We've built our careers and our business in the ethics and compliance community, where understanding the rules and doing the right thing is the price of entry. We believe compliance and privacy are not just a list of boxes to check; they represent a sincere commitment to doing business with integrity. That's why we will never sell your personal data, will always endeavor to handle your data with care, and will respect your rights.

Your trust is important to us. If you have any questions or concerns about this policy, contact us at dataprivacy@rethinkcomplianceco.com.

PRIVACY POLICY

Effective Date: October 11, 2023

Version 1.1

1. Introduction

Rethink Compliance LLC ("Rethink Compliance", "our", "us", and "we") respects your privacy and is committed to protecting it through our compliance with this privacy policy ("Privacy Policy").

This Privacy Policy describes the types of information we may collect from you, the user, ("you" and "your") or that you may provide through any method, including, for example, when you visit our website http://www.rethinkcomplianceco.com, or any affiliated websites controlled by Rethink Compliance that may contain a link to this Privacy Policy, including, without limitation, any pages, facilities, services, or capabilities accessible on or by any top-level domain owned by us or any subsite, subdomain, subdirectory, virtual site, or virtual directory thereof (collectively, the "Site"). This Privacy Policy also describes our practices for collecting, using, maintaining, protecting, and disclosing that information.

This Privacy Policy applies to information we collect:

• on or through the Site;
• in email, text, and other electronic messages between you and the Site or us;
• when you interact with our advertising and applications on third-party websites and services, if those applications or advertising include links to this Privacy Policy;
• offline or through any other means, including on any other website operated by us or any third-party (including our affiliates and subsidiaries); and
• from any third-party (including our affiliates and subsidiaries), including through any application or content (including advertising) that may link to or be accessible from or on the Site.

Please read this Privacy Policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, including our use and disclosure of your Personal Information, please do not use our Site and do not provide us with any of your information. By accessing or using the Site, you agree to the terms of this Privacy Policy and consent to our privacy practices described in this Privacy Policy, including our use and disclosure of your Personal Information as described in Section 6 below. This Privacy Policy may change from time to time as described in Section 2 below. Your continued use of the Site after we make changes is deemed and treated as your acceptance of those changes, so please check the Privacy Policy periodically for updates.

If you reside in the European Union or other regions with laws governing data collection and use that may differ from U.S. law, please note that you are transferring information about you, including personal information, to a country and jurisdiction that does not have the same data protection laws as the European Union, and you consent to the transfer of information about you, including your Personal Information, to the U.S.; and the use and disclosure of information about you, including your Personal Information, as described in this Privacy Policy.

2. Changes to Our Privacy Policy

From time to time, we may make changes to this Privacy Policy in order to accommodate new technologies, platforms, industry practices, regulatory requirements, new developments or for other purposes. We encourage you to review this Privacy Policy periodically to ensure that you understand how we collect, use, and share information through the Site. If we do make changes to this Privacy Policy, we will notify you as required under applicable law, and we will also update the "Effective Date" posted at the top of this Privacy Policy. Any changes to this Privacy Policy will become effective when the revised Privacy Policy is available on the Site. By continuing to use the Site following such changes, you are agreeing to accept the terms of the revised Privacy Policy.

3. Contact Information

To ask questions or provide comments about this Privacy Policy, please contact us at: dataprivacy@rethinkcomplianceco.com

4. Children Under the Age of 18

Our Site is not intended for children under 18 years of age. No one under age 18 may provide any information to the Site. We do not knowingly collect information from children under 18 and do not direct our Site for use by individuals under the age of 18. If you are under 18, do not use or provide any information on the Site or on or through any of its features, use any of the interactive or public comment features of the Site or provide any information about yourself to us, including your name, address, telephone number, email address, or any screen name or user name you may use. If we learn we have collected or received Personal Information from a child under 18 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 18, please contact us at dataprivacy@rethinkcomplianceco.com and we will promptly remove the information.

