CASL and CAN-SPAM Compliance Policy

1. Purpose

Canada's Anti-Spam Legislation (CASL) — formally titled An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities — is the primary Canadian federal statute governing the sending of commercial electronic messages (CEMs). Enacted to protect recipients from unsolicited commercial communications while preserving legitimate business engagement, CASL imposes an opt-in consent framework with significant penalties for non-compliance.

In the United States, the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act, 15 U.S.C. § 7701 et seq.) governs commercial email sent to U.S. recipients. Unlike CASL, CAN-SPAM operates on an opt-out basis; however, its requirements relating to accurate headers, subject lines, physical address disclosure, and opt-out processing are mandatory.

The ArcStone group includes entities regulated by FINRA (ArcStone Securities LLC), advisors operating in Canada (ArcStone Canada Inc.), investor relations and financial communications platforms (ArcStone Financial Pulse), brand and marketing services operations (ArcStone Branding Inc.), and affiliated broker-dealer networks (ArcStone Kingswood). Each entity engages in electronic communications with a cross-border recipient base. This Policy is designed to protect all group entities from regulatory sanction, civil liability, and reputational harm arising from non-compliant electronic communications.

 This Policy establishes the compliance framework governing all commercial electronic messages sent on behalf of any ArcStone group entity, in any jurisdiction, through any electronic channel.

2. Scope and Group Entities

This Policy applies to all employees, officers, directors, interns, contractors, independent consultants, registered representatives, associated persons, vendor partners, marketing agencies, and any other individual or entity sending electronic messages on behalf of any member of the ArcStone group.

The ArcStone group includes, but is not limited to, the following entities:

•       ArcStone Securities and Investments Corp. — Delaware holding company and parent entity.

•       ArcStone Securities LLC — FINRA-registered broker-dealer (CRD #306029), member FINRA/SIPC, conducting regulated securities activities in the United States.

•       ArcStone Canada Inc. — Canadian capital markets advisory and consulting entity.

•       ArcStone Financial Pulse — Investor relations and financial communications subsidiary.

•       ArcStone Branding Inc. — Brand strategy, marketing, and communications services subsidiary.

•       ArcStone Kingswood — Affiliated retail wealth and distribution platform.

Electronic messages will be assessed on a case-by-case basis to determine whether they constitute CEMs under CASL and/or commercial email under CAN-SPAM. Not all outbound messages qualify as CEMs or commercial email. Internal administrative communications, regulatory correspondence, transactional confirmations, and purely informational messages that do not encourage participation in commercial activity may fall outside the scope of CASL. Personnel must consult the CASL Compliance Officer whenever classification is uncertain.

IMPORTANT: The live website version of this policy (Revision 4) incorrectly stated that ALL electronic messages sent externally would be presumed to be CEMs. This presumption has been removed. Classification is fact-specific and must be assessed per the definitions in Section 3. Consult the CASL Compliance Officer with any uncertainty.

3. Definitions

The following definitions apply throughout this Policy:

CASL: Canada's Anti-Spam Legislation (S.C. 2010, c. 23), as amended.

CAN-SPAM Act: The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, 15 U.S.C. § 7701 et seq., and regulations promulgated thereunder by the Federal Trade Commission (FTC).

Electronic Address: An address used in connection with the transmission of an electronic message to an electronic mail account, an instant messaging account, a telephone account, or any similar account.

Electronic Message: A message sent by any means of telecommunication, including a text, sound, voice, or image message.

Commercial Electronic Message (CEM): Under CASL, an electronic message where it would be reasonable to conclude, having regard to the content, the hyperlinks, and contact information contained in the message, that one of the message's purposes is to encourage participation in a commercial activity. Messages are assessed on the totality of their content, not solely on whether profit is expected.

Commercial Email (CAN-SPAM): Under CAN-SPAM, any electronic mail message whose primary purpose is the commercial advertisement or promotion of a commercial product or service, including content on an Internet website. CAN-SPAM distinguishes between commercial messages, transactional or relationship messages, and other messages based on primary purpose.

Commercial Activity: Any transaction of a commercial character, regardless of whether there is an expectation of profit, including investment solicitation, securities promotion, financial advisory outreach, investor relations communications, and brand or marketing services promotion.

Express Consent (CASL): Permission affirmatively granted by a recipient who opts in to receive CEMs. May be oral or written. Express consent does not expire under CASL unless revoked. ArcStone will maintain records of all express consents, including the date, method, and purpose of consent obtained.

Implied Consent (CASL): Consent inferred from the existence of a prior business relationship, a prior non-business relationship, or conspicuous publication of an electronic address, subject to the time limits and conditions described in Section 4.2.

Opt-Out (CAN-SPAM): The right of a recipient of commercial email to request cessation of further commercial email from the sender. Opt-out requests must be honoured within ten (10) business days.

Unsubscribe: A withdrawal of consent (CASL) or exercise of an opt-out right (CAN-SPAM) to receive further electronic messages from ArcStone.

Sender (CASL): A person who sends or causes or permits a CEM to be sent.

Initiator / Sender (CAN-SPAM): A person who originates or transmits a commercial email message, or procures the origination or transmission of a commercial email message. Both initiating and assisting in the transmission may create liability.

Social Networking Sites: Online communities, platforms, or applications that link individuals electronically and enable users to connect and share information, including LinkedIn, X (formerly Twitter), Instagram, Facebook, YouTube, and similar platforms, whether existing or emerging.

CRTC: The Canadian Radio-television and Telecommunications Commission, the principal Canadian regulator administering CASL.

FTC: The U.S. Federal Trade Commission, the principal U.S. regulator enforcing CAN-SPAM.

FINRA: The Financial Industry Regulatory Authority, the self-regulatory organization regulating broker-dealers in the United States, including ArcStone Securities LLC.

