PRIVACY POLICY AND NOTICE

Card Issuance & Management, Inc.

Effective Date: September 15, 2025

Notice: Visitors are welcome on this website. But visitors are not authorized to use this website, or any website to which this website links, to obtain information about a specific CIMI Card, Cardholder or data subjects unless you are a legal holder of a CIMI Card or are otherwise permitted to do so under the terms and conditions of the CIMI Card. Any use of bots, crawlers, scripts or other automated means to test this website for information, to access data or to collect content is strictly prohibited unless expressly authorized by Card Issuance & Management, Inc.

PRIVACY NOTICE

Important: You must read this Privacy Policy. It describes our privacy policies and practices with respect to collecting, receiving, using, storing, processing, sharing, disclosing, retaining and protecting Personal Information (defined below) if it is collected and received by us regarding the services we provide to our business clients and consumers. It also informs you of the privacy rights you may hold per applicable privacy laws. And it informs you of our privacy policies regarding the use of our websites. It is important that you understand what Personal Information we may collect and what we do with Personal Information while it is in our hands.

WHO WE ARE

Card Issuance & Management, Inc., also known as CIMI, is an Arizona corporation in the USA. Directly or through its subsidiaries, CIMI is engaged in the business of issuing and/or servicing prepaid cards whether they are issued as a physical card or as a digital or virtual code, including (a) gift cards, (b) merchandise return cards, (c) loyalty, incentive and promotional cards, along with (d) related wallets, accounts and applications (collectively, the CIMI Cards). CIMI Cards are sold or given to cardholders. A cardholder may be a purchaser of a CIMI Card or a person who acquires a CIMI Card by gift, reward or otherwise. Cardholders use a CIMI Card to purchase goods and/or services from a merchant in accordance with the terms and conditions of the CIMI Card.

DEFINITIONS

This Privacy Policy and Notice is referred to herein as the Privacy Policy. Cardholders are referred to as Cardholders or as you, your, or the like. Visitors to our websites are also referred to as you, your, or the like. CIMI and its subsidiaries and affiliates are referred to collectively as CIMI or as we, us, our or the like. The United States of American is referred to as United States or USA. The terms include or including are deemed to be followed by the phrase “without limitation.” The terms or phrases Bulk Business Buyer, Card Distributor, CIMI Sites, Demographic Data, Personal Information, Program Manager, Redeeming Merchants, Transaction Data and Transaction Processer are described or defined elsewhere in this Privacy Policy.

OUR PRIVACY POLICY – PERSONAL INFORMATION

As used herein, Personal Information means and refers to personal data, personal information, and personally identifiable information about consumers as those phrases are defined in applicable privacy laws, including such privacy laws in the United States and foreign jurisdictions. Personal Information includes information that identifies, describes, or reveals a particular consumer or household. Examples are names, postal addresses, residence addresses, email addresses, internet protocol addresses, social security numbers, driver’s license numbers, and passport numbers. We do not consider pseudonymous data, deidentified data or anonymous aggregated data itself to be Personal Information. Personal Information sometimes is referred to as being PI which stands for personal information, or as being PII which stands for personally identifiable information.

OUR PRIVACY POLICY – ITS PURPOSE

In the course of performing our business activities, we receive information and data regarding CIMI Cards and CIMI services. Depending upon the CIMI Card and program, we may or may not receive Personal Information on Cardholders, including your Personal Information. We are committed to protecting the privacy of Personal Information. The purpose of this Privacy Policy is to inform you about how we collect, receive, use, store, process, share, disclose, retain and/or protect Personal Information in the course of issuing and servicing CIMI Cards and providing related services. It also informs you of your privacy rights and how the law may protect you. It also covers your use of the websites hosted and/or managed by CIMI and its affiliates (collectively, the CIMI Sites). For a list of the CIMI Sites, see the Glossary below in this Privacy Policy.

Please note that additional information is provided in the Addendum on Jurisdiction Specific Privacy Notices and Disclosures. The Addendum informs you about our handling of Personal Information under the specific laws of certain USA states and foreign jurisdictions.

This Privacy Policy will be changed from time to time, as is more fully described in the section below on Changes to Our Privacy Policy. You may download a pdf version of the current Privacy Policy or you may obtain access to copy by calling the toll free number, 855.971.7430.

OUR PRIVACY POLICY – ITS OBJECTIVES

Our Privacy Policy is based upon six objectives designed, among other things, to achieve the following privacy goals required one or more privacy laws: limited collection, minimized collection, limited dissemination, limited use, limited retention, and secure environments.

First, applying the objective of limited collection, Personal Information will be collected by or on behalf of CIMI only for the limited business purposes specified in this Privacy Policy. Further, applying the objective of minimized collection, CIMI will collect only as much Personal Information as is necessary for the specified business purposes. In that regard, the typical CIMI Card is designed to be a simple anonymous card, like most retail gift cards, under which the identity of the cardholder is not known by the card issuer.

Second, applying the objective of limited dissemination, to the extent that other companies and contractors (involved with the CIMI Cards or a CIMI program) may collect Personal Information for collateral reasons in the course of their specific, respective businesses, then the Personal Information should not be shared with CIMI unless it is physically needed at CIMI for the conduct of CIMI’s specific business. In those situations, CIMI will endeavor to enter into contracts with the third parties containing provisions barring disclosure or sharing of Personal Information with CIMI, thereby limiting the unneeded disclosure or dissemination of Personal Information among multiple separate companies, avoiding the unnecessary spread of Personal Information, reducing the exposure of Personal Information to identity thieves and hackers, reducing security costs, and maintaining the goal of a simple anonymous card. That typically occurs in two situations:

Card Program Required Collection. A client or contractor may collect Personal Information on behalf of or in furtherance of a CIMI Card program, such as for the limited purpose of collecting the delivery address for a CIMI Card when sold on-line. The collected Personal Information is needed for the CIMI Card program (i.e. to deliver a card) but physical possession of the Personal Information at CIMI as the Card Issuer is not necessary. In that situation, CIMI will endeavor to enter into a contract with the client or contractor that bars the disclosure or sharing of the Personal Information with CIMI and thereby holds the Personal Information where it is needed which is with the third party.

Dual Purpose Collection. A client or contractor may collect Personal Information on behalf of a CIMI Card program but also on behalf of or in furtherance of another program or endeavor other than the CIMI Card program. As an example, a Bulk Business Buyer may collect Personal Information for an employee incentive program for the purpose of having the address of an employee for the delivery of CIMI Cards to ultimate end-users. However, the Bulk Business Buyer also may collect additional personal employment information about the employment of the employee that may be needed for the employer’s employment incentive program but will be unrelated to the CIMI Card program. In that situation, CIMI will endeavor to enter into a contract with the Bulk Business Buyer that bars the disclosure or sharing of the Personal Information with CIMI given its dual purpose nature, particularly since CIMI does not physically need the information at CIMI for the performance of conducting its business. A second example is an active incentive program of a Redeeming Merchant in which a CIMI Card is involved, and information is collected for the delivery of the CIMI Card but also for the separate incentive program of the Redeeming Merchant.

Third, applying the objective of limited uses, if Personal Information is received or collected by CIMI, then CIMI will limit the use of the Personal Information to uses that are reasonable and necessary for CIMI to carry out its business operations. Again, the business of CIMI typically is to issue or to service anonymous cards where the identity of the cardholder is unknown.

Fourth, applying the objective of minimal data, if Personal Information is received or collected by CIMI, then CIMI should endeavor to use commercially reasonable efforts to pseudonymize or deidentify the Personal Information while in the hands of CIMI.

Fifth, applying the objective of limited retention, if Personal Information is received or collected by CIMI, then CIMI will endeavor to retain Personal Information only for as long as is necessary to perform the task for which the Personal Information was collected, after which time CIMI should cease to retain the Personal Information per its document and data retention policy.

Sixth, applying the objective of secure environments and the general goals of compliance, if Personal Information is received or collected by CIMI, then CIMI should comply with applicable privacy laws governing the Personal Information during the time period from when the Personal Information is received or collected until it ceases to be retained by CIMI pursuant to CIMI’s document and data retention policy. Without limiting the foregoing, CIMI will store and process Personal Information using appropriate technical and organizational measures to provide appropriate security, accuracy, integrity, and confidentiality.

OUR PRIVACY POLICY – THE PERSONAL INFORMATION WE RECEIVE

In the course of our business and depending upon the CIMI Card and card program, CIMI may or may not receive or collect Demographic Data on the CIMI Cards that will include Personal Information regarding a Cardholder, including you. We may also collect Personal Information from visitors to the CIMI Sites.

To determine if your CIMI Card is in a card program in which CIMI receives Personal Information, please visit the CIMI Site designated on the back of your CIMI Card and go to our Consumer Personal Information Disclosures Tab at the CIMI Site. The URL for that CIMI Site usually begins with the phrase “mycardterms.com.” The Consumer Personal Information Disclosures Tab will inform you if Personal Information is collected in conjunction with your specific CIMI Card. For more information, see the section below in this Privacy Policy on About Our Consumer Personal Information Disclosures Tab.

Gift cards commonly are purchased by a Cardholder who may gift the CIMI Card to a gift recipient resulting in two Cardholders; namely, the card purchaser then the gift card recipient. This Privacy Policy applies to Personal Information collected on all consumers who are Cardholders, including both a gift card purchaser and/or a gift card recipient. For CIMI Cards purchased by a business instead of a consumer, please see the information provided in a separate section below on Personal Information Re Cards Sold in Bulk to Businesses

In addition to the foregoing, the following describes some of the more common circumstances illustrating the Personal Information that we receive or collect and the sources of the Personal Information that we receive and collect:

Sources of Personal Information in General. If CIMI receives or collects Personal Information, it typically will do so from the following sources: (a) CIMI may receive Personal Information about Cardholders that is collected by Card Distributors, Bulk Business Buyers, Redeeming Merchants, Transaction Processors, and/or Program Managers; such information, if received, will be transmitted by those entities to CIMI either directly or through commercial transaction processors, (b) CIMI itself may directly collect Personal Information from Cardholders while directly performing certain operational services for the Cardholders, (c) CIMI may collect Personal Information from the visitors at the CIMI Sites, (d) CIMI may be provided Personal Information in the course of incidents, audits, reviews and/or investigations, and (e) CIMI will collect Personal information if and when a consumer elects to contact CIMI for customer service. Each of these sources of Personal Information is discussed below.

Third Parties in General. CIMI receives a variety of information about CIMI Cards from companies and contractors involved in the operation and administration of the a CIMI card program, including business clients, Program Managers, Transaction Processors, data centers, card inventory providers, Redeeming Merchants, Card Distributors, Bulk Business Buyers, regulators, auditors, government authorities, professionals, and others. The information received by CIMI from those third parties sources includes Transaction Data (described below), but typically does not include Personal Information. To the extent Personal Information is received or collected by us from these companies and contractors, it is described below and will be subject to this Privacy Policy.

Card Distributors. CIMI receives information about the CIMI Cards that is collected or generated by the third parties that sell or distribute the CIMI Cards and/or manage the sales and distribution of the CIMI Cards (each a Card Distributor). With respect to Personal Information received by CIMI from Card Distributors, if any, please review the separate section below on Personal Information Collected By Card Distributors.

Redeeming Merchants. CIMI receives information about CIMI Cards emanating from the merchants that accept and redeem the CIMI Cards for the purchase of goods and/or services from the merchants (each a Redeeming Merchant). With respect to Personal Information received by CIMI from such merchants, if any, please review the separate section below on Personal Information Collected by Card Redeeming Merchants.

Direct Services. The CIMI Cards are supported by certain CIMI services that are provided directly by CIMI and are available to Cardholders and accessible at CIMI Sites. Some of these CIMI services require the collection by CIMI of Personal Information. Currently, the service that requires Personal Information is the Virtual Cash Out Service (VCO), which supports requests by Cardholders to cash-out a CIMI Card if and as cash-out is required by law. The Personal Information is collected with the Cardholder’s consent for the business purpose of carrying out the VCO service and to prevent fraud, abuse, and misuse in providing the VCO service.

Transaction Processors. In a typical CIMI Card program, Transaction Data (described below) is processed by a commercial transaction processor (each a Transaction Processor) and is provided by the Transaction Processors to CIMI. Typically, the Transaction Data is generated at the points of card sales (i.e., at a Card Distributor) and at the points of card redemption (i.e., at a Redeeming Merchant). Some Transaction Processors may also serve as a Program Managers and/or Card Distributor. CIMI may receive Personal Information from a Transaction Processor. If it is received by CIMI, it will be subject to this Privacy Policy.

Program Managers. In a typical CIMI Card program, certain program management tasks will be performed by third party service providers or contractors commonly known as program managers (each a Program Manager). Some Program Managers may also serve as a Transaction Processor and/or a Card Distributor. CIMI may receive Personal Information from a Program Manager. If it is received by CIMI, it will be subject to this Privacy Policy.

Customer Service. CIMI will receive or collect Personal Information about you in the event you elect to contact CIMI with respect to customer service and provide Personal Information during the contact. Such Personal Information typically consists of name and contact information provided by you. It is collected for customer service purposes only and will be subject to this Privacy Policy.

Website Interaction. A CIMI Site may provide Cardholders and other visitors to a CIMI Site with the opportunity to contact or interact directly by email with us through or via the website. The information that a Cardholder or visitor elects to provide in making the contact may include Personal Information provided by a Cardholder or the visitor. Such information usually consists of name and contact information. It is collected for the purpose of addressing the inquiry or comment of the Cardholder or visitor, and will be subject to this Privacy Policy.

CIMI Site Usage. With respect to your access and use of a CIMI Site, including this website, we may automatically collect information about how a Cardholder or other site visitor interacts with and uses a CIMI Site and the services thereon, if any. We automatically collect various types of data including the date and time of access to the CIMI Site and the pages and other content that a Cardholder or visitor accesses or downloads. We also automatically collect your internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other information about the devices you use to access a CIMI Site. We collect and use site usage data for system administration purposes to audit and monitor traffic on the CIMI Site and to improve the CIMI Site and the CIMI Cards and services. The information will be subject to this Privacy Policy. We do not use site usage data to manufacture the name or postal or residence address of the CIMI Site user. For specific information about the use of cookies and related website analytics at the CIMI Sites, please see the information provided in the section below on Cookies and Related Analytics.

Visitors to a CIMI Site. Visitors to the CIMI Sites may be individuals other than Cardholders. With respect to such visitors, the terms “you” and “your” and the like as used in this Privacy Policy include the visitor. With respect to visitors to the CIMI Sites, we automatically collect data regarding their use of the CIMI Site; in that regard, see the section above on CIMI Site Usage. The visitor also may engage in website interactions with us; in that regard, see the section above on Website Interaction. The collected Personal Information will be subject to this Privacy Policy.

Other. With respect to Cardholders, we may receive Personal Information from other sources such as in investigations of or inquiries regarding incidents, consumer issues, security matters, fraud, misconduct, money laundering, crimes, and/or the like. To the extent that such information constitutes Personal Information, it will be subject to this Privacy Policy.

Types of Personal Information We Receive: If it is received by us, the types of Personal Information will vary depending upon the CIMI Card and the CIMI card program, but typically will include one or more of the following personal identifiers about a Cardholder: name, residence address, zip code, email address, device and online identifiers, internet and website activities, date of birth, phone number, and/or variants thereof (generally referred to herein as the Typical Types of Collected Information). When we process a verifiable privacy right request, additional Personal Information may be collected such as a government ID if permitted, for the purpose of verification; see the section below on How to Assert Your Privacy Rights and Choices.

Unless otherwise specifically disclosed in the terms and conditions for a CIMI Card or in the Consumer Personal Information Disclosure Tab for a specific CIMI Card, it is our police not to receive or collect the following types of information about you: race or ethnicity, religious or philosophical beliefs, union membership, sex life or sexual orientation, health conditions, gender preference, political opinions, individual preferences and characteristics, education history, genetic and biometric data, background and criminal information, and audio or visual identification information.

The Consumer Personal Information Disclosures Tab. As explained above, CIMI issues CIMI Cards in multiple unrelated card programs. The categories and items of Personal Information collected by us may vary from CIMI Card program to CIMI Card program. To determine the categories and type of Personal Information collected with respect to your specific CIMI Card, if any, please visit the CIMI Site designated on the back of your CIMI Card and go to our Consumer Personal Information Disclosures Tab on the CIMI Site. The URL for that CIMI Site usually begins with the phrase “mycardterms.com.”

Transaction Data. CIMI issues a variety of different CIMI Cards in a variety of different card programs. In each card program, CIMI will receive transaction data regarding CIMI Cards from Transaction Processors, Program Managers, various contractors, and/or others. Transaction Data typically consists of a unique identifier or number for each CIMI Card (the “Card Number”) and information regarding the card transactions arising from the purchase and use of the CIMI Card (the “Transactions”). The types of card Transactions differ per card programs. Examples of the more common card Transactions are activations, loads, reloads, redemptions, and/or balance inquiries. We do not consider the Transactions themselves to be Personal Information. To the extent that the Card Numbers are viewed as being Personal Information by a specific privacy law, then it will be subject to this Privacy Policy. As a general rule, however, we do not consider the Card Numbers received by CIMI regarding CIMI Cards, in and of themselves, without more, to be Personal Information under this Privacy Policy, for one or more reasons (depending upon the card program and applicable privacy law), which reasons include: (a) in most card programs, the Card Number is not associated with a particular consumer or household, because the CIMI Card is designed to be an anonymous card, (b) we do not receive or store the PINs or security numbers for the CIMI Cards, (c) with respect to international data, the Personal Information should be separated from the Card Numbers by the company that collected it before it is sent to CIMI, (d) if Personal Information is received, it is received in many programs in tokenized or encrypted form, and/or (e) if the Personal Information is received by CIMI in a particular card program, it typically will be stored in pseudonymous or deidentified form. In that regard, CIMI does not use Transaction Data to manufacture the identity of a Cardholder or to create, develop or manufacture new Personal Information about a Cardholder.

OUR PRIVACY POLICY – PERSONAL INFORMATION COLLECTED BY CARD DISTRIBUTORS

The CIMI Cards are sold and distributed by third party Card Distributors (defined above). Card Distributors may include the Redeeming Merchant for the Card and/or other third parties and service providers in the business of selling and distributing the CIMI Cards to consumers at third party locations or on online platforms. The Card Distributors are separate companies from CIMI. Each will have its own and separate policy addressing the collection of Personal Information, if any, from you in conjunction with the purchase of your CIMI Card. We encourage you to review the privacy policy of the Distributing Company. It may govern the privacy of your information in the Distributing Company’s hands. If Personal Information is collected by a Card Distributor, the Card Distributor typically will not disclose or share it with CIMI. Additionally, and consistent with policy objectives stated above, CIMI will endeavor to enter into a contract with a Card Distributor that bars the disclosure or sharing of Personal Information with CIMI. In the event, however, that Personal Information is disclosed by a Card Distributor with CIMI, then it will be subject to this Privacy Policy while in our hands.

OUR PRIVACY POLICY – PERSONAL INFORMATION RE CIMI CARDS SOLD IN BULK TO BUSINESSES

Depending upon the card program, CIMI Cards may be sold via bulk corporate sales to businesses (each a Bulk Business Buyer). Some Bulk Business Buyers may resell such cards to consumers as authorized Card Distributors; with respect to that practice, please review the separate section above on Personal Information Collected by Card Distributors. Other Bulk Business Buyers purchase CIMI Cards via bulk corporate sales and then hand them out as rewards or perks or otherwise provide them to others such as employees, customers, consumers, and participants at events or in conjunction with loyalty, awards, promotion, or incentive programs or as gifts, awards or perks. Some Bulk Business Buyers are companies engaged in the specific business of creating or managing incentive or rewards programs for others. The Bulk Business Buyers are separate companies from CIMI. Each may have its own and separate privacy policy that addresses the Personal Information, if any, collected from the end-user recipients to whom the CIMI Cards are ultimately provided. We encourage you to review the privacy policy of the Bulk Business Buyer. It may govern the privacy of your information in the hands of the business. If Personal Information is collected by a Bulk Business Buyer, the Bulk Business Buyer typically does not disclose or share it with CIMI. In that regard, Personal Information collected by a Bulk Business Buyer typically is viewed as being the property or proprietary information of the Bulk Business Buyer or its clients, and not of CIMI. Furthermore, it usually consists of information that is specific to the business of the Bulk Business Buyer or its clients and unrelated to the CIMI Card or program. Additionally, and consistent with policy objectives stated above, CIMI will endeavor to enter into a contract with a Bulk Business Buyer that bars the disclosure or sharing of Personal Information with CIMI. In the event, however, that Personal Information is shared by a Bulk Business Buyer with CIMI, then it will be subject to this Privacy Policy while in our hands..

OUR PRIVACY POLICY – PERSONAL INFORMATION COLLECTED BY CARD REDEEMING MERCHANTS

The CIMI Cards typically are closed-loop type cards, which means they are usable or redeemable to buy goods or services from a single merchant or restricted group of related merchants (the Redeeming Merchant as further defined above). The Redeeming Merchant typically is identified on the front of the card. Redeeming Merchants are separate companies from CIMI. Each may have its own and separate privacy policy that addresses the collection of Personal Information, if any, from you at the time of the use and redemption of a CIMI Card to buy the goods and/or services of the Redeeming Merchant. Additionally, the Redeeming Merchant also may serve as a Card Distributor selling CIMI Cards as, for example, in its bricks-and-mortar stores. In that capacity, a Redeeming Merchant also may have its own and separate privacy policy addressing the collection of Personal Information, if any, from you at the time of card purchase. We encourage you to review the privacy policy of the Redeeming Merchant. It governs the privacy of your information in the hands of the Redeeming Merchant. If Personal Information is collected by a Redeeming Merchant, the Redeeming Merchant typically does not disclose or share the Personal Information with CIMI. In that regard, Personal Information collected by a Redeeming Merchant typically is viewed as being the property or proprietary information of the Redeeming Merchant, and not of CIMI. Additionally, and consistent with the policy objectives stated above, CIMI will endeavor to enter into a contract with a Redeeming Merchant that bars the disclosure or sharing of Personal Information with CIMI. In the event, however, that Personal Information is disclosed by a Redeeming Merchant to CIMI, then it will be subject to this Privacy Policy while in our hands.