5. Information We Collect About You and How We Collect It

As you use the Site, we may collect two types of information from you: (a) Personal Information (as described below); and (b) Non-Personal Information (as described below):

a. "Personal Information" is information that identifies you personally, such as your name, address, telephone number, email address, or company name. Here are some examples of the ways in which we may collect and store your personally identifiable information:

• We may collect your first and last names, email address, or other information if you fill out certain forms or online requests on the Site;
• We may collect your email address if you contact us with a question;
• If you apply to work for Rethink, provide us with products or services, or become a customer of ours, we may need to collect additional information, such as: your address, telephone number, driver’s license or state identification card number, education, employment, employment history, bank account number, credit card number, debit card number, social security number, or any other financial information.

b. "Non-Personal Information" is demographic, aggregated, non-identifiable, technical, and/or anonymized information. Non-Personal Information does not identify you personally. If you do provide us with Non-Personal Information, we may use it for the purposes described in this Privacy Policy, or any other legal purpose. Here are some examples of ways through which we may collect and store your Non-Personal Information through the Site:

• Log Information: When you use the Site or view content provided through the Site, we automatically collect and store certain information in our server logs. This type of information includes details of how you use the Site, IP address information, web pages which have been viewed by you, date and time, domain type, device event information such as crashes, system activity, hardware, settings, browser type, browser language, the date and time of your requests, and referral URL.
• Internet Protocol (IP) Address: Your "IP address" is a number that lets computers attached to the internet know where to send you data, such as screens and pages of our services that you view. We use this information to deliver our screens and pages to you upon request and to measure traffic to and within our services.
• Demographic Information: "Demographic Information" may be gender, age, zip code, and interests which are not personally identifiable. We may collect such information about you through our services and use it to provide you with personalized services and to analyze trends to ensure that our services and the information on them is targeted to meet your needs. Please note that we also consider aggregated information, which is not personally identifiable, to be Non-Personal Information.
• Location Information: When you use the Site, we may collect and process information about the general location of the device from which you access this Site, but we do not collect your specific address.
• Usage Information: When you use the Site, we may collect and process information about how you use the Site, including how you navigate through the Site.
• Feedback Information: From time to time, we may request that you provide us with feedback regarding the Site, as well as the products and services we offer. We may do this in the form of a survey or other feedback mechanism. We may collect and analyze this information.

The technologies we use for this automatic data collection may include:
• Cookies (or browser cookies): A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting, you may be unable to access certain parts of the Site. Unless you have adjusted your browser setting so that it will refuse our cookies, our system will use cookies when you direct your browser to the Site.
• Flash Cookies: Certain features of our Site may use local stored objects (or Flash cookies) to collect and store information about your preferences and navigation to, from, and on our Site. Flash cookies are not managed by the same browser settings as are used for browser cookies. For information about managing your privacy and security settings for Flash cookies, see Section 8 below.
• Web Beacons: Pages of the Site and our emails may contain small electronic files known as web beacons (also referred to as clear gifs, pixel tags, and single-pixel gifs) that permit us, for example, to count users who have visited those pages or opened an email and for other related website statistics (for example, recording the popularity of certain website content and verifying system and server integrity). If you encounter a screen or page that requests information you do not want to share with us, do not enter the information and do not proceed with that screen or page.

You also may provide information to be published or displayed (hereinafter, "posted") on public areas of the Site or transmitted to other users of the Site or third-parties (collectively, "User Contributions"). Your User Contributions are provided, posted, and transmitted to others at your own risk. Please be aware that no security measures are perfect or impenetrable. Additionally, we cannot control the actions of other users of the Site with whom you may choose to share your User Contributions. Therefore, we cannot and do not guarantee that your User Contributions will not be viewed by unauthorized persons. Any User Contributions you post or otherwise provide are at your own risk.

6. How We Use Your Information

a. Personal Information. If you provide us with Personal Information, we will only use it for the lawful purposes described in this Privacy Policy and based upon the legal justification set forth below. Primarily, we use it to fulfill our business interests as set forth below, or for other purposes based on your consent, which

• Offering you the products and services you request;
• Helping us create or offer content which is relevant to you;
• Alerting you to special offers, updated information, and other new services offered by us or by third-parties;
• Improving your user experience and the experience of other users of the Site, including through the improvement and implementation of new security measures and protections;
• Understanding how you use the Site; or
• Contacting you in response to an email or other communication.

We will retain your Personal Information for as long as necessary to fulfill the purpose(s) for which it was collected and to comply with applicable laws, and your consent to such purpose(s) remains valid during such time.

b. Non-Personal Information. We may use Non-Personal Information for the purposes described in this Privacy Policy, or any other legal purpose, including, when and where applicable, combining Non-Personal Information with Personal Information. Without limiting the above, we may collect information to understand how you use the Site and how we can improve the Site’s functionality and privacy and security measures.

c. Reports. We periodically prepare analyses and reports reflecting our visitors' use of the Site and other services. In preparing these reports, we may combine and analyze the Personal Information you provide to us with information from other sources. However, these reports will only include aggregate information about visitors. The information in these reports will not identify you individually, and any business partner with whom such reports may be shared will not be able to contact you based on the information contained in the reports.

7. Disclosure of Your Information

We may disclose information we obtain about you in compliance with this Privacy Policy and applicable law. We share information in order to provide services for clients, or with our third-party vendor partners on the basis of the consent you provide to us or in order to fulfil our contractual obligations as part of the services we provide to you when you decide to engage with us. The recipients of your Personal Information include our third-party data processors, which include but are not limited to our third-party database administrators, background check providers, lead management vendors, and communications vendors. We take reasonable steps to assure these third parties take steps to safeguard your Personal Information against improper disclosure and in accordance with the law.

a. Personal Information. We may share or disclose your Personal Information, and these recipients may process your Personal Information in the following instances:

• To fulfill a service to you (e.g., to provide you with compliance program content, or to conduct risk assessments);
• To send you information, including news, events, and related information that you have subscribed to receive;
• To provide analyses to our clients;
• To offer you products from us or our affiliates, strategic partners, or agents, or to assist such parties for research, administrative, and/or business purposes;
• To unaffiliated third-party service providers, agents, or independent contractors who help us maintain our products and services;
• To comply with law or, if in good faith we believe that such action is necessary to conform to the requirements of law, or comply with legal process served on us, and to protect and defend our rights or property, or act in urgent circumstances to protect the personal safety of you and our other visitors;
• To third parties as part of a corporate reorganization process including, but not limited to, a merger, acquisition, or sale of all or substantially all of our assets;
• To track and analyze non-identifying, aggregate usage and volume information from our visitors and provide such information to third parties; and
• To protect against fraud or potential fraud.

b. Non-Personal Information. We may share or disclose your Non-Personal Information for the purposes disclosed in this Privacy Policy or for any other legal purpose, including when and where applicable, sharing and disclosing Non-Personal Information combined with Personal Information.

c. Legal Disclosure. We may disclose and share information about you and your use of the Site if we believe such disclosure is necessary to:

• Comply with the law and/or legal process where a formal request has been made;
• Protect or defend our rights and/or property and property of others;
• Enforce relevant terms and conditions and/or this Privacy Policy;
• Respond to claims that the content(s) of a communication violates the rights of another.

8. Choices About How We Use and Disclose Your Information

We strive to provide you with choices regarding the Personal Information you provide to us. We have created mechanisms to provide you with the following control over your information:

a. Tracking Technologies and Advertising. You can set your browser to refuse all or some browser cookies, or to alert you when cookies are being sent. If you disable or refuse cookies, please note that some parts of the Site may then be inaccessible or not function properly.

• We may use cookies provided by Google Analytics to help us measure how visitors use the Site. The information collected is used for a variety of purposes, including, but not limited to, site traffic reporting, unique visitor counts, and content optimization. Although Google Analytics logs the information coming from the Site on our behalf, we control how the data may and may not be used. If you do not want to help us learn how to improve the Site, you can opt-out of this website analysis tool by clicking: https://tools.google.com/dlpage/gaoptout.

• We may use Google to provide re-marketing services to you (i.e., when you visit other third-party websites, you may see advertisements about us). Google uses cookies through our Site to remember that you have visited our Site and provide our advertisements to you on those third-party websites. You can opt out of Google’s features by visiting https://adssettings.google.com/authenticated to customize how you receive ads from Google across different websites.

• We may also use LinkedIn to provide advertisements to you about our products and services. Please visit LinkedIn’s opt-out choices at https://www.linkedin.com/psettings/guest-controls to see how you can control the advertisements you receive from LinkedIn.

b. Promotional Offers and Marketing from Us. Should you not wish to have your contact information used to promote our products or services, you can opt-out by either using the “unsubscribe” link located in the email or by sending us an email stating your request to dataprivacy@rethinkcomplianceco.com.

We do not control third parties' collection or use of your information to serve interest-based advertising. However, these third parties may provide you with ways to choose not to have your information collected or used in this way. You can opt out of receiving targeted ads from members of the Network Advertising Initiative ("NAI") on the NAI's website, available here: http://optout.networkadvertising.org/?c=1#!/.

9. Data Security

We have implemented measures to secure your Personal Information from accidental loss and from unauthorized access, use, alteration, and disclosure. However, this is not a guarantee that such information may not be accessed, disclosed, altered, or destroyed by breach of such firewalls or secure server software. Unfortunately, the transmission of information via the internet is not completely secure. Although we do our reasonable best to protect your Personal Information, we cannot guarantee the security of your Personal Information when transmitted. Any transmission of Personal Information is done at your own risk. We are not responsible for circumvention of any privacy settings or security measures contained on the Site.

10. Accessing, Correcting, and Deleting your Personal Information

If you provide us with information in order to access the Site or receive our services, we may or may not be able to provide you with access to your Personal Information. If information that we control about you is incorrect, we strive to give you ways to update it quickly or to delete it (unless we have to keep that information for legitimate business or legal purposes). When updating your Personal Information, we may ask you to verify your identity before we can act on your request. We aim to maintain our services in a manner that protects information from accidental or malicious destruction. Because of this, we may not immediately delete residual copies from our active servers and may not remove information from our backup systems.

11. Third-Party Links

The Site may contain links to webpages operated by parties other than us. We do not control such websites and are not responsible for their contents or the privacy policies or other practices of such websites. Our inclusion of links to such websites does not imply any endorsement of the material on such websites or any association with their operators. Further, it is up to you to take precautions to ensure that whatever links you select or software you download (whether by using the Site to access websites or otherwise) is free of such items as viruses, worms, trojan horses, defects and other items of a destructive nature. Other websites and services may have their own privacy policies, which the User will be subject to upon linking to the other third-party's website. We strongly recommend that you review the other third-party’s terms and conditions and privacy policies prior to visiting or using any other websites or downloading any software.

12. Do Not Track (DNT) Signals

Our Site does not respond to Do Not Track (DNT) signals. Some third-party websites do keep track of your browsing activities when they serve you content, which enables them to tailor what they present to you. If you are visiting such sites, your browser may include controls to block and delete cookies, web beacons and similar technologies, to allow you to opt out of data collection through those technologies.

13. Compliance and Cooperation with Regulatory Authorities

We regularly review our compliance with our Privacy Policy. When we receive formal written complaints, if reasonably possible, we will contact the person who made the complaint to follow up. We will work with the appropriate regulatory authorities, including local data protection authorities, to resolve any complaints regarding the transfer of Personal Information if we cannot resolve the matter with our customers directly. Subject to applicable law, you also have a right to communicate directly with appropriate regulatory authorities if you believe we are in violation of your rights under applicable law.

14. General Data Protection Regulations (“GDPR”)

The GDPR is a privacy regulation covering individuals in the European Union. In the event that we collect Personal Data (as defined in the GDPR) that is subject to the GDPR, this section will apply. Terms in this section are to be understood in a manner consistent with GDPR including the definition of such term in the GDPR. Such term may have a different definition or meaning in other portions of this Privacy Policy because GDPR may not apply to those sections. This section will only apply to you if you are an individual who currently resides in the European Union (a "Data Subject").

Categories of Personal Information.

• We may collect the data elements described above in Section 5.1 "Personal Information."