4. Consent Requirements — CASL

4.1 Express Consent

Express consent must be obtained prior to sending any CEM unless a valid implied consent basis or statutory exemption applies. When soliciting express consent, ArcStone must:

•       Clearly and prominently state the purpose for which consent is being sought;

•       Identify ArcStone (or the applicable group entity) by name and provide full contact information, including: mailing address, and at least one of telephone number, email address, or web address;

•       Inform the recipient that they may withdraw consent at any time and explain how to do so; and

•       Obtain consent through a positive opt-in mechanism — pre-ticked checkboxes, silence, or inaction do not constitute valid express consent under CASL.

ArcStone will maintain complete records of all express consents, including: the name of the consenting party, the date and method of consent, the purpose for which consent was granted, and the identity of the ArcStone entity on whose behalf consent was obtained. Records must be retained for a minimum of three (3) years following the expiry or revocation of consent.

4.2 Implied Consent

Implied consent under CASL may exist in the following circumstances:

4.2.1 Existing Business Relationship

A prior purchase, sale, barter, lease, licence, investment transaction, or service agreement completed within the 24 months preceding the CEM. An existing business relationship also arises where the recipient holds or has held a membership, subscription, or account with ArcStone within the preceding 24 months. This 24-month period begins from the date of the last transaction and may be renewed by subsequent transactions.

4.2.2 Existing Non-Business Relationship

A prior donation or gift to ArcStone (if applicable), voluntary work performed for ArcStone, or membership in ArcStone-associated clubs or organisations within the preceding 24 months.

4.2.3 Prior Inquiry or Application

Where a recipient has made an inquiry or submitted an application to ArcStone within the 6 months immediately preceding the CEM. This category applies, for example, to inbound inquiries received through the website, event registrations, or requests for information materials. Personnel must document the date and nature of the inquiry.

4.2.4 Conspicuous Publication

Where a recipient has conspicuously published their electronic address (e.g., on a professional website, business card, or public directory) without any indication that they do not wish to receive unsolicited commercial messages, and the CEM is relevant to their business role or professional function. All three conditions must be met:

•       The address is publicly available without restriction or access barriers;

•       The recipient has not included a statement indicating they do not wish to receive unsolicited CEMs; and

•       The message is directly relevant to the recipient's professional role, business function, or area of expertise.

Personnel relying on conspicuous publication as a basis for implied consent must document: the source of the electronic address, the date it was obtained, and a brief written explanation of the relevance of the communication to the recipient's role, before sending any CEM.

Implied consent based on an existing business relationship or inquiry expires automatically. Personnel must not send CEMs after the applicable 24-month or 6-month window has elapsed unless renewed consent has been obtained. The Approved CEM Recipients List must reflect current consent status at all times.

4.3 Exemptions

Certain electronic messages are exempt from CASL's consent requirements. Personnel must not rely on any exemption without prior confirmation from the CASL Compliance Officer. Applicable exemptions include:

•       Messages sent in response to a recipient's request, inquiry, or complaint;

•       Messages that provide a quote or estimate previously requested by the recipient;

•       Messages that facilitate, confirm, or complete a commercial transaction previously agreed upon;

•       Messages that provide warranty, safety, security, recall, or factual product or service information;

•       Messages sent to enforce a legal right or obligation;

•       Messages sent between employees, representatives, consultants, or affiliates within the ArcStone group concerning ArcStone group activities, where the relationship is established;

•       Certain business-to-business communications where the message relates directly to the recipient's professional role or business function and is sent to a corporate electronic address (not a personal address); and

•       Messages to registered charities, political parties, or certain non-commercial organisations where the message does not promote commercial activity.

4.4 Cross-Border Communications

ArcStone operates across Canada and the United States. CASL applies to CEMs sent from or accessed in Canada. CAN-SPAM applies to commercial email sent to recipients in the United States. Where a message is potentially subject to both regimes (e.g., a message sent from a Canadian entity to a U.S. recipient, or vice versa), ArcStone will apply the more stringent compliance standard across all applicable requirements.

Personnel must consult the CASL Compliance Officer prior to initiating any cross-border electronic marketing campaign. The CASL Compliance Officer will assess applicable law, determine the required consent standard, and confirm content and unsubscribe requirements for each jurisdiction.

5. U.S. CAN-SPAM Act Compliance

5.1 Overview and Applicability

The CAN-SPAM Act of 2003 governs commercial email sent to recipients in the United States, regardless of where the sender is located. ArcStone Securities LLC (FINRA BD), as a U.S.-registered broker-dealer, and all ArcStone group entities conducting U.S.-directed electronic outreach, must comply with CAN-SPAM.

Unlike CASL's opt-in framework, CAN-SPAM permits commercial email to be sent without prior consent, provided that all mandatory content requirements are met and all opt-out requests are honoured promptly. However, where CASL's opt-in standard is also applicable (cross-border communications), ArcStone will apply the CASL opt-in standard as the more protective requirement.

5.2 Mandatory CAN-SPAM Requirements

All commercial email sent by any ArcStone entity to U.S. recipients must satisfy the following requirements:

5.2.1 Accurate Header Information

The 'From', 'To', 'Reply-To', and routing information — including the originating domain name and email address — must be accurate and identify the person or business sending the message. No false or misleading header information is permitted.

5.2.2 Non-Deceptive Subject Lines

The subject line must accurately reflect the content of the message. Deceptive or misleading subject lines are prohibited. This requirement aligns with CASL's prohibition on false or misleading message content.

5.2.3 Identification as an Advertisement

The message must clearly and conspicuously disclose that it is an advertisement or commercial solicitation, unless the recipient has given prior affirmative consent (i.e., opted in). Where CASL express consent has been obtained, this disclosure may be adapted accordingly.

5.2.4 Physical Postal Address

Every commercial email must include ArcStone's valid physical postal address (either a current street address, a registered P.O. Box, or a private mailbox registered with a commercial mail receiving agency). The address of the relevant sending entity must be included.