OUR PRIVACY POLICY – HOW WE USE YOUR PERSONAL INFORMATON

In the event Personal Information is received or collected by CIMI, CIMI will limit its use of your Personal Information to business purposes that are reasonable and necessary to perform its duties and responsibilities as the issuer of and/or service provider for the CIMI Cards. The following describes some of the more common circumstances illustrating the business purposes for which, and how, CIMI uses your Personal Information in the course of its business, if the Personal Information has been collected or received by CIMI:

Card Distributors. As described above, Personal Information may be collected by Card Distributors involved in the business of selling or distributing CIMI Cards. Typically, Personal Information will be collected by Card Distributors for the business purposes (a) to facilitate the fulfillment, delivery, and/or shipping of CIMI Cards that are sold online or via other remote sales settings such as catalog or phone sales, (d) for use in implementing and performing standard fraud control protocols at the time of online sales of CIMI Cards to consumers using credit cards and other payments instruments to make the purchase CIMI Cards in person-not-present situations, (c) as needed for use in a constant touch card program that is purposefully designed to interact sporadically or regularly with the Cardholders such as a loyalty or affinity card program, and/or (d) as further disclosed in the privacy policy of the Card Distributor. The type of information collected varies depending upon the card program, but usually is one or more of the items in the list of Typical Types Collected Information described above. Typically, the Card Distributor does not disclose or share such Personal Information with CIMI. Additionally, and consistent with the policy objectives stated above, CIMI will endeavor to enter into a contract with a Card Distributor barring the disclosure or sharing of Personal Information with CIMI. To the extent, however, that Personal Information is received, it will be subject to this Privacy Policy.

Note: In some prepaid card or prepaid access device programs, a card issuer and/or Card Distributor may be required by law to gather Personal Information on Cardholders (a) if such collection is required by anti-money laundering laws (the AML Regulations) unless an exemption to the AML Regulations is applicable, or (b) if such collection is required by another law or regulation. Your CIMI Card and card program has been designed by CIMI so that an exemption to the AML Regulation should apply, so Personal Information is not collected by CIMI or others pursuant to the AML Regulations. Nor is it collected per a requirement of another law or regulation.

Use by Bulk Business Buyers. As described above, Personal Information may be collected by Bulk Business Buyers engaged in bulk corporate sales programs where cards are bought in bulk and provided by the business ultimately to end-using recipients. Personal Information typically is collected for the business purposes (a) to facilitate the fulfillment, delivery, and/or shipping of CIMI Cards to the end-using recipients, and (b) as otherwise disclosed in the privacy policy of the Bulk Business Buyer or its clients. If Personal Information is collected by a Bulk Business Buyer, the business typically does not disclose or share the Personal Information with CIMI. In that regard, Personal Information collected by a Bulk Business Buyer typically is viewed as being the property or proprietary information of the Bulk Business Buyer or its clients, and not of CIMI, and it typically consists of information that is specific to the business of the Bulk Business Buyer or its clients and unrelated to the CIMI Card or card program. Additionally, and consistent with the policy objectives stated above, CIMI will endeavor to enter into a contract with a Bulk Business Buyer barring the disclosure or sharing of Personal Information with CIMI. In the event, however, that Personal Information is disclosed or shared by a Bulk Business Buyer with CIMI, then it will be subject to this Privacy Policy while in our hands.

Use by a Redeeming Merchant. As described above, Personal Information may be collected by a Redeeming Merchant. It typically is collected for the business purposes (a) if needed to facilitate the use of a CIMI Card by a Cardholder to buy goods and/or services from the Redeeming Merchant, particularly in on-line shopping environments, (b) in conjunction with requiring the Cardholder to move or redeem the CIMI Card into a wallet, account or application that is then used by the Cardholder at the Redeeming Merchant to access its good or services, (c) as needed for use in a constant touch card program that is purposefully designed to have the Redeeming Retailer and Cardholder interact sporadically or regularly such as in a loyalty or affinity program, and/or (d) as further disclosed in the privacy policy of the Redeeming Merchant. As also described above, some Redeeming Merchants also serve as Card Distributors and, as such, may collect Personal Information for the purposes described above for Card Distributors. The type of information collected by a Redeeming Merchant may vary depending upon the gift card program, but usually is one or more of the items in the list of Typical Types of Collected Information described above. If Personal Information is collected by a Redeeming Merchant, the Redeeming Merchant usually does not disclose or share the Personal Information with CIMI. In that regard, Personal Information collected by a Redeeming Merchant typically is viewed as being the property or proprietary information of the Redeeming Merchant, and not of CIMI, and it may consist of information that is specific to the business of the Redeeming Merchant and unrelated to the CIMI Card or card program. Additionally, and consistent with the policy objectives stated above, CIMI will endeavor to enter into a contract with a Redeeming Merchant barring the disclosure or sharing of Personal Information with CIMI. In the event, however, that Personal Information is disclosed or shared by a Redeeming Merchant with CIMI, then the Personal Information will be subject to this Privacy Policy while in our hands.

Consumer Constant Touch Programs. Depending upon the CIMI Card and the CIMI card program, Personal Information may be collected to facilitate interaction and communication between Cardholders and the Redeeming Merchant in card programs that are designed to sporadically or regularly touch or communicate with Cardholders such as some active loyalty, awards, rewards, incentive or affinity programs. The type of information collected varies depending upon the gift card program, but usually is a name and email address, although it may also be one or more of the other items in the list of the Typical Types of Collected Information described above; provided, however, that some retailer with loyalty, awards, rewards, incentive or affinity programs may collect additional types of Personal Information in support of the program (including bank information for the automatic reloading cards) so you should consult the retailer’s privacy policy. Most loyalty or affinity programs are the programs of a Redeeming Merchant and not CIMI. They have separate terms and conditions from the terms and conditions of the CIMI Card. The Personal Information such programs collect typically is for the loyalty or affinity program of the Redeeming Merchant and is not for the card program of CIMI. In that regard, the Personal Information typically is viewed as being the property or proprietary information of the Redeeming Merchant and not of CIMI. Additionally, and consistent with the policies objectives stated above, CIMI will endeavor to enter into a contract with a Redeeming Merchant barring the disclosure or sharing of Personal Information with CIMI. In the event, however, that Personal Information is shared by a Redeeming Merchant with CIMI, then it will be subject to this Privacy Policy while in our hands.

Compliance with Unclaimed Property Laws. CIMI, and its affiliate Card Compliant, LLC, store and process Personal Information for the business purpose of determining and addressing compliance of each CIMI Card with applicable unclaimed property laws, including the first priority escheat rule and the third priority escheat rule, because Personal Information will impact the application of the unclaimed property laws. Additionally, we process Personal Information to identify and send unclaimed property escheat notices to Cardholders if and as required by unclaimed property laws, including notices that are required to disclose Personal Information in mailed and emailed escheat notices and in notices published in media publications. Additionally, we process Personal Information to complete and file reports with U.S. states and territories if and as required by unclaimed property laws, including reports that will disclose Personal Information to the U.S. states and territories. Additionally, CIMI may collect Personal Information for use to contact a Cardholder to determine if the Cardholder wishes to elect not to have a CIMI Card escheat to a state or territory per an unclaimed property law. Additionally, we use the Personal Information when responding to unclaimed property inquiries and audits by the U.S. states and territories, and when responding to inquiries by Cardholders about unclaimed property matters. To the extent Personal Information is stored or processed by us, it will be subject to this Privacy Policy.

Compliance with Privacy and Data Security Laws and Policies. CIMI may use Personal Information for the business purpose to comply with privacy laws, data security laws, and data protection or security contracts and/or policies that require us (a) to field or manage consumer consent and/or opt-in or opt-out requirements, (b) to manage consumer privacy rights including verification of privacy requests and verification of authorized agents if applicable, (c) to detect or address privacy and security data breaches or incidents as required by law, data protection agreements, and privacy and security policies, (d) to undertake security or privacy testing, (e) to protect against malicious, deceptive or fraudulent activity, and (f) to otherwise comply with laws, regulations and policies addressing privacy and data security. To the extent Personal Information is stored or processed by us, it will be subject to this Privacy Policy.

Compliance with AML Regulations and Policies. Certain AML Regulations require a prepaid card issuer, prepaid access provider, prepaid card seller and prepaid access seller to collect Personal Information about Cardholders, unless exempted from doing so by the AML Regulations. Your CIMI Card and card program have been designed to be exempt from the collection of such Personal Information per AML Regulations. Additionally, in certain situations, we may be required to use Personal Information to conduct OFAC checks if and as required by the regulations of the Office of Financial Assets Controls. If and to the extent that Personal Information is collected or received by us in conjunction with or for the purpose of addressing the AML Regulations and/or OFAC laws, then it will be subject to this Privacy Policy.

Direct Services. CIMI, and its affiliate Card Compliant, LLC, may process Personal Information for the business purpose of delivering or performing various direct services to Cardholders of CIMI Cards. The current service in which CIMI collects Personal Information from Cardholders is the Virtual Cash Out Service (VCO) in which Personal Information on a Cardholder will be collected, processed and used for the short-term transient use of performing the service of providing cash-out to Cardholders on CIMI Cards if requested by a Cardholder and if and as required by law. The Personal Information collected for the performance of this VCO service is provided by the Cardholder with the Cardholder’s consent, and usually is the name, residence address, email address, date of birth, phone number, and such other information as disclosed to the Cardholder at the outset of VCO service. The collected Personal Information is used to perform and fulfill the VCO service and/or to address fraud, misuse and abuse regarding the VCO service. The Personal Information is subject to this Privacy Policy. It will be retained for the period of time needed to carry out the service.

Customer Service. As described above, Personal Information may be collected by CIMI in response to customer service inquiries by Cardholders or users of CIMI Sites. Such information usually is a name and contact information provided by you. Such information is used to respond to, address and document the customer inquiry. To the extent Personal Information is received, it will be subject to this Privacy Policy.

Website Interactions. As described above, a CIMI Site may allow a Cardholder or site visitor to interact and communicate with us with respect to obtaining information. Personal Information may be collected by CIMI if a Cardholder or visitor interacts with us on a CIMI Site and elects to provide Personal Information to us. Such Personal Information is used for the business purpose of responding to the communication or inquiry from the Cardholder or visitor. To the extent Personal Information is received, it will be subject to this Privacy Policy.

CIMI Site Usage Audits and Analytics. Personal Information may be collected by CIMI from users of or visitors to a CIMI Site in the form of cookies or tracking analytics. Cookies and tracking analytics are used for several reasons including to make a CIMI Site perform more efficiently, to provide information to us, to try to match your preferences to what you may want to see on the website you are visiting, to improve your online experience, and to improve the CIMI Cards and services. See also the section below on Cookies and Related Analytics. If such Personal Information is collected by us, it will be subject to this Privacy Policy.

Audits, Reviews. Tests, Incidents, Inquiries and Investigations. CIMI will use or process Personal Information if and to the extent necessary and for the business purpose to comply with or to facilitate (a) reasonable and necessary audits or reviews by our third party auditors or reviews, (b) audits or reviews by third party regulators or authorities, (c) audits or reviews permitted or required by a contract between us and a client or contractor, (d) testers of our technology systems and modules including the systems and modules of Card Compliant, LLC, (e) reviews and testing of our information security systems and practices, (f) responses to incidents or inquiries involving Cardholders or CIMI Cards, (g) debugging to identify and repair errors that impair existing intended functionality, (h) investigating or prosecuting persons responsible for abusive, malicious, deceptive or fraudulent activities, and/or (i) investigations by third parties of fraud, misconduct, money laundering, crimes or other illicit activities. To the extent that Personal Information is received or collected, stored or processed by us, it will be subject to this Privacy Policy.

General. CIMI may also use Personal Information, if received or collected, for the following business purposes: to provide Cardholders with information about CIMI Cards; to remind Cardholders that they have an outstanding balance on a CIMI Card; to maintain or update contact data about you; to maintain the accuracy of the information we collect; to respond to your questions and concerns; to contact you as needed to perform our business activities; to measure interest in our CIMI Cards; to maintain and improve the CIMI Cards; for confidential research and analysis in connection with the development of new products and services; in the exercise or defense of legal claims or complaints; and as required to meet our legal obligations.

Other. If a Cardholder or any third party provides us with Personal Information for use in a manner not covered above in this Privacy Policy, we will limit use of that Personal Information to the specific reason for which it was provided to us or as otherwise permitted by law. CIMI treats Personal Information obtained from third parties, whether received on purpose or inadvertently, in accordance with this Privacy Policy.

Commercial Purposes: CIMI collects, receives, stores, uses, processes, shares, discloses and retains Personal Information for reasonable and necessary business purposes which are outlined above in this Privacy Policy. Unless specified otherwise for a specific CIMI Card and CIMI Card program at our Consumer Personal Information Disclosures Tab of the CIMI Card, CIMI does not use Personal Information for the commercial purpose of sending unsolicited advertising to a Cardholder. Nor does CIMI disclose or share Personal Information with third parties for such purposes. Furthermore, CIMI does not use Personal Information to support targeted advertising by CIMI directed at visitors of the CIMI Sites. Additionally, CIMI informs you that it will not separately monetize your Personal Information for profit without providing you with the consent or opt-out mechanisms if and as required by applicable privacy laws.

OUR PRIVACY POLICY – HOW WE SELL OR SHARE YOUR PERSONAL INFORMATION

We informed you above about how others provide Personal Information to CIMI. In this section of our Privacy Policy, we will inform you about how CIMI sells or shares your Personal Information with third parties if and when CIMI receives Personal Information.

Selling Personal Information: CIMI is not in the business of selling or marketing Personal Information to others for profit in the traditional sense of receiving cash, remuneration or remittance in exchange for the transfer of Personal Information. CIMI discloses or shares Personal Information with others for the reasonable and necessary business purposes outlined in this Privacy Policy. However, because some USA states or other foreign jurisdictions may consider the use of cookies or other third party tracking analytics on websites to constitute a form of data transfer in exchange for some form of consideration, CIMI has informed you if and how it uses cookies and third party tracking technologies. See the sections above on CIMI Site Usage and the section below on Cookies and Related Analytics. As explained there, visitors to a CIMI Site, including you, will be notified via a pop-up if cookies or third party analytics are used at the CIMI Site. Visitors will be provided an opportunity to consent to the use of cookies or to opt-out from our use of cookies and third party tracking analytics (with the exception of essential cookies) when they use the CIMI Site. If no pop-up appears at a CIMI Site, then visitors may assume that no cookies or third party analytics are being used at the CIMI Site. Additionally, CIMI further informs you that it will not monetize Personal Information for profit without providing the consent or opt-out mechanisms if and to the extent required by applicable privacy laws.

Sharing of Personal Information in the Form of Disclosing Information: In performing its business and operations, CIMI may disclose or share Personal Information to others for reasonable and necessary business purposes in performing its business as a card issuer and/or service provider regarding the CIMI Cards. The following describes some of the more common circumstances illustrating how CIMI may discloses Personal Information to third parties:

Card Compliant, LLC. Card Compliant, LLC (“CARD”) is a limited liability company formed under the laws of Kansas. It is the parent company of CIMI and an affiliate of CIMI for the purpose of this Privacy Policy. Additionally, CARD owns and operates certain regulatory and accounting compliance systems and modules that process and enrich Transaction Data, Demographic Data, and other data and information regarding prepaid card and prepaid access programs (including Personal Information depending upon the card program). CIMI retains and uses CARD and its processing systems to process Transaction Data and Demographic Data regarding the CIMI Cards, including your Personal Information if your Personal Information is received or collected by CIMI. When doing so, CIMI and CARD share or disclose Personal Information with each other regarding CIMI Cards, including your Personal Information. In that regard, CARD serves as a service provider for CIMI providing the regulatory compliance oriented services including: (a) maintaining or servicing cards and underlying ledger accounts for compliance purposes, (b) providing Cardholder or customer services, (c) providing regulatory compliance services and related reporting, (d) providing forecasting and accounting services, (e) processing or fulfilling VCO service requests including processing VCO payments to Cardholders (f) processing or fulfilling escheat notices, escheat reports, and escheat payments to U.S. States and territories, (g) verifying Cardholder information, and/or (h) providing analytic services. In doing so, CARD follows the privacy policies enunciated in this Privacy Policy.

Data Centers. Pursuant to a contract between CIMI (or its affiliate CARD) and one or more commercial data centers, the data and information received, collected, processed stored, enriched or created by CIMI regarding CIMI Cards is stored on data servers housed in commercial data base facilities that are not owned by CIMI. From the perspective of CIMI and its business operations, CIMI applies this Privacy Policy to the data and information stored at those facilities, including Personal Information. The data centers are in the USA.

The Cloud. We inform you that the Transaction Data and Demographic Data regarding CIMI Cards, including Personal Information, are stored, processed and transmitted using servers and systems that operate using the cloud and cloud technologies.

CIMI Site Usage. With respect to the Personal Information automatically collected by us from the usage by visitors of a CIMI Site, we share the information with third party analytics and search engine providers who assist us in the improvement of the CIMI Sites. See the sections above on CIMI Site usage. Currently, we provide such information collected from the Terms Now CIMI Sites to Google Analytics. The way that Google collects and processes data when delivering Google Analytics is described at www.google.com/policies/privacy/partners/. Visitors to CARD Sites will be provided an opportunity to consent to or to opt-out from Google Analytics via a pop-up at the CIMI Site. For more info, see the section below on Cookies and Related Analytics.

Compliance with Unclaimed Property Laws. Depending upon the CIMI Card, unclaimed property laws may require that we issue escheat due diligence notices sent by mail or otherwise to Cardholders, including notices that we may be required to publish in media publications. To comply with unclaimed property laws governing escheat due diligence notices, CIMI may share Personal Information with (a) a third party service provider used by CIMI to make mass mailings of escheat notices to Cardholders, and (b) newspaper or media companies selected for the publication of escheat notices if such notices must be published in public media per unclaimed property laws. Additionally, depending upon the CIMI Card, the unclaimed property laws may require that we report and escheat the CIMI Card to a USA state or territory. If required by unclaimed property laws, CIMI will provide and share Personal Information with the USA state or territory in the unclaimed property reports filed with such jurisdictions. Additionally, we share Personal Information with the USA states and territories, and their auditing companies, in response to unclaimed property regulatory inquires and/or unclaimed property audits by such jurisdictions.

Professional or Technical Support. CIMI may share Personal Information (as well as aggregated, pseudonymous, and deidentified data) with our attorneys, accountants, professional consultants, affiliates, co-development venturers, Card Distributers, Redeeming Merchants, Bulk Business Buyers, Transaction Processors, Program Managers, card inventory suppliers, and need to know contractors for the limited business purpose of issuing, servicing or enhancing CIMI Cards and CIMI Card programs. If we share Personal Information with such third parties, we will do so under agreements that require the third party to protect Personal Information in accordance with the principles described in this Privacy Policy. The third parties are authorized to use Personal Information only as needed to provide services to us and Cardholders.

Audits, Reviews, Tests, Incidents, and Investigations. CIMI will share Personal Information with others to the extent necessary to comply with or to facilitate (a) audits or reviews by our third party auditors or reviews, (b) audits or reviews by third party regulators or authorities, (c) audits or reviews permitted or required by a contract between us and a client or contractor, (d) reviews and testing of our proprietary systems including systems of Card Compliant, LLC, (e) reviews and testing of our information security systems and practices, (f) responses to incidents or inquiries involving Cardholders or CIMI Cards, and/or (g) investigations by third parties of incidents, security events, fraud, misconduct, money laundering, crimes or other illicit activities.

Legal Purposes. We will share your Personal Information with regulators, law enforcement agencies, public authorities and other governmental authorities when compelled to do so, or reasonably asked to do so, and/or with others if and as may be required by law.

Sale of CIMI. If CIMI or the business of CIMI were to be sold or transferred (such as by way of a merger, stock purchase, asset sale, or other transaction resulting in the transfer of CIMI’s business to a new owner or a successor) then Transaction Data and Demographic Data, including Personal Information, may be considered information or an asset that (a) we must disclose to the acquirer during the due diligence work regarding the transaction, and (b) we will be required to transfer to the acquirer or other successor of CIMI as a result of the transaction. We will use reasonable efforts to assure that a potential acquirer desiring to conduct due diligence with respect to such a transaction executes a confidentiality contract or similar non-disclosure agreement requiring the acquirer to handle Personal Information during the due diligence in a manner consistent with this Privacy Policy.

Bankruptcy. If a bankruptcy, insolvency or reorganization proceeding were to be brought by or against us, then Transaction Data and Demographic Data, including Personal Information, may be considered information of ours or an asset of ours and may be transferred or sold to one or more third parties. Should such a transfer or sale occur, we will use reasonable efforts to require that the transferee continue to handle Personal Information in a manner consistent with this Privacy Policy.

OUR PRIVACY POLICY – HOW WE RETAIN YOUR PERSONAL INFORMATION

Consistent with the policy objectives stated above, CIMI will retain Personal Information for the length of time determined by CIMI as needed to complete the tasks for which the Personal Information was collected, after which time the Personal Information will cease to be retained by CIMI and will be deleted per the document and data retention policies of CIMI, unless doing so will violate a law that specifically prohibits the exercise of this privacy and retention practice.

The specific time periods for retention of Personal Information may vary depending upon the task for which the Personal Information was collected. For a list of applicable retention periods, visit the CIMI Site designated on the back of your CIMI Card and go to the Consumer Personal Information Disclosures Tab. The URL for the CIMI Site usually begins with the phrase “mycardterms.com.”

In deleting your Personal Information, CIMI will use techniques that meet industry standards governing the erasure of computer data. We reserve the right to retain your Personal Data for a longer period in the event of an incident regarding you or your CIMI Card that leads us to believe there is the prospect of a need for the Personal Information for future dispute resolution with respect to a CIMI Card or your relationship with you.

In addition to the foregoing retention policy regarding Personal Information, we inform you that you may have a privacy right to request that CIMI delete or erase your Personal Information. In that regard, see the sections below on privacy rights including the section on What Are Privacy Rights and the section on Your Right to Delete or Erase.

OUR PRIVACY POLICY – HOW WE PROTECT PERSONAL INFORMATION

If Personal Information is received or collected by CIMI, the Personal Information will be stored as data primarily on data servers maintained at one or more commercial data centers owned or operated by companies regularly engaged in the business of storing sensitive data in secure settings pursuant to industry standards governing data security and privacy. These data centers are located in the USA. Additionally, CIMI will store and process Personal Information using appropriate technical and organizational measures to provide appropriate security, accuracy, integrity, and confidentiality. CIMI deploys commercially reasonable measures to protect Personal Information held by it from unauthorized destruction, loss, and alteration and from unauthorized disclosure or use. Such measures include (a) measures designed to comply with the Payment Card Industry (PCI) DSS security standards, and (b) operational controls subject to SOC audits. Personal Information received by CIMI from Card Distributors, Bulk Business Buyers, and/or Redeeming Merchants is transmitted to CIMI (or its affiliated Card Compliant, LLC) either directly by such entities or through commercial transaction processors and contractors using secure techniques.

YOUR PRIVACY RIGHTS – WHAT ARE THEY?

If you are a resident of certain U.S. states or are located in certain foreign countries or jurisdictions, then you may hold certain privacy rights regarding your Personal Information established by the privacy laws of those states or jurisdictions. Depending upon the jurisdiction, the privacy rights afforded by these laws may or may not include the following: (a) a right to know or be informed about how we handle Personal Information, (b) a right to access or be told the specific Personal Information held by us regarding you, (c) a right to correct or rectify the Personal Information in our hands if it is inaccurate, (d) the right to request deletion or erasure by us of Personal Information (also known as the right to be forgotten); (e) a right to consent to or opt-out of sale or sharing of your Personal Information by us with third parties, and (h) other rights, if any, that may be specified under the privacy laws specific to an applicable jurisdiction.

Important Notice: For more information about the privacy rights that may be available to you pursuant to the privacy laws of U.S. states or foreign jurisdictions, please review the Addendum for Jurisdiction Specific Privacy Notices and Disclosures. This Addendum is a material part of this Privacy Policy and is accessible either by scrolling below. The Addendum provides a privacy notice to you for each of the specific USA states that have a privacy law and for selected foreign jurisdictions. The Addendum is divided into two parts with Part A addressing the privacy laws in the United States of America and Part B addressing the privacy laws of selected foreign jurisdictions. It is important that you review the Addendum to understand your privacy rights. Below is a direct interactive path to privacy notices of the specific jurisdictions.

Jurisdiction Specific Privacy Notices and Disclosures – Interactive Table of Contents

Part A: Jurisdiction Specific Privacy Notices and Disclosures – United States of America
Privacy Notice to California Residents
Privacy Notice to Colorado Residents
Privacy Notice to Connecticut Residents
Privacy Notice to Delaware Residents
Privacy Notice to Iowa Residents
Privacy Notice to Maryland Residents
Privacy Notice to Minnesota Residents
Privacy Notice to Montana Residents
Privacy Notice to Nebraska Residents
Privacy Notice to New Hampshire Residents
Privacy Notice to New Jersey Residents
Privacy Notice to Oregon Residents
Privacy Notice to Tennessee Residents
Privacy Notice to Texas Residents
Privacy Notice to Utah Residents
Privacy Notice to Virginia Residents

Part B: Jurisdiction Specific Privacy Notices and Disclosures – International
Not Applicable

YOUR PRIVACY RIGHTS – WHAT WE RECOGNIZE AND AFFORD

Notice: With respect to the privacy rights that will be afforded or honored by CIMI, we will afford and honor the privacy rights if and as required by the privacy laws of the USA states and foreign jurisdictions, if and to the extent that they legally are applicable to you. In addition, and without limiting the forgoing, we inform you that we will afford all Cardholders the right to request deletion of their Personal Information. For the sake of clarity, we confirm that we will afford and honor privacy rights in two situations: (a) if and as required by an applicable privacy law, and/or (b) as stated in this Privacy Policy for all Cardholders with respect to the right to delete, even if you are in a jurisdiction without a privacy law affording the right to delete.

YOUR PRIVACY RIGHTS – YOUR RIGHT TO DELETE OR ERASE

Notice: Cardholders holding a CIMI Card shall have the right to make a verifiable request to CIMI asking CIMI to delete or erase the Personal Information collected by CIMI from the Cardholder. This right is also known as the right to be forgotten. Notwithstanding the foregoing, CIMI will not be required to comply with the request if the Personal Information is reasonably necessary for CIMI (a) to complete the task or transaction for which the Personal Information was collected, and/or (b) to perform the cardholder contract between CIMI and Cardholder. In that regard, we remind Cardholders that CIMI has an information retention policy under which your Personal Information, if collected, will cease to be maintained by CIMI after the passage of a designated period of time. See the section above on How We Retain Your Personal Information.

If we accept your request to delete, we will delete Personal Information held directly by us upon the earlier of (a) the date stated in the retention policy, or (b) forty-five (45) days after receipt of your verifiable request. We also will direct that our contractors holding Personal Information on our behalf delete the Personal Information. However, we will not have authority to direct the contractors of others to delete information. Nor will we have authority to direct a third party, such as a Redeeming Merchant or Bulk Business Buyer, to delete the information if we have reached a contract agreeing that the information is the property or proprietary information of the third party and not us, or if we otherwise have agreed with the third party that the Personal Information should not be disclosed or shared with us.

YOUR PRIVACY RIGHTS – YOUR RIGHT TO KNOW AND BE INFORMED

Notice: If an applicable privacy law requires it, then Cardholders shall have the right to make a verifiable request to CIMI that CIMI disclose to the Cardholder the information required to be disclosed to Consumers by the applicable privacy law; provided, however, that CIMI reserves the right to object to the request on grounds that the information has already been disclosed to you in this Privacy Policy. In that regard we remind you that CIMI has a retention policy under which your Personal Information, if collected, will cease to be maintained by CIMI after a designated period of time. See the section above on How We Retain Your Personal Information.

YOUR PRIVACY RIGHTS – YOUR RIGHT TO ACCESS SPECIFIC INFORMATION

Notice: If an applicable privacy law requires it, then Cardholders holding a CIMI Card shall have the right to make a verifiable request to CIMI asking that CIMI disclose to the Cardholder the specific pieces of Personal Information that CIMI has collected about the Cardholder. In that regard we remind you that CIMI has a retention policy under which your Personal Information, if collected, will cease to be maintained by CIMI after a designated period of time. See the section above on How We Retain Your Personal Information.

YOUR PRIVACY RIGHTS – YOUR RIGHT TO CORRECT OR RETIFY

Notice: If an applicable privacy law requires it, then Cardholders holding a CIMI Card shall have the right to make a verifiable request to CIMI asking that CIMI correct or rectify inaccurate Personal Information maintained by CIMI regarding the Cardholder; provided, however, that CIMI reserves the right to object to the request on grounds that it is unreasonable in light of the nature of the Personal Information and the purpose for which the Personal Information is being held or processed. In that regard we remind you that CIMI has a retention policy under which your Personal Information, if collected, will cease to be maintained by CIMI after a designated period of time. See the section above on How We Retain Your Personal Information.

YOUR PRIVACY RIGHTS – YOUR RIGHT TO OPT-OUT OF SALE OR SHARING

Notice: We provided notice to you above about the Personal Information that CIMI sells to or shares with third parties. See section on How We Sell or Share Your Personal Information. We hereby provide further notice to you that, if an applicable privacy law requires it, then Cardholders holding a CIMI Card shall have the right to opt-out of the sale or sharing by us of your Personal Information with third parties, if and to the extent that such right is required by the applicable privacy law.

Specific Rule Re Cookies and Related Analytics: With respect to cookies and Google Analytics, the visitors to the CIMI Sites (including you) will be provided the right to consent to or opt-out from the use of cookies and Google Analytics in response to a pop-up that will be provided at the CIMI Site. For more information, see the section above on How We Sell or Share Your Personal Information and the section below on Cookies and Related Analytics.

YOUR PRIVACY RIGHTS – YOUR OTHER PRIVACY RIGHTS

Notice: If an applicable privacy law requires it, then CIMI will afford you with such other privacy rights as specified in the applicable privacy law, if the privacy law legally is applicable to you. For more information on such other rights, if any, see the privacy notices provided to you with by us respect to certain USA states and foreign jurisdictions in the Addendum for Jurisdiction Specific Privacy Notices and Disclosures.

YOUR PRIVACY RIGHTS – HOW TO EXERCISE YOUR PRIVACY RIGHTS AND CHOICES

If you elect to do so, you may exercise one or more of your privacy rights by using one of the following methods to contact CIMI:

To submit a consumer request regarding your privacy rights, you may email us at privacyrights@cimicard.com and put the phrase “Consumer Privacy Rights Request” in the subject line of your email.
You may also submit a consumer request by sending a letter to the following address: Consumer Privacy Rights Request, Card Issuance & Management, Inc., 11610 Ash St., Suite 200, Leawood, KS 66211, Attention: Data Protection Officer.
You may also request delivery or disclosure of the information (that we are required to disclose or deliver by a privacy law per a Right to Know, a Right to Access or otherwise) by calling us at the toll free number, 855.971.7430.

Please remember that we will afford and honor privacy rights in two situations: (a) if and as required by an applicable privacy law, and/or (b) as stated above in this Privacy Policy for all Cardholders with respect to the right to delete even if you are in jurisdiction that does not have a privacy law affording the right to delete. In exercising your privacy rights, please also remember that we do not consider Transaction Data, pseudonymous data, deidentified data or Aggregated Data to be Personal Information.

If you submit a request to delete online, you will be asked to confirm separately that you want your Personal Information to be deleted. If we are required by a privacy law to deliver information to you, we will do so free of charge by mail or electronically at your election. If required by an applicable privacy law, we will deliver required information to you using a readily useable format that allows you to transmit the information from one entity to another entity without hindrance.

Our Policy Regarding Verifiable Requests: Unless prohibited by a privacy law, your request asserting a privacy right must be a request that is verifiable by us using commercially reasonable methods. To verify requests and the information in them, you will be required to provide, at a minimum, your name and email address, and you may be asked to respond to a confirmation email that will be sent to that email address. We may also ask that you provide a photo of an official government issued ID if permitted. Only you (or a designated authorized agent if permitted under the applicable privacy law) may make a verifiable consumer request related to your Personal Information. If you are an authorized agent making a request on the consumer’s behalf, then you should submit the request on behalf of a consumer via the one of the permitted the contact methods specified above in this section of our Privacy Policy. We reserve the right to request information to verify to the fullest extent that is not prohibited an applicable privacy law.

Our Policy Regarding Use of Authorized Agents: We permit the use of an authorized agent to make a privacy right request for you only if we are required to do so by an applicable privacy law. When we are required to do so by law, we will only permit the use of an authorized agent for the purpose of asserting the right to opt-out of a sale or sharing, with the exception residents of California. The use of an authorized agent will not be permitted for the submission of any other privacy right, including the right to delete, with the exception of residents of California. The California privacy laws permits use of an authorized agent to assert the right to delete, the right to correct, the tight to know, the right to access and the right to opt-out of sale or sharing. When an authorized agent is used, we will request verification of the authorized agent to the fullest extent allowed by the applicable privacy law.

Denial of Privacy Requests and Appeal: CIMI will notify you, at an email address provided by you, if your privacy request has been denied. Such notice will be provided within the later of (a) forty-five (45) days after we received your privacy request, or (b) such other longer period specified in the applicable privacy law. Some jurisdictions may grant you a right to appeal a denial to and with us. For information on those rights, if any, please go to the Addendum on Jurisdiction Specific Privacy Notices and Disclosures.

YOUR PRIVACY RIGHTS – RESOLVING PROBLEMS

If you have a comment, question, or complaint about how we are handling your Personal Information, please contact us to allow us an opportunity to resolve the matter. You may also submit a complaint to the appropriate regulatory authority. Information about where to submit concerns or complaints to government or regulatory authorities in a specific jurisdiction can be found in the Addendum for Jurisdiction Specific Privacy Notices and Disclosures, which is part of this Privacy Policy. However, we would appreciate the chance to address your concerns before you approach a regulatory authority, so please contact us if you have concerns.

PRIVACY PRACTICES – COOKIES AND RELATED ANALYTICS

CIMI uses cookies (small text files that a website saves on your computer or device when you visit a CIMI Site) and other tracking tools to automatically collect information about how you use a CIMI Site and otherwise interact with our services. The information collected might relate to you, or your device, and/or your use of a CIMI Site. It is mostly used to make a CIMI Site work as you expect it to work, to provide a more personalized web experience, and to analyze the use by visitors of the CIMI Sites. However, you can manage cookies by choosing not to allow certain types of cookies.

