PRIVACY POLICY

Last updated: May 5, 2024

1661, Inc. dba GOAT (“GOAT”) and its affiliates (collectively, “GOAT Group,” “we,” “us,” “our”) provides this Privacy Policy to inform you about how we collect, use, disclose, and otherwise process personal information when individuals (“you”) access our websites (the “Sites”), our mobile applications (“Apps”), or in-person events or locations, and all related content, products, services, platforms, other functionalities offered on or through our services, and any other properties or locations that link to this Privacy Policy (collectively, the “Services”). This Privacy Policy does not address our privacy practices relating to job candidates, employees and other personnel.

TABLE OF CONTENTS

I. OUR COLLECTION AND USE OF PERSONAL INFORMATION

II. DISCLOSURE OF PERSONAL INFORMATION

III. CONTROL OVER YOUR INFORMATION

IV. DATA RETENTION

V. CHILDREN’S PERSONAL INFORMATION

VI. LINKS TO THIRD-PARTY WEBSITES OR SERVICES

VII. UPDATES TO THIS PRIVACY POLICY

VIII. CONTACT US

IX. REGION-SPECIFIC DISCLOSURES

COOKIE POLICY

I. OUR COLLECTION AND USE OF PERSONAL INFORMATION

We collect personal information in a variety of ways. For example, you may provide us with your personal information when you make a purchase, list an item for sale, send us messages, subscribe to our mailing lists, newsletters or other forms of marketing communications, or use some other feature of our Services.

We may link or combine information collected from you on our Sites and Apps with information we have collected from you offline (e.g., in-person), information we receive from third parties, as well as information we collect automatically through tracking technologies (defined below). This allows us to, for example, provide you with a personalized experience regardless of how you interact with us.

The personal information we collect, the way we collect it, and how we use it will depend on how you are interacting with us and the type of services you use.

Personal Information Collected from You

• Account Information, including name, email address, phone number, username and password, location, profile information, and any other information you provide to us. We use this information to administer your account, provide you with the relevant service and information, communicate with you regarding your account and your use of the Services, and for fraud prevention and customer support purposes. Please note that other users may see your username and/or location (if you enable location services and grant permission) on the Services.

• Buyer Information, including name, email address, shipping and billing address, and payment card and billing information, if you choose to make a purchase. Please note that we use third-party payment processors to process credit card payments made to us. As such, we do not retain any personally identifiable financial information in connection with credit card payments, such as credit card numbers. Rather, all such information is provided directly by you to our third-party payment processor. The payment processor’s use of your personal information is governed by their privacy policy.

• Seller Information, including name, email address, shipping and billing address, bank information and payment card and billing information, if you choose to list an item for sale on one of our platforms. Please note that we use third-party payment processors to process credit card payments made to us. As such, we do not retain any personally identifiable financial information in connection with credit card payments, such as credit card numbers. Rather, all such information is provided directly by you to our third-party payment processor and may be kept on file with such third-party payment processor to cover certain applicable charges incurred by a seller. The payment processor’s use of your personal information is governed by their privacy policy.

• Identity and Compliance Information, including name, birthdate, address, phone number, email address, bank account information, government ID number, VAT ID number or other tax ID number, and copies of government ID or tax documents, along with a selfie image. We may use data collection and verification services provided by a third-party provider, Persona, to collect and verify such information in order to comply with our legal obligations and protect against fraud and abuse. Persona may use a combination of machine-learning tools and optical scans to verify your identity document and may use facial recognition technology to produce a unique biometric identifier based on facial geometry that can be used to compare your selfie to the image on the identity document you provide to determine the likelihood that the images are a "match." We do not receive the biometric identifier generated from the images. It is generated and held by Persona until we inform them that the biometric identifier is no longer needed for the purposes described in this paragraph and must be destroyed. For identity verification and security purposes, we will have access to the selfie image and will receive the information extracted from the scan of the government ID document as well as the results of the verification process. We may use this process and associated information to verify your identity and your identity documents, comply with legal obligations and protect against fraud and abuse. We do not use, disclose or retain your biometric information for any other commercial purpose. Our third-party provider, Persona, processes this information on our behalf strictly in accordance with our contractual agreements. For more information on Persona’s data processing practices, please see Persona’s Privacy Policy.

• User Generated Content, including content that you create, such as posts and/or comments, messages that you send and receive (including their content) and the metadata about content and messages.

• Inquiry and Communications Information, including any information you submit to us through a “Submit Request” customer support form, such as contact information and any other information you provide in the request, information provided in chat messages, to one of our email addresses, in-person, or via phone. We use this information to investigate and respond to your inquiries, to communicate with you, to enhance the services we offer to our users and to manage and grow our organization.

• Newsletter and Marketing Emails Information, including email address and applicable interests and communication preferences. We use this information to manage our communications with you and send you information about products and services we think may be of interest to you. If you wish to stop receiving emails from us, simply click “unsubscribe” at the bottom of the email. Note that you cannot unsubscribe from certain services-related emails (e.g., account verification, confirmations of transactions, technical or legal notices).

Personal Information from Third Parties

We may also combine the information we receive from you with personal information we obtain from third parties. We may receive the same categories of personal information as described above from the following third parties:

• Social Media. When an individual interacts with our Services through various social media platforms, such as when someone logs in through a social media platform, links their social media account, provides us with their social media handle, “Likes” us on a social media platform or follows us or shares our content on Google, Facebook, Twitter, Instagram or other social media platform, we may receive some information about individuals that they permit such social media platform to share with third parties. The data we receive is dependent upon an individual’s privacy settings with the social media platform. Individuals should always review and, if necessary, adjust their privacy settings on third-party websites and social media platforms and services before sharing information and/or linking or connecting them to other services.

• Service Providers. Our service providers that perform services solely on our behalf, such as payment processors, fraud prevention vendors, verification vendors, website hosting providers, or certain survey and advertising/marketing providers, collect personal information and may share some or all of this information with us.

• Other Sources. We may also collect personal information about individuals that we do not otherwise have from, for example, publicly available sources, third-party data providers, our affiliated companies, brand partnerships, or through transactions such as mergers and acquisitions.

Personal Information Collected at Our In-Person Locations

When you visit one of our in-person locations, we may collect the following information from or about you:

• Contact Information. When you visit one of our in-person locations, we may collect your name, email address and/or phone number so that we can send you promotional offers or other marketing materials. We may also give you the opportunity to answer survey questions about your experience.

• Transaction Information. We may collect information about your in-store transaction such as items purchased or dropped off, date and time of your transaction, amount purchased, and payment information, such as your credit/debit card (through our payment processor) or gift card details, when you make an in-store purchase.

• Client Profile Data. In order to have a full understanding of our clients, we may also collect and store data about your behavior, interests, preferences (such as products, topics, and channel and frequency of communication), wish lists, hobbies, client interactions and marketing campaign activities, opinions, customer reviews, demographic data, habits, celebration events, purchasing reviews and feedback as well as your general purchasing tendencies.

• In-store Location and Movement Information. In some locations, we may work with third-party providers that collect location and movement data from your mobile device when you’re using a mobile app configured for this purpose. We may receive aggregated information about visitors to our stores and may use this data to analyze foot traffic patterns and measure the effectiveness of our marketing and promotional campaigns. See Control Over Your Information to learn how you may adjust location data collection through your mobile device.

• In-store Wi-Fi. In some locations, we may offer free Wi-Fi services to our guests. Our Wi-Fi network providers may capture certain data from devices you connect to it, such as a unique device identifier. We may also enable Bluetooth or other technologies in our stores which enable us to detect the presence of your device in our stores or provide operational insights.

• In-store Video or Images. In some locations, we use CCTV cameras in our stores for security, fraud, incident reporting and loss-prevention purposes, or to collect analytics, improve operations and other purposes.

Personal Information Automatically Collected

As is true of many digital properties, we and our third-party partners may automatically collect certain information from or in connection with your device when visiting or interacting with our Services, as described in the list below:

• Log data, including internet protocol (IP) address, operating system, device type and version, unique device identifier, browser type and version, browser ID, the URL entered and the referring page/campaign, date and time of visit, other user agent string data, the time spent on our Services, and any errors that may occur during the visit to our Services.

• Analytics data, including the electronic path you take to our Services, through our Services and when exiting our Services, UTM source, as well as your usage and activity on our Services, such as the time zone, activity information (e.g., first and last active date and time), usage history (e.g., emails opened, total log-ins) as well as the pages, links, objects, services you view, click or otherwise interact with.

• Location data, such as general location information we derive from your IP address. We and our third-party partners may use cookies or small data files that are stored on an individual’s computer and other, related technologies, such as web beacons, pixels, embedded scripts, location-identifying technologies and logging technologies (collectively, “cookies”) to automatically collect this information. We may also use this information to distinguish you from other users of our Services. This helps us monitor and analyze how you use and interact with our Services. It also helps us and our partners to determine products and services that may be of interest to you.

For more information about these practices and your choices regarding cookies, please see the Cookie Policy.

Additional Uses of Personal Information

In addition to the uses described above, we may use the personal information collected as described above for the following purposes:

• Fulfill or meet the reason the information was provided, such as to satisfy our contractual obligations, to deliver the Services you have requested, and to fulfill orders and process transactions (including sharing certain contact information with our shipping and delivery partners);
• Communicate with you and contact you via newsletters, email updates, marketing or promotional materials and other information that may be of interest to you. For more information on your choices about communications, see the Control Over Your Information section of this Privacy Policy;
• Send you technical notices (including sending you an SMS text code for multifactor authentication), security alerts, and support and administrative messages and to respond to your and others’ comments, questions, and customer service requests;
• Personalize your experience on the Services and to tailor the Sites, Apps and the Services to your interests;
• Respond to requests, suggestions, questions, and comments, and provide other types of user support;
• For internal business purposes, including analytics and marketing purposes;
• Test, enhance, update and monitor the Services, or diagnose or fix technology problems;
• Help maintain the safety, security and integrity of our properties and Services, technology assets and business;
• Enforce our Terms of Use, to resolve disputes, to carry out our obligations and enforce our rights, and to protect our business interests and the interests and rights of third parties;
• Prevent, investigate or provide notice of fraud or unlawful or criminal activity;
• Comply with contractual and legal obligations and requirements;
• To fulfill any other purpose for which you provide personal information; and
• For any other lawful purpose, or other purpose that you consent to.

Where you choose to contact us, we may need additional information to fulfill the request or respond to inquiries. We may provide you with additional privacy-related information where the scope of the inquiry or request and/or personal information we require fall outside the scope of this Privacy Policy. In that case, the additional privacy-related information will govern how we may process the information provided at that time.

Through the provision of our Services, we may process deidentified information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular consumer or household. We will maintain and use such information in deidentified form and will not attempt to reidentify the information, except in instances where necessary for determining whether the deidentification process used satisfies the requirements under applicable law.

We may also aggregate data for reporting, analytics, and other business reasons, including to promote or describe the use of our Services.

II. DISCLOSURE OF PERSONAL INFORMATION

As part of our Services, we may also share, transmit, disclose, grant access to, make available, and provide personal information with and to third parties, as follows:

• Affiliated Companies. We may share personal information with other companies owned or controlled by GOAT, and other companies owned by or under common ownership as GOAT, which also includes our subsidiaries (i.e., any organization we own or control) or our ultimate holding company (i.e., any organization that owns or controls us) and any subsidiaries it owns, particularly when we collaborate in providing the Services.

• Other Users. When you create a profile on the Services, other registered users may be able to see the information that you include in your profile, including but not limited to your username and/or your location (if you enable location services and grant permission). If you purchase or list items for sale on certain of our Services, or interact with the Services, we may disclose your information to other parties. For example, if you make a purchase on one of our Sites, we may disclose your information to the Seller. You should exercise care in deciding what information to provide.

• Service Providers. We may employ third-party providers and individuals to facilitate the Services, to provide the Services on our behalf, to perform Service-related functions (e.g., payment processing services, IT support services, maintenance services, shipping, database management, marketing, security and fraud prevention services, web or advertising analytics, and improvement of the Service’s features) or to assist us in analyzing how the Services are used.

• Third-Party Referral Partners. We may work with third-party referral partners. If you visit the Site by linking directly from a third-party website, we may provide the third party with select information about your individual transaction that you made after being referred. To track and credit your transaction, the third-party website may give you a unique code, cookie or graphic which will uniquely identify you. The presence of a third-party navigation bar at the top of any page on any website is an indication that the third-party website may have access to information about your activity on such website.

• Online Advertising Partners. We may also share personal information with advertising networks or permit these partners to collect information from you directly on our Sites to facilitate online advertising, such as search engines and social network advertising providers to serve targeted ads to you or to groups of other users who share similar traits, such as likely commercial interests and demographics, on third-party platforms. For more information, including how to opt out of interest-based advertising, please see the Cookie Policy.

• Business Transaction or Reorganization. We may take part in or be involved with a corporate business transaction, such as a merger, acquisition, joint venture, or financing or sale of company assets. We may disclose personal information to a third party during the negotiation of, in connection with or as an asset in such a corporate business transaction. Personal information may also be disclosed in the event of insolvency, bankruptcy or receivership.

• Legal Obligations and Rights. We may disclose personal information to third parties, such as legal advisors, law enforcement and tax authorities:

  • in connection with the establishment, exercise, or defense of legal claims;
  • to comply with laws and our tax obligations (e.g., to respond to claims, lawful requests and legal process, including but not limited to subpoenas);
  • to protect our rights and property and the rights and property of others, including to enforce our agreements and policies;
  • to detect, suppress, or prevent fraud;
  • to protect the health and safety of us and others or to prevent or stop activity we may consider to be, or to pose a risk of being, any illegal, harmful, unethical or legally actionable activity; or
  • as otherwise required by applicable law.

• With Your Consent. We may disclose personal information about an individual to certain other third parties or publicly with your consent or direction.

• Aggregated and Deidentified Information. We may share aggregated or deidentified information without limitation. This includes sharing the types of technical information that we collect as described above (including information that identifies a device), to the extent permitted by law.

III. CONTROL OVER YOUR INFORMATION

You may control your information in the following ways:

• Account and Profile Information and Settings. If you have created an account, you may review, update, correct or delete certain information in your profile within the Apps or Sites (as applicable). If you would like us to delete your record in our system, please contact us at [email protected] with a request that we delete your personal information from our database. We will use commercially reasonable efforts to honor your request. We may retain an archived copy of your records as required by law or for legitimate business purposes.

• Newsletter and Marketing Emails. You can opt out of receiving marketing emails from us by clicking the “unsubscribe” link at the bottom of each email. Note that you cannot unsubscribe from certain services-related emails (e.g., account verification, confirmations of transactions, technical or legal notices).

• SMS Text Messaging and Telephone Calls. With your prior express consent, we may use personal information we collect to communicate with individuals via text message and telephone calls, including to send you an SMS text code for multifactor authentication. You can unsubscribe from text messages at any time by replying STOP or clicking the unsubscribe link (where available) in one of our messages. For more information, please see our Terms of Use. We do not share SMS consent and the related phone numbers with third parties, except where required to facilitate the text message or phone call. We do not share SMS consent and the related phone numbers with third parties, except as otherwise disclosed in this Privacy Policy.

IV. DATA RETENTION

We will usually store the personal information we collect about you for no longer than necessary to fulfill the purposes for which it was collected, and in accordance with our legitimate business interests and applicable law. However, if necessary, we may retain personal information for longer periods of time, until set retention periods and deadlines expire, for instance where we are required to do so in accordance with legal, tax and accounting requirements set by a legislature, regulator or other government authority.

To determine the appropriate duration of the retention of personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorized use or disclosure of personal information and if we can attain our objectives by other means, as well as our legal, regulatory, tax, accounting and other applicable obligations.

For example, if you reside in the European Economic Area, the United Kingdom or the State of California, your personal information may be subject to certain laws and regulations that define the criteria used to determine the period for which personal information about you will be retained, which varies depending on the legal basis under which we process the personal information:

• Contract. Where we are processing personal information is based on contract, we generally will retain your personal information for the duration of the contract plus some additional limited period of time that is necessary to comply with law or that represents the statute of limitations for legal claims that could arise from our contractual relationship.

• Legitimate Interests. Where we are processing personal information based on our legitimate interests, we generally will retain such information for a reasonable period of time based on the particular interest, taking into account your fundamental interests and your rights and freedoms.

• Consent. Where we are processing personal information based on your consent, we generally will retain your personal information until you withdraw your consent, or otherwise for the period of time necessary to fulfill the underlying agreement with you or provide you with the applicable service for which we process that personal information.

• Legal Obligation. Where we are processing personal information based on a legal obligation, we generally will retain your personal information for the time necessary to fulfill the legal obligation.

• Legal Claim. We may need to apply a “legal hold” that retains information beyond our typical retention period where we face threat of legal claim or intent to establish a claim. In that case, we will retain the information until the hold is removed, which typically means the claim or threat of claim has been resolved.

When an individual discontinues the use of our Services, we will retain their personal information for as long as necessary to comply with our legal obligations, to resolve disputes and defend claims, as well as, for any additional purpose based on the choices they have made, such as to receive marketing communications. We will retain personal information supplied when joining our Services, including complaints, claims and any other personal information supplied during the duration of an individual’s contract with us for the Services until the statutory limitation periods have expired, when this is necessary for the establishment, exercise or defense of legal claims.

Once retention of the personal information is no longer necessary for the purposes outlined above, we will either delete or deidentify the personal information or, if this is not possible (e.g., because personal information has been stored in backup archives), then we will securely store the personal information and isolate it from further processing until deletion or deidentification is possible.

V. CHILDREN’S PERSONAL INFORMATION

Our Services are not directed to, and we do not intend to, or knowingly, collect or solicit personal information from children under the age of 16. If an individual is under the age of 16, they should not use our Services or otherwise provide us with any personal information either directly or by other means. If a child under the age of 16 has provided personal information to us, we encourage the child’s parent or guardian to contact us to request that we remove the personal information from our systems. If we learn that any personal information we collect has been provided by a child under the age of 16, we will promptly delete that personal information.

VI. LINKS TO THIRD-PARTY WEBSITES OR SERVICES

Our Services may include links to third-party websites, plug-ins and applications. Except where we post, link to or expressly adopt or refer to this Privacy Policy, this Privacy Policy does not apply to, and we are not responsible for, any personal information practices of third-party websites and online services or the practices of other third parties. To learn about the personal information practices of third parties, please visit their respective privacy policies.

VII. UPDATES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. When we make changes to this Privacy Policy, we will change the date at the beginning of this Privacy Policy. If we make material changes to this Privacy Policy, we will notify individuals by email to their registered email address, by prominent posting on our Services, or through other appropriate communication channels. All changes shall be effective from the date of publication unless otherwise provided.

VIII. CONTACT US

If you have any questions or requests in connection with this Privacy Policy or other privacy-related matters, please send an email to [email protected].

Alternatively, inquiries may be addressed to:

GOAT Group

Attn: Privacy Department

P.O. Box 91258

Los Angeles, CA 90009-1258

IX. REGION-SPECIFIC DISCLOSURES

We may choose or be required by law to provide different or additional information relating to the processing of personal information about residents of certain countries, regions or states. Please refer below for additional information that may be applicable to you:

• For residents of U.S. States that have enacted applicable and enforceable data privacy legislation, please click here for additional US-specific privacy disclosures.
• For residents of Canada, please click here for additional Canada-specific privacy disclosures.
• For residents of the European Economic Area (“EEA”), Switzerland, and the United Kingdom (“UK”), please click here for additional region-specific privacy disclosures.

ADDITIONAL U.S. STATE PRIVACY DISCLOSURES

Last updated: January 23, 2025

For residents of U.S. States that have enacted applicable and enforceable data privacy legislation: These Additional U.S. State Privacy Disclosures (“U.S. Disclosures”) supplement the information contained in our Privacy Policy by providing additional information about our personal information processing practices relating to individual residents of states that have enacted applicable and enforceable data privacy legislation (as of January 2025, California, Colorado, Connecticut, Delaware, Florida, Iowa, Montana, Nebraska, Nevada, New Hampshire, New Jersey, Oregon, Texas, Utah and Virginia together, the “Applicable States”. For a detailed description of how we collect, use, disclose, and otherwise process personal information in connection with our Services, please see our Privacy Policy. Unless otherwise expressly stated, all terms defined in our Privacy Policy retain the same meaning in these U.S. Disclosures. To the extent any provision in these U.S. Disclosures conflicts with a provision of the Privacy Policy, these U.S. Disclosures shall govern with respect to visitors, users, and others who reside in the Applicable States.

For the purposes of these U.S. Disclosures, personal information does not include publicly available information or deidentified, aggregated or anonymized information that is maintained in a form that is not capable of being associated with or linked to you.

Your Privacy Choices

Depending on your state of residency, you may be able to exercise the following rights in relation to the personal information about you that we have collected (subject to certain limitations at law):

• The Right to Know. The right to confirm whether we are processing personal information about you and, under California law only, to obtain certain personalized details about the personal information we have collected about you in the last 12 months, including:

  • The categories of personal information collected;
  • The categories of sources of the personal information;
  • The purposes for which the personal information were collected;
  • The categories of personal information disclosed to third parties (if any), and the categories of recipients to whom the personal information were disclosed;
  • The categories of personal information shared for cross-context behavioral advertising purposes (if any), and the categories of recipients to whom the personal information were disclosed for those purposes; and
  • The categories of personal information sold (if any), and the categories of third parties to whom the personal information were sold.

• The Right to Access and Portability. The right to obtain access to the personal information we have collected about you and, where required by law, the right to obtain a copy of the personal information in a portable and, to the extent technically feasible, readily usable format that allows you to transmit the information to another entity without hindrance.

• The Right to Request Deletion. The right to request the deletion of personal information that we have collected from you, subject to certain exceptions.

• The Right to Correction. The right to request that any inaccuracies in your personal information be corrected, taking into account the nature of the personal information and the purposes of the processing of your personal information.

• The Right to Opt-Out of Sales or Sharing for Targeted Advertising. The right to direct us not to “sell” personal information we have collected about you to third parties for monetary or other valuable consideration, or “share” your personal information to third parties for cross-context behavioral advertising purposes.

• The Right to Control over Automated Decision-Making/Profiling. The right to direct us not to use automated decision-making or profiling for certain purposes.

• The Right to Control over Sensitive Information. The right to exercise control over our collection and processing of certain sensitive information.

• The Right to Appeal. Depending on your state of residency, you may be able to appeal a decision we have made in connection with your privacy rights request.

  • Colorado Residents: If your appeal is denied, you may contact the Colorado Attorney General to address your concerns here.
  • Connecticut Residents: If your appeal is denied, you may contact the Connecticut Attorney General to submit a complaint here.
  • Virginia Residents: If your appeal is denied, you may contact the Virginia Attorney General to submit a complaint here.
  • Texas Residents: If your appeal is denied, you may contact the Texas Attorney General to submit a complaint here.
  • Nevada Residents: If your appeal is denied, you may contact the Nevada Attorney General here.
  • Montana Residents: If your appeal is denied, you may contact the Montana Attorney General here.
  • Oregon Residents: If your appeal is denied, you may contact the Oregon Attorney General here.
  • Delaware Residents: If your appeal is denied, you may contact the Department of Justice to submit a complaint at [email protected].
  • Iowa Residents: If your appeal is denied, you may contact the Iowa Attorney General to submit a complaint here.
  • Nebraska Residents: If your appeal is denied, you may contact the Iowa Attorney General to submit a complaint here.
  • New Hampshire Residents: If your appeal is denied, you may contact the New Hampshire Attorney General to submit a complaint here.
  • New Jersey Residents: If your appeal is denied, you may contact the New Jersey Division of Consumer Affairs in the Department of Law and Public Safety to submit a complaint here.

Depending on your state of residency, you may also have the right to not receive retaliatory or discriminatory treatment in connection with a request to exercise the above rights. However, the exercise of the rights described above may result in a different price, rate or quality level of product or service where that difference is reasonably related to the impact the right has on our relationship or is otherwise permitted by law.

How to Exercise Your Privacy Rights

To submit a request to exercise one of the privacy rights identified above, please submit a request:

• By Email: Please contact us by email at [email protected] with an explanation of the rights you wish to exercise and submit the required verifying information, as further described below.
• By Mail: You may also exercise your right to request that we delete the personal information we have collected from you or maintain about you by sending a letter to us by mail that explains you would like to exercise this right and that includes your name and email address associated with your account. You can send this letter to us at the following address: GOAT Group, Attn: GOAT Group CCPA, P.O. Box 91258, Los Angeles, CA 90009-1258.

We may need to verify your identity before processing your request, which may require us to request additional personal information from you or require you to log in to your account, if you have one. Note that we may need to request additional information from you to verify your identity or process your request, although you will not be required to create an account with us to submit a request or have it fulfilled. At a minimum, we may ask you for your name, email address, and telephone number. We will use the personal information you provide us in connection with your exercise of the above rights only to review and comply with your request.

In certain circumstances, we may decline a request to exercise the rights described above, particularly where we are unable to verify your identity or locate your information in our systems. If we are unable to comply with all or a portion of your request, we will explain the reasons for declining to comply with the request.

Exercise Your Right to Opt-Out of Personal Information Sales or Sharing for Targeted Advertising

We do not “sell” personal information as most people would typically understand that term (i.e., we do not share your information in exchange for money), but certain uses may be deemed the “sale” of personal information under applicable privacy laws. Unless you have exercised your Right to Opt-Out, we may disclose or “sell” your personal information to third parties for non-monetary consideration, or “share” your personal information to third parties for cross-context behavioral advertising purposes. The third parties to whom we sell or share personal information may use such information for their own purposes in accordance with their own privacy policies.

You do not need to create an account with us to exercise your Right to Opt-Out. However, we may ask you to provide additional personal information so that we can properly identify you to track compliance with your opt-out request. We will only use personal information provided in an opt-out request to review and comply with the request. If you choose not to provide this information, we may only be able to process your request to the extent we are able to identify you in our data systems.

To exercise the Right to Opt-Out, you may submit a request by:

• Cookies-based Opt-Out (Do Not Sell or Share My Personal Information). To exercise your Right to Opt-Out as it relates to the use of cookies and other tracking technologies for analytics and targeted ads, please click “Your Privacy Choices” at the footer of the website. Please note this opt-out is browser specific. You must reset your preferences if you clear cookies or use a different browser or device. For GOAT mobile app users, please go to your Profile > Settings > Privacy & Security > Your Privacy Choices. For alias mobile app users, please go to Account > Settings > Privacy & Security > Privacy Choices.

• Opt Out of “Selling” of Personal Information. In limited circumstances, we may share your personal information (such as your name and email address) with third parties who may use such information for their own commercial or business purposes. To opt out of such sharing, please email [email protected].

Authorized Agents

In certain circumstances, you are permitted to use an authorized agent (as that term is defined by the applicable privacy law) to submit requests on your behalf through the designated methods set forth in these U.S. Disclosures where we can verify the authorized agent’s authority to act on your behalf.

For requests to know, delete, or correct personal information, we require the following for verification purposes: (a) a power of attorney valid under the laws of the state where you reside from you or your authorized agent; or (b) sufficient evidence to show that you have: (i) provided the authorized agent signed permission to act on your behalf; and (ii) verified your own identity directly with us pursuant to the instructions set forth in these U.S. Disclosures; or directly confirmed with us that you provided the authorized agent permission to submit the request on your behalf.

For requests to opt out of personal information “sales” or “sharing”, we require a signed permission demonstrating your authorized agent has been authorized by you to act on your behalf.

Appealing Privacy Rights Decisions

Depending on your state of residency, you may be able to appeal a decision we have made in connection with your privacy rights request. All appeal requests should be submitted by emailing [email protected] or mailing a letter to us at the following address: GOAT Group, Attn: GOAT Group CCPA, P.O. Box 91258, Los Angeles, CA 90009-1258.

California-Specific Disclosures

The following disclosures only apply to residents of the State of California.

• Personal Information Collection. In the last 12 months, we may have collected the following categories of personal information:
  • identifiers (such as first and last name, email address, or unique online identifiers),
  • categories of information described in Section 1798.80(e) of the California Civil Code (such as phone number, bank account number, credit card number, or debit card number),
  • commercial or transactions information (such as records of personal property or products or services purchased, obtained or considered),
  • internet/network information (such as browsing history, search history, interactions with a website, email, application, or advertisement),
  • geolocation information,
  • biometric Information, such as facial geometry used to create a unique biometric identifier in order to verify your identity,
  • inferences drawn from the above information about your predicted characteristics and preferences,
  • other personal information (such as information you submit via a request form and any communications between you and a customer support agent, as well as information we receive from social media platforms), and
  • sensory information (such as call recordings).

In the last 12 months, we may have collected the following categories of sensitive personal information: account log-in in combination with a password allowing access to an account, as well as social security number, government ID, and biometric information (i.e., facial geometry). We do not use or disclose sensitive personal information for any purpose other than for performing services you have requested, for detecting security incidents, fraud and other illegal actions, complying with applicable laws, regulations or other legal obligations, or for short term transient use. We collect and process sensitive information without the purpose of inferring characteristics about a consumer, and we do not sell sensitive information or process or otherwise share sensitive personal information for the purpose of targeted advertising.

For more information about our collection of personal information, the sources of personal information, and how we use this information, please see Our Collection and Use of Personal Information section of our Privacy Policy.

• Disclosure of Personal Information. In the last 12 months, we may have disclosed all of the categories of information described above to third parties for a business purpose, as described in the Disclosure of Personal Information section of our Privacy Policy. The categories of third parties to whom we sell or disclose your personal information for a business purpose include:

  • Service providers;
  • Affiliates;
  • Government entities.

• Sales of Personal Information and Sharing for Targeted Advertising. In the previous 12 months, we have sold the following categories of personal information to third parties:

  • Identifiers;
  • Commercial information;
  • Internet/network information.

In addition, please see our Cookie Policy to learn more about how third-party advertising networks, social media companies and other third-party businesses collect and disclose your personal information directly from your browser or device through cookies or tracking technologies when you visit or interact with our Sites, use our Apps or otherwise engage with us.

Minors. We do not sell the personal information and do not have actual knowledge that we sell the personal information of minors under the age of 16. Please contact us at [email protected] to inform us if you, or your minor child, are under the age of 16.

If you are under the age of 18 and you want to delete your account, please contact us directly at [email protected]. We may not be able to modify or delete your information in all circumstances.

If you wish to submit a privacy request on behalf of your minor child in accordance with applicable jurisdictional laws, you must provide sufficient information to allow us to reasonably verify your child is the person about whom we collected personal information and you are authorized to submit the request on your child’s behalf (i.e., you are the child’s legal guardian or authorized representative).

“Shine the Light”. The California “Shine the Light” law gives residents of California the right under certain circumstances to request information from us regarding the way we share certain categories of personal information (as defined in the Shine the Light law) with third parties for their direct marketing purposes. To opt out of this type of sharing, please email us at [email protected].

Financial Incentives. We may provide financial incentives to consumers who allow us to collect and retain personal information, such as identifiers (e.g., name and email address) and commercial information (e.g., purchase history). These incentives may result in differences in our prices or services offered to consumers and may include a lower price for goods and services (e.g., discounts and other promotions). For example, the financial incentives we may provide include discounts or promo codes for certain existing customers. The material aspects of any financial incentive will be explained and described in its program terms or in the details of the incentive offer.

Please note that participating in any financial incentive program is entirely optional and participants may withdraw from the program at any time. To opt out of the program and forgo any ongoing incentives, please follow the instructions in the program’s terms and conditions or contact us using the contact information referenced in the Contact Us section of the Privacy Policy.

Each financial incentive or price or service difference related to the collection and use of personal information is based upon our reasonable, good faith determination of the estimated value of such information to our business, taking into consideration the value of the offer itself and the anticipated revenue generation that may be realized by rewarding brand loyalty and/or repeat purchases.

ADDITIONAL CANADA-SPECIFIC PRIVACY DISCLOSURES

Last updated: October 10, 2023

This section contains disclosures required by the Personal Information Protection and Electronic Documents Act and substantially similar provincial privacy laws in Canada, including Quebec’s Act respecting the protection of personal information in the private sector, as may be amended from time to time (“Canada Disclosures”). These Canada Disclosures supplement the information contained in our Privacy Policy and apply solely to individual residents of Canada (“you”). Unless otherwise expressly stated, all terms in this section have the same meaning as defined in our Privacy Policy or as otherwise defined in the applicable Canadian privacy law. Please note our Privacy Officer can be contacted at [email protected]. If you are a resident of Quebec, Canada, please see Politique De Protection Des Renseignements Personnels for the French translation of the Privacy Policy.

Cross-jurisdictional Transfers. By providing us with personal information, you acknowledge and agree that your personal information may be transferred to other jurisdictions for processing and storage, including in servers located across Canada and in the United States, where laws regarding the protection of personal information may be less stringent than the laws in your jurisdiction. Further, your personal information may be accessible to law enforcement, national security authorities, and the courts of such jurisdictions. Where necessary to make such transfers, we will comply with our legal and regulatory obligations in relation to the personal information.

Your Legal Rights. Subject to certain exemptions, as permitted by law, you have the following rights in relation to the personal information we hold about you:

• Right of Access. You have the right to access the personal information we hold about you and to receive a general account of our uses of that personal information. Upon receipt of a written request from you, we will provide you with a copy of your personal information, although in certain limited circumstances, we may not be able to make all relevant personal information available to you, for example, where that personal information also relates to another individual. In such circumstances, we will, upon request, provide you with the reasons for such refusal. We will endeavour to deal with all requests for access of personal information in a timely manner.

• Right to Rectification. If the personal information we hold about you is inaccurate or incomplete, you are entitled to have it rectified. Where appropriate, such amended personal information will be provided to the parties to whom we are authorized to disclose your personal information. We will endeavour to deal with all requests for rectification of personal information in a timely manner.

• Right to Erasure. You can ask us to delete or remove your personal information in some circumstances such as where we no longer need your information to fulfill the purposes for which it was collected, or if you withdraw your consent (where applicable because your consent was the legal basis on which we were processing your personal information). If you are entitled to erasure and if we have shared your personal information with others, we will take reasonable steps to inform those others where possible and where this would not involve disproportionate effort.

• Right to Personal Information Portability. You may have the right, in certain circumstances, to obtain personal information you have provided us with (in a structured, commonly used, and machine-readable format) and to reuse it elsewhere or to ask us to transfer this to a third party of your choice.

• Right to Withdraw Consent. If we rely on your implicit or explicit consent as our legal basis for processing your personal information, you have the right to withdraw that consent at any time. However, this will not affect the lawfulness of any processing carried out before you withdrew your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. We may use your information to send important notices or communications regarding your orders, even if you have opted out from our marketing communications.

ADDITIONAL PRIVACY DISCLOSURES FOR EEA, UK AND SWISS USERS

Last updated: December 19, 2023

This section contains disclosures on how we collect, store, process, transfer, share, or use data that identifies or is associated with residents of the European Economic Area (“EEA”), Switzerland, and the United Kingdom (“UK”) ("personal data") and information regarding our use of cookies and similar technologies (collectively, “EU Disclosures”) in connection with the Services. These EU Disclosures supplement the information contained in our Privacy Policy and apply solely to residents of the EEA, Switzerland, and the UK (“you”). Please ensure that you have read and understood these EU Disclosures before accessing or using the Services. Unless otherwise expressly stated, all terms in this section have the same meaning as defined in our Privacy Policy or as otherwise defined in the EU General Data Protection Regulation and the UK General Data Protection Regulation (collectively, “GDPR”).

The controller, which is the company belonging to GOAT Group that is responsible for the processing of your personal data, depends on how you interact with the GOAT Group brands. As such, the relevant controller will typically consist of one or two entities: (1) The main entity who manages the GOAT Group brands based on region, and, if applicable, (2) the local company you interact with in connection with localized activities (e.g., marketing campaigns, events, promotions). In connection with the local controller, the controller and contact information will be disclosed in the specific method of interaction.

Personal Data We Collect from You When You Use the Services and How We Use It. We collect personal data as set out in the Our Collection and Use of Personal Information section of our Privacy Policy. We will indicate to you where the provision of certain personal data is mandatory. If you choose not to provide such personal data, we may not be able to provide those parts of the Services to you or respond to your other requests.

Annex 1 sets out in detail the categories of personal data we collect about you and how we use that information when you use the Services, as well as the legal basis which we rely on to process the personal data and recipients of that personal data.

Information We Collect About You Automatically. We also automatically collect personal data indirectly about how you access and use the Services, and information about the device you use to access the Services, or otherwise engage with us. Please see our Cookie Policy for more information about what data we collect and how we use it.

Annex 2 sets out in detail the categories of personal data we collect about you automatically and how we use that information. The table also lists the legal basis which we rely on to process the personal data and recipients of that personal data. For more information on cookies and other tracking technologies we use, please see our Cookie Policy.

• We may link or combine the personal data you provide and the information we collect automatically. This allows us to provide you with a personalized experience regardless of how you interact with us.
• We may anonymize and aggregate any of the personal data we collect (so that it does not directly identify you) and may use the anonymized and aggregated information or disclose it as set out in our Privacy Policy.

Marketing and Advertising. From time to time, we may contact you with information about our products and services, including sending you marketing messages and asking for your feedback on our products and services.

• For some marketing messages, we may use personal data we collect about you to help us determine the most relevant marketing information to share with you.
• We will only send you marketing messages if you have given us your consent to do so. You can withdraw your consent later by clicking on the “unsubscribe” link at the bottom of our marketing emails.

Storing and Transferring Your Personal Data.

• Security. We implement appropriate technical and organizational measures to protect your personal data against accidental or unlawful destruction, loss, change or damage. We will never send you unsolicited emails or contact you by phone requesting your account ID, password, credit or debit card information or national ID numbers.

• International Transfers of Your Personal Data. The personal data we collect may be transferred to and stored in countries outside of the jurisdiction you are in where we and our third-party providers have operations, including in the United States. If you are accessing the Services from the EEA, UK or Switzerland, your personal data will be processed outside of the EEA, UK or Switzerland. In the event of such a transfer, we ensure that: (i) the personal data is transferred to countries recognized as offering an equivalent level of protection; or (ii) the transfer is made pursuant to appropriate safeguards, such as standard data protection clauses adopted by the European Commission. Annex 3 sets out in detail the provisions for international transfers of your personal data to the United States if you are accessing the Services from the EEA, UK or Switzerland.

Your Rights in Respect of Your Personal Data. In accordance with applicable privacy law, you have the following rights in respect of your personal data that we hold:

• Right of access. You have the right to obtain:

  • confirmation of whether, and where, we are processing your personal data;
  • information about the categories of personal data we are processing, the purposes for which we process your personal data and information as to how we determine applicable retention periods;
  • information about the categories of recipients with whom we may share your personal data; and
  • a copy of the personal data we hold about you.

• Right of portability. You have the right, in certain circumstances, to receive a copy of the personal data you have provided to us in a structured, commonly used, machine-readable format that supports re-use, or to request the transfer of your personal data to another person.

• Right to rectification. You have the right to obtain rectification of any inaccurate or incomplete personal data we hold about you without undue delay.

• Right to erasure. You have the right, in some circumstances, to require us to erase your personal data without undue delay if the continued processing of that personal data is not justified.

• Right to restriction. You have the right, in some circumstances, to require us to limit the purposes for which we process your personal data if the continued processing of the personal data in this way is not justified, such as where the accuracy of the personal data is contested by you.

• Right to withdraw consent. If you have provided consent for the processing of your personal data, you have the right to withdraw your consent. If you withdraw your consent, this will not affect the lawfulness of our use of your personal data before your withdrawal.

You also have the right to object to any processing based on our legitimate interests where there are grounds relating to your situation. There may be compelling reasons for continuing to process your personal data, and we will assess and inform you if that is the case. You can object to marketing activities for any reason.

You also have the right to lodge a complaint to your local data protection authority. Information about how to contact your local data protection authority is available here.

If you wish to exercise one of these rights, please contact us using the details referenced in the Contact Us section of the Privacy Policy.

Due to the confidential nature of data processing, we may ask you to provide proof of identity when exercising the above rights. This can be done by providing a scanned copy of a valid identity document or a signed photocopy of a valid identity document.

ANNEX 1: PERSONAL DATA YOU PROVIDE TO US

Contact information and identifiers, such as your first name, last name, email address, phone number, and birthdate.

• How we may use your contact information and the legal bases for processing:
  • We may use this information to set up and authenticate your account on the Services. The processing is necessary for the performance of a contract with you and to take steps prior to entering a contract with you, namely our Terms of Use.
  • We may use this information to communicate with you, including sending service-related communications. The processing is necessary for the performance of a contract with you, namely our Terms of Use.
  • We may use this information to deal with enquiries and complaints made by or about you relating to the Services. The processing is necessary for our legitimate interests, namely administering the Services, and for communicating with you effectively to respond to your queries or complaints.
  • We may use this information to send you unsolicited marketing communications in accordance with your preferences. We will only use your personal data in this way to the extent you have given us consent to do so.
• Recipients of this information: We may share this information with payment processors to identify you so that you can make and receive payments through the Services. We may also share your personal data with our email marketing providers.

Profile and log-in information. This is information you choose to put in your profile such as username, phone number, photo, mailing address and shoe size.

• How we may use your profile and log-in information and the legal bases for processing:
  • We use this information to allow you to populate your profile with relevant information. The processing is necessary for the performance of a contract and to take steps prior to entering a contract, namely our Terms of Use.
  • We use this information to provide to you the features and functionality of the Services. The processing is necessary for the performance of a contract and to take steps prior to entering a contract, namely our Terms of Use.
• Recipients of this information: We may share this information with third parties that help us prevent fraud on our platform and shipping carriers or logistics providers that facilitate the delivery of an item purchased on our platform.

Payment and transaction information, such as your credit/debit card numbers, payment authentication code, billing address, and other information such as date and time of your transaction.

• How we may use your payment and transaction information and the legal bases for processing:
  • We may use this information to process the payments you make or receive through the Services. The processing is necessary for the performance of a contract, namely our Terms of Use.
  • We may use this information to verify your identity in connection with the detection and prevention of fraud or financial crime. The processing is necessary for our and third parties’ legitimate interests, namely the detection and prevention of fraud and financial crime.
• Recipients of this information: We may share this information with payment processors to identify you so that you can make and receive payments through the Services.

Identity and compliance information, such as your name, birthdate, address, phone number, email address, bank account information, national ID number, VAT ID number or other tax ID number, and copies of government ID or tax documents, along with a selfie image. This information may also be used by our third-party provider, Persona, to create a unique biometric identifier based on facial geometry.

• How we may use your identity and compliance information and the legal basis for processing:
  • We use data collection and verification services provided by a third-party provider, Persona, to collect and verify your information in order to comply with legal obligations and protect against fraud and abuse. Persona may use a combination of machine-learning tools and optical scans to verify your identity document and may use facial recognition technology to produce a unique biometric identifier based on facial geometry that can be used to compare your selfie to the image on the identity document you provided to determine the likelihood that the images are a "match." The processing is necessary for our and third parties’ legitimate interests, namely the detection and prevention of fraud and financial crime and compliance with applicable laws and regulations.
• Recipients of this information: We use identity verification services provided by a third-party provider, Persona. We do not receive the biometric identifier generated from the images. It is generated and held by Persona until we inform them that the biometric identifier is no longer needed for the purposes described in our Privacy Policy and must be destroyed. For identity verification and compliance purposes, we will have access to the selfie image and will receive the information extracted from the scan of the government ID document as well as the results of the verification process. We may also share relevant information with local authorities to fulfil our legal obligations.

Information about your activity on the Services, such as any offers for products you have made, any products on your 'want list', and information about any products you have purchased, listed for sale or sold.

• How we may use information about your activity on the Services and the legal basis for processing:
  • We use this information to provide to you the features and functionality of the Services. The processing is necessary for the performance of a contract and to take steps prior to entering a contract, namely our Terms of Use as well as to comply with our legal obligations.
• Recipients of this information: We may share this information with our cloud storage provider and other third-party providers. We may also share certain information with local tax authorities to fulfil our legal obligations.

Chat, comments, opinions. When you contact us directly (e.g., by email or phone), we may record your comments and opinions.

• How we may use information about any direct contact from you and the legal bases for processing:
  • We may use this information to address your questions, issues and concerns. The processing is necessary for our legitimate interests, namely communicating with you and responding to queries, complaints and concerns.
  • We may use this information to improve the Services. The processing is necessary for our legitimate interests (i.e., to develop and improve our Services).
• Recipients of this information: We may share any information you provide to us when you contact us with our customer support platforms to process any customer support queries you might submit to us.

Your preferences such as preferences set for notifications, marketing communications, how the Services are displayed and the active functionalities on the Services.

• How we may use information about your preferences and the legal bases for processing:
  • We use this information to provide notifications, send news, alerts and marketing communications and provide the Services in accordance with your choices. The processing is necessary for our legitimate interest, namely ensuring the user receives the correct marketing and other communications, and that features are displayed in accordance with the user's preferences.
  • We use this information to ensure that we comply with our legal obligation to send only those marketing communications to which you have consented. The processing is necessary for compliance with a legal obligation to which we are subject.
• Recipients of this information: We may share this information with our email marketing providers to send out relevant communications as well as third-party providers that support our compliance efforts.

All personal data set out above.

• How we may use all personal data set out above and the legal basis for processing:
  • We may use all the personal data we collect to operate, maintain and provide to you the features and functionality of the Services, to communicate with you, to monitor and improve the Services and business, and to help us develop new products and services. The processing is necessary for our legitimate interests, namely, to administer and improve the Services.

ANNEX 2: PERSONAL DATA COLLECTED AUTOMATICALLY

Approximate location information. Other than information you choose to provide to us (when you enable location services and/or grant permission for location tracking), we do not collect information about your precise location. Your device’s IP address may however help us determine an approximate location.

• How we may use your approximate location information and the legal bases for processing:
  • We may use information you provide to us about your location to monitor and detect fraud or suspicious activity in relation to your account. The processing is necessary for our legitimate interests, namely, to protect our business and your account from fraud and other illegal activities.
  • We may use this information to tailor how the Services are displayed to you (such as the language in which it is provided to you). The processing is necessary for our legitimate interest, namely tailoring our service so that it is more relevant to our users.

Information about how you access and use the Services. For example, how frequently you access the Services, the time you access the Services and how long you use it for, the approximate location that you access the Services from, the site from which you came and the site to which you are going when you leave our Site, the website pages you visit, the links you click, whether you open emails or click the links contained in emails, whether you access the Services from multiple devices, and other actions you take on the Services.

• How we may use information about how you access and use the Services and the legal bases for processing:
  • We may use information about how you use and connect to the Services to present the Services to you on your device. The processing is necessary for our legitimate interests, namely, to tailor the Services to the user.
  • We may use this information to determine products and services that may be of interest to you for marketing purposes. The processing is necessary for our legitimate interests, namely, to inform our direct marketing.
  • We may use this information to monitor and improve the Services and business, resolve issues and to inform the development of new products and services. The processing is necessary for our legitimate interests, namely, to monitor and resolve issues with the Services and to improve the Services generally.

Log files and information about your device. We also collect information about the tablet, smartphone or other electronic device you use to connect to the Services. This information can include details about the type of device, unique device identifiers, operating systems, browsers and applications connected to the Services through the device, your mobile network, your IP address and your device’s telephone number (if it has one).

• How we may use log files and information about your device and the legal bases for processing:
  • We may use information about how you use and connect to the Services to present the Services to you on your device. The processing is necessary for our legitimate interests, namely, to tailor the Services to the user.
  • We may use this information to monitor and improve the Services and business, resolve issues, prevent fraud, and to inform the development of new products and services. The processing is necessary for our legitimate interests, namely, to monitor and resolve issues with the Services and to improve the Services generally.

Recipients of personal data set forth above. We may share this information with the following: affiliates and third-party providers, including payment processors, customer support platforms, email marketing providers, fraud prevention vendors, cloud storage providers and analytics providers; and third-party social media platforms.

ANNEX 3: PROVISIONS FOR INTERNATIONAL TRANSFERS OF YOUR PERSONAL DATA TO THE UNITED STATES

GOAT and its U.S. subsidiaries (Flight Club New York, LLC and Grailed, LLC) (hereinafter “we”) comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. We have certified to the U.S. Department of Commerce that we adhere to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles (collectively, the DPF Principles), the DPF Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please click here.

The Federal Trade Commission has jurisdiction over our compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF.

Complaints per the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF

In compliance with the EU-U.S. DPF, and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, we commit to resolve DPF Principles-related complaints about our collection and use of your personal data. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact us using the details referenced in the Contact Us section of the Privacy Policy. EU, UK and Swiss individuals may, under certain circumstances, invoke binding arbitration with respect to complaints about our collection and use of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF. See DPF Annex 1 here.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, we commit to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to Judicial Arbitration and Mediation Services, Inc. (JAMS), an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit here for more information or to file a complaint. The services of JAMS are provided at no cost to you.

Onward transfers to third parties

In the event that we disclose your personal data to third parties to perform certain business-related services on our behalf as “agents” (as such term is utilized under the DPF), we will do so only for limited and specified purposes consistent with any notice provided to you or your choices regarding processing and disclosure. These companies perform services at our instruction and pursuant to contracts which require they provide at least the same level of privacy protection as is required under the DPF and notify us if they are no longer able to provide such protections, at which point we will take reasonable remedial steps. We may also disclose personal data to our affiliates in order to support marketing, sale, and delivery of any services, or other business operations as disclosed in the Disclosure of Personal Information section of the Privacy Policy and Annex 1 to the Additional Privacy Disclosures for EEA, UK and Swiss Users.

Our accountability for personal data that we receive under the DPF and subsequently transfers to a third party is described in the DPF Principles. In particular, we remain responsible and liable under the DPF Principles if third-party agents that we engage to process the personal data on our behalf do so in a manner inconsistent with the DPF Principles, unless we prove that we are not responsible for the event giving rise to the damage.

In certain situations, we may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Option to limit certain onward transfers to third parties

You have the opportunity to opt out of sharing of your personal data with third parties other than our agents or before we use it for a purpose other than which it was originally collected or subsequently authorized. To limit the use and disclosure of your personal data under the DPF, please submit a written request using the details referenced in the Contact Us section of the Privacy Policy, indicating as such.

We will not disclose your sensitive personal data to any third party without first obtaining your opt-in consent.

In each instance, please allow us a reasonable amount of time to process your response.

Your DPF rights

Upon request to us, we will confirm whether we are processing your personal data pursuant to the DPF and provide you with the data in a reasonable amount of time. You also have the right to correct, amend, or delete the personal data processed pursuant to the DPF where it is inaccurate or has been processed in violation of our privacy disclosures to you, except where the burden or expense of providing access would be disproportionate to the risks to the individual’s privacy in the case in question, or where the rights of persons other than the individual would be violated. We may require payment of a non-excessive fee to defray our expenses in this regard. Please allow us a reasonable amount of time to respond to your inquiries and requests.

Personal data retention

We will retain the personal data processed pursuant to the DPF in a form that identifies you pursuant to the retention policy described above. We may continue processing such personal data for longer periods, but only for the time and to the extent such processing reasonably serves the purposes of archiving in the public interest, journalism, literature and art, scientific or historical research and statistical analysis, and subject to the protection of our privacy disclosures. After such time periods have expired, we may either delete your personal data or retain it in a form such that it does not identify you personally.

How we protect your data

We will implement reasonable and appropriate security measures to protect your personal data from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the risks involved in processing and the nature of such data.

If you wish to enquire further about these safeguards used, please contact us using the details referenced in the Contact Us section of the Privacy Policy.

COOKIE POLICY

Last updated: November 1, 2023

Unless otherwise expressly stated, terms in this policy have the same meaning as defined in the Privacy Policy.

I. SCOPE OF POLICY

This Cookie Policy supplements the information contained in the Privacy Policy and explains how we and our third-party partners and service providers use cookies and related technologies while managing and providing our online services and our electronic communications to you. It explains what these technologies are and why we use them, as well as your rights to control our use of them.

In some cases, we may use cookies and related technologies described in this Cookie Policy to collect personal information, or to collect information that becomes personal information if we combine it with other information. For more details about how we process your personal information, please review the Privacy Policy.

2. WHAT ARE COOKIES AND RELATED TECHNOLOGIES

As is common practice among websites, our Services use cookies, which are tiny files downloaded to your device that allow us and our third-party partners and service providers to collect certain information about your interactions with our email communications, Sites and other online services, and that improve your experience. We and our third-party partners and service providers may also use other, related technologies to collect this information, such as web beacons, pixels, embedded scripts, location-identifying technologies and logging technologies (collectively, “cookies”).

We use the following types of cookies:

• Strictly necessary cookies. These cookies enable core functionality such as security, network management and accessibility. You may disable these by changing your browser settings, but this may affect how the Services function. The legal basis for our use of strictly necessary cookies is our legitimate interests, namely being able to provide and maintain our Services.

• Functional cookies. These cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in. The legal basis for our use of functional cookies is our legitimate interests, namely being able to provide and maintain our Services.

• Analytical/performance cookies. These cookies allow us to recognize and count the number of visitors to our Services, and to see how visitors move around our Services when they are using them. This helps us to improve the way our Services work, for example, by ensuring that users are finding what they are looking for easily. If you are accessing our Services with a European IP address, you have been asked to consent to the use of these cookies. You are free to deny your consent.

• Targeting Cookies. These cookies record your visit to our Services, the pages you have visited and the links you have followed. They are used to track visitors across our Services. If you are accessing our Services with a European IP address, you have been asked to consent to the use of these cookies. You are free to deny your consent.

If you are visiting the Site from the EEA, please see the Cookie Library by clicking on “Cookie Settings” at the footer of this page for more information about the cookies we use on the Site. For App users, please see the SDK Library by going to your Profile > Settings > Privacy & Security > Privacy Settings in the Apps for more information about the technologies we use on the Apps. Please see our Privacy Policy for more information about cookies and other similar technologies.

3. WHAT WE COLLECT WHEN USING COOKIES

We and our third-party partners and service providers may use cookies to automatically collect certain types of usage information when you visit or interact with our emails and Services. For example, we may collect log data about your device and its software, such as your IP address, unique device identifier, operating system, browser type, date and time of your visit, and other similar information. Our emails may also contain tracking pixels that identify if and when you have opened an email that we have sent you, how many times you have read it and whether you have clicked on any links in that email. We may also collect analytics data or use third-party analytics tools to help us measure usage and activity trends for our online services and better understand the individuals using our services. We also may collect location data, including general geographic location based on IP address.

We may include or engage in the following as part of our Services:

• Social Media Widgets. Our Services may include social media features, such as the ability to share content on Instagram or Twitter or other widgets. These social media companies may recognize you and collect information about your visit to our Services, and they may set a cookie or employ other tracking technologies. Your interactions with those features are governed by the privacy policies of those companies.

• Social Media Platforms. We may display targeted advertising to you through social media platforms, such as Facebook, Twitter, Instagram, and LinkedIn. These companies have interest-based advertising programs that allow us to direct advertisements to users who have shown interest in our services while those users are on the social media platform, or to groups of other users who share similar traits, such as likely commercial interests and demographics. We may share a unique identifier, such as a user ID, with these platform providers or they may collect information from our Site visitors through a first-party pixel, to direct targeted advertising to you or to a custom audience on the social media platform. These advertisements are governed by the privacy policies of those social media companies that provide them. If you do not want to receive targeted ads on your social networks, you may be able to adjust your advertising preferences through your settings on those networks.

• Third-Party Partners. We work with a variety of third-party partners to provide analytics and advertising services. For example, we use Google Analytics to recognize you and link the devices you use when you visit our Services on your browser or mobile device, log in to your account on our Services, or otherwise engage with us. We share a unique identifier, like a user ID, with Google to facilitate the service. Google Analytics allows us to better understand how our users interact with our Services and to tailor our advertisements and content accordingly. For information on how Google Analytics collects and processes data, as well as how you can control information sent to Google, review Google's website, “How Google uses data when you use our partners’ sites or apps” located here. You can learn about Google Analytics’ currently available opt-outs, including the Google Analytics Browser Ad-On here.

We may also utilize certain forms of display advertising and other advanced features through Google Analytics. These features enable us to use first-party cookies (such as the Google Analytics cookie) and third-party cookies (such as the DoubleClick advertising cookie) or other third-party cookies together to inform, optimize, and display ads based on your past visits to the Services. You may control your advertising preferences or opt out of certain Google advertising products by visiting the Google Ads Preferences Manager, currently available here, or by visiting NAI’s online resources here.

4. HOW WE USE INFORMATION COLLECTED VIA COOKIES

We use cookies for a variety of reasons outlined below:

• If you create an account with us, we will use cookies for the management of the sign-up process and general administration. These cookies will usually be deleted when you log out; however, in some cases, they may remain to remember your site preferences when logged out.
• The Services may offer payment capabilities and some cookies are essential to ensure that your order is remembered between pages so that we can process it properly.
• When you submit data through a form, such as those found on the contact pages, cookies may be set to remember your user details for future correspondence.
• To provide you with a great experience on the Services, we provide the functionality to set your preferences for how the Services run when you use it. To remember your preferences, we need to set cookies so that this information can be called whenever you interact with a website page.
• We use cookies to provide and monitor the effectiveness of our Services, monitor online usage and activities of our Services, and facilitate the purposes identified in the Our Collection and Use of Personal Information section of our Privacy Policy.
• We may also use the information we collect through cookies to understand your browsing activities, including across unaffiliated third-party websites, so that we can deliver information about products and services that may be of interest to you.
• Tracking technology used in emails helps us measure the effectiveness of our marketing email campaigns, make the emails we send to you more relevant to your interests and help us understand if you have opened and how you interacted with our emails.

Please note that we link some of the personal information we collect through cookies with the other personal information that we collect about you and for the purposes described in our Privacy Policy.

5. YOUR CHOICES ABOUT COOKIES

If you are in the EEA, UK, or Switzerland, other than strictly necessary cookies, which are required for the operation of our Service, we will only place cookies on your device if you give us your consent to do so. We will ask you to tell us which cookies you agree to receive when you first access our Service.

If you would prefer not to accept cookies, you can use our cookie consent management tool located at the bottom of the Site. Moreover, most browsers will allow you to change the setting of cookies by adjusting the settings on your browser to: (i) notify you when you receive a cookie, which lets you choose whether to accept it; (ii) disable existing cookies; or (iii) set your browser to automatically reject cookies. Be aware that disabling cookies may negatively affect the functionality of this and many other websites that you visit. Disabling cookies will usually result in also disabling certain functionalities and features of the Services.

Depending on your device and operating system, you may not be able to delete or block all cookies. In addition, if you want to reject cookies across all your browsers and devices, you will need to do so on each browser on each device you actively use. These settings will typically be found in the "options" or "preferences" menu of your browser. To understand these settings, the following links may be helpful, otherwise you should use the "Help" option in your browser for more details.

Cookie settings in Internet Explorer

Cookie settings in Firefox

Cookie settings in Chrome

Cookies settings in Safari web and iOS

You may also set your email options to prevent the automatic downloading of images that may contain technologies that would allow us to know whether you have accessed our emails and performed certain functions with them.

If you would like to find out more about cookies and other similar technologies, please visit www.allaboutcookies.org or the Network Advertising Initiative's online sources here.

Please note that deleting or blocking cookies may not be effective for all types of tracking technologies, such as Local Storage Objects (LSOs) like HTML5.