5.2.5 Clear and Conspicuous Opt-Out Notice

Every commercial email must contain a clear and conspicuous notice of the recipient's right to opt out of receiving further commercial email from ArcStone, and a functional opt-out mechanism by which that right may be exercised. The opt-out mechanism must:

•       Be clearly visible and easy to find;

•       Provide a return email address or other Internet-based mechanism that the recipient can use to request opt-out; and

•       Remain functional for at least 30 days after the message is transmitted.

5.2.6 Opt-Out Processing

ArcStone must honour opt-out requests within ten (10) business days of receipt. Once an opt-out is processed, ArcStone may not sell, lease, or transfer the opted-out address to any other entity for any email purpose. Personnel must immediately forward opt-out requests to the CASL Compliance Officer.

5.3 CAN-SPAM and Third Parties

Both the company whose products or services are advertised in a commercial email and the company that initiates the email (if different) may be legally responsible for CAN-SPAM compliance. ArcStone must ensure that any third party or vendor sending commercial email on ArcStone's behalf is contractually bound to comply with CAN-SPAM. Vendor agreements must include specific CAN-SPAM warranties (see Section 14).

5.4 Business-to-Business Email

CAN-SPAM applies to B2B commercial email. However, guidance from the FTC indicates that enforcement has generally focused on consumer-directed commercial email. Notwithstanding this, ArcStone will apply full CAN-SPAM compliance to all outbound commercial email regardless of recipient type, in alignment with best practices and risk management principles.

6. FINRA and Securities Regulatory Requirements — ArcStone Securities LLC

6.1 FINRA Rule 2210 — Communications with the Public

ArcStone Securities LLC, as a FINRA-registered broker-dealer (CRD #306029), is subject to FINRA Rule 2210, which governs all communications with the public. Commercial electronic communications by ArcStone Securities LLC — including email, social media, and electronic newsletters — constitute 'communications with the public' for purposes of FINRA Rule 2210 and must satisfy applicable content, approval, and recordkeeping standards.

FINRA Rule 2210 classifies communications as: (a) Retail Communications; (b) Correspondence; or (c) Institutional Communications. Each category carries different pre-use filing, approval, and supervisory requirements. The CASL Compliance Officer, in coordination with ArcStone Securities LLC's designated Registered Principal, must confirm the classification of each communication type prior to distribution.

All retail communications and correspondence distributed by ArcStone Securities LLC must:

•       Be fair, balanced, and not misleading;

•       Not make exaggerated, unwarranted, or misleading claims or comparisons;

•       Include required disclosures, including risk disclosures for investment products;

•       Not predict or project investment performance (except in permitted circumstances with required disclosures);

•       Be approved by a designated Registered Principal before use; and

•       Be retained for a minimum of three (3) years from the date of last use.

6.2 Supervision and Recordkeeping of Electronic Communications

Pursuant to SEC Rules 17a-3 and 17a-4 and FINRA Rule 4511, ArcStone Securities LLC is required to maintain and preserve all business-related electronic communications, including email and electronic messages. All electronic communications involving the securities business of ArcStone Securities LLC must be:

•       Conducted through approved and supervised communication channels;

•       Retained in a WORM-compliant (write-once, read-many) format for a minimum of three (3) years, with the first two years in an easily accessible location;

•       Supervised by a designated Registered Principal; and

•       Available for inspection by FINRA, the SEC, or other regulators upon request.

Personnel associated with ArcStone Securities LLC are prohibited from using personal email accounts, unapproved messaging applications, or any communication channel not subject to ArcStone's electronic communications supervision program for any securities-related business communication.

6.3 Investment-Related Electronic Communications

Electronic communications involving the promotion of, or solicitation for, investment opportunities, securities offerings, or advisory services must include all required regulatory disclosures, including applicable risk disclosures, suitability cautions, and member firm disclosures. No communication may contain a recommendation of a specific security or investment strategy without appropriate suitability disclosures.

Securities offerings may only be marketed through approved channels and in jurisdictions where ArcStone Securities LLC is properly registered. Electronic communications that constitute an offer of securities must comply with applicable U.S. federal and state securities laws, including Regulation D (private placements), Regulation A/A+, and applicable Blue Sky laws.

6.4 State Securities Law Considerations

Electronic communications sent on behalf of ArcStone Securities LLC to prospective investors or clients in specific U.S. states may trigger state securities law (Blue Sky) registration or notice filing requirements. The CASL Compliance Officer must consult ArcStone's securities counsel before initiating targeted electronic solicitations in any U.S. state to confirm applicable registration and filing status.

7. Investor Relations and Financial Communications — ArcStone Financial Pulse

7.1 Section 17(b) Disclosures

ArcStone Financial Pulse, as an investor relations and financial communications platform, may be engaged by public companies to produce and disseminate financial communications or promotional content regarding issuers' securities. All such communications must comply with Section 17(b) of the Securities Act of 1933, which requires disclosure of any compensation received, directly or indirectly, in exchange for the publication of communications promoting a security.

All electronic communications produced or disseminated by ArcStone Financial Pulse that discuss or promote any issuer's securities must include a clear, conspicuous, and complete Section 17(b) disclosure identifying: the nature and amount of compensation received; the identity of the party paying the compensation; and the period during which the compensation arrangement is in effect.

7.2 Material Non-Public Information

Personnel involved in investor relations communications must be aware of, and comply with, all applicable restrictions on the use and disclosure of material non-public information (MNPI). Electronic communications must never reference or incorporate information that would constitute MNPI until such information has been publicly disclosed in accordance with applicable law. ArcStone's information barrier and insider trading policies apply to all investor relations communications.

7.3 Fair Disclosure (Regulation FD)

Where ArcStone Financial Pulse works with U.S.-listed issuers, electronic communications must be structured to avoid triggering selective disclosure violations under SEC Regulation FD. The selective distribution of material non-public information through targeted electronic messages to investors would constitute a Regulation FD violation. Any planned investor relations communications involving material information about a U.S.-listed issuer must be reviewed by legal counsel prior to distribution.

8. Marketing and Advertising Compliance — ArcStone Branding Inc.

ArcStone Branding Inc. provides brand strategy, marketing materials, and advertising services to internal and external clients. All electronic marketing communications produced or distributed by ArcStone Branding Inc. on behalf of any ArcStone entity or third-party client must comply with this Policy, CASL, CAN-SPAM, FINRA Rule 2210 (where applicable), and all applicable Canadian competition and advertising laws, including the Competition Act (Canada).

ArcStone Branding Inc. must confirm with the CASL Compliance Officer, prior to any campaign launch, that:

•       Valid consent exists for all CEM recipients (CASL) and that opt-out mechanisms are in place (CAN-SPAM);

•       All advertising content is truthful, accurate, and not misleading under the Competition Act (Canada) and the FTC Act (U.S.);

•       All investment-related content has been reviewed and approved by a Registered Principal of ArcStone Securities LLC or applicable Canadian securities counsel where the content relates to securities; and

•       FINRA Rule 2210 filing requirements have been satisfied for any content distributed by or on behalf of ArcStone Securities LLC.

9. Policy Guidelines

All employees, contractors, vendors, and any other person sending CEMs on behalf of any ArcStone group entity must adhere to the following: 

1.     All information systems within ArcStone are the property of ArcStone and must be used in compliance with this Policy.

2.     All users must immediately report any irregularities in incoming or outgoing CEMs, or in the CEM delivery system, to the CASL Compliance Officer.

3.     The CEM delivery system is subject to monitoring at all times. Use of the CEM delivery system constitutes acceptance of this Policy.

4.     Release of CEMs is at the discretion of ArcStone. All requests for CEM release must be submitted to the CASL Compliance Officer or their designate for approval.

5.     Users must not use ArcStone devices or systems to send CEMs without prior approval from management or the CASL Compliance Officer.

6.     Users must not use ArcStone devices, systems, or email accounts to conduct personal business.

7.     Personal emails must not be sent from an ArcStone email address.

8.     Instant messaging with external parties is permitted only in the course of authorized business activity and through supervised, approved channels.

9.     Personnel associated with ArcStone Securities LLC are prohibited from conducting securities business through any personal or unapproved electronic communication channel.

10.  Personnel must consult the CASL Compliance Officer before sending any CEM to a new recipient, new jurisdiction, or through a new channel.

10. CEM Content Requirements

10.1 Required CEM Components

All CEMs sent on behalf of any ArcStone group entity must contain the following elements:

•       Sender identification: first and last name of the individual sending the message;

•       Sending entity identification: the full legal name of the ArcStone entity on whose behalf the message is sent;

•       Physical mailing address of the sending entity;

•       Email address of the sender;

•       Telephone number of the sending entity;

•       Website address of the sending entity;

•       A clear, functional, and permanently displayed unsubscribe mechanism (CASL) and opt-out notice (CAN-SPAM), in compliance with Sections 4 and 5 of this Policy; and

•       If the CEM is sent on behalf of a third party (e.g., an issuer client of ArcStone Financial Pulse), the identity of both the third party and the ArcStone entity sending the message must be included.

Personnel are prohibited from modifying approved email signature templates or removing the unsubscribe mechanism from any CEM. Modifications to approved templates require written approval from the CASL Compliance Officer.

10.2 CEM Recipients and List Management

Personnel sending CEMs on behalf of any ArcStone group entity must send CEMs only to electronic addresses of parties listed on the Approved CEM Recipients List maintained by the CASL Compliance Officer. Prior to sending any CEM, personnel must verify the recipient's status on the Approved CEM Recipients List.

All new contacts must be added to the Approved CEM Recipients List using the approved consent intake template, available from the CASL Compliance Officer. Personnel must not add contacts to the list without valid documented consent, a confirmed valid implied consent basis, or classification under ArcStone's email database and newsletter distribution program described in Section 10A of this Policy.

ArcStone does not purchase, rent, harvest, or otherwise acquire email lists from third parties for CEM purposes without express written approval from the CASL Compliance Officer and legal counsel. Any third-party list acquisition must be accompanied by: verifiable consent records covering all addresses on the list, representations and warranties from the list provider as to the validity of consent, and contractual indemnification provisions in ArcStone's favour.

10.3 Content Standards

All CEM subject lines, sender information, and message content must be accurate, truthful, and not false, misleading, or deceptive, whether within the meaning of CASL, the Competition Act (Canada), CAN-SPAM, or the FTC Act (U.S.).

For communications sent on behalf of ArcStone Securities LLC, all content must additionally comply with FINRA Rule 2210 (see Section 6). No communication may contain predictions of investment returns, exaggerated performance claims, or material omissions that could create a misleading impression.

10.4 Email List Hygiene and Data Minimization

The Approved CEM Recipients List must be maintained in a current, accurate, and minimal state. The CASL Compliance Officer will conduct periodic reconciliation of the list against:

•       Unsubscribe and opt-out records;

•       Implied consent expiry dates (24 months from last business transaction; 6 months from last inquiry);

•       Bounce and non-delivery records; and

•       Requests for removal received through any channel.

Individuals whose consent has lapsed, who have unsubscribed, or whose addresses are no longer deliverable must be promptly removed from the Approved CEM Recipients List and must not receive further CEMs until valid renewed consent is obtained.

10A. Email Database Compilation and Newsletter / Report Distribution

ArcStone operates an electronic communications program through which professional email addresses sourced from inbound business communications received across ArcStone's corporate email infrastructure are processed and added to a proprietary database for the purpose of distributing financial news, market reports, investor relations materials, and other informational content produced by ArcStone Financial Pulse and affiliated entities. ArcStone's group entities collectively operate the following corporate email domains, each associated with a distinct legal entity:

•       @arcstoneglobalsecurities.com — ArcStone Securities and Investments Corp. (holding company) and ArcStone Canada Inc.

•       @arcstonesecurities.com — ArcStone Securities LLC (FINRA-registered broker-dealer, CRD #306029)

•       @arcstonekingswood.com — ArcStone Kingswood (affiliated retail wealth and distribution platform)

•       @arcstoneventures.com — ArcStone Ventures (as applicable)

The primary source of addresses for this database is correspondence that individuals have themselves sent to personnel across any of these domains — including inquiries, meeting requests, introductions, deal flow submissions, and other professional communications received in the ordinary course of business. This section governs the operation, compliance obligations, and permitted scope of that program, including the specific obligations arising from ArcStone's operation of multiple domains across multiple legal entities.

Program Strength: Because ArcStone's database is built from inbound communications — i.e., emails that individuals have already directed to ArcStone — the legal foundation for this program is significantly stronger than address collection from external public sources. Every inbound email represents a prior communication or inquiry by the sender, which directly engages one of CASL's strongest implied consent categories and is entirely outside the scope of CAN-SPAM's address harvesting prohibition.

10A.1 Legal Basis — CASL (Canadian Recipients)

The collection of email addresses from inbound communications received across ArcStone's corporate email domains, and the subsequent sending of news and report distributions to Canadian recipients, is governed by CASL. ArcStone's primary legal basis for this program in respect of Canadian recipients is the prior inquiry and existing business communication implied consent category under CASL, which is one of the most robust and directly applicable consent bases available under the legislation.

Primary Basis: Prior Inquiry or Existing Communication (CASL s.10(1)(b))

Under CASL, implied consent based on a prior inquiry or communication is established where the recipient has themselves initiated or participated in a communication with ArcStone within the six (6) months preceding the CEM. Every inbound email that ArcStone receives from an external party represents a direct communication or inquiry made by that individual to ArcStone. Accordingly:

•       The sender of an inbound email to any ArcStone inbox has, by the act of sending that email, made a communication or inquiry to ArcStone that creates a valid implied consent basis under CASL;

•       ArcStone may send CEMs to that individual within six (6) months of the date of the inbound communication without requiring additional express consent; and

•       If that inbound communication gives rise to, or occurs in the context of, an ongoing business relationship (e.g., an advisory engagement, a transaction, or a continuing service arrangement), the implied consent period extends to twenty-four (24) months from the date of the last communication within that relationship.

This is the cleanest and most defensible consent basis for ArcStone's database program, as it does not rely on public source verification, relevance assessments of third-party-published information, or assumptions about the individual's professional role. The inbound communication itself creates the basis.

Secondary Basis: Conspicuous Publication

Where an email address is added to the database from a source other than a direct inbound communication — for example, where a contact is referenced by a third party, or where an address is visible on a professional profile — ArcStone may additionally rely on the conspicuous publication implied consent basis under CASL s.10(2), provided that: the address was published by the individual without a do-not-contact statement; the source is publicly accessible without restriction; and the distribution is directly relevant to the recipient's professional role. This secondary basis requires more careful documentation and should be used only where the primary inbound basis is not available. 

ArcStone's distributions — comprising financial news, capital markets reports, and investor relations content — qualify as relevant to recipients' professional roles where those recipients are investment professionals, capital markets participants, institutional investors, fund managers, public company executives, investor relations professionals, financial advisors, or other individuals whose roles are materially connected to the financial markets.

Consent Clock Management: The six-month implied consent window from an inbound inquiry can be renewed each time the individual engages in a further communication with ArcStone. Where an individual replies to a distribution, clicks through, or otherwise communicates with ArcStone, that interaction may renew the implied consent window. The CASL Compliance Officer will implement a system to track last-communication dates for all database contacts.

10A.2 Legal Basis — CAN-SPAM (U.S. Recipients)

Unlike CASL, the U.S. CAN-SPAM Act does not require prior consent before sending commercial email to U.S. recipients. CAN-SPAM operates on a pure opt-out basis: commercial email may be sent to any U.S. recipient provided that all mandatory content requirements are met and opt-out requests are honoured within ten (10) business days. See Section 5 of this Policy for the full requirements.

Importantly, ArcStone's inbox-based email collection methodology is entirely outside the scope of CAN-SPAM's address harvesting prohibition. Section 5(b)(1)(A) of CAN-SPAM prohibits the use of automated programs or scripts to harvest email addresses from third-party websites without authorisation — conduct that ArcStone does not engage in. Collecting email addresses from correspondence that individuals have voluntarily sent to ArcStone's own inboxes is the opposite of prohibited harvesting: the individual has affirmatively reached out to ArcStone using that address. No harvesting prohibition concern arises.

For U.S. recipients, ArcStone's legal position is therefore straightforward: the inbound communication establishes the contact relationship, and CAN-SPAM compliance requires only that each subsequent distribution satisfies the mandatory content and opt-out requirements. ArcStone will apply full CAN-SPAM compliance to all U.S.-directed distributions as a matter of standard practice. 

Cross-border note: Where a Canadian recipient's implied consent window has lapsed (6 or 24 months depending on the basis), ArcStone may not continue sending CEMs to that Canadian address under CASL, even though CAN-SPAM would permit continued U.S.-directed sending. The CASL standard is more stringent and governs for Canadian recipients. The master suppression list must reflect this distinction.

10A.3 Permissible Email Address Collection Methods

ArcStone's distribution database is built primarily from inbound business email received in ArcStone's corporate inboxes. The following collection methods are permissible, listed in descending order of legal strength:

•       Inbound inbox communications (primary): Email addresses extracted from emails that individuals have themselves sent to any ArcStone corporate inbox across any of the group's active email domains (@arcstoneglobalsecurities.com, @arcstonesecurities.com, @arcstonekingswood.com, @arcstoneventures.com) — including inquiries, introductions, meeting requests, deal flow submissions, responses to ArcStone communications, press release replies, event-related correspondence, and any other unsolicited or responsive inbound email received in the ordinary course of business. This is ArcStone's primary and strongest collection basis. The receiving domain must be logged against each contact record to establish entity attribution (see Section 10A.10).