Legal Basis for Processing and Processing Purposes

We only use your Personal Information for the lawful purposes described in this Privacy Policy and based upon the legal justification set forth below. Generally, we process your Personal Data: (1) with your consent; (2) subject to the performance of a contract to which you as the data subject are a party; (3) in order to take steps at your request to enter into an agreement with Rethink Compliance; or (4) pursuant to our or a third party’s legitimate interest provided such interests are not overridden by any of your interests or freedoms and fundamental rights with respect to data privacy. You have the right to withdraw your consent at any time. The Personal Information we collect originates from the individual providing their Personal Information to us, our partners, third parties, or from publicly-available sources. Specifically, we process your Personal Information:

• With your consent and pursuant to our legitimate interests, to offer you the products and services you request in order to fulfill our contractual obligations as a part of the services we provide to you when you decide to engage with us;
• Pursuant to our legitimate interests, to provide analyses to our clients;
• Subject to the execution of a data protection agreement, to unaffiliated third-party service providers, agents, or independent contractors who help us maintain our services and with other administrative services (including, but not limited to, order processing and fulfillment, providing customer service, maintaining and analyzing data, and sending customer communications on our behalf);
• With your consent, to help us create or offer content which is relevant to you;
• With your consent, alert you to special offers, updated information, and other new services offered by us or by third parties;
• With your consent, and pursuant to our legitimate interests, to improve your user experience and the experience of other users of the Site, including through the improvement and implementation of new security measures and protections;
• With your consent, and pursuant to our legitimate interests, to understand how you use the Site;
• With your consent, to contact you in response to an email or other communication;
• To third parties as part of a corporate reorganization process including, but not limited to, mergers, acquisitions, and sales of all or substantially all of our assets. To the extent permitted, we will inform Data Subjects before making such disclosure and provide them with a reasonable opportunity to object to such disclosure.
• Subject to your choices and your consent, to track and analyze non-identifying, aggregate usage and volume statistical information from our visitors and customers and provide such information to third parties; or
• To comply with legal obligations, if in good faith we believe that such action is necessary to conform to the requirements of law, or comply with legal process served on us, and, pursuant to our legitimate interests, to protect and defend our rights or property, or act in urgent circumstances to protect the personal safety of you and our other visitors.

Onward Transfer

We will not disclose Personal Information to a third party except as stated below:

We may disclose Personal Data to subcontractors and third-party agents. Before disclosing Personal Information to a subcontractor or third-party agent, we take reasonable steps to assure these parties take steps to: (i) transfer such data only for limited and specified purposes; (ii) ascertain that the subcontractor or third-party agent is obligated to provide at least the same level of privacy protection as is required by the GDPR; (iii) take reasonable and appropriate steps to confirm that subcontractors and third-party agents effectively process the personal information transferred in a manner consistent with the organization’s obligations under the GDPR; (iv) require subcontractors and third-party agents to notify the organization if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the GDPR; (v) upon notice, including under (iv), take reasonable and appropriate steps to stop and remediate unauthorized processing; and (vi) provide a summary or a representative copy of the relevant privacy provisions of its contract with subcontractors and third-party agents to supervisory authorities upon request.

We may also be required to disclose, and may disclose, Personal Information in response to lawful requests by public authorities, including for the purpose of meeting national security or law enforcement requirements, or in the event of a merger or acquisition.

Choice

Data Subjects have the right to opt out of (a) disclosures of your Personal Information to third parties not identified at the time of collection or subsequently authorized, and (b) uses of Personal Information for purposes materially different from those disclosed at the time of collection or subsequently authorized. If you wish to limit the use or disclosure of your Personal Information, you should submit that request to our Data Protection Officer at dataprivacy@rethinkcomplianceco.com.

Data Integrity

We are responsible for ensuring that (a) Personal Information collected is accurate, complete, current and reliable for its intended uses; and (b) Personal Information is retained only for as long as is necessary to accomplish the legitimate business purposes disclosed to the Data Subject and for any compatible purposes. We will cooperate with reasonable requests for assistance in meeting these obligations.

Retention

Personal Information that we process for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes or for compatible purposes, such as to provide additional services, to comply with legal requirements, or to preserve or defend our legal rights. We will retain your Personal Information for as long as necessary to fulfill the purpose(s) for which it was collected and to comply with applicable laws, and your consent to such purpose(s) remains valid during such time. Notwithstanding the other provisions of this section, we may retain your Personal Information where such retention is necessary for compliance with a legal obligation to which we are subject, or to protect your vital interests or the vital interests of another natural person.

Accessing, Correcting, and Deleting Your Information.

Data Subjects have the right to access the Personal Data an organization holds about them. If such Personal Information is inaccurate or processed in violation of the GDPR, a Data Subject may also request that Personal Information be corrected, amended, or deleted. To request access to, or correction, amendment, or deletion of, Personal Information, Data Subjects should contact our Data Protection Officer at dataprivacy@rethinkcomplianceco.com. We will cooperate with all reasonable requests to assist Data Subjects to exercise their rights under the GDPR.

Objection to Processing.

Data Subjects have the right at any time to object to our use of your Personal Information for any direct marketing purposes, including profiling to the extent it is used for direct marketing. If we are processing your Personal Information based on our business interests, you may contact us and object to such processing by asserting that our interests do not override your interests, rights, and freedoms. You may exercise the rights set out in this paragraph by contacting us at the address listed above.

Suspension of Processing.

Data Subjects have the right to request that we restrict the processing of your Personal Information, if:

• you believe that the Personal Information we maintain about you is inaccurate, and you have asked us to verify the accuracy of such information as provided above;
• you believe that your Personal Information has been unlawfully processed and you want us to restrict processing rather than erase your information;
• we no longer need your Personal Information, but you need us to retain it in order to establish, exercise or defend a legal claim; or
• you have objected to our processing of your Personal Information, as permitted under applicable law, and we are considering the grounds of your objection.

Identification of Data Controller:

For most purposes other than processing information through the site, we are not a data controller. We may, however, process personal information for our clients. We are located at 1800 Wazee Street, Suite 300, Denver, CO 80202. You may contact Rethink Compliance at dataprivacy@rethinkcomplianceco.com for questions related to this policy.

Data Protection Officer and Contact Details

Rethink’s Data Protection Officer can be contacted at dataprivacy@rethinkcomplianceco.com.

Identification of Primary Member State Supervisory/Data Protection Authority

You have the right to lodge a complaint regarding the processing of your Personal Information with us by contacting our Data Protection Officer listed above. If you are a resident of the European Union, you also may lodge a complaint with the Data Protection Authorities in the Member State where you habitually reside, work, or where an infringement occurred. You can find a list of Data Protection Authorities here.

Transfers outside the European Union

When we transfer Personal Information from the EU to entities within our organization located outside of the EU, we rely on GDPR rules that permit transfer in certain cases (e.g., to perform a contract) or rely on standard contractual clauses adopted by the European Commission to help establish adequate safeguards. If we transfer Personal Information from the EU to another party located outside the EU, where needed, we will rely on a legal framework that provides appropriate safeguards, which could include the standard contractual clauses, binding corporate rules, or another framework deemed adequate by the European Commission.

15. Information for California Residents

A California resident who has provided Personal Information to a business with whom they have established a business relationship for personal, family, or household purposes (a "California Customer") may request information about whether the business has disclosed personal information to any third parties for the third parties’ direct marketing purposes. In general, if the business has made such a disclosure of Personal Information, upon receipt of a request by a California Customer, the business is required to provide a list of all third parties to whom Personal Information was disclosed in the preceding calendar year, as well as a list of the categories of Personal Information that were disclosed. California Customers may request further information about our compliance with this law by mailing us at 1800 Wazee St, Suite 300, Denver, CO 80202 or emailing us at dataprivacy@rethinkcomplianceco.com. Please note that we are only required to respond to two requests per California Customer each year under Code Section 1798.83.

We are not a "business" as defined by the California Consumer Protection Act ("CCPA"), and therefore, the CCPA does not apply to our collection of your information. However, we provide California residents with all the rights listed elsewhere in this Privacy Policy.