jurisdictions);

• Biometric Data is retained for the periods described in Section 6.2;

• Financial and transactional records are retained in accordance with applicable accounting, tax, and securities laws;

• Site usage and analytics information is generally retained for a shorter period, consistent with the purpose of collection; and

• Where personal information is no longer required, we will securely delete or anonymize it.

11. Information Security

We maintain administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, use, alteration, disclosure, and destruction. Such safeguards include access controls, encryption in transit and at rest where appropriate, network security measures, employee training, and vendor due diligence. Our identity verification provider maintains compliance with leading information security standards, including ISO/IEC 27001, ISO/IEC 27017, ISO/IEC 27018, SOC 2 Type II, and PCI DSS. No method of transmission or storage, however, is completely secure, and we cannot guarantee absolute security.

12. Cookies and Tracking Technologies

The Site uses cookies and similar tracking technologies to operate, secure, and analyze use of the Site. Cookies are small text files placed on your device. We use the following categories of cookies:

Strictly necessary cookies required for the operation of the Site;

Performance and analytics cookies that help us understand how visitors use the Site; and

Functional cookies that remember preferences.

You may control the use of non-essential cookies through your browser settings or, where applicable, through any cookie banner provided on the Site. Disabling cookies may affect the functionality of the Site.

13. Your Rights

Subject to applicable law and to certain conditions and exceptions, you may have the following rights in relation to personal information that we hold about you:

Access: to obtain confirmation of whether we process personal information about you and to receive a copy of such information;

Correction: to request correction of inaccurate or incomplete personal information;

Deletion: to request deletion of personal information, subject to legal and regulatory retention obligations;

Restriction and objection: to request that we restrict, or object to, certain processing of personal information;

Portability: to receive personal information you have provided in a structured, commonly used, and machine-readable format;

Withdrawal of consent: to withdraw consent where processing is based on consent, including consent to the processing of Biometric Data;

Human review of automated decisions: to request human review of, and to contest, decisions based solely on automated processing that produce legal or similarly significant effects on you;

Lodging a complaint: to lodge a complaint with a data protection authority, including the Office of the Ombudsman of the Cayman Islands, your local supervisory authority in the European Economic Area or the United Kingdom, or other applicable authority.

13.1 California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, the “CCPA”), provides you with additional rights, including the right to know what personal information we collect, use, disclose, and (if applicable) sell or share; the right to request deletion or correction of your personal information; the right to opt out of any “sale” or “sharing” of your personal information; and the right to limit the use and disclosure of “sensitive personal information.” OFA Group does not sell or share personal information for cross-context behavioral advertising as those terms are defined under the CCPA. We use sensitive personal information (including government identifiers and biometric information) only for purposes permitted under the CCPA, including identity verification, fraud prevention, security, and compliance with legal obligations. We will not discriminate against you for exercising any of your CCPA rights.

13.2 Other U.S. State Privacy Laws

Residents of certain other U.S. states (including Colorado, Connecticut, Delaware, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, and Virginia) may have additional rights under their respective state privacy laws, including the rights of access, correction, deletion, portability, and opt-out from sale, targeted advertising, or profiling in furtherance of decisions producing legal or similarly significant effects. To exercise these rights, please contact us using the details in Section 14.

13.3 Cayman Islands Data Protection Act

OFA Group processes personal data in accordance with the Data Protection Act (As Revised) of the Cayman Islands. Data subjects have rights of access, rectification, erasure, restriction, and objection, and may complain to the Office of the Ombudsman of the Cayman Islands.

13.4 Exercising Your Rights

To exercise any of these rights, please contact us using the details set out in Section 14. We may need to verify your identity before responding to your request and may decline requests where permitted or required by law (including where retention is required by AML, CTF, or other applicable law). We will respond within the timeframes required by applicable law. Where personal information is processed by our identity verification provider on our behalf, we will coordinate with that provider as necessary to give effect to your rights.

14. Contact Information

Questions, comments, requests, or complaints regarding this Policy or our processing of personal information may be directed to:

OFA Group

Attn: Data Protection / Compliance

609 Deep Valley Drive Suite 200

Rolling Hills, California 90274, United States

Telephone: (800) 418-5160

Email: Info@ofacorp.com

Website: https://www.ofacorp.com

For matters concerning data protection in the Cayman Islands, you may also contact the Office of the Ombudsman at https://ombudsman.ky.

15. Children’s Privacy

The Site is not directed at, and our services are not intended for, children under the age of eighteen (18). We do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please contact us using the details in Section 14.

16. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices, in applicable law, or in regulatory expectations. The “Last Updated” date at the top of this Policy indicates when it was most recently revised. Material changes will be communicated through the Site or by other reasonable means.

OFA GROUP

Privacy Notice - Identity Verification

(Short-Form Notice for KYC / AML Onboarding)

This short-form Privacy Notice (this “Notice”) summarizes how OFA Group, an exempted company incorporated in the Cayman Islands (“OFA Group,” “we,” “us,” or “our”), processes personal information in connection with identity verification, know-your-customer (“KYC”), anti-money laundering (“AML”), counter-terrorist financing (“CTF”), and sanctions screening procedures. OFA Group is the data controller in respect of this processing. This Notice should be read together with our full Privacy Policy available at https://www.ofacorp.com/privacy-policy.

What we collect

We collect identity and verification information that you provide directly to us or to our identity verification provider, including your name, date of birth, nationality, address, government-issued identification documents (such as passport, national identity card, or driver’s license), photographs and video, biometric facial-geometry and “liveness” data, proof-of-address documents, source-of-funds and source-of-wealth information, technical and device data, and screening results (including PEP status, sanctions list matches, and adverse media information).

Why we collect it

We collect this information to comply with our legal and regulatory obligations under applicable AML, CTF, sanctions, and securities laws (including the laws of the Cayman Islands and the United States and the listing rules of the Nasdaq Stock Market) (Article 6(1)(c) GDPR), to perform our contracts with you (Article 6(1)(b) GDPR), in our legitimate interest in preventing fraud and financial crime (Article 6(1)(f) GDPR), and, where applicable, with your consent (Article 6(1)(a) and Article 9(2)(a) GDPR) or for reasons of substantial public interest (Article 9(2)(g) GDPR).

Identity verification provider

We use Sum and Substance Ltd. and its affiliates (collectively, “Sumsub”) to perform identity verification on our behalf as a data processor. Sumsub’s service-delivery privacy notice is available at https://sumsub.com/privacy-notice-service/.

Biometric data

Biometric data (including scans of facial geometry and liveness data) is processed only with your consent and only for identity verification, fraud prevention, and compliance purposes. We will not sell, lease, trade, or otherwise profit from your biometric data. Residents of Illinois, Washington, and Texas: please see Section 6.2 of our full Privacy Policy for jurisdiction-specific notices.

Automated decision-making

Identity verification involves automated analysis of documents, facial images, and other verification data to detect fraud and authenticity issues. Final onboarding decisions are made by OFA Group, generally with human review. You have the right to request human review of, and contest, any decision based solely on automated processing that produces legal or similarly significant effects on you.

Who we share it with

We share verification information with our identity verification provider (Sumsub), affiliates within the OFA Group corporate structure, professional advisors, regulators, and law enforcement, in each case only as necessary for the purposes described in this Notice and in our Privacy Policy.

International transfers

Personal information may be transferred internationally, including to the United States, the Cayman Islands, the European Economic Area (data is stored primarily on servers in Germany), the United Kingdom, the United Arab Emirates, Singapore, Brazil, and Japan. Where required by applicable law, we use appropriate safeguards (including standard contractual clauses and adequacy decisions) to protect international transfers.

How long we keep it

We retain KYC, AML, CTF, and sanctions screening records for a minimum of five (5) years following the end of the relevant relationship or transaction, or such longer period as may be required by applicable law. Biometric data retention is described in Section 6.2 of our full Privacy Policy.

Your rights

Depending on the jurisdiction in which you reside, you may have rights to access, correct, delete, restrict, or object to our processing of your personal information, to data portability, to withdraw consent, to request human review of automated decisions, and to lodge a complaint with a supervisory authority. To exercise these rights, contact Info@ofacorp.com. Certain rights may be limited where retention is required by AML, CTF, or other applicable law.

Contact

OFA Group - info@ofacorp.com - http://www.ofacorp.com/privacy-policy