Supplemental California Consumer Privacy Act Privacy Policy

In this Supplemental California Consumer Privacy Act Privacy Policy (“CCPA Privacy Policy” or “Policy”), we, STRIVR LABS, INC. (“Strivr”), disclose information about our data processing practices as required by the California Consumer Privacy Act of 2018 (“CCPA”) and supplement the disclosures in our other privacy notices. This CCPA Privacy Policy is effective January 1, 2020.

Note: If you are not a California resident, this Policy does not apply to you.

I. Who and what information is subject to this CCPA Privacy Policy?
California residents are protected as “consumers” by the CCPA with respect to personal information. A number of statutory exceptions apply under the CCPA. As a result, this CCPA Privacy Policy does not apply to the following:

a. personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, non-profit, or government agency

b. personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business

c. personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file

d. personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits.

II. How can an individual with a disability access this CCPA Privacy Policy?
Individuals who have a visual disability may be able to use a screen reader or other text-to-speech or text-to-Braille tool to review the contents of this document.

III. Supplemental CCPA Disclosures
We provide additional disclosures about consumer rights and our personal information handling practices in the preceding twelve months.


1. Right to Know About Personal Information Collected, Disclosed, or Sold
We describe here the personal information we generally collect, use, disclose and sell about California residents. You have the right to request that we disclose what personal information we collect, use, disclose and sell about you specifically (“right to know”). To submit a request to exercise the right to know, please submit an email request to privacy@strivr.com and include “California Request to Know” in the subject line. Please specify in your request the details you would like to know, including any specific pieces of personal information you would like to access. We will ask that you provide certain information to verify your identity, such as a code sent to an email address we may have on file for you. If you have a password-protected account with us, we may verify your identity through our existing authentication practices for your account. The information that we ask you to provide to verify your identity will depend on your prior interactions with us and the sensitivity of the personal information at issue. We will respond to your request in accordance with the CCPA. If we deny your request, we will explain why.

2. Our Personal Information Handling Practices in 2019
We have set out below the categories of personal information we have collected about California residents in the preceding twelve (12) months and, for each category of personal information collected, the categories of sources from which that information was collected and the business or commercial purposes for which the information was collected.
“Everyday Business Purpose” encompasses the Business Purposes (as defined in the CCPA) and the following related purposes for which personal information may be used:
- To provide the information, product, or service requested by the individual or as reasonably expected given the context in which the personal information was collected (e.g. providing customer service)
- For identity and credential management, including identity verification and authentication, system and technology administration
- To protect the security and integrity of systems, networks, applications and data, including detecting, analyzing, and resolving security threats, and collaborating with cybersecurity centers or law enforcement regarding imminent threats
- For legal and regulatory compliance, including all uses and disclosures of personal information required by law or reasonably needed for compliance with company policies and procedures, such as security and incident response programs, intellectual property protection programs, as well as compliance with civil, criminal, judicial, or regulatory inquiries
- To exercise or defend the legal rights of Strivr and its employees, customers, contractors, agents
- To comply with applicable tax, health and safety, anti-discrimination, labor and employment, and social welfare laws
- For corporate audit, analysis, and reporting
- To enforce our contracts and protect against injury, theft, legal liability, fraud or abuse, to protect people or property, including physical security programs
- To deidentify data or create aggregated data sets, such as for consolidating reporting, research or analytics
- To make back-up copies for business continuity and disaster recovery purposes
- For corporate governance, including mergers, acquisitions, and divestitures

| Categories of Personal Information we may collect | Sources we may collect Personal Information from | Purposes for Collecting | Categories of Third Parties we may share/disclose information to |
| --- | --- | --- | --- |
| Identifiers (e.g. name, address, email address, postal address, account name, or other similar identifiers) | Directly from you; Third parties, such as consumer or credit reporting agencies to verify information you provided; Service Providers | Account activation and administration; Customer support; User identification; Order fulfillment; Delivery of marketing communications; Records integrity; Everyday Business Purpose | Service Providers; Attorneys, auditors, consultants; Third parties as required by law |
| Commercial information (e.g. products or services purchased or inquired about) | Directly from you; Third-party advertisers or promoters; Service Providers | Customer support and feedback; Process fulfillment, and maintenance of order; Delivery of marketing communications; Everyday Business Purpose | Service Providers; Third parties as needed to complete the transaction you initiated or agreed to; Attorneys, auditors, consultants; Third parties as required by law |
| Internet or Network Activity (e.g. IP address, browser and operating system, referral URL, pages viewed, date/time of visit) | Directly from you; Automatically, such as through cookies, web beacons when you visit our websites; Third parties, including computer security services and third party advertising network companies, social media, and CRM platform partners | System administration, technology management, including optimizing our websites and applications; Information security and cybersecurity; Recordkeeping, including logs and records maintained as part of Commercial information; Everyday Business Purpose | Service Providers; Third parties who assist with information technology and security programs, e.g. malware threat detection; Third parties who assist with fraud prevention, detection, mitigation; When you consent through cookie consent banner, to third party network advertising partners or social media platform companies; Attorneys, auditors, consultants; Third parties as required by law |
| Biometric information | Directly from you when you have provided consent and engage in our products/services through your employer | Provide products/services to Customers; Everyday Business Purpose | Attorneys, auditors, consultants; Customers; Third parties as required by law |
| Geolocation data | Automatically from your mobile device | Provide information, products, or services requested; Information security and fraud prevention; Everyday Business Purpose | Service Providers; Third parties who assist with fraud prevention, detection; Attorneys, auditors, consultants; Third parties as required by law |
| Audio Visual information | Directly from you; Automatically when we use security cameras in our facilities if you visit; Third parties that provide access to information you make publicly available, such as social media | Market research purposes; Premises security purposes and loss prevention; Everyday Business Purpose | Service Providers; Attorneys, auditors, consultants; Third parties as required by law |
| Financial information | Directly from you; Payment processors and other financial institutions; Consumer reporting agencies; Third parties that provide security and fraud prevention services | Fulfill business relationship with you, including processing payments, issuing refunds and collections; Recordkeeping and compliance, including dispute resolution; Internal business purposes, such as finance, audits; Risk management; Everyday Business Purpose | Service Providers; Payment processors, financial institutions, and others as needed to complete the transactions you agree to; Attorneys, auditors, consultants; Customers; Consumer reporting agencies; Third parties as required by law |
| Inferred information (e.g. interest in services, such as based on feedback and customer support) | We may create inferred and derived data elements by analyzing relationship and transactional information | Marketing research purposes; To identify potential Customers; Internal business purposes, such as training; Everyday Business Purpose | Service Providers; Third parties with whom we may have joint marketing arrangement where you have initiated or agreed; Attorneys, auditors, consultants; Third parties as required by law |

3. Disclosures of Personal Information; No Sale
Over the preceding 12 months, we disclosed certain categories of California residents’ personal information to the categories of third parties as shown in the table above. We do not and will not sell California residents’ personal information. We do not sell the personal information of minors under 16 years of age without affirmative authorization.

4. Right to Request Deletion of Personal Information
You have a right to request the deletion of personal information that we collect or maintain about you. To submit a request to delete personal information, submit an email request to privacy@strivr.com and include “California Request to Delete” in the subject line. Please specify in your request the personal information about you that you would like to have deleted.

5. Right to Opt-Out of the Sale of Personal Information
You have the right to opt-out of the sale of your personal information by a business. We do not, and will not, sell your personal information.

6. Right to Non-Discrimination for the Exercise of a Consumer’s Privacy Rights
You may not be discriminated against because you exercise any of your rights under the CCPA.

7. Authorized Agent
You can designate an authorized agent to make a request under the CCPA on your behalf if:

- The authorized agent is a natural person or a business entity registered with the Secretary of State of California; and
- You sign a written declaration that you authorize the authorized agent to act on your behalf.

If you use an authorized agent to submit a request to exercise your right to know or your right to request deletion, please have the authorized agent take the following steps in addition to the steps described in Sections 1 and 4 above:

- Mail a certified copy of your written declaration authorizing the authorized agent to act on your behalf to STRIVR, Attention: Legal Dept. Privacy Requests, 975 California Avenue, Suite 200, Palo Alto, CA 94304; and
- Provide any information we request in our response to your email to verify your identity. The information that we ask you to provide to verify your identity will depend on your prior interactions with us and the sensitivity of the personal information at issue.

If you provide an authorized agent with power of attorney pursuant to Probate Code sections 4000 to 4465, it may not be necessary to perform these steps and we will respond to any request from such authorized agent in accordance with the CCPA.

8. Contact for More Information
If you have questions or concerns regarding our privacy policy or practices, you may email us at privacy@strivr.com.