California Supplemental Privacy Notice

Perpetua Resources Corp | Effective Date: April 3, 2026

Scope: Who This Notice Applies To

This California Privacy Notice applies to all natural persons who are California residents as defined by California Civil Code §1798.140(i). A "consumer" under CCPA means a natural person who is a California resident, regardless of where the consumer is located when they submit information to us.

This notice does not apply to:

• Business-to-business (B2B) information governed by Cal. Civil Code §1798.140(c)
• Employees or job applicants (unless separate notice is provided)
• Non-California residents
• Information covered by federal privacy laws (HIPAA, GLBA, FCRA, etc.)

Categories of Personal Information Collected (Last 12 Months)

During the last 12 months, Perpetua Resources has collected the following categories of personal information from California consumers:

Category (CCPA §1798.140)	Collected?	Examples	Sources
A. Identifiers (§1798.140(o)(1)(A))	Yes	Name, email address, phone number, postal address, IP address, device identifiers (cookie IDs, mobile device IDs), user IDs, account numbers	Contact forms, employee intake, vendor intake, social login, cookies, analytics (Google Tag Manager GTM-THLL9MZ, Google Analytics), webhooks
B. Customer Records (Cal. Civ. Code §1798.80(e))	Yes	Name, signature, address, phone, email, account history, transaction history, product/service inquiries	Forms, email communications, CRM system, account platforms
C. Protected Classifications (§1798.140(o)(1)(C))	Limited	Race, color, religion, sex, national origin, sexual orientation, disability, age (only if voluntarily disclosed by applicant or user)	Employee intake forms, scholarship applications (voluntary disclosure only)
D. Commercial Information (§1798.140(o)(1)(D))	Yes	Commercial transactions, contract history, vendor pricing, products/services inquired about, purchase history, engagement records	Forms, vendor intake, email, CRM, contract management systems
E. Biometric Information (§1798.140(o)(1)(E))	No	Fingerprints, facial recognition, iris/retina scans, voiceprints	Not collected
F. Internet/Network Activity (§1798.140(o)(1)(F))	Yes	Browsing history, clicks, pages visited, time on page, referrer URLs, search queries, cookie identifiers, session IDs, clickstream data	Google Tag Manager (GTM-THLL9MZ), Google Analytics, cookies, web server logs, heat mapping
G. Geolocation Data (§1798.140(o)(1)(G))	Yes	IP-derived location (city, state, country level); not precise GPS or real-time location unless explicitly provided by user	IP geolocation databases, Google Analytics, forms
H. Sensory Information (§1798.140(o)(1)(H))	No	Audio, video, photographs (visual information identifying individuals)	Not routinely collected
I. Professional/Employment Information (§1798.140(o)(1)(I))	Yes	Job title, company name, department, employment history, professional qualifications, vendor credentials, contractor details	Employee intake forms, vendor intake, job applications, LinkedIn social login, professional inquiries
J. Education Information (§1798.140(o)(1)(J))	Yes	School/university name, degree field, graduation status, academic history (from scholarship applicants)	Scholarship application forms
K. Inferences (§1798.140(o)(1)(K))	Yes	Profiles created from browsing history, inferred preferences, interests, characteristics, purchasing behavior, geographic profile	Google Analytics, advertising platforms, behavioral tracking, form data analysis

Sensitive Personal Information (CPRA §1798.140(ae))

Under the CPRA, we collect limited sensitive personal information. Below is a summary of sensitive PI categories and the purposes for which we use them:

Sensitive PI Category	Collected?	Limited Purposes (§1798.121(b))
Social Security Numbers, Financial Account Info, Precise Geolocation	No	Not collected
Racial/Ethnic Origin, Religious Beliefs, Union Membership	Limited	Only collected if voluntarily disclosed; used only for stated purposes (scholarship evaluation, employment compliance)
Sex, Gender Identity, Sexual Orientation, Citizenship Status	Limited	Only collected if voluntarily disclosed; used for equal opportunity compliance and program eligibility only
Age (under 16), Health Information, Genetic Data, Biometric Data, Criminal History	No	Not collected

Business Purposes for Collection and Use

We collect and use personal information for the following business purposes as defined by Cal. Civil Code §1798.140(d):

• Performing services requested by consumers (form processing, program administration)
• Providing customer support and responding to inquiries
• Processing applications (scholarship, vendor, employment)
• Conducting internal research and analytics to improve services
• Detecting and addressing fraud, security, and technical issues
• Debugging technology products
• Complying with legal obligations and law enforcement requests
• Marketing and advertising (email newsletters, event communications, retargeting)
• Enabling internal operations (personnel management, business administration)
• Personalizing website content and user experience

Sale and Sharing of Personal Information

Sale Under CCPA/CPRA §1798.100

Statement: Perpetua Resources has NOT sold personal information of California consumers in the traditional sense (exchanged for money) during the past 12 months and does not intend to do so in the future.

Sharing for Cross-Context Behavioral Advertising Under CPRA §1798.115

Statement: Under CPRA regulations, "sharing" includes providing information to service providers for purposes of cross-context behavioral advertising. Perpetua Resources uses the following platforms/partners that may constitute "sharing" under California law:

Category of PI	Shared With	Purpose
Identifiers (IP, Cookie IDs, Device IDs), Internet Activity	Google Analytics, Google Tag Manager	Website analytics, user behavior analysis, audience segmentation, potential behavioral advertising
Identifiers, Internet Activity, Inferences	Advertising platforms (retargeting, programmatic advertising)	Cross-context behavioral advertising, audience targeting
Email, Name, Contact Information	Email service providers, newsletter platforms	Email marketing, event communications

Your Right to Opt Out: You have the right to opt out of the sale or sharing of your personal information. See "Your Privacy Rights" section below.

Retention Periods by Category

Category of PI	Retention Period	Justification
Identifiers (from forms)	Duration of relationship + 3 years	Contract/service delivery, legal compliance, dispute resolution
Analytics & Tracking Data (Cookies, GTM, GA)	Up to 26 months; varies by cookie type	Website analytics, user behavior tracking, performance measurement
Employee Data	Duration of employment + 3-7 years	Payroll, tax, legal compliance (labor law, wage/hour)
Vendor Data	Duration of relationship + 7 years	Contract administration, audit trail, legal/tax compliance
Scholarship Applicant Data	3 years post-award or denial	Program administration, appeals/disputes, audit documentation
Commercial/Transaction Data	Duration of relationship + 7 years	Contract performance, dispute resolution, legal compliance

Consumer Rights Under CCPA/CPRA

1. Right to Know (Cal. Civ. Code §1798.100, §1798.110, §1798.115)

You have the right to request and obtain from us the following information about personal information we have collected about you during the past 12 months:

• The categories of personal information collected
• The sources from which personal information was collected
• The business purpose(s) for collecting personal information
• The categories of third parties with whom we share personal information
• A copy of the specific personal information we have collected about you in a portable, readily usable format

Frequency: You may make two verified requests within a 12-month period at no cost. Additional requests may be subject to a reasonable fee.

2. Right to Delete (Cal. Civ. Code §1798.105)

You have the right to request that we delete personal information we have collected from you and retained, subject to certain exceptions. Once we receive and verify your request, we will delete your personal information from our records and direct service providers to do the same, except where:

• The information is necessary to complete the transaction for which it was collected or to provide services you requested
• We are required to retain it by law (tax, legal compliance, records retention requirements)
• The information relates to fraud detection, security, or other legal obligations
• It is necessary to debug technology or improve services

3. Right to Correct (Cal. Civ. Code §1798.106 — CPRA)

You have the right to request that we correct inaccurate personal information, taking into account the nature of the information and the purposes of collection. We will use commercially reasonable efforts to correct inaccurate information upon verification and will direct service providers to do the same.

4. Right to Opt-Out of Sale/Sharing (Cal. Civ. Code §1798.120, §1798.121)

You have the right to opt out of:

• Sale of Personal Information: Although we do not sell personal information for money, you may opt out if future business models change
• Sharing for Cross-Context Behavioral Advertising: You may opt out of sharing your personal information with advertising platforms and analytics providers for behavioral advertising purposes

How to Opt Out: Visit our Do Not Sell My Personal Information page or submit a request using the methods in the "How to Submit Requests" section below.

5. Right to Limit Use of Sensitive Personal Information (Cal. Civ. Code §1798.121)

You have the right to request that we limit our use and disclosure of your sensitive personal information to only those uses necessary to provide you with the services or goods you requested, or as otherwise permitted by CPRA. We will honor such requests without discrimination.

Current Limitation: We already limit our use of sensitive PI to stated purposes and do not use it for general marketing or profiling.

6. Right to Non-Discrimination (Cal. Civ. Code §1798.125)

We will not discriminate against you for exercising any of your CCPA/CPRA rights. Specifically, we will not:

• Deny you goods or services
• Charge you different prices or rates
• Provide you different levels of quality or service
• Suggest that you will receive different treatment or terms

However, we may offer financial incentives for certain data collection practices, provided such incentives are transparently disclosed and you provide explicit consent.

7. Right to Authorize an Agent (Cal. Civ. Code §1798.185)

You may designate an authorized agent to make requests on your behalf. The authorized agent must:

• Provide us with a written authorization signed by you
• Identify themselves to us as your authorized agent
• Provide proof of authorization (power of attorney is accepted)

We will require verification of both the agent's and your identity before processing the request.

How to Submit Privacy Requests

You may submit a request to exercise your privacy rights through any of the following methods:

Method	Details
Email	community@perpetua.us Subject line: "California Privacy Request [Type: Know/Delete/Correct/Opt-Out]"
Phone	208-901-3060 | Ask for Privacy Department
Online Form	perpetuaresources.com/privacy-request
Mail	Perpetua Resources Corp Privacy Department 13181 Highway 55, PO Box 429 Donnelly, Idaho 83615 Attn: California Privacy Request

Request Verification Process

Right to Know / Right to Delete Requests

To verify your identity, we will request:

• Two forms of identification (e.g., driver's license + email verification, or credit card last 4 digits + date of birth)
• Confirmation of your email address and/or phone number we have on file
• Any account numbers or identifiers associated with your request

Opt-Out Requests

For opt-out requests, verification is simplified:

• Email address confirmation or IP/device ID
• Minimal friction to encourage opt-outs

Authorized Agent Requests

When submitting through an authorized agent:

• We will first verify the agent's identity and authority
• We will then verify your identity (the consumer's identity)
• Power of attorney documents are accepted as proof of authority

Response Timeline

• Acknowledgment: Within 10 business days of receipt
• Substantive Response: Within 45 calendar days of verified request
• Extension: We may take up to 90 calendar days total if the request is complex or requires third-party coordination. We will notify you of any extension and the reason.
• Format: Responses will be delivered electronically to the email address you provided, in a portable, readily usable format (typically PDF or CSV for data)

Global Privacy Control (GPC)

We honor Global Privacy Control (GPC) signals as valid opt-out requests in accordance with California Civil Code §1798.135(b)(1). When we detect a GPC signal on your browser or device:

• We will automatically treat it as a request to opt out of the sale and sharing of your personal information
• We will not use the signal to discriminate against you
• We will provide confirmation that we have recognized and honored your GPC signal

Financial Incentives & Data Collection Programs

Current Policy: Perpetua Resources does not currently offer financial incentives tied to personal information collection.

Future Programs: If we develop loyalty programs, discounts, or other incentives in the future that involve collecting or selling/sharing personal information, we will:

• Clearly disclose the program terms and what personal information is involved
• Obtain your explicit, informed consent before enrollment
• Allow you to withdraw consent and opt out at any time without penalty
• Explain the reasonable relationship between the data collected and the value of the incentive

All such programs will comply with Cal. Civ. Code §1798.125(b).

Do Not Track (DNT) Disclosure

California Online Privacy Protection Act (CalOPPA, Cal. Bus. & Prof. Code §22575) requires disclosure of our response to Do Not Track (DNT) signals.

Current Response: Our website does not currently respond automatically to DNT browser signals. However, we provide multiple opt-out mechanisms through this notice and our Do Not Sell page that achieve similar privacy protection.

Minors & Parental Consent

Consumer Under Age 16: Perpetua Resources does not knowingly sell or share the personal information of consumers under 16 years of age. If we become aware that a consumer is under 16, we will:

• Cease any sale or sharing of their personal information
• Obtain affirmative opt-in consent before any future sale or sharing

Consumer Under Age 13: For consumers under 13 (primarily in scholarship applications or content access), we will obtain parental or guardian consent as required by the Children's Online Privacy Protection Act (COPPA) and CPRA §1798.121(d).

Metrics & Annual Disclosure (CPRA §1798.150)

Under CPRA regulations, businesses that annually buy, receive, or sell the personal information of 100,000 or more California consumers are required to publish metrics about privacy requests received and processed. Perpetua Resources commits to annual transparency reporting:

Metrics for the period [JANUARY 1, 2025 — DECEMBER 31, 2025]:

Request Type	Number Received	Complied With	Denied	Median Days to Response
Right to Know	To be published	To be published	To be published	To be published
Right to Delete	To be published	To be published	To be published	To be published
Right to Opt-Out	To be published	To be published	To be published	To be published

Detailed metrics will be updated and published annually by April 30th of the following year.

Changes to This Notice

Perpetua Resources may update this California Privacy Notice from time to time to reflect changes in our privacy practices, technology, applicable law, or other factors. When we make material changes, we will:

• Update the "Effective Date" and "Last Updated" date at the bottom of this page
• Post the updated notice on this webpage at least 30 days before the changes take effect
• Notify you via email if you have provided an email address (for material changes affecting your rights)

Your continued use of our website and services after any changes constitutes your acceptance of the updated terms.

Contact Information

If you have any questions about this California Privacy Notice or wish to exercise your rights, please contact us:

• Privacy Department
• Perpetua Resources Corp
• 13181 Highway 55, PO Box 429
• Donnelly, Idaho 83615
• Email: community@perpetua.us
• Phone: 208-901-3060
• Privacy Request Form: perpetuaresources.com/privacy-request

Additional Privacy Resources

• Full Privacy Policy
• Notice at Collection
• Cookie Policy
• Do Not Sell My Personal Information
• Privacy Request Form