•       Direct recipient-provided addresses: Email addresses provided directly by the recipient in person, through contact forms, conference registrations, subscription requests, or business card exchange at events attended by ArcStone personnel.

•       Event-based collection: Email addresses collected through ArcStone-hosted or co-hosted events, seminars, webinars, or industry conferences, where attendance and engagement implies acceptance of post-event communications, provided the distribution type is relevant to the event context.

•       Existing business contact referrals: Email addresses shared by an existing ArcStone business contact who has expressly consented to receive and forward ArcStone communications and has represented that the referred contact is open to receiving relevant financial communications.

•       Public regulatory and professional registries: Email addresses obtained from public regulatory databases (e.g., SEDAR, EDGAR, FINRA BrokerCheck) or government-maintained professional registries, where addresses are published in a professional capacity and without a do-not-contact indication.

The following collection methods are NOT permissible for the database, regardless of the availability of a consent basis:

•       Automated bulk extraction of email addresses from third-party websites using scraping tools, bots, or similar automated processes — whether or not the addresses are technically 'public';

•       Collection of clearly personal (non-professional) email addresses where the individual has not voluntarily used that address in a professional or business capacity in their communication with ArcStone;

•       Addresses extracted from forwarded email chains without the knowledge or context of the original sender, where the original sender had no intent to communicate with ArcStone; and

•       Purchase or acquisition of harvested email lists from third-party brokers without full legal compliance verification, verifiable consent records, and written approval from the CASL Compliance Officer and legal counsel.

10A.4 Database Intake and Screening Protocol

Before any email address is added to the distribution database, the following intake and screening steps must be completed:

11.  Source verification and entity attribution logging: The address must be traceable to a specific inbound communication received at an identified ArcStone domain. The following must be logged in the database record for each contact: (a) the specific ArcStone email domain at which the inbound communication was received — being one of @arcstoneglobalsecurities.com, @arcstonesecurities.com, @arcstonekingswood.com, or @arcstoneventures.com; (b) the corresponding ArcStone legal entity associated with that domain; (c) the date the inbound email was received; (d) the general nature of the communication (e.g., inquiry, introduction, deal submission); and (e) the professional context of the sender, including their apparent role and organisation, to confirm relevance. Entity attribution — i.e., which ArcStone entity the contact originally engaged with — must be recorded for every contact, as it governs which entity's name and contact information must appear in subsequent distributions sent to that contact.

12.  Relevance assessment: Personnel must confirm that the planned distribution is directly relevant to the contact's professional role or business function. A contact who emailed ArcStone about a capital markets matter is presumed relevant for capital markets and financial news distributions. Addresses must not be repurposed for a materially different distribution type without re-assessing the relevance and consent basis.

13.  Opt-out / unsubscribe suppression check: The address must be screened against ArcStone's master suppression list before being added to the active database. Any address appearing on the suppression list must be excluded regardless of any new inbound communication, unless the individual has since provided fresh express consent.

14.  Intent and context review: Where the nature of the inbound communication clearly indicates that the sender does not wish to receive commercial distributions (e.g., a complaint, a cease-and-desist, or a message explicitly stating the sender does not wish to be contacted), that address must be added to the suppression list rather than the active database.

15.  CASL Compliance Officer approval: All new batches of addresses intended for import into the database must receive written approval from the CASL Compliance Officer before being imported or used for distribution. The CASL Compliance Officer will maintain a log of all approved intake batches, including source, date, and batch size.

10A.5 First-Contact Message Requirements

The first commercial electronic message sent to any newly added database contact must include, in addition to the standard CEM components required by Section 10.1:

•       A clear identification of ArcStone as the sender and a description of the ArcStone entity and distribution platform (e.g., ArcStone Financial Pulse) from which the message originates;

•       An explanation of how the recipient's contact information was obtained, referencing the specific ArcStone domain or entity through which they originally made contact (e.g., 'You previously reached out to our team at [specific domain, e.g., @arcstoneglobalsecurities.com / @arcstonesecurities.com] and we have added your contact details to our distribution list for ArcStone Financial Pulse. If you no longer wish to receive these communications, please use the unsubscribe link below.');

•       A clear description of the type of content the recipient will receive and the expected frequency of distribution;

•       A clear, functional, and prominently displayed unsubscribe link enabling the recipient to immediately opt out of all future distributions; and

•       A statement that the recipient's information will not be shared with third parties for marketing purposes.

Best practice: Including a 'preference centre' link in the first-contact message — allowing recipients to select the types of content they wish to receive rather than only offering a binary unsubscribe — can reduce opt-out rates and establish a stronger documented consent basis for ongoing communications.

10A.6 Ongoing Distribution Requirements

Every distribution sent to the database — including market reports, financial news digests, issuer-specific publications, and research summaries — must comply with the following requirements on every send:

•       All standard CEM components required by Section 10.1 must be included in every message;

•       A functional, clearly visible unsubscribe link must appear in every message. Unsubscribe mechanisms must not require the recipient to log in, create an account, or take more than two steps to complete the opt-out;

•       The subject line must accurately reflect the content of the message and must not be misleading or designed to prevent identification as a commercial distribution;

•       The distribution list must be screened against the master unsubscribe / opt-out suppression list before every send. Sending to a suppressed address is a direct CASL and/or CAN-SPAM violation;

•       The sending entity must be clearly identified. Distributions may not be sent from a generic or obscured sender address that conceals ArcStone's identity;

•       If the distribution contains or promotes content relating to a specific issuer for which ArcStone Financial Pulse has received compensation, a Section 17(b) disclosure must be included (see Section 7.1); and

•       Distributions that contain securities commentary, investment analysis, or recommendations must include applicable risk disclosures and FINRA/regulatory disclosures as required by Section 6.

