PRIVACY POLICY

This Privacy Policy for Bridgetree LLC defines Bridgetree’s commitment to privacy. This policy has been adopted to keep all data safe, secure, and private and to comply with federal and state privacy laws. The following rights are applicable to all users:

User Rights

Right to Know: This is your right to know what categories of personal information we collect about you, how we use your personal information, whether we share, disclose and/or sell your personal information to third parties, and what other rights you may have.

• Right to Delete: This is your right to request that we delete the personal information we have collected from you and maintain in our systems, subject to certain exceptions that permit us to keep your personal information for specific purposes.

• Right to Access: This is your right to request access to the personal information we have collected about you.

• Right to Opt-Out of Sale: This right allows you to opt-out of the sale of your personal information to third parties.

• Right to Non-Discrimination/Equal Service: This right means that Bridgetree will not discriminate against you in any manner because you elect to exercise any of your rights.

Information We Collect

Bridgetree has collected the following categories of personal information:

• Personal identifiers (e.g., real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, or other similar identifiers);

• Personal information categories (e.g., name, address, telephone number, education, employment, publicly available financial information, medical information, or health insurance information);

• Commercial information (e.g., records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies);

Bridgetree does not consider the following personal information:

• Publicly available information from government records;

• Deidentified or aggregated consumer information;

• Health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data;

• Personal information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FRCA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver’s Privacy Protection Act of 1994.

Sources of Personal Information

Bridgetree collects personal information about you from the following sources:

• Directly from our clients;

• Information obtained from third parties; and

• Publicly available information.

Use of Personal Information

We may use this personal information to operate, manage, and maintain our business, to provide our products and services, to communicate with you, for our vendor management purposes, and to accomplish our business purposes and objectives, including, for example, using personal information to: develop, improve, repair, and maintain our products and services; process or fulfill a request or other transactions submitted to us; personalize, advertise, and market our products and services; conduct research, analytics, and data analysis; maintain our facilities and infrastructure; undertake quality and safety assurance measures; conduct risk and security control and monitoring; detect and prevent fraud; perform identity verification; perform accounting, audit, and other internal functions; comply with law, legal process, and internal policies; maintain records; exercise and defend legal claims; and fulfill legal obligations.

Sharing Personal Information

Bridgetree does not sell your personal information to third parties for monetary consideration for any purpose, including advertising. In other instances, Bridgetree discloses the personal information identified earlier in this policy to service providers who perform services on our behalf for specific business purposes. In those instances, Bridgetree provides such service providers with only that personal information necessary to perform the services they are providing to Bridgetree. Bridgetree engages service providers for the following business purposes:

• Auditing;

• Protecting the security of Bridgetree ‘s networks, preventing fraud, detecting unauthorized reception, use, and abuse of any Bridgetree product, service, website or application, enforcing any Bridgetree policy or applicable terms of service, and detecting security incidents;

• Providing updates, upgrades, repairs or replacements for any of our service-related devices or software used in providing or receiving services, and managing and configuring our device(s), system(s) and network(s);

• Short-term, transient uses that does not involve or contribute to profiling a consumer or household;

• Performing business activities and functions on our behalf to support our interactions with you, such as billing and collections, payment processing, analytics and research, marketing, service delivery and customization, maintenance and operations, and fraud prevention;

• Internal purposes, such as improving our products and services; and/or

• Testing or improving our products, service, and devices.

Bridgetree may disclose personal information identified earlier in this policy to third parties for the following reasons:

• Comply with federal, state, or local laws;

• Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities;

• Cooperate with law enforcement agencies concerning conduct or activity that the business, service provider, or third party reasonably and in good faith believes may violate federal, state, or local law;

• Exercise or defend legal claims;

• Collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information

Access to Specific Information and Data Probability Rights

You have the right to request that Bridgetree LLC disclose certain information to you about our collection and use of your personal information over the past 12 months. Once we receive and confirm your verifiable consumer request, we will disclose to you:

• The categories of personal information we collected about you.

• The categories of sources for the personal information we collected about you.

• Our business or commercial purpose for collecting or selling that personal information.

Deletion Request Rights

You have the right to request that Bridgetree LLC delete any of your personal information that we collected from you and retained, subject to certain exceptions. Once we receive and confirm your verifiable consumer, we will delete your personal information from our records, unless an exception applies.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

• Complete the transaction for which the personal information was collected, provide a good or service requested by you, or reasonably anticipated within the context of our ongoing business relationship with you, or otherwise perform a contract between you and us;

• Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity;

• Identify and repair errors that impair existing intended functionality of our services;

• Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law;

• Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when our deletion of the information is likely to render impossible or seriously impair the achievement of such research, if you have provided informed consent;

• To enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with us;

• Comply with a legal obligation; or

• Otherwise use the personal information, internally, in a lawful manner that is compatible with the context in which you provided the information.

Exercising Access, Data Portability, and Deletion Rights

To exercise the access, data portability, and deletion rights described above, please submit a verifiable consumer request to us by either:

• Using the Bridgetree website at www.bridgetree.com

• Emailing us at privacy@bridgetree.com

Only you, or a person that you authorize to act on your behalf, may make a verifiable consumer request related to your personal information. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

• Provide sufficient information that allows us to reasonably verify you are the person about whom we collected personal information or an authorized representative.

• Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with personal information if we cannot verify your identity or authority to make the request and confirm the personal information relates to you.

Making a verifiable consumer request does not require you to create an account with us. However, we do consider requests made through your password protected account sufficiently verified when the request relates to personal information associated with that specific account.

We will only use personal information provided in a verifiable consumer request to verify the requestor’s identity or authority to make the request.

Response Timing and Format

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to 90 days), we will inform you of the reason and extension period in writing.

All responses will be delivered electronically using the provided contact information.

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request’s receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your personal information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Policy Update

Bridgetree’s Privacy Policy may change without notice and is effective immediately after posting. If you have any questions or concerns regarding this privacy policy, contact us at privacy@bridgetree.com