EFFECTIVE DATE: February 16, 2024

THIS COLORADO PRIVACY NOTICE SUPPLEMENTS OUR GENERAL PRIVACY POLICY AND ONLY APPLIES TO USERS WHO ARE RESIDENTS OF THE STATE OF COLORADO AND WHO EITHER (A) RECEIVE SERVICES DIRECTLY FROM NEW USA FUNDING (TOGETHER WITH ITS AFFILIATES AND SUBSIDIARIES, “COMPANY,” “WE,” or “US”), OR (B) ARE USERS OF THE SITES.

This Colorado Privacy Notice has been adopted to comply with the Colorado Privacy Act, as amended (together with all applicable regulations, “CPA”), and terms defined in the CPA have the same meaning when used in this Notice, unless those terms have been otherwise defined in the general Privacy Policy. Accordingly, this Privacy Notice should be reviewed in conjunction with our general Privacy Policy. 3

We do not sell the personal information we collect. However, we share your personal information with our affiliates for purposes of cross-contextual behavioral advertising.

Special Note: The Sites are general audience sites and are not designed or intended to target children younger than 16. We do not knowingly target or collect personal information from any person younger than 16.

What Information Do We Collect and Disclose?

We collect information that identifies or is linked, or could reasonably be linked, directly or indirectly, with a particular consumer (“personal information”). In particular, we have collected the following categories of personal information from consumers within the last twelve (12) months:

Category	Examples	Collected
A. Personal Information and Identifiers.	Real name, postal address, email address, telephone numbers, account name, education, bank account number, credit card number, debit card number, or any other financial information.	YES
B. Commercial Information.	Information or records for commercial purposes or on behalf of entities, including business plans, financial information, records of personal property, products or services purchased, obtained, or considered, account or other purchasing or consuming histories or tendencies.	YES
C. Internet and Network Information.	Internet protocol (IP) address, registration date, and one or more cookies that may uniquely identify a user’s browser; internet domain and the specific path, actions and navigation choices; the internet address of the site from which Sites were linked, the time and date the Sites were accessed, and the frequency and duration of visits to the Sites; browsing history, search history, information on users interaction with the Sites or other websites and applications or advertisements; and browser software, operating system and browser language, and information about location and mobile device, including a unique identifier for the mobile device.	YES
D. Non-Public Education Information	Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.	NO
E. Miscellaneous Information	Marital status, veteran or military status, gender information, physical or digital photographs, video or audio recordings or data generated therefrom.	YES

For the previous 12 months, we have collected the following categories of sensitive personal information:

Category	Examples	Collected
F. Protected Class Information	Personal data revealing mental or physical health condition, or medical treatment or diagnosis by a health care professional, citizenship or immigration status.	YES
G. Genetic and Biometric Information.	Fingerprint, voiceprint, eye retinas, irises, or other unique biological patterns or characteristics that is used to identify a specific individual, or other data generated by automatic measurements of an individual’s biological characteristics.	NO
H. Specific Geolocation Information.	Physical location or movements or other information derived from technology regarding location or movements.	YES

Please Note: Personal data, as defined by the CPAA, does not include publicly available information from government records, de-identified or aggregated consumer information, or information excluded from the CPA’s scope, such as (i) Protected health information (PHI), defined and regulated under HIPAA collected, stored and processed by a covered entity or its business associates; (ii) information and documents created by a HIPAA covered entity for the purpose of HIPAA compliance; (iii) healthcare information governed by Colo. Rev. Stat. Ann. §§ 25-1-801 to 25-1-803; (iv) substance use disorder patient records, defined and regulated under the federal substance use disorder data confidentiality statute and rules (42 U.S.C. § 290dd-2; 42 C.F.R. §§ 2.1 to 2.67); (v) information derived from exempt healthcare-related information or deidentified using the HIPAA Privacy Rule's deidentification standards and approved methodologies; (vi) information maintained in the same manner as exempt healthcare-related information by (1) a HIPAA covered entity or business associate, (2) a health care facility or provider, or (3) a Part 2 qualified service organization's program; (vii) personal data collected and maintained for the Colorado Health Benefit Exchange; (viii) information used for public health activities and purposes authorized by HIPAA, community health activities, and population health activities; (ix) clinical trial, patient safety, and other similar health information that otherwise meet the criteria set forth in the CPA; (x) personal data collected, processed, sold, or disclosed in compliance with the Gramm-Leach-Bliley Act; (xi) personal information bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living by consumer reporting agency, a furnisher or user that provides information for use in a consumer report, or a user of a consumer report; (xii) personal data regulated by the Family Educational Rights and Privacy Act; (xiv) personal data collected, processed, sold, or disclosed in compliance with the Driver's Privacy Protection Act of 1994;or (xv) personal data regulated by and collected, processed, and maintained in compliance with COPPA.