10A.7 Unsubscribe Processing for Database Distributions

The unsubscribe mechanism embedded in all database distributions must:

•       Be functional at all times — the unsubscribe link must not return an error, require the recipient to log in, or be broken or expired;

•       Remain active for a minimum of 30 days following the date of transmission of the relevant distribution (CAN-SPAM requirement);

•       Process opt-out requests within ten (10) business days (CASL and CAN-SPAM requirement);

•       Immediately add the unsubscribed address to ArcStone's master suppression list upon receipt of the request — and before the next scheduled send;

•       Apply across all ArcStone distribution lists and entities, so that a recipient who unsubscribes from one ArcStone distribution is suppressed from all ArcStone distributions unless they separately and affirmatively re-subscribe to a specific list; and

•       Be accompanied by a confirmation message sent to the unsubscribed address confirming that the opt-out has been processed.

All unsubscribe requests received through the embedded mechanism, direct email reply, or any other channel must be forwarded immediately to the CASL Compliance Officer for processing and suppression list updating. The CASL Compliance Officer maintains the master suppression list and is solely responsible for its accuracy.

CRITICAL: Sending a distribution to an address that has previously unsubscribed or opted out — even if the address was re-added to the database through a subsequent collection cycle — is a direct violation of CASL and CAN-SPAM. The master suppression list must be checked before every database re-population exercise, and all previously suppressed addresses must be excluded from any new import regardless of the source from which they were re-collected.

10A.8 Database Maintenance and Implied Consent Monitoring

The database must be maintained to ensure that implied consent remains current and valid for all active recipients. The CASL Compliance Officer will conduct a database audit at least every six (6) months to:

•       Identify and remove all addresses for which implied consent based on conspicuous publication has lapsed or for which the relevance of the distribution to the recipient's professional role can no longer be confirmed;

•       Remove all addresses that have generated hard bounces or persistent delivery failures;

•       Identify and flag addresses for which the implied consent basis has expired but for which express consent may be obtainable through a targeted re-engagement campaign;

•       Update source documentation for all addresses to reflect any changes in the address holder's professional role or employer; and

•       Reconcile the database against the master suppression list.

ArcStone will implement a re-engagement protocol for database contacts who have not interacted with any distribution for a period of 24 consecutive months. Prior to the expiry of implied consent, the CASL Compliance Officer may initiate a targeted re-engagement communication inviting the recipient to expressly subscribe to ArcStone's distributions. Recipients who do not respond affirmatively will be removed from the active distribution list upon consent expiry.

10A.9 Data Privacy and PIPEDA / CPPA Considerations

The collection, use, and storage of email addresses and associated personal information in ArcStone's distribution database is subject to applicable Canadian privacy legislation, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and, where applicable, provincial privacy legislation. ArcStone's Privacy Policy governs the collection and use of personal information and must be consistent with the practices described in this section.

ArcStone will not share, sell, rent, or otherwise disclose the email addresses or personal information of database contacts to any third party for commercial purposes without the express consent of the individual, except as required by law or regulatory authority. The distribution database is for ArcStone's internal use only.

10A.10 Multi-Domain and Multi-Entity Inbox Attribution

Because ArcStone's group entities operate distinct corporate email domains — @arcstoneglobalsecurities.com, @arcstonesecurities.com, @arcstonekingswood.com, and @arcstoneventures.com — the database program involves inbound communications directed to four legally separate entities. This creates specific compliance obligations relating to entity attribution, permissible cross-entity use of contact data, and the identity of the sender disclosed in distributions.

Entity Attribution and Sender Identification

Under CASL, the identity of the sender that a recipient engaged with is legally material. Where a contact originally emailed ArcStone at a specific domain, the implied consent relationship exists between that individual and the ArcStone entity associated with that domain. Distributions sent to that contact must:

•       Clearly identify the sending entity — the ArcStone group member from whose domain or on whose behalf the distribution is sent — in the sender name, 'From' field, and message body;

•       Use contact information (address, telephone, web address) that corresponds to the sending entity; and

•       Where distributions are sent by ArcStone Financial Pulse or another group entity on behalf of the entity that originally received the inbound email, identify both entities in the message — the original contacting entity and the distributing entity — so that recipients can understand the relationship and the source of their contact information.

Cross-Entity Use of Contact Data

A contact who originally emailed @arcstonesecurities.com has established an implied consent relationship with ArcStone Securities LLC. Using that contact's address to send distributions on behalf of a materially different ArcStone entity — for example, ArcStone Kingswood or ArcStone Ventures — without a separate consent basis requires careful assessment. The CASL Compliance Officer must determine, prior to any cross-entity distribution:

•       Whether the nature of the original inbound communication was sufficiently broad to encompass communications from affiliated ArcStone group entities (e.g., a general capital markets inquiry directed to any group member);

•       Whether the contact has since engaged with the other entity directly, establishing a separate implied consent basis; or

•       Whether express consent should be obtained to broaden the contact's distribution scope to additional ArcStone entities.

As a practical safeguard, ArcStone Financial Pulse distributions sent to the full database must clearly position themselves as a group-wide publication operating across all ArcStone entities, and must disclose that the contact's information was sourced from prior engagement with the specific ArcStone domain through which they originally made contact. This framing, included in the first-contact message and consistently maintained in the email footer and distribution metadata, provides the most legally coherent basis for group-wide distribution to a cross-entity contact database.

Domain-Specific Suppression

The master suppression list must track, for each suppressed address, whether the unsubscribe or opt-out request was made in response to a distribution from a specific entity or from all ArcStone entities. Where a recipient unsubscribes from one entity's distribution, that address must be suppressed from all ArcStone group distributions unless the individual has separately and affirmatively subscribed to receive communications specifically from another named group entity. Domain-level suppression segmentation is not a defence — a single unsubscribe from any ArcStone distribution constitutes a group-wide opt-out unless the recipient expressly indicates otherwise.

Operational recommendation: ArcStone's email distribution platform should be configured to tag each database contact record with the originating domain (@arcstoneglobalsecurities.com, @arcstonesecurities.com, @arcstonekingswood.com, or @arcstoneventures.com) and the corresponding entity name at the time of intake. This metadata should travel with the contact record through the database lifecycle and populate automatically into the sender identification fields and first-contact disclosure language of each distribution, eliminating the risk of misidentification or cross-entity attribution errors.

11. Approved CEM Recipients List

The Approved CEM Recipients List is the authoritative record of all electronic addresses to which ArcStone may send CEMs. The list is maintained by the CASL Compliance Officer and must be available to personnel responsible for CEM distribution.

The list must record, for each contact:

•       Full name and electronic address;

•       The ArcStone entity in whose name consent was obtained;

•       The type of consent (express or implied) and its basis;

•       The date consent was obtained;

•       The date consent expires (for implied consent);

•       The method and source of consent; and

•       Any unsubscribe or opt-out history.

The CASL Compliance Officer will audit the Approved CEM Recipients List at least quarterly. Periodic reconciliation against unsubscribe records and consent expiry dates is mandatory.

12. Unsubscribe and Opt-Out Processing

ArcStone bears the burden of proof in demonstrating valid consent under CASL. The unsubscribe and opt-out mechanism is the primary consumer protection tool in ArcStone's email database and newsletter distribution program (Section 10A), and its proper functioning is non-negotiable under both CASL and CAN-SPAM. All unsubscribe requests under CASL and all opt-out requests under CAN-SPAM must be processed within ten (10) business days of receipt. A failure to process an unsubscribe or opt-out within the required timeframe is itself a standalone violation of applicable law, regardless of whether the underlying message was lawfully sent.

Personnel who receive an unsubscribe or opt-out request through any channel — including direct email reply, web form submission, telephone, or in person — must:

•       Forward the request to the CASL Compliance Officer immediately upon receipt;

•       Not send any further CEM to the unsubscribed or opted-out party, effective immediately; and

•       Document the date, method, and channel through which the request was received.

The CASL Compliance Officer will:

•       Process all unsubscribe and opt-out requests within ten (10) business days;

•       Update the Approved CEM Recipients List to reflect the unsubscribed or opted-out status;

•       Ensure the opt-out mechanism remains functional for 30 days following initial transmission of any CEM (CAN-SPAM requirement);

•       Not sell, transfer, or share opted-out email addresses with any third party for email marketing purposes; and

•       Maintain a complete record of all unsubscribe and opt-out requests for a minimum of three (3) years.

ArcStone must not send any further CEM to an unsubscribed party, including through an affiliated ArcStone entity, unless the individual subsequently provides fresh express consent for communications from the specific entity and for the specific purpose identified.

13. Social Media and Digital Outreach

13.1 Social Media — General Principles

Publicly accessible posts on social media platforms that are broadcast generally (i.e., not directed to specific electronic addresses) are generally not considered CEMs under CASL. However, direct messages, InMail communications, private messages, group messages, and any targeted electronic communication sent through social networking platforms to specific individuals may constitute CEMs and must comply with this Policy.

Connection requests that contain no commercial content are generally not CEMs under CASL. However, any subsequent commercial communication directed to a connection must satisfy applicable consent requirements before it is sent.

13.2 LinkedIn InMail and Professional Direct Messaging

LinkedIn InMail and equivalent direct messaging features on professional networking platforms are frequently used by ArcStone personnel for business development, investor outreach, and institutional communications. These communications may constitute CEMs under CASL and/or commercial email under CAN-SPAM where their content encourages participation in commercial activity.

Before sending any commercial direct message through LinkedIn or similar platforms, personnel must:

•       Confirm that a valid consent basis exists (express or implied), or that a recognized exemption applies;

•       Ensure the message content and sender identification comply with Section 10.1; and

•       Include unsubscribe language or a mechanism by which the recipient can request to stop receiving further messages, where required.

Bulk InMail or mass direct message campaigns targeting multiple recipients must receive prior approval from the CASL Compliance Officer. Automated outreach tools or LinkedIn automation software must not be used without written approval.

13.3 Paid Digital Advertising

Paid digital advertising campaigns (including programmatic display, sponsored social media content, Google Ads, and similar channels) must comply with applicable advertising laws, platform terms of service, and — where applicable — FINRA Rule 2210. Paid campaigns that redirect to content promoting securities or investment opportunities are subject to securities regulatory review prior to launch.

The CASL Compliance Officer must be notified of any planned paid digital advertising campaign targeting Canadian recipients. The CASL Compliance Officer will assess whether the campaign involves CEMs and whether consent is required.

14. Third-Party Vendors and Service Providers

Any third-party vendor, consultant, marketing agency, list provider, or technology service provider engaged to send electronic messages on behalf of any ArcStone group entity must satisfy the following requirements prior to engagement and throughout the term of the engagement:

•       Provide written representations and warranties confirming full compliance with CASL, CAN-SPAM, and all other applicable laws governing electronic communications in the jurisdictions where messages will be sent;

•       Demonstrate that verifiable, valid consent records exist for all electronic addresses to which messages will be sent on ArcStone's behalf;

•       Agree to provide consent records and documentation to ArcStone upon request;

•       Agree contractually to indemnify ArcStone for any regulatory penalty, civil liability, or other loss arising from non-compliance attributable to the vendor's conduct;

•       Submit all proposed message content, templates, and campaigns for prior review and approval by the CASL Compliance Officer before any message is sent;

•       Honor all unsubscribe and opt-out requests within ten (10) business days; and

•       Maintain adequate data security controls to protect the electronic addresses and personal information of ArcStone's contacts.

ArcStone reserves the right to audit the compliance practices of any vendor or service provider at any time. Non-compliant vendors will be immediately suspended from further engagement pending remediation or termination of the relationship.

15. Record Retention

ArcStone will maintain the following records for the periods specified below: