NUTRI-LINK TECHNOLOGIES, INC.
Product and Services Privacy Policy
Effective Date: May 29, 2024

Nutri-Link Technologies, Inc. (“Nutri-Link,” “we,” or “us”) understands that privacy is tremendously important to school districts and schools that purchase or subscribe to our Services (defined below) (“Clients”) and to educators and students whose information we may access on behalf of a Client (“Educators” and “Students”). Nutri-Link provides hosted solutions for public and private school districts, camps, school nutrition and food service operations, including online Free and Reduced Price School Meals Application submission and eligibility verification services, meal planning/fees and payment portals, and before/afterschool student dismissal.

This privacy policy applies to all of our products and services (collectively, the “Services”) and will help you understand how we collect, use and safeguard the personal information provided to us through the Services. This Privacy Policy (the “Policy” or “Privacy Policy”) is incorporated into the services agreement (or related terms of use) between Nutri-Link and its Clients (the “Services Agreement”), as well as the end user terms governing use of websites from which the Services may be accessible, including, without limitation, nlappscloud.com, curbsmart.net, mymealorder.com, onlineschoolfees.com, mymealline.com, summerebtapp.com and nutri-cafe.com. By using the Services, you acknowledge that you have read and agree to this Policy and consent to the collection, processing, sharing and retaining of information (including personal information or data) as described in this Privacy Policy. If you do not agree with this Policy or grant such consent, you may not use or access the Services.

This privacy policy does not apply to our marketing website, nutrilinktechnologies.com. Please visit nutrilinktechnologies.com/privacy to view the privacy policy applicable to that website.

A Special Note for International Users of the Services:  Our systems are currently based primarily in the United States, so your personally identifiable information will generally be processed by us in the United States, where data protection and privacy regulations may be different than other parts of the world, such as the European Union. If you use the Services as a visitor from outside the United States, you are agreeing to the terms of this Policy and, if applicable, the end user terms of use posted in association with the Services, and you will have consented to the transfer and processing of all such information in the United States, which may not offer an equivalent level of protection of that in the European Union or certain other countries. 

This Policy provides the following information:

1. How We Collect and Use Information
2. How We Share Information
3. How We Protect Your Information
4. Choices About Your Information
5. Compliance with Student Data Privacy Laws
6. Student Data Privacy Policies, Practices and Procedures
7. Children’s Privacy
8. Links to Other Websites and Services
9. Additional State Privacy Rights
10. How to Contact Us
11. Changes to This Policy

Transparency. We will always be transparent with the methods we use to collect data and describe exactly how we will use it to the benefit and strict direction of our Clients and their users.

1. HOW WE COLLECT AND USE INFORMATION

We collect the following types of information:

Information about Clients and Their Users: We ask for certain information when a Client administrator, Educator, parent or other user registers with Nutri-Link, or if the user corresponds with us online, which may include a name, school name, school district name, email address and/or account name and password, phone number, and/or message content. We may also retain information provided by a user if the user sends us a message, posts content to one of our websites or through our Services, or responds to emails or surveys. Once a Client begins using the Services, we will keep records of activities related to their and their users’ use of the Services.

We use information collected for the following purposes:

• To provide and maintain our Services, including to support, optimize improve and monitor the usage of our Services.
• To manage registered user accounts for the Services. The personal data you provide can give you access to different functionalities of the Services that are available to you as a registered user.
• For the performance of a contract for the products, items or services Clients have purchased or of any other contract with us. This may include contacting Client customers via email, telephone calls, SMS, or other equivalent forms of electronic communication as directed by our Clients based on the Customer Data provided by the Client or its customer or processing payments from Client customers on our Clients’ behalf.
• To contact users by email, telephone calls, SMS, or other equivalent forms of electronic communication, regarding updates or informative communications related to the functionalities, products or contracted services, including security updates, when necessary or reasonable for their implementation.
• To provide Clients and their employee users (but not parent or Student users) information that we think our Clients might find of interest from Nutri-Link or its affiliates such as new services, special offers, or other important service changes. You may choose not to receive these communications by contacting us at [email protected] or by following the opt-out procedure outlined in such communications. Please note that opting out of receiving these communications will not remove your personal information from our files, and we will still contact you as necessary to provide the Services at your request.
• To manage user requests to us, including requests for information regarding our products or services or to explore potential sales leads.
• To evaluate or conduct a business transfer, which may be structured as a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal data held by us in the Services users is among the assets transferred.
• To comply with applicable legal or regulatory requirements and our policies, and to protect against criminal activity, claims and other liabilities.
• For other purposes such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve our products, services, marketing and your experience.

We do not rent or sell Client or employee user contact information to third parties for marketing purposes.

Student Data: Nutri-Link may have access to personally identifiable information about Students (“Student Data”) in the course of providing the Services to a Client. We consider Student Data to be confidential and do not use such data for any purpose other than to provide the Services on the Client’s behalf as agreed in the Services Agreement. For many of our Services, Nutri-Link receives Student Data only from the Client and never interacts with the Student directly. In some instances, depending on the type and level of Services selected by the Client, the Services may require that parents or guardians access and use the Services to provide data as authorized and directed by the Client. Nutri-Link has access to Student Data only as requested by the Client and only for the purposes of performing Services on the Client’s behalf.

Student privacy is very important to us. Student Data is used only for educational purposes at the discretion of the applicable Client.  We do not use Student Data for marketing purposes, and we do not send marketing communications to students or parents.

Sensitive Personal Information: “Sensitive personal information” is information about an individual that reveals their racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic information, biometric information for the purpose of uniquely identifying an individual, information concerning health or information concerning a natural person’s sex life or sexual orientation.

We do not knowingly or intentionally collect sensitive personal information from individuals through the Services, with the exception of Student Data or other personal information submitted by or on behalf of our Clients or their users through the Services. Unless provided by you solely through the Services, and only as necessary to use the same, you must not submit to us Sensitive Personal Information of any kind.

Information Collected through Technology:  We automatically collect certain types of usage information when visitors use the Services. We may send one or more cookies — a small text file containing a string of alphanumeric characters — to your computer that uniquely identifies your browser and lets Nutri-Link help you log in faster and enhance your navigation through the Services. A cookie may also convey information to us about how you use the Services (e.g., the pages you view, the links you click and other actions you take on the Services), and allow us to track your usage of the Services over time. We may collect log file information from your browser or mobile device each time you access the Services. Log file information may include anonymous information such as your web request, Internet Protocol (“IP”) address, browser type, information about your mobile device, number of clicks and how you interact with links on the Service, pages viewed, and other such information. We may employ clear gifs (also known as web beacons), which are used to anonymously track the online usage patterns of our Users. The information allows for more accurate reporting and improvement of the Services. We may also collect analytics data, or use third-party analytics tools, to help us measure traffic and usage trends for the Services. We do not allow third party advertising networks to collect information about the users of our Services.

We use or may use the data collected through cookies, log files, device identifiers, and clear gifs information to: (a) remember information so that a user will not have to re-enter it during subsequent visits; (b) provide custom, personalized content and information; (c) to provide and monitor the effectiveness of our Services; (d) monitor aggregate metrics such as total number of visitors, traffic, and usage on our website and our Services; (e) diagnose or fix technology problems; and (f) help users efficiently access information after signing in.

Other non-public information or data received from Clients that constitutes “confidential information” under the terms of the applicable Services Agreement will be subject to the confidentiality terms outlined in that Services Agreement.

2.  HOW WE SHARE INFORMATION
Nutri-Link only shares personal information in a few limited circumstances, described below. We do not rent or sell information for marketing purposes.

• We may share information (including Student Data) with certain third-party providers whose software or services interface with or otherwise may receive information from, or provide information to, the Services, but only as directed or approved by our Clients or as necessary for us to fulfill requests submitted by our Clients or their users. We do not release Student Data to any third party without the prior written consent of the Client or the affected Student (if he or she 18 years of age or older) or his or her parent or legal guardian, as applicable. If Client has elected for the Services to be integrated with any other software or services utilized by Client, then Client has consented to our sharing of information (including Student Data) with the providers of such software or services.
• We may share information with those that provide us with technology or support services (e.g. web hosting, technical support and analytics services), but strictly for the purpose of carrying out their work for us. Client and its end users acknowledge that the Services, and the Student Data, will be made available in a hosted environment that may be provided by a third party, and Client consents to storage of Student Data in such environment solely for the purposes of providing the Services to Client and its users under the Services Agreement.
• We may share information you provide with other users with whom you share information or otherwise interact with via interactive features of the Services; any information shared in such forums may be viewed by all users with appropriate access permissions.
• We may use or disclose your personal information for any other purpose with your consent.
• We may be required to share information with law enforcement or other third parties when compelled to do so by court order or other legal process, to comply with statutes or regulations, to enforce our Services Agreements, or if we believe in good faith that the disclosure is necessary to protect the rights, property or personal safety of our users.
• If we sell, divest or transfer the business or a portion of our business, we may transfer information, provided that the new provider has agreed to data privacy standards no less stringent than our own. We may also transfer personal information – under the same conditions – in the course of mergers, acquisitions, bankruptcies, dissolutions, reorganizations, liquidations, similar transactions or proceedings involving all or a portion of our business.

3.  HOW WE PROTECT YOUR INFORMATION

We store our data in the United States and take strong measures to keep data safe and secure.

Storage and Processing: Any information collected through the Service is stored and processed in the United States. If you use our Service outside of the United States, you consent to have your data transferred to the United States.

Keeping Your Information Safe: Nutri-Link maintains administrative, technical and physical procedures to protect information stored in our servers, which are located in the United States. While no service provider can guarantee absolute security when communicating over the internet or wireless networks, we are committed to taking steps to help secure any personal information that may be in our possession. Access to information is limited (through user/password credentials and two factor authentication) to those employees who require it to perform their job functions. We use industry-standard Secure Socket Layer (SSL) encryption technology to safeguard the account registration process and sign-up information. We secure our system against external hacking and attacks with firewalls and restricted access protocols. Regardless, you should always be mindful and responsible whenever disclosing information online that the information is potentially accessible to the public, and consequently, could be collected and used by others without your consent.

You are responsible for maintaining the confidentiality of your access information and password used to access the Services. You are responsible for restricting access to your computer, and you agree to accept responsibility for all activities that occur under your password. We cannot secure any personal information that you release on your own, that you request us to release or that is released through another third party to whom you’ve given access.

Where required under applicable law or by contract, we will notify the appropriate parties or individuals of any loss, misuse or alteration of personal information so that such parties or individuals can take the appropriate actions for the due protection of their rights.

4.  CHOICES ABOUT YOUR INFORMATION

Account Information and Settings: Clients may update account information and modify Services by signing into the administrator account. Clients and their employee users can opt-out of receiving promotional email from us by contacting us at [email protected] or by following the opt-out procedure outlined in such communications. You cannot unsubscribe from Service-related messaging.

If you have any questions about reviewing or modifying account information, contact us directly at [email protected].

Access to Student Data: Student Data is controlled by our Clients. Clients have access to their Student Data via the Services. If you have any questions about reviewing, modifying, or deleting personal information of a Student, please contact your school district directly.

Deleting or Disabling Cookies: You may be able to disallow cookies to be set on your browser. Please look for instructions on how to delete or disable cookies and other tracking/recording tools on your browser’s technical settings. You may not be able to delete or disable cookies on certain mobile devices and/or certain browsers. For more information on cookies, visit www.allaboutcookies.org. Remember, disabling cookies may disable some of the features available on the Service, so we recommend you leave cookies enabled.

How Long We Keep User Content: Nutri-Link may retain user personal information for a commercially reasonable time for backup, archival, or legal compliance and audit purposes. We may maintain de-identified, anonymized or aggregated data, including usage data, for analytics purposes. Usage data is generally retained for a shorter period of time, except when this data is used to strengthen the security or to improve the functionality of our Services, or we are legally obligated to retain this data for longer time periods. When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize your information, or, if this is not possible (for example, because your personal information has been stored in backup archives), we will securely store your personal information and isolate it from any further processing until deletion is possible. 

If you have any questions about data retention or deletion, please contact [email protected].

5. COMPLIANCE WITH STUDENT DATA PRIVACY LAWS

Nutri-Link provides a restricted access, private platform that enables Clients to integrate data from various sources and securely store that data in one place.

All interactions with Student Data are handled with attention to accuracy and protecting Student privacy. Once Student Data is provided to us, we treat it as if it were our own children’s information.

Protecting the confidentiality, integrity, and availability of our Clients’ systems and data is of the utmost importance to us, as is maintaining Client trust and confidence. To that end, we ensure that our staff is trained and systems are in place to provide required security and confidentiality of Student Data. We have implemented training on the federal and state laws, regulations and policies governing confidentiality of Student Data and any PII (defined below) included in such Student Data for any Nutri-Link officers and employees who will have access to Student Data and PII under the Client’s Services Agreement. We also conduct background checks and require that our employees and agents sign secure data handling signed prior to receiving such access.

Nutri-Link has implemented practices and procedures designed to meet or exceed applicable requirements in federal and state laws and regulations, school district policies, as well as private industry best practices, regarding the proper handling and security of student information; these practices and procedures are described in further detail below. Our use and maintenance of PII from Student Data is subject to the direct provision and control of our Clients and parent and guardians of Students.

Different levels of access in our hosted Services may require different permissions, and we look to the Client to designate such permissions. System administrators assigned by the Client will have the ability (independently of Nutri-Link) to enable or disable access by any given Client user to various portions of the hosted data Services, and if a Client desires to have us disable access by any previously-authorized Client user, an authorized official of the Client must notify us in writing, and we will take reasonably prompt measures to disable access for that user as requested.

Family Educational Rights and Privacy Act: Nutri-Link understands and is compliant with all applicable aspects of the federal Family Educational Rights and Privacy Act, 20 USC § 1232(g) et seq. (“FERPA”), and associated regulations regarding “personally identifiable information” (“PII”), as such term is defined in FERPA, and Nutri-Link follows federal guidelines in regard to the collection, production, and distribution of PII included in Student Data we receive. For more information regarding FERPA, see http://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html. We agree that we will manage and use such PII in accordance with FERPA and applicable state statutes, regulations, and policies. We rely on our Clients’ proper compliance with FERPA provisions regarding the release of PII from education records by (a) Clients’ obtaining parental consent to share PII with appropriately approved or contracted third parties such as Nutri-Link, or (b) Clients’ use of the “School Official” exception under FERPA (See http://ptac.ed.gov/sites/default/files/FERPA%20Exceptions_HANDOUT_horizontal_0.pdf and 34 CFR §§ 99.31(a)(1) and 99.7(a)(3)(iii)).

Compliance with State Student Data Privacy Laws: Our Services comply with specific state statutes, regulations, and policies regarding student data privacy and security. To the extent a state has requirements not otherwise covered by these policies, please contact our Compliance Department at 404-437-7964 or email us at [email protected].

6. STUDENT DATA PRIVACY POLICIES, PRACTICES AND PROCEDURES

Nutri-Link has implemented the following specific policies, practices and procedures with respect to Student Data:

• Prohibition against using Personally Identifiable Information (PII) in student records to engage in targeted advertising. We do not sell, trade, or rent PII in Student Data to anyone outside the organization. We strictly limit internal access to Student Data and PII to those individuals who have a legitimate need for such access in order for us to perform our obligations under the Services Agreement with our Client. We do not use any PII for our own purposes and do not use any PII for the purposes of selling or marketing any product to any person or third party, whether such person or party is the subject of the applicable PII or otherwise.
• Prohibition against using any PII in the student record for any purpose other than those required or specifically permitted by the contract. Nutri-Link prohibits using any PII in Student Data for any purpose outside those required or permitted by the Services Agreement with the applicable Client. Any PII in Student Data to which we have possession or access will be used by us solely for the purposes of providing the Services to the Client, and for providing such information through the Services to those persons or parties to whom the Client has provided access to the applicable portion of the Services. We hold Client data in strictest confidence and do not disclose it to any third parties, unless such third parties are required to fulfill the contract, nor make use of such data for our own benefit or for the benefit of another, or for any use other than the purpose(s) agreed upon in the services Agreement. If third parties have access to Student Data as required by the Services Agreement with the Client, such access is only allowed through Nutri-Link systems and process.
• Collection of data and information from student records. Nutri-Link does not collect any information from student records separately from that which is provided by or through an educational institution that is within the scope of an approved and legally binding contract.
• Description of the procedures by which a parent, legal guardian, or eligible student may review personally identifiable information in the student’s records and correct erroneous information. In general, the Client has the capability to provide any such person with access to the applicable data by means of the Services without the involvement of Nutri-Link, and if deemed appropriate, the Client has the capability to revise such Student Data to address any inaccuracy without the involvement of Nutri-Link. However, in the event our participation is necessary or useful to enabling access or addressing any inaccuracy that the Client or an adjudicatory body deems to be required, we will provide cooperation to enable such access or to address such inaccuracy. Importantly, only parents or guardians with FERPA rights may review or correct PII; Client must make such determination and communicate the same to us in the event our cooperation is needed.
• Description of the procedures for notifying the affected parent, legal guardian, or eligible student in the event of an unauthorized disclosure of the student’s records. In the unlikely case of an unauthorized disclosure of Student Data, we will make every effort to assist the Client in notifying the affected parents or legal guardian. We will notify the Client within 24 hours of becoming aware of any breach of our security system that reasonably could compromise any Student Data or PII.
• Certification that a student’s records shall not be retained upon completion of the terms of the contract and a description of how that certification will be enforced. Nutri-Link certifies that, to the extent any PII is stored or maintained by Nutri-Link in the Services, within a reasonable period of time after termination of the applicable Services Agreement and expiration of any post-termination access period requested by the Client, we will remove all PII from the hosted Services and deactivate the hosted Services account associated with Client’s subscription. Nutri-Link may, however, retain copies of any PII in its offline data archives for backup, archive or legal recordkeeping purposes, and may subsequently destroy or erase such retained archive data, all in accordance with its data retention policies; provided that the terms of this Privacy Policy apply for so long as Nutri-Link maintains any Student Data. We may maintain anonymized or aggregated data, including usage data, for analytics purposes.
• Student records continue to be the property of and under the control of the school district. Nutri-Link ensures that Student Data is the property of and under the control of our Client. We may be required to disclose PII to comply with a court order, law or legal process (including a government or regulatory request). However, in advance of such agency request, we will provide the Client with notice of the requirement so that the Client may seek a protective order or other remedy if it so chooses. If, after providing such notice, IO must disclose the required PII, IO will only disclose that portion of the PII which, on the advice of our legal counsel, the order, law or process specifically requires us to disclose

Different levels of access in some of our hosted Services require different permissions, and we look to the Client to designate such permissions. System administrators assigned by the Client will have the ability (independently of Nutri-Link) to enable or disable access by any given Client user to various portions of the hosted data Services, and if a Client desires to have us disable access by any previously-authorized Client user, an authorized official of the Client must notify us in writing, and we will take reasonably prompt measures to disable access for that user as requested.

• De-identified personally identifiable information. The above outlines Nutri-Link’s treatment of PII, but it is also very important to be clear what type of information is not PII. Once PII has been de-identified, that information is no longer PII. PII may be de-identified through aggregation or other appropriate means. The U.S. Department of Education has issued guidance on de-identifying PII in education records, available at http://ptac.ed.gov/sites/default/files/data_deidentification_terms.pdf. In order to allow Nutri-Link to proactively address client needs, we anticipate using de-identified information to improve Nutri-Link products and services generally. This does not mean we will market to you, necessarily, but that we may use de-identified data for general marketing to our Clients and prospective Clients. IO uses reasonable de-identification methods that avoid compromising the privacy or security of the PII provided to us.

7. CHILDREN’S PRIVACY
The Children’s Online Privacy Protection Act (“COPPA”) gives parents control over certain commercial websites’ and online services’ collection, use and disclosure of information from children under the age of 13. As noted above under “Student Data”, in most instances, Nutri-Link receives Student Data only from the Client or a Student’s parent or guardian and does not interact with children directly. To the extent the exact Services selected by the Client permits a Client to allow Students to log into the Services to provide personal information data as authorized and directed by the Client, Nutri-Link has, collects and uses such information only as requested by the Client for the purposes of performing Services on behalf and for the benefit of the Client; notwithstanding any term to the contrary in this Privacy Policy, such information is not used for any other commercial purpose and is, in all cases, subject to the terms of this Privacy Policy. In such circumstances and for purposes of COPPA, Nutri-Link relies on the Client’s grant of consent on behalf of the Student’s parent, if applicable, to the collection and use of such information from children. If you have any questions about the information we collect from Students or how we use such information, please contact your school district directly.

8.  LINKS TO OTHER WEB SITES AND SERVICES
Please remember that this Privacy Policy applies to the Nutri-Link Services only, and not other websites or third party applications that may be linked via our Services, which may have their own privacy policies. You should carefully read the privacy practices of each third party application before agreeing to engage with the application through the Services. We assume no responsibility or liability for the privacy practices of any vendor or operator of third party sites or applications.

9.  ADDITIONAL SATE PRIVACY RIGHTS
Certain states, such as California, Nevada, Connecticut, Colorado, Virginia and Utah, have consumer privacy laws that may provide their residents with additional rights regarding our use of their personal information. This section is applicable to residents of such states (sometimes called “consumers”), as applicable, who live in the applicable state on a permanent basis, but only to the extent such state’s privacy law applies to such residents’ use of the Services. This section uses certain terms that have the meaning given to them in each state’s privacy law, as applicable, including “Personal Information”, which shall be used interchangeably with privacy laws that similarly define “Personal Data”.

I.  Shine The Light

Under California Civil Code Section 1798.83 (“Shine the Light”), California residents have the right to request in writing from businesses with whom they have an established business relationship, (a) a list of the categories of Personal Information, such as name, e-mail and mailing address and the type of services provided to the customer, that a business has disclosed to third parties (including affiliates that are separate legal entities) during the immediately preceding calendar year for the third parties’ direct marketing purposes; and (b) the names and addresses of all such third parties. To request the above information, please contact us as directed in the CONTACT US section below with a reference to California Disclosure Information.

II.  California Consumer Privacy Act Of 2018, As Revised And Updated By The California Privacy Rights Act (Collectively, “CCPA”)

A.  Collection, Disclosure, and Retention of Personal Information

The Personal Information we collect and the sources from which we collect is described above in HOW WE COLLECT AND USE INFORMATION. The Personal Information we disclose for business or commercial purposes is described above in HOW WE SHARE INFORMATION. The length of time that we retain your Personal Information is described above in CHOICES ABOUT YOUR INFORMATION.

B. Selling and Sharing Personal Information

We do not sell or share your Personal Information in exchange for monetary consideration.

C. CCPA Consumer Rights

Under CCPA, consumers have certain rights regarding their Personal Information, as described below.

• Right of Access: You have the right to request, twice in a 12-month period, that we disclose to you the following information about you, limited to the preceding twelve (12) months:
  • The categories of Personal Information that we collected about you;
  • The categories of sources from which the Personal Information is collected;
  • The business or commercial purpose for collecting or selling Personal Information;
  • The categories of third parties with whom we share Personal Information;
  • The specific pieces of Personal Information that we have collected about you;
  • The categories of Personal Information that we disclosed about you for a business purpose or sold to third parties; and
  • For each category of Personal Information identified, the categories of third parties to whom the information was disclosed or sold.
• Right of Deletion: You have the right to request that we delete any Personal Information about you which we have collected from you, subject to exceptions within the law.
• Right to Opt-Out: You have the right to opt-out of the disclosure of Personal Information about you for monetary or other valuable consideration. However, we do not sell your Personal Information in exchange for monetary consideration.
• Right to Opt-In: We do not have actual knowledge that we collect, share, or sell the Personal Information of minors under the age of 16 without proper consent of a parent or guardian.
• Right to Limit Use and Disclosure of Sensitive Personal Information: You may request specific limitations on further sharing, use, or disclosure of your Sensitive Personal Information that is collected or processed for certain reasons outside of providing the Services. However, we do not collect or process Sensitive Personal Information for any of these reasons.
• Right to Correction: You have the right to request that we maintain accurate Personal Information about you and correct any Personal Information about you which we have collected from you, subject to exceptions within the law.

If you would like to exercise any of the rights provided, please refer to the CONSUMER REQUESTS AND VERIFICATION section below.

III.  Virginia, Colorado, Connecticut, Utah Privacy Rights

This section applies only to Virginia, Colorado, Connecticut residents to the extent their Personal Information is subject to the Virginia Consumer Data Protection Act (VCDPA), or the Colorado Privacy Act (CPA), Connecticut Data Privacy Act (CTDPA), Utah Consumer Privacy Act (UCPA) or any amendments or acts thereto upon their effective dates.

A. Collection, Disclosure, and Retention of Personal Information

The Personal Information we collect and the sources from which we collect is described above in HOW WE COLLECT AND USE INFORMATION. The Personal Information we disclose for business or commercial purposes is described above in HOW WE SHARE INFORMATION. The length of time that we retain your Personal Information is described above in CHOICES ABOUT YOUR INFORMATION.

B. Consumer Rights

Virginia, Colorado, Connecticut, and Utah privacy law provides residents with specific rights regarding Personal Information, including:

• Right to Access. You have the right to confirm whether or not we are processing your Personal Information and to access such information.
• Right to Correction. You have the right to correct inaccuracies in your Personal Information which we have collected, taking into account the nature of the Personal Information and the purposes of processing the Personal Information.
• Right to Deletion. You have the right to request deletion of Personal Information provided by or obtained about you, subject to legal exemptions.
• Right to Data Portability. You have the right to obtain a copy of your Personal Information.
• Right to Opt-Out. You have the right to opt out of the processing of Personal Information for purposes of (1) targeted advertising; (2) the sale of Personal Information; or, if you are in Virginia or Colorado (3) profiling in furtherance of decisions that produce legal or similarly significant effects.

If you would like to exercise any of the rights provided, please refer to the CONSUMER REQUESTS AND VERIFICATION section below.

IV.  NEVADA PRIVACY RIGHTS

We comply with the requirements of the Nevada Privacy law, which in some instances provides residents with choices regarding how we share information. Nevada Covered Personal Information (“Nevada PI”) includes personally identifiable information about a Nevada consumer collected online, such as an identifier that allows the specific individual to be contacted. Nevada PI also includes any other information about a Nevada consumer collected online that can be combined with an identifier to identify the specific individual. We may collect the following categories of covered information about you through our Services:

• First and Last Name
• Physical Address
• Email Address
• Telephone Number
• Username

We may share such covered information with categories of third parties including marketing. Third parties may collect covered information about your online activities over time and across different Internet websites or online services when you use our Services.

You have the right to request that we not sell your Personal Information. Although we do not currently sell Personal Information, you may submit a request directing us not to sell Personal Information if our practices change in the future.

If you would like to exercise any of the rights provided, please refer to the CONSUMER REQUESTS AND VERIFICATION section below.

V.  CONSUMER REQUESTS AND VERIFICATION

A. Right to Non-Discrimination

We may not discriminate against you because you exercise any of your privacy rights contained in this Privacy Policy including, but not limited to:

• Denying goods or services to you;
• Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties;
• Providing a different level or quality of goods or services to you; or
• Suggesting that you will receive a different price or rate for goods or services or a different level or quality of goods or services.

B. Verifying Requests

You may request to exercise your rights of access, deletion, or correction by contacting us as described in the HOW TO CONTACT US section below. To help protect your privacy and maintain security, we will take steps to verify your identity before processing your request. If you request access to or deletion of your Personal Information, we may require you to provide any of the following information: name, date of birth, email address, telephone number, or postal address. When you make such a request, you can expect the following:

• As required under applicable law, we will verify your identity. You will need to provide us with your email address and full name. We may ask for additional information if needed.
• We will confirm that you want your information accessed, corrected, and/or deleted.
• We will confirm our receipt of your request within 10 days. If you have not received a response within a few days after that, please let us know by contacting us at the webpage or phone number listed below.
• We will respond to your request within 45 days upon receipt of your request. If necessary, we may need an additional period of time, up to another 45 days, but we will reply either way within the first 45-day period and, if we need an extension, we will explain why.
• In certain cases, a request for access, correction, or deletion may be denied. For example, if we cannot verify your identity, the law requires that we maintain the information, or if we need the information for internal purposes such as providing products or services or completing an order. If we deny your request, we will explain why we denied it and delete any other information that is not protected and subject to denial.

C. Authorized Agents

You may designate an authorized agent to request any of the above rights on your behalf. You may make such a designation by providing the agent with written permission, signed by you, to act on your behalf. Your agent may contact us as described in the HOW TO CONTACT US section below to make a request on your behalf. Even if you choose to use an agent, we may, as permitted by law, require:

• The authorized agent to provide proof that you provided signed permission to the authorized agent to submit the request;
• You to verify your identity directly with us; or
• You to directly confirm with us that you provided the authorized agent permission to submit the request.

D. Virginia and Connecticut Appeal Process

If you have made a request to access, correct, or delete your Personal Information under VCDPA and CTDPA, and we have declined to take action, you may appeal our decision within 45 days of the denial. When you make such an appeal, you can expect the following:

• We will verify your identity. You will need to provide us with your email address and full name. We may ask for additional information if needed.
• We will review your appeal and respond in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons for the decision, within 45 days upon receipt of your appeal. If necessary, we may need an additional period of time, up to another 45 days, but we will reply either way within the first 45-day period and, if we need an extension, we will explain why.
• In certain cases, an appeal may be denied. For example, if we cannot verify your identity, the law requires that we maintain the information, or if we need the information for internal purposes such as providing products or services or completing an order. If we deny your appeal, we will explain why we denied it and provide you with a method to contact your state’s Attorney General to submit a complaint.

10.  HOW TO CONTACT US
If you have any questions, concerns or complaints about this Privacy Policy, our privacy practices or the Services, please contact us at [email protected]. We will respond to your inquiries as soon as is practicable.

CLASS ACTION WAIVER:  YOU AND WE AGREE THAT EACH MAY BRING CLAIMS AGAINST THE OTHER ONLY IN YOUR OR OUR INDIVIDUAL CAPACITY AND NOT AS A PLAINTIFF OR CLASS MEMBER IN ANY PURPORTED CLASS OR REPRESENTATIVE PROCEEDING.

11.  CHANGES TO THIS POLICY
We reserve the right to change this Privacy Policy at any time by posting revised Policy on this webpage, and we will notify Clients of such posting via the most recent Client administrator email address on file with us. We encourage you to review this webpage periodically. The changes will be effective immediately upon notice or posting, and we will update the effective date of this Privacy Policy upon such posting. Your use or continued use of the Services following the posting or email notification (as applicable) of any changes to the Privacy Policy will be deemed to be your acceptance of the changed Privacy Policy.