Employment Information: Please note that, under the CPA, personal data does not include personal data of persons acting in a commercial or employment context. CPA further excludes data collected or used within the context of an individual’s role as an employee, an applicant, independent contractor, or as an agent.

How Do We Collect Information? We collect this information from you through information you submit to us or passively by observing your actions relative to the Sites and Services and through cookies and related technologies. We also collect information by gathering, obtaining, receiving, and accessing the information from third parties, including customers, service providers and vendors, auditors, and advisors. For more information regarding our data collection practices please read our general Privacy Policy.

Why Do We Collect and Process Information? We collect and process personal information for business and commercial purposes. To learn more about why we collect and process information, please review our general Privacy Policy.

Why Do We Collect and Process Sensitive Data? We only collect and process Sensitive Personal Data for those exempt purposes set forth in Section 1304 of the CPA, including specifically:

• comply with federal, state, or local laws, rules, or regulations;
• comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
• cooperate with law enforcement agencies concerning conduct or activity that the Company reasonably and in good faith believes may violate federal, state, or local law;
• investigate, exercise, prepare for, or defend actual or anticipated legal claims;
• conduct internal research to improve, repair, or develop products, Services, or technology;
• identify and repair technical errors that impair existing or intended functionality;
• perform internal operations that are reasonably aligned with the your expectations based on the our existing relationship with you;
• provide the Services specifically requested by you, perform a contract to which you are a party, or take steps at your request prior to entering into a contract;
• protect your vital interests or the vital interests or of another individual;
• prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action;
• process personal data for reasons of public interest in the area of public health, solely to the extent that such processing: (i) is subject to suitable and specific measures to safeguard your rights, and (ii) is under the responsibility of a professional subject to confidentiality obligations under federal, state, or local law; or
• assist another person with any of the activities set forth in Section 1304(3) of the CPA.

Do We Share Information With Third Parties? Yes. We take reasonable precautions to be sure that affiliates and non-affiliated third party service providers, to whom we disclose your personally identifiable information are aware of our privacy policies and will treat the information in a similarly responsible manner. Our contracts and written agreements with non-affiliated third party service providers that receive information from us about you prohibit those parties from transferring the information other than to provide the Services that you obtain from us. To learn more about why we share information with third parties please see our general Privacy Policy.

In the preceding twelve (12) months, we have disclosed the following categories of personal information for a business purpose those corresponding third parties listed below:

Categories of Personal Information	Third Parties Disclosed To:
Category A: Personal Information and Identifiers.	Service providers, affiliates, partners, parent or subsidiary organizations, internet cookie data recipients, operating systems and platforms, government entities, data analytic providers, internet service providers, advertising networks.
Category B: Commercial Information	Service providers, affiliates, partners, parent or subsidiary organizations, internet cookie data recipients, operating systems and platforms, government entities, data analytic providers, internet service providers, advertising networks.
Category C: Internet and Network Information	Service providers, affiliates, partners, parent or subsidiary organizations, internet cookie data recipients, operating systems and platforms, government entities, data analytic providers, internet service providers, advertising networks.
Category D: Non-Public Education Information	Not Applicable.
Category E: Miscellaneous	Service providers, affiliates, partners, parent or subsidiary organizations, internet cookie data recipients, operating systems and platforms, government entities, data analytic providers, internet service providers, advertising networks.
Category F: Protected Class Information	Service providers, affiliates, partners, parent or subsidiary organizations, internet cookie data recipients, operating systems and platforms, government entities, data analytic providers, internet service providers, advertising networks.
Category G: Genetic and Biometric Information	Not Applicable.
Category H: Specific Geolocation Information	Service providers, affiliates, partners, parent or subsidiary organizations, internet cookie data recipients, operating systems and platforms, government entities, data analytic providers, internet service providers, advertising networks.

To learn more about why we share information with third parties, please see our general Privacy Policy.

Do We Sell Your Information? No. Although we share data with third parties as outlined in in the Privacy Policy, we do not sell any of your personal information to any third party.

Do We Share Your Information for Behavioral Advertising Purposes or Otherwise Engage In Behavioural Advertising? Yes. With your consent, we share your personal information for cross-contextual behavioural advertising purposes.

How Do We Protect Personal Data? We protect data using administrative, technical, and physical safeguards. When we use third-party service providers, we ask those providers to implement similar safeguards. However, we cannot guaranty that your information is completely secure either within Company or on the systems of third party service providers.

How Long Do We Keep Your Personal Data? We retain personal data we collect from you when we have an ongoing legitimate business need to do so (i.e., to provide you with the Services you have requested or to comply with applicable legal requirements). When we no longer have an ongoing legitimate business need to process your personal information, we will physically destroy, delete or anonymize it or, if this is not possible, then we will securely store your personal data and isolate it from any further processing until deletion is possible.

What Are My Colorado Consumer Privacy Rights? If you are a Colorado resident and are engaged in a direct business relationship with Company as a consumer for provision of the Sites or Services, you may have the following rights:

• Right to Access and Data Portability. You may request that we provide to you certain information about our collection and use of your personal information for the 12 month period preceding your request, such as (i) requesting confirmation as to whether or not we collect your personal data and process your personal data, and (ii) accessing or otherwise receiving a copy of your personal data collected by the Company (data portability request), including the categories of personal information we collected about you.

  Though you may request specific pieces of your personal information that we have collected, we may not provide certain information in order to protect the security of such information.

• Right to Correct Inaccurate Data. Under certain circumstances, you may request that we correct your personal data to the extent that it is inaccurate. We may deny your request depending on factors relating to the nature of the personal data and the processing purposes.

• Right to Request Deletion. Under certain, limited circumstances, you may request that we delete personal information that we have collected from you or maintain about you. Once we receive your request and confirm your identity, we will review your request to see if an exception allowing us to retain the information applies. We may deny your deletion request if retaining such information is necessary for us or our service providers to:

  • Comply with federal, state, or local laws, rules, or regulations;
  • Comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities;
  • Cooperate with law-enforcement agencies concerning conduct or activity that the controller or processor reasonably and in good faith believes may violate federal, state, or local laws, rules, or regulations;
  • Investigate, establish, exercise, prepare for, or defend legal claims;
  • Provide a product or service specifically requested by a consumer;
  • Perform a contract to which you are a party, including fulfilling the terms of a written warranty, or take steps at your request prior to entering into a contract;
  • Take immediate steps to protect an interest that is essential for the life or physical safety of you or of another natural person;
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity; preserve the integrity or security of systems; or investigate, report, or prosecute those responsible for any such action;
  • Engage in public or peer-reviewed scientific or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board, or similar independent oversight entities;
  • Assist another controller, processor, or third party with any of the obligations under the CPA. Make other internal and lawful uses of that information that are compatible with the context in which you provided it; or
  • We obtained the personal data from a source other than you and we either (i) maintain a record of the deletion request and retain only the minimum data necessary to ensure your personal data remains deleted, or (ii) stop processing your personal data subject to the deletion request, other than processing for purposes excluded by CPA from application.

How Do I Submit a Colorado Privacy Rights Request? If you are a Colorado resident and you have a direct business relationship with Company or you otherwise use the Sites, you may make a request pertaining to the rights described above by clicking here for a Request for Disclosure and emailing or sending the Request to the email address or mailing address listed below:

What are My Personal Information Sales Opt-Out? We do not sell personal information as defined under the CPA.

What are My Personal Information Sharing Opt-Out Rights? To exercise the right to opt-out, you (or your authorized representative) may submit a request to us by visiting Do Not Share My Personal Information. Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize personal information. However, you may change your mind and opt back into personal information sharing at any time by visiting Opting Into Sharing of My Personal Information. You do not need to create an account with us to exercise your opt-out rights. We will only use personal information provided in an opt-out request to review and comply with the request.

What are My Profiling Opt-Out Rights? We do not engage in the automated processing of personal data for purposes of profiling our consumers as defined under the CPA.

What are My Sensitive Personal Information Opt-Out Rights? We do not collect or process your sensitive personal data for any purpose except (i) as necessary to perform or otherwise provide the Services to you, and (ii) for those exempt purposes set forth in Section 1304 of the CPA.

Do I have Right to Non-Discrimination? We will not discriminate against any consumer who has chosen to exercise their rights under the CPA. Unless permitted by the CPA, we will not deny you the Services, charge you different prices/rates for the Services (including through granting discounts or other benefit or imposing penalties), provide you a different level of quality of service, or suggest that you may receive a different price or rate for the Services or a different level or quality of Services. However, we can deny you access to our Services if such Services require your personal data that we do not collect or maintain.

However, we may offer you certain financial incentives permitted by the CPA that can result in different prices, rates, or quality levels. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time. We currently do not provide any financial incentives.

Changes To This Privacy Notice: We reserve the right to amend this Privacy Notice at our discretion and at any time. We may make changes to the Privacy Policy without providing you prior notice. However, after we make any changes to this Privacy Policy, we will give notice to you via (i) the Sites or (ii), where feasible, and at our discretion, contact information available to us. We encourage you to periodically review this Privacy Policy so as to remain informed on how we are protecting your information. YOUR CONTINUED USE OF OUR SITES AND SERVICES FOLLOWING THE POSTING OF CHANGES CONSTITUTES YOUR ACCEPTANCE OF SUCH CHANGES.

How To Contact Us. If you have any questions regarding this Privacy Policy or exercising any of your privacy rights, please contact us at the email address or mailing address listed below: