Privacy Policy

Privacy Policy

Effective Date: April 3, 2026 | Last Updated: April 3, 2026

1. Introduction & Scope

Perpetua Resources Corp ("Company," "we," "us," "our") operates perpetuaresources.com and related digital properties. This Privacy Policy applies to all personal information we collect through our website, mobile applications, contact forms, and other digital touchpoints.

Data Controller Information:
Perpetua Resources Corp
13181 Highway 55, PO Box 429, Donnelly, Idaho 83615
Email: community@perpetua.us
Data Protection Officer: community@perpetua.us

2. Information We Collect (CCPA Categories)

In the last 12 months, we have collected the following categories of personal information:

CCPA Category	Examples & Types Collected	Retention Period
A. Identifiers	Name, email address, postal address, phone number, IP address, cookie identifiers, device IDs, account usernames	Until deletion request or 3 years of inactivity
B. Commercial Information	Products/services purchased, purchasing history, payment history, customer inquiries	Until deletion request or 7 years (legal/tax requirement)
C. Biometric Information	Not routinely collected. If collected, kept separately and deleted immediately after use.	Not retained
D. Internet Activity	Browsing history, search history, interaction with website content, referring/exit pages, pages visited, time spent on pages, click patterns	13 months (Google Analytics default)
E. Geolocation Data	Approximate location inferred from IP address (not precise GPS)	13 months
F. Sensory Information	Not collected	N/A
G. Professional/Employment Info	Job title, employment history, company affiliation, professional qualifications (for job applicants and employees)	Until completion of hiring process or employment termination + 3 years
H. Education Information	Educational background (for employees, contractors, scholarship applicants)	3-7 years depending on context
I. Inferences & Profiles	Inferred preferences, interests, characteristics, predisposition to contact us, profile reflecting preferences/interests	13 months (tied to underlying data)
J. Protected Classifications	Race, color, religion, sex, national origin, age, disability, genetic information (ONLY if voluntarily provided by users, protected under CCPA for CA residents)	Until deletion request

3. Categories of Sources for Personal Information

• Directly from You: Contact forms, Gravity Forms submissions, newsletter signups, job applications, employee intake forms, vendor intake forms, scholarship applications, feedback/grievance forms
• Automatic Collection: Web servers, Google Analytics, Google Tag Manager, cookies, pixel tags, log files, browser information
• Third Parties: Social media platforms (Facebook, LinkedIn, Twitter/X, Google) when you use social login features; business partners; analytics providers; payment processors; applicant tracking systems
• Public Sources: Public business records, LinkedIn profiles, government databases (for regulatory compliance)

4. Business & Commercial Purposes for Collection

• Processing and responding to your inquiries and communications
• Fulfilling requests for information, products, or services
• Processing employment applications and managing employment relationships
• Administering vendor and supplier relationships
• Scholarship program administration and evaluation
• Website functionality, performance, and optimization
• Security and fraud prevention
• Analytics and understanding user behavior
• Marketing communications and newsletters (with consent)
• Complying with legal obligations and industry regulations
• Defending against legal claims
• Meeting Securities and Exchange Commission (SEC) requirements for publicly traded company
• Community engagement and stakeholder relations
• Accessibility improvements
• Creating aggregated, de-identified data for internal analysis

5. Sensitive Personal Information (CCPA Definition)

We collect the following sensitive personal information categories (which receive special protection under CPRA):

• Social Security Numbers: From employees and contractors only; encrypted and stored separately
• Financial Information: Bank account numbers, credit card numbers (processed through PCI-DSS compliant payment processors; we do not store full numbers)
• Precise Geolocation: Not ordinarily collected; if collected, only with explicit consent
• Health Information: Not collected except as accommodation request documentation (stored separately, protected)
• Genetic/Biometric Data: Not collected
• Race/Ethnicity Information: Only if voluntarily provided by user
• Religious/Philosophical Beliefs: Not intentionally collected
• Sex Life/Sexual Orientation: Not intentionally collected
• Precise Location: Not collected

6. Categories of Third Parties Personal Information is Shared With

Category of Third Party	Purpose of Sharing	Data Categories Shared
Service Providers / Processors	Website hosting, analytics, forms, email, security, backup, customer support	Identifiers, commercial info, internet activity, professional info
Google Services	Analytics (Google Analytics), advertising (Google Ads), tag management (GTM), fonts, maps	Identifiers, internet activity, inferences, geolocation
Social Media Platforms	Social login integration, social media tracking pixels, marketing	Identifiers, internet activity, inferences
Payment Processors	Processing online payments and transactions	Identifiers, commercial information, payment data
Email Service Providers	Newsletter distribution, marketing communications, account notifications	Identifiers, commercial information, inferences
Applicant Tracking Systems	Processing employment and contractor applications	Identifiers, professional info, education info
Legal & Regulatory Bodies	Compliance with legal obligations, court orders, SEC requirements	All categories as required by law
Business Partners & Affiliates	Joint marketing, business development, community partnerships	Identifiers, commercial info, professional info (with consent)
Successor Entity (in acquisition)	Business continuity in merger or acquisition scenario	All collected data

7. Your Privacy Rights (CCPA/CPRA)

7.1 Right to Know (Access)

You have the right to request what personal information we collect, use, share, and sell about you. We will provide you with:

• Categories and specific pieces of personal information collected
• Sources of that information
• Our business purposes for collection
• Categories of third parties with whom we share it

7.2 Right to Delete

You can request deletion of personal information collected from you, subject to certain exceptions (e.g., legally required retention, fraud prevention, law enforcement cooperation).

7.3 Right to Correct

You can request that we correct inaccurate or incomplete personal information we maintain about you.

7.4 Right to Opt-Out of Sale or Sharing

Current Practice: We do not sell or share personal information in the CPRA sense. We work with service providers who may process data on our behalf, and we use analytics/advertising partners that may involve data "sharing" under CPRA definitions. You may still opt out of such sharing through the "Do Not Sell or Share My Personal Information" link.

7.5 Right to Limit Use of Sensitive Personal Information

For sensitive personal information categories, you can request that we limit our use to only those purposes necessary to provide services you requested or required by law.

7.6 Right to Non-Discrimination

We will not discriminate against you for exercising any of your CCPA/CPRA rights. Discrimination includes denying goods/services, charging different prices, providing different quality of service, or threatening to penalize you.

8. How to Submit Privacy Requests (CCPA/CPRA)

Methods to Submit:

• Email: community@perpetua.us
• Mail: Perpetua Resources Corp, 13181 Highway 55, PO Box 429, Donnelly, Idaho 83615, Attn: Privacy Department
• Online Form: perpetuaresources.com/privacy-request (will be configured in WordPress)
• Phone: 208-901-3060

What to Include:

• Clear description of your request type (Know, Delete, Correct, Opt-Out, Limit Use, etc.)
• Your name, email address, and phone number
• Date range of information you're inquiring about (if applicable)
• Signature (for email submissions, typed name acceptable)

8.1 Verification Process

To protect your privacy and prevent unauthorized access to your information, we will verify your identity before processing requests. We may request:

• Confirmation of email address associated with your account
• Last 4 digits of phone number
• Other information from our records
• Government-issued ID (for sensitive requests)

If we cannot verify your identity, we will notify you and explain what additional information we need.

8.2 Authorized Agents

You may authorize a third party (authorized agent) to submit requests on your behalf. The authorized agent must:

• Provide written authorization signed by you
• Provide their own identification
• We will verify both the agent's and your identity

9. Response Timeline

• Initial Response: Within 45 days of verified request
• Extension: We may extend the response period by an additional 45 days if the request is complex, with notice to you
• Communication: We will respond to the email address or phone number you used to submit the request

10. Global Data Protection Regulation (GDPR) - EU Users

For individuals in the European Union, European Economic Area, or Switzerland, the following additional protections apply:

10.1 Legal Basis for Processing

Processing Activity	Legal Basis
Contact form submissions, customer service	Contract performance or legitimate interest (customer support)
Newsletter & marketing communications	Consent (with opt-out available)
Website analytics and optimization	Legitimate interest (website improvement)
Security and fraud prevention	Legitimate interest (website security)
Employment applications	Necessity for employment relationship
Legal compliance and regulatory obligations	Legal obligation or compliance with SEC requirements
Cookies (non-essential)	Consent

10.2 Legitimate Interests Pursued

Where we rely on "legitimate interests," these include:

• Website functionality and user experience improvement
• Security, fraud detection, and legal compliance
• Understanding user needs and optimizing our services
• Marketing and business development
• Protecting our rights and those of our stakeholders

10.3 International Data Transfers (Standard Contractual Clauses)

Your personal information may be transferred to and processed in countries outside the EEA. Where transfers occur, we ensure adequate safeguards including:

• EU-U.S. Data Privacy Framework: Where applicable, we rely on approved Data Privacy Framework certifications
• Standard Contractual Clauses (SCCs): We use EU-approved SCCs with our service providers
• Adequacy Decisions: Where applicable, reliance on EU adequacy decisions
• Explicit Consent: In some cases, we obtain your explicit consent for international transfer

10.4 GDPR Rights (EU Residents)

• Right of Access: Request a copy of your personal data (GDPR Article 15)
• Right of Rectification: Correct inaccurate or incomplete data (Article 16)
• Right of Erasure: Request deletion ("Right to be Forgotten") (Article 17)
• Right to Restrict Processing: Limit how we process your data (Article 18)
• Right to Data Portability: Receive a copy of your data in structured format (Article 20)
• Right to Object: Object to processing including for marketing (Article 21)
• Right to Withdraw Consent: Withdraw consent at any time without affecting legality of prior processing (Article 7)
• Rights Related to Automated Decision-Making: Obtain explanation of automated decisions affecting you; request human review (Article 22)

10.5 Right to Lodge a Complaint

You have the right to lodge a complaint with your local Data Protection Authority regarding our processing of your personal data. Contact details for major EU/EEA authorities:

• Germany (BfDI): www.bfdi.bund.de
• France (CNIL): www.cnil.fr
• Ireland (DPC): www.dataprotection.ie
• Spain (AEPD): www.aepd.es
• Other EU countries: European Data Protection Board directory at edpb.eu

11. California Online Privacy Protection Act (CalOPPA)

11.1 Effective Date of Privacy Policy

This Privacy Policy became effective on April 3, 2026.

11.2 Process for Notifying of Changes

We may update this Privacy Policy at any time. When we make material changes, we will:

• Notify you by email (if we have your email address)
• Post the updated policy on this page
• Update the "Last Updated" date at the top of this policy
• For material changes affecting privacy rights, provide at least 30 days' notice before changes take effect

11.3 How Consumers Can Review and Request Changes

To review the personal information we maintain about you or request changes:

• Email: community@perpetua.us
• Mail: Perpetua Resources Corp, 13181 Highway 55, PO Box 429, Donnelly, Idaho 83615, Attn: Privacy Department
• Use the Privacy Request Form on our website

11.4 Third-Party Tracking & Do Not Track Signals

Third-Party Tracking: We allow third parties (Google, Facebook, LinkedIn) to collect information about your online activities for advertising and analytics purposes. These third parties operate independently and have their own privacy policies.

Do Not Track (DNT) Signals: Your web browser may have a DNT feature. Currently, there is no industry standard for recognizing DNT signals. We do not currently respond to or change our practices based on DNT browser signals. However, you can manage your privacy preferences through:

• Cookie management settings in your browser
• Opting out of Google Analytics
• Using our "Do Not Sell or Share My Personal Information" page
• Unsubscribing from marketing communications

12. Cookie Usage & Technology Tracking

We use cookies and similar tracking technologies to provide functionality, analyze usage, and deliver targeted advertising. See our Cookie Policy for comprehensive details on all cookies used, including:

• Google Analytics (_ga, _gid, _gat)
• Google Tag Manager cookies
• YouTube player cookies
• WordPress session cookies
• WP Rocket caching cookies
• Social login cookies (Google, Facebook, LinkedIn, Twitter/X, GitHub, Microsoft, Amazon)
• Gravity Forms cookies
• Wordfence security cookies
• Google Fonts requests
• ArcGIS cookies
• Hostinger newsletter cookies

13. Children's Privacy (COPPA)

Our website is not intended for children under 13 years old. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13 without parental consent, we will delete such information promptly.

If you are aware that a child under 13 has provided us with personal information, please contact us at community@perpetua.us.

For Children 13-18: If you are between 13 and 18, you have the right to:

• Request deletion of information you posted
• Request deletion of information we collected with your consent
• Prevent us from sharing your information with third parties without consent

14. Data Security & Breach Notification

14.1 Security Measures

We implement comprehensive security measures to protect your personal information:

• Encryption: Data in transit (SSL/TLS) and sensitive data at rest
• Access Controls: Limited employee access to personal information on need-to-know basis
• Firewalls & Intrusion Detection: Wordfence security plugin, DDoS protection via hosting provider
• Regular Security Audits: Periodic vulnerability assessments and penetration testing
• Backup & Disaster Recovery: Regular encrypted backups with secure recovery procedures
• Employee Training: Privacy and security training for all staff with access to personal data
• Vendor Assessment: Evaluation of third-party vendors' security practices

Important Limitation: While we maintain strong security practices, no system is absolutely secure. We cannot guarantee absolute security of information transmitted over the internet.

14.2 Data Breach Notification

If we discover a breach of personal information affecting California residents, we will:

• Notify affected individuals without unreasonable delay
• Notify the California Attorney General
• Notify major credit reporting agencies if breach affects 500+ CA residents
• Notification will include information about the breach and remedial measures
• All notifications will be made in English or the user's preferred language

15. Retention Periods by Data Category

Data Category	Retention Period	Reason
Marketing/Newsletter Subscriber Data	Until unsubscribe or inactivity (12 months)	Opt-in consent valid; removed upon opt-out
Website Analytics Data	13 months	Google Analytics default; aggregated thereafter
Contact Form Submissions	3 years or until request processed	Customer service, liability protection
Employment Applications	1 year after application date	Anti-discrimination compliance (EEOC)
Active Employees	Duration of employment + 3-7 years	Legal, tax, compliance obligations
Vendor/Contractor Information	Until business relationship ends + 3 years	Tax, audit, compliance
Customer Transaction Records	7 years	Tax compliance, dispute resolution
Website Server Logs	90 days	Security and fraud prevention
Cookie Data	Per cookie (see Cookie Policy)	Varies by purpose
Scholarship Application Data	2 years after decision	Program administration and verification

16. Global Privacy Control (GPC) Signal

We honor Global Privacy Control (GPC) browser signals. If your browser sends a GPC signal indicating you do not want your data sold or shared:

• We will treat it as a valid opt-out request under CPRA
• We will not sell or share your personal information
• We will not discriminate against you for sending the signal
• Opt-out will remain valid for 12 months, then you may need to resubmit

17. Financial Incentive Disclosures

Current Status: We do not currently offer any financial incentives, discounts, or rewards programs tied to collection or use of your personal information. If we establish such programs in the future, we will update this policy with:

• Description of the incentive
• Value of the incentive
• Explanation of how personal information is used differently
• How to opt-in and opt-out
• Cancellation procedures

18. Annual Update Statement

This Privacy Policy was last updated on April 3, 2026. We review and update this policy at least annually to ensure it reflects:

• Changes in our data collection and use practices
• New privacy regulations and compliance requirements
• Updates to our systems and third-party providers
• User feedback and privacy concerns

19. "Sale" and "Sharing" Definitions (CPRA)

Sale: Under CPRA, "sale" means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating personal information to another business or third party for monetary or other valuable consideration. We do not sell personal information for money or other compensation.

Sharing: Under CPRA, "sharing" means sharing personal information with service providers or contractors for targeted advertising purposes. This includes pixel tracking by advertising partners on our website. To opt out of such sharing, use the "Do Not Sell or Share My Personal Information" link.

20. Contact Information & Data Subject Request

For Privacy Questions or Requests:

• Email: community@perpetua.us
• Mail: Perpetua Resources Corp
  13181 Highway 55, PO Box 429, Donnelly, Idaho 83615
  Attn: Privacy Department
• Phone: 208-901-3060
• Online Form: perpetuaresources.com/privacy-request (to be configured in WordPress)

For GDPR Requests (EU Residents): Submit requests using any of the methods above. Please include "GDPR Request" in the subject line.

For California-Specific Requests (CalOPPA/CCPA/CPRA): Submit requests using any of the methods above. Please include "California Privacy Request" in the subject line.

21. Third-Party Privacy Policies

This policy does not address third-party services. Our website may contain links to and integrate with third-party sites and services, including:

• Google Analytics/GTM: analytics.google.com/analytics/web/privacy.html
• YouTube: google.com/intl/en/policies/privacy/
• Facebook/Meta: facebook.com/privacy/explanation
• LinkedIn: linkedin.com/legal/privacy-policy
• Twitter/X: twitter.com/privacy
• Google Fonts: fonts.google.com/metadata/fonts_metadata
• ArcGIS: esri.com/en-us/privacy

These third parties have their own privacy policies, and we are not responsible for their privacy practices. We encourage you to review their policies.