CIMI further informs you that we use Google Analytics on some of our Sites. It is a web analytics service provided by Google, Inc. Google Analytics uses Cookies or other tracking technologies to help us analyze how users interact with the Sites and Services, compile reports on their activity, and provide other services related to their activity and usage. The technologies used by Google may collect information such as your IP address, time of visit, whether you are a returning visitor, and any referring website. The information generated by Google Analytics will be transmitted to and stored by Google and will be subject to Google’s privacy policies.

CIMI further informs you that we may use Google reCAPTCHA, a free service provided by Google, Inc., to protect our Sites from spam and abuse. Google reCAPTCHA uses advanced risk analysis techniques to decipher between humans and bots using our Sites. Google reCAPTCHA works differently depending on what version is deployed. For example, you may be asked to check a box indicating that you are not a robot and Google reCAPTCHA may detect abusive traffic without user interaction. Google reCAPTCHA works by transmitting certain types of information to Google, such as the referrer URL, IP address, visitor behavior, operating system information, length of the visit, Cookies, and mouse movements. Your use of Google reCAPTCHA is subject to Google’s Privacy Policy and Terms of Service.

If a CIMI Site uses cookies or Google Analytics, then the visitors to the CIMI Site (including you) will be notified via a pop-up at the CIMI Site that cookies and Google Analytics are being used. Visitors will be provided an opportunity to consent to or opt-out from the use of cookies and Google Analytics when they are using the CIMI Site. If no pop-up appears at a CIMI Site, then visitors may assume that cookies and Google Analytics are not being used at the CIMI Site.

PRIVACY PRACTICES – WALLETS, ACCOUNTS AND APPLICATIONS

Some CIMI Cards are designed to be moved to or redeemed into a wallet, account or application. This Privacy Policy applies to the wallets, accounts, or applications to the extent that CIMI issues or services the wallet, account, or application.

PRIVACY PRACTICES – PERSONAL INFORMATION AT CARD SALES

The CIMI Cards will be sold in one or more of the following sales distribution channels: (a) in the first party brick-and-mortar sales channel where cards are physically sold in the stores of a retail client of CIMI (“Channel A”), (b) in the third party brick-and-mortar sales channel where cards are physically sold in stores of third party retailers participating in a third party distribution channel (“Channel B”), (c) in the first party on-line sales channel where cards are sold on-line to consumers (“Channel C”), (d) in the third party on-line sales channel where cards are sold on-line to card buyers by third party online sales companies (“Channel D”), and (e) in the bulk corporate sales channel where cards are sold in bulk to Bulk Business Buyers (the “Channel E”). Unless specified otherwise in the Consumer Personal Information Disclosures Tab for a specific CIMI Card, and consistent with policy objectives states above the following privacy practices shall apply in a CIMI card program:

Channel A. Personal Information will not be collected in Channel A at the time of the card sales. As a result the cards will be anonymous.
Channel B. Personal Information will not be collected in Channel A at the time of the card sales. As a result the cards will be anonymous.
Channel C. Personal Information may be collected at the time the cards are sold for the purpose of fulfilling the sale and delivering the cards to the correct addresses. The collected Personal Information will not be shared with CIMI. As a result, the cards will be physically anonymous on the records and data of CIMI.
Channel D. Personal Information may be collected at the time the cards are sold for the purpose of fulfilling the sale and delivering the cards to the correct addresses. The collected Personal Information will not be shared with CIMI. As a result, the cards will be physically anonymous on the records and data of CIMI.
Channel E. Personal Information may be collected at the time the cards are distrusted for the purpose of delivering the cards to the correct addresses. The collected Personal Information will not be shared with CIMI. As a result, the cards will be physically anonymous on the records and data of CIMI.

PRIVACY PRACTICES – CONSENT

In card programs where Personal Information is collected by CIMI about Cardholders, we will endeavor to obtain the consent of Cardholders to the collection of Personal Information. The objective will be (a) to inform a Cardholder that Personal Information is being collected and used, that the Personal Information is and will be processed by CIMI or its affiliates, and that Personal Information and data collected in foreign jurisdictions will be transferred to the United States of America; and (b) obtain the consent of Cardholders to the above, along with the consent and directive by Cardholders to delete the Personal Information per our limited retention policy. The methods used will be click wrap technologies and appropriate acknowledgements where click wrap is not usable. With respect to cookies and related website tracking technologies, see the consent processes described in the section above on Cookies and Related Analytic.

PRIVACY PRACTICES – MINORS AND CHILDREN

CIMI Cards may be purchased to be provided as gifts for minors. CIMI oversees the CIMI Sites. They provide general information for use by all Cardholders and visitors. As a general rule, they are designed for a general audience and, as such, are not directed to children under the age of 13. Individuals transacting business or accessing services at a CIMI Site are required to warrant or represent that they are either (a) age 18 or older. or (b) a parent or guardian for a younger consumer. That practice applies to giving consent if required by a privacy law. CIMI does not knowingly receive, collect, sell, or share Personal Information from individuals under the age of 16. If you become aware of Personal Information that we may have collected from minors or children under 16 years of age, please contact us at privacyrights@cimicard.com. We urge parents and guardians to regularly monitor and supervise the online activities of their minors and children.

PRIVACY PRACTICES – DATA PROCESSING

We inform you that CIMI’s affiliate, Card Compliant, LLC (“CARD”), processes data concerning the CIMI Cards and the CIMI card programs including data that occasionally contains Personal Information concerning Cardholders. CARD does so on behalf of CIMI. The processing facilities are located in the USA, and the data received by CIMI or CARD is stored in commercial data centers located in the USA. The processing will be undertaken for the business purposes specified in this Privacy Policy.

PRIVACY PRACTICES – INTERNATIONAL DATA TRANSFERS

If you are located outside the United States of America, we inform you that we are headquartered in the USA and our data servers are located in the USA. Therefore, any Transaction Data regarding your CIMI Card will be transferred to and stored, used, or processed by us in the USA for the business purposes described in this Privacy Policy. While the United States may provide a lower level of legal privacy protection for your Personal Information than in your country, we will endeavor to protect your Personal Information using measures that are comparable or adequate to the protections required in your particular jurisdiction if it is legally applicable, and will take steps to only share your Personal Information with third parties that offer similar protections. In that regard, if the privacy law of a foreign jurisdiction is applicable, then we will observed the private practices described for the specific foreign jurisdictions in the Addendum for Jurisdiction Specific Privacy Notices and Disclosures. We further inform you that the Personal Information transferred to us in the United States may subject to access by others there that is required by governments, courts or law enforcement in the United States.

PRIVACY PRACTICES – AGGREGATED, PSEUDONYMOUS AND DEIDENTIFIED DATA

With respect to Transaction Data, CIMI does not collect or receive PINs or security numbers for the CIMI Cards except when required for its direct services described above. Furthermore, the CIMI Cards are intended to be anonymous cards. Thus, to the extent that Personal Information is collected for necessary collateral purposes, such as delivery to you of anonymous cards purchased on online, CIMI endeavors to pseudonymize the CIMI Cards by separating Card Numbers from Personal Information. In addition, with respect to such collateral Personal Information collected for individuals located in a foreign jurisdiction, CIMI endeavors to anonymous the CIMI Cards in the manner described for a specific foreign jurisdiction in the Addendum for Jurisdiction Specific Privacy Notices and Disclosures. We further inform you that CIMI (along with its affiliate Card Compliant, LLC) aggregates Transaction Data from multiple cards of a single card program or multiple cards from multiple card programs (the “Aggregated Data”). CIMI does so for analytical and statistical purposes including industry benchmarking. Aggregated Data may be derived from data that contained Personal Information, but Aggregated Data is pseudonymized or deidentified with the Personal Information being removed resulting in the Aggregated Data not revealing the identity of a particular consumer or household.

PRIVACY PRACTICES – PERSONAL DATA CONTROLLER

To the extent a personal data Controller is required to be designated under an applicable privacy law, then CIMI is hereby designated the Controller responsible for overseeing the collection and use Personal Information with respect to your CIMI Card and card program. If a different Controller applies to your CIMI CARD (other than CIMI) then the Controller will be identified in the Consumer Personal Information Disclosures Tab of the CIMI Site for your CIMI Card. For more, see the section below on About our Consumer Personal Information Disclosures Tab.

PRIVACY PRACTICES – DATA PROTECTION OFFICER

CIMI has appointed a Data Protection Officer who will be responsible for overseeing compliance with privacy laws and this Privacy Policy. You may contact CIMI or its Data Protection Officer in the manner set forth below.

PRIVACY PRACTICES – ABOUT OUR CONSUMER PERSONAL INFORMATION DISCLOSURES TAB

The Terms Now CIMI Site for your CIMI Card and program has a tab that is labeled the Consumer Personal Information Disclosures Tab. The information provided there will inform you (a) whether or not Personal Information is collected regarding your CIMI Card, (b) the categories or types of Personal Information, if any, collected in your CIMI Card program, (c) the identity of the personal data Controller for the CIMI Card program, and (c) the dates when the Personal Information, if collected, will cease to be retained by CIMI pursuant to its document and data retention program. To find the Consumer Personal Information Disclosures Tab, go to the CIMI Site designated on the back of your CIMI Card and go to the Consumer Personal Information Disclosures Tab. The URL for the CIMI Site usually begins with the phrase “mycardterms.com.”

MORE POLICIES – THIRD PARTY LINKS AND WEBSITES

The CIMI Sites, including this website, will have links to third-party websites, plug-ins and applications. Those third party websites, plug-ins and applications are not CIMI Sites. The links are provided solely to you for convenience. Your visit there will be subject to the privacy policies and terms of use specified at those sites, and not by our Privacy Policy. This Privacy Policy of CIMI applies only to CIMI Sites. For a list of CIMI Sites, visit the Glossary hereto. This Privacy Policy does not apply to non-CIMI Sites, including those of our business clients or other third parties that may link to or from our CIMI Sites. We are not responsible for the practices or workings of such other sites or applications, and encourage you to review the privacy policies of any third party site you visit. A link to or from a third-party site to or from a CIMI Site does not mean or imply (and should not be construed as meaning or implying) that we have reviewed or endorsed those third-party sites.

MORE POLICIES – CHANGES TO OUR PRIVACY POLICY

This version of our Privacy Policy was last updated as of the Last Updated Date specified above at the top of this Privacy Policy. We strive to keep our Privacy Policy current and compliant with existing and new privacy laws and the amendments thereto. Additionally, we strive to keep our Privacy Policy current with respect to changes to the CIMI Card, changes to its related services, and/or changes to its underlying technologies. As such, our Privacy Policy will be subject to regular review and will be modified by us from time to time. When changes to this Privacy Policy are made, we will post the updated version and specify the new Last Updated Date at the beginning of the Privacy Policy. We encourage you to check back regularly and review the Privacy Policy.

MORE POLICIES – CONSTRUCTION WITH PRIVACY LAWS AND SURVIVAL

CIMI issues and/or services CIMI Cards that are sold in all fifty U.S. states and in several foreign jurisdictions. The terms of this Privacy Policy shall apply except if and to the extent that the terms do not violate an applicable privacy law. If a provision of this Privacy Policy violates an applicable privacy law, then the provision shall be construed and deemed not to apply, with the rest of the Privacy Policy remaining in full force and effect.

MORE POLICIES – A LIMITATION

Except as provided above in the section on What We Recognize and Afford (with respect to the right to delete), CIMI reserves the right to take the position that it is not required to perform or act in a particular situation or circumstance on the grounds that CIMI is not required to do so by an applicable privacy law. In that regard, CIMI reserves the right to argue that its use of Personal Information is permitted under appliable privacy laws via an exemption or exception to the privacy law or via a provision in the privacy law that declares the activity to be a permissible use.

MORE POLICIES – A DISCLAIMER

CIMI is not a law firm. This Privacy Policy is not intended to provide legal advice to you. If you have legal questions about the application of a privacy law, then you should consult an attorney.

HOW TO CONTACT US

If you have any questions or comments regarding this Privacy Policy, you may contact the Data Protection Officer of CIMI in one or more of the following ways. You may email us at privacyrights@cimicard.com. You may write to us at: Card Issuance & Management, Inc., 11610 Ash St., Suite 200, Leawood, KS 66211, Attention: Data Protection Officer. And you may call us at the toll-free number, 855.971.7430.

ADDENDUM FOR JURISDICTION SPECIFIC PRIVACY AND NOTICES AND DISCLOURES

This Addendum for Jurisdiction Specific Privacy Notices and Disclosures is a part of the Privacy Policy of CIMI. It provides specific privacy notices and disclosures to Cardholders and you regarding specific privacy laws enacted or promulgated by various jurisdictions that may address the privacy of the Personal Information that CIMI receives or collects regarding CIMI Cards or use of CIMI Sites. This Addendum is divided into two parts. Part A provides privacy notices to Cardholders and you regarding jurisdictions within United States of America that have enacted or adopted a privacy law. Part B provides notices to Cardholders and you regarding selected foreign jurisdictions.

Important Notice: You should review this Addendum to fully understand your privacy rights. You should also continue to review the general sections of our Privacy Policy to which this Addendum is a part. To see the general sections of our Privacy Policy please scroll above. Below is an interactive path to privacy notices for specific jurisdictions.

Jurisdiction Specific Privacy Notices and Disclosures – Interactive Table of Contents

Part B: Jurisdiction Specific Privacy Notices and Disclosures – International
Not Applicable

Part A: Jurisdiction Specific Privacy Notices and Disclosures – United States of America

This Addendum Part A is a part of the Privacy Policy and Notice of CIMI. If you are a resident of certain U.S. states, then you may have privacy rights established by the privacy laws of a U.S. state regarding the Personal Information received or collected by CIMI. This Addendum Part A provides specific privacy notices and disclosures regarding the specific privacy laws of various U.S. states that may address the Personal Information CIMI receives or collects regarding CIMI Cards or the use of CIMI Sites.

Important Notice: You should review this Addendum Part A to fully understand your privacy rights. The specific privacy notices regarding specific jurisdictions are a part of our Privacy Policy You also should continue to review the general sections of our Privacy Policy. To see them, scroll above. Below is an interactive path to specific U.S. jurisdictions that have adopted privacy laws that may impact your Personal Information.

Jurisdiction Specific Privacy Notices and Disclosures – Interactive Table of Contents

PRIVACY NOTICE TO CALIFORNIA RESIDENTS

Last Updated Date: August 23, 2025

This Privacy Notice to California Residents (the “California Privacy Notice”) is provided by CIMI as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy of which this California Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections, scroll above. If a conflict exists between this specific California Privacy Notice and the general sections of our Privacy Policy, then this California Privacy Notice shall control.

This California Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, California residents. If you are not a California resident, then this California Privacy Notice does not apply to you, and you should not rely on it.

California List of Categories of Personal Information That We Collect About Consumers (provided per CA Civil, Section 1798.130(5)(B)). Table A below provides a list of the categories of Personal Information we have collected for a business purpose in the 12 months preceding the Last Updated Date of this Privacy Policy and, for each category, provides the categories or sources of the Personal Information, and the categories of business purposes for which the Personal Information was collected.

Table A. Categories of Personal Information Collected By Us

Category of Personal Information	Categories of Sources	Categories of Business Purpose
Demographic Information with Personal Identifiers (i.e., name, residence address, email address)	Service Providers (i.e., Transaction Processors, Program Managers, Card Distributors, Redeeming Merchants, Bulk Business Buyers)	Auditing; Detecting and preventing security incidents; Debugging to identify and repair errors; Short-term, transient use that is internal and not used to build a consumer profile; Performing services such as maintaining accounts, providing customer service, and fulfilling orders; Undertaking internal research; Undertaking activities to verify or maintain the quality of services.
Personal Identifiers (i.e.,name, residence address, email address, date of birth, phone number)	Cardholders (i.e., for VCO services)	Performing services such as maintaining accounts, providing customer service, fulfilling orders; and processing payments; Short-term, transient use that is internal and not used to build a consumer profile.
Location information (i.e., store location)	Cardholders (i.e., for VCO services)	Performing services such as maintaining accounts, providing customer service, fulfilling orders; and processing payments; Short-term, transient use that is internal and not used to build a consumer profile.
Demographic Information with Personal Identifiers	Investigators of incidents and governmental authorities.	Detecting and preventing security incidents; Undertaking activities to verify or maintain the quality of services; Prosecuting persons responsible for malicious, deceptive or fraudulent activities
Device and Online Identifiers	CIMI Sites	Auditing
Internet, application and network activity	CIMI Sites	Auditing
Geolocation data (such as IP address)	CIMI Sites	Auditing
Government Identifiers	Cardholders	To verify privacy right requests

Note: For more detailed information about the business purposes for which the Personal Information was collected see the above section of this Privacy Policy on How We Use Your Personal Information.

Note: Please remember that we do not consider Transaction Data, Pseudonymized Data, Deidentified Data or Aggregated Data to be Personal Information.

California List of Categories of Personal Information Sold or Shared (provided per CA Civil, Section 1798.130(5)(C)(i)). Table B below provides a list of categories of Personal Information that we have sold or shared to or with third parties in the 12 months preceding the Last Updated Date of this Privacy Policy and, for each category, provides the categories of recipients to which the Personal Information was sold or shared and the categories of business purposes for which Personal Information was sold or shared – as the term “share” is defined in the California privacy law. As explained above, CIMI is not in the business of selling Personal Information. Nor do we “share” Personal Information as “share” is defined in in the California privacy law. However, because some may consider the use of cookies or other third party tracking analytics on websites to constitute a form of data transfer in exchange for some form of consideration, CIMI has informed you how it uses cookies and third party tracking technologies. See the section below on Cookies and Related Analytics. In that regard, see also Table B below

Table B. Categories of Personal Information Sold or Shared by Us

Category of Personal Information	Categories of Recipients	Categories of Business Purpose
Device and Online Identifiers	Service Providers (i.e., website cookies and tracking analytics)	Auditing
Internet, application and network activity	Service Providers (i.e., website cookies and tracking analytics)	Auditing
Geolocation data such as IP address.	Service Providers (i.e., website cookies and tracking analytics)	Auditing.

Note: For more detailed information about the business purposes for which the Personal Information was collected, see the above section of this Privacy Policy on How We Use Your Personal Information.

Note: Please remember that we do not consider Transaction Data, Pseudonymized Data, Deidentified Data or Aggregated Data to be Personal Information.

California List of Categories of Personal Information Disclosed About Consumers for Business Persons and the Recipients (provided per CA Civil, Section 1798.130(5)(C)(ii)). Table C below provides a list of the categories of Personal Information that we have disclosed to others for a business purpose in the 12 months preceding the Last Updated Date of this Privacy Policy and, for each category, provides the categories of recipients to which the Personal Information was disclosed and categories of business purposes for which the Persona Information was disclosed.

Table C. Categories of Personal Information Disclosed By Us to Others

Category of Personal Information	Categories of Recipients	Categories of Business Purpose
Demographic Information with Personal Identifiers (i.e., name, residence address, email address)	Service Providers (i.e. Card Compliant and Data Centers)	Performing services such as maintaining accounts, providing customer service, fulfilling orders, Undertaking internal research; Undertaking activities to verify or maintain the quality of services.
Personal Identifiers (i.e.,name, residence address, email address, date of birth, phone number)	Service Providers (i.e., Transaction Processors for VCO)	Performing services like maintaining accounts, providing customer service, and fulfilling orders; Short-term, transient use that is internal and not used to build a consumer profile.
Personal Identifiers	Governmental Authorities	Regulatory compliance and legal obligations
Demographic Information with Personal Identifiers	Investigators of incidents and governmental authorities.	Detecting and preventing security incidents; Undertaking activities to verify or maintain the quality of services; Prosecuting persons responsible for malicious, deceptive or fraudulent activities.
Internet, application and network activity	Service Providers (i.e., website cookies and tracking analytics)	Auditing
Geolocation data (such as IP address)	Service Providers (i.e., website cookies and tracking analytics	Auditing.

Note: For more detailed information about the business purposes for which the Personal Information was collected, see the above section of this Privacy Policy on How We Use Your Personal Information.

Note: Please remember that we do not consider Transaction Data, Pseudonymized Data, Deidentified Data or Aggregated Data to be Personal Information.

Sale or Share of Personal Information of Consumers under 16 Years of Age: We do not knowingly sell or share (for cross-context behavioral advertising) the personal information of consumers under 16 years of age. For more information, see also the section above of this Privacy Policy on Minors and Children.

Notice to You About Our Retention of Personal Information: We retain your Personal Information for as long as necessary to fulfill the purposes for which we collect it as is more fully described above in the section of this Privacy Policy on How We Retain Your Personal Information.

Notice of Your California Consumer Privacy Rights: If you reside in California, then you have the following privacy rights per California privacy laws regarding your Personal Information as of the Last Updated Date of this California Privacy Notice:

The right to know the categories of Personal Information we’ve collected and the categories of sources from which we got the information.
The right to know the business purpose for collecting Personal Information.
The right to know the categories of third parties with whom we share that Personal Information.
The right to access the specific pieces of Personal Information we’ve collected and then gain access to the Personal Information.
The right to delete Personal Information that we collected from and/or about you, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to opt out of having your Personal Information sold or shared for cross-context behavioral advertising.
The right to limit disclosure of sensitive personal information but know that we do not use your sensitive Personal Information (if at all) in a manner subject to that right.

How to Submit a Request to Know, Delete, and/or Correct: You may submit a privacy right request to exercise one of your California Consumer Privacy Rights by contacting us via one of the methods described in the section on How to Exercise Your Privacy Rights and Choices.

Verifiable Privacy Right Requests: Your privacy right request must be a verifiable request. For our policy on making a verifiable request, go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices.

Use of an Authorized Agent: The privacy law of California allows for the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. If you are an authorized agent submitting a request to opt-out of the sale or sharing on the consumer’s behalf, the authorized agent must provide us with the consumer’s signed permission demonstrating your authorization to submit a request on the consumer’s behalf. We may also require the consumer verify their own identity directly with us and directly confirm with the business that they provided the authorized agent’s permission to submit the request.

Shine the Light Law. We do not disclose Personal Information obtained through our CIMI Sites or from our issuance or servicing of CIMI Cards to third parties for their direct marketing purposes. Accordingly, we have no obligations under California Civil Code § 1798.83.

PRIVACY NOTICE TO COLORADO RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Colorado Residents (the “Colorado Privacy Notice”) is provided by CIMI as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy of which this Colorado Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Colorado Privacy Notice and the general sections of our Privacy Policy, then this Colorado Privacy Notice shall control.

This Colorado Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Colorado residents. If you are not a Colorado resident, then this Colorado Privacy Notice does not apply to you, and you should not rely on it.

Colorado Table on Collection, Use and Sharing of Personal Information: We may collect, use and process certain categories of Personal Information as described in the table below.

Category/Type of Personal Information	Processing Purpose	Used for Targeted Advertising?	Categories of Recipients/Purpose or Activity
Identifiers such as name, e-mail address, date of birth, phone number and/or IP address	Product and service fulfillment; communications and marketing; improve products, services, and operation, prevention of fraud; legal compliance.	No	Service providers, including for cloud storage, customer support, marketing and our Recipient and Purchaser Customers.
Commercial information such as records of products or services purchased from merchants, retailers or third-party sellers	Product and service fulfillment; communications and marketing; improve products, services, and operations; prevention of fraud; legal compliance.	No	Service providers, including for cloud storage, customer support, marketing and our Recipient and Purchaser Customers.
Financial information such as bank account, credit card, and prepaid payment card information	Product and service fulfillment; improve products, services, and operations; prevention of fraud; legal compliance.	No	Service providers, including for payment processing.
Internet or other similar network activity such as information regarding your interactions with the Site	Communications and marketing; improve products, services, and operations; prevention of fraud and other harm; legal compliance.	No	Service providers, including for analytics, cloud storage and customer support.
Geolocation data such as IP address	Product or service fulfillment, communications and marketing.	No	Service providers, including for analytics, cloud storage and customer support.

Notice of Your Colorado Consumer Privacy Rights: If you reside in Colorado, then you have the following privacy rights per Colorado privacy laws regarding your Personal Information as of the Last Updated Date of this Colorado Privacy Notice:

Right to Know and Access: The right to confirm whether or not we are processing your Personal Information and to access such Personal Information.
Right to Correct: The right to correct inaccuracies in your Personal Information, taking into account the nature of the Personal Information and our purposes of the processing of such Personal Information.
Right to Delete: The right to delete Personal Information provided by or obtained about you.
Right to Obtain a Copy: The right to obtain a copy of your Personal Information that you previously provided to us in a portable and to the extent technically feasible, readily useable format that allows you to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
Right to Opt-Out: The right to opt out of the processing of your Personal Information for purposes of: (1) targeted advertising, (2) the sale of Personal Information, or (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Colorado Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices.

Verifiable Privacy Rights Requests: Your privacy right request must be a verifiable request. For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices.

Use of an Authorized Agent: The privacy law of Colorado allows for the use of an authorized agent to submit a request to opt-out on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Colorado Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 45 days of receipt. If your appeal is denied and you are a Colorado resident, you may contact the Colorado Attorney General to submit a complaint at: https://coag.gov/file-complaint/.

PRIVACY NOTICE TO CONNECTICUT RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Connecticut Residents (the “Connecticut Privacy Notice”) is provided by CIMI as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy of which this Connecticut Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Connecticut Privacy Notice and the general sections of our Privacy Policy, then this Connecticut Privacy Notice shall control.

This Connecticut Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Connecticut residents. If you are not a Connecticut resident, then this Connecticut Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Connecticut Consumer Privacy Rights: If you reside in Connecticut, then you have the following privacy rights per Connecticut privacy laws regarding your Personal Information as of the Last Updated Date of this Connecticut Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Connecticut Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices.

Verifiable Privacy Right Requests: Your privacy right request must be a verifiable request. For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices.

Use of an Authorized Agent: The privacy law of Connecticut allows for the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Connecticut Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Connecticut resident, you may contact the Connecticut Attorney General to submit a complaint at: https://portal.ct.gov/AG/Common/Complaint-Form-Landing-page

PRIVACY NOTICE TO DELAWARE RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Delaware Residents (the “Delaware Privacy Notice”) is provided by CIMI as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy of which this Delaware Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Delaware Privacy Notice and the general sections of our Privacy Policy, then this Delaware Privacy Notice shall control.

This Delaware Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Delaware residents. If you are not a Delaware resident, then this Delaware Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Delaware Consumer Privacy Rights: If you reside in Delaware, then you have the following privacy rights per Delaware privacy laws regarding your Personal Information as of the Last Updated Date of this Delaware Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
The right to obtain a list of categories of third parties to which we have disclosed your personal information.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Delaware Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices.

Use of an Authorized Agent: The privacy law of Delaware allows for the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Delaware Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Delaware resident, you may contact the Delaware Department of Justice to submit a complaint at: https://attorneygeneral.delaware.gov/fraud/cmu/complaint/#:~:text=If%20you%20are%20unable%20to,%40delaware.gov%20for%20assistance.

PRIVACY NOTICE TO IOWA RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Iowa Residents (the “Iowa Privacy Notice”) is provided by CIMI as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy of which this Iowa Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Iowa Privacy Notice and the general sections of our Privacy Policy, then this Iowa Privacy Notice shall control.

This Iowa Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Iowa residents. If you are not a Iowa resident, then this Iowa Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Iowa Consumer Privacy Rights: If you reside in Iowa, then you have the following privacy rights per Iowa privacy laws regarding your Personal Information as of the Last Updated Date of this Iowa Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for the “sale” of your personal information (as that term is defined by applicable law).

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Iowa Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices.

Verifiable Privacy Right Request: Your privacy right request must be a verifiable request. For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices.

Use of an Authorized Agent: The privacy law of Iowa does not mention the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Iowa Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are an Iowa resident, you may contact the Iowa Attorney General to submit a complaint at: https://www.iowaattorneygeneral.gov/for-consumers/file-a-consumer-complaint.

PRIVACY NOTICE TO MARYLAND RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Maryland Residents (the “Maryland Privacy Notice”) is provided by CIMI as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy of which this Maryland Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Maryland Privacy Notice and the general sections of our Privacy Policy, then this Maryland Privacy Notice shall control.

This Maryland Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Maryland residents. If you are not a Maryland resident, then this Maryland Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Maryland Consumer Privacy Rights: If you reside in Maryland, then you have the following privacy rights per Maryland privacy laws regarding your Personal Information as of the Last Updated Date of this Maryland Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, unless the law requires we must retain the Personal Information.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
The right to obtain a list of categories of third parties to which we have disclosed your personal information.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Maryland Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices.

Use of an Authorized Agent: The privacy law of Maryland allows for the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your Maryland Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Maryland resident, you may contact the Maryland Attorney General Consumer Protection Division to submit a complaint at: https://www.marylandattorneygeneral.gov/Pages/CPD/Complaint.aspx.

PRIVACY NOTICE TO MINNESOTA RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Minnesota Residents (the “Minnesota Privacy Notice”) is provided by CIMI as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy to which this Minnesota Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Minnesota Privacy Notice and the general sections of our Privacy Policy, then this Minnesota Privacy Notice shall control.

This Minnesota Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Minnesota residents. If you are not a Minnesota resident, then this Minnesota Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Minnesota Consumer Privacy Rights: If you reside in Minnesota, then you have the following privacy rights per Minnesota privacy laws regarding your Personal Information as of the Last Updated Date of this Minnesota Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
The right to obtain a list of categories of third parties to which we have disclosed your personal information.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Minnesota Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices.

Use of an Authorized Agent: The privacy law of Minnesota allows for the use of an authorized agent to submit a privacy right request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your Minnesota Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 45 days of receipt. If your appeal is denied and you are a Minnesota resident, you may contact the Minnesota Attorney General to submit a complaint at: https://www.ag.state.mn.us/office/complaint.asp#:~:text=If%20you%20have%20questions%20about,657%2D3787%20(Outside%20the%20Twin.

PRIVACY NOTICE TO MONTANA RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Montana Residents (the “Montana Privacy Notice”) is provided by CIMI as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy of which this Montana Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Montana Privacy Notice and the general sections of our Privacy Policy, then this Montana Privacy Notice shall control.

This Montana Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Montana residents. If you are not a Montana resident, then this Montana Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Montana Consumer Privacy Rights: If you reside in Montana, then you have the following privacy rights per Montana privacy laws regarding your Personal Information as of the Last Updated Date of this Montana Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Montana Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices.

Use of an Authorized Agent: The privacy law of Montana allows for the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your Montana Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Delaware resident, you may contact the Montana Attorney General to submit a complaint at: https://dojmt.gov/consumer/consumer-complaints/.

PRIVACY NOTICE TO NEBRASKA RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Nebraska Residents (the “Nebraska Privacy Notice”) is provided by CIMI as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy of which this Nebraska Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Nebraska Privacy Notice and the general sections of our Privacy Policy, then this Nebraska Privacy Notice shall control.

This Nebraska Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Nebraska residents. If you are not a Nebraska resident, then this Nebraska Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Nebraska Consumer Privacy Rights: If you reside in Nebraska, then you have the following privacy rights per Nebraska privacy laws regarding your Personal Information as of the Last Updated Date of this Nebraska Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Nebraska Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices.

Use of an Authorized Agent: The privacy law of Nebraska allows for the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your Nebraska Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Nebraska resident, you may contact the Nebraska Attorney General to submit a complaint at: https://ago.nebraska.gov/constituent-complaint-form.

PRIVACY NOTICE TO NEW HAMPSHIRE RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to New Hampshire Residents (the “New Hampshire Privacy Notice”) is provided by CIMI as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy of which this New Hampshire Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific New Hampshire Privacy Notice and the general sections of our Privacy Policy, then this New Hampshire Privacy Notice shall control.

This New Hampshire Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, New Hampshire residents. If you are not a New Hampshire resident, then this New Hampshire Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your New Hampshire Consumer Privacy Rights: If you reside in New Hampshire, then you have the following privacy rights per New Hampshire privacy laws regarding your Personal Information as of the Last Updated Date of this New Hampshire Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your New Hampshire Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices.

Use of an Authorized Agent: The privacy law of New Hampshire allows for the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your New Hampshire Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a New Hampshire resident, you may contact the New Hampshire Attorney General to submit a complaint at: https://www.doj.nh.gov/citizens/consumer-protection-antitrust-bureau/consumer-complaints.

PRIVACY NOTICE TO NEW JERSEY RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to New Jersey Residents (the “New Jersey Privacy Notice”) is provided by CIMI as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy to which this New Jersey Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific New Jersey Privacy Notice and the general sections of our Privacy Policy, then this New Jersey Privacy Notice shall control.

This New Jersey Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, New Jersey residents. If you are not a New Jersey resident, then this New Jersey Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your New Jersey Consumer Privacy Rights: If you reside in New Jersey, then you have the following privacy rights per New Jersey privacy laws regarding your Personal Information as of the Last Updated Date of this New Jersey Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your New Jersey Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices.

Verifiable Privacy Right Request: Your privacy right request must be a verifiable request. For our policy on making verifiable a request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices.

Use of an Authorized Agent: The privacy law of New Jersey allows for the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your New Jersey Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 45 days of receipt. If your appeal is denied and you are a New Jersey resident, you may contact the New Jersey Division of Consumer Affairs to submit a complaint at: https://www.njconsumeraffairs.gov/Pages/Consumer-Complaints.aspx.

PRIVACY NOTICE TO OREGON RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Oregon Residents (the “Oregon Privacy Notice”) is provided by CIMI as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy of which this Oregon Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Oregon Privacy Notice and the general sections of our Privacy Policy, then this Oregon Privacy Notice shall control.

This Oregon Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Oregon residents. If you are not an Oregon resident, then this Oregon Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Oregon Consumer Privacy Rights: If you reside in Oregon, then you have the following privacy rights per Oregon privacy laws regarding your Personal Information as of the Last Updated Date of this Oregon Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
The right to obtain a list of categories of third parties to which we have disclosed your personal information.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Oregon Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices.

Use of an Authorized Agent: The privacy law of Oregon allows for the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your Oregon Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 45 days of receipt. If your appeal is denied and you are an Oregon resident, you may contact the Oregon Attorney General to submit a complaint at: https://justice.oregon.gov/consumercomplaints/.

PRIVACY NOTICE TO TENNESSEE RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Tennessee Residents (the “Tennessee Privacy Notice”) is provided by CIMI as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy of which this Tennessee Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Tennessee Privacy Notice and the general sections of our Privacy Policy, then this Tennessee Privacy Notice shall control.

This Tennessee Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Tennessee residents. If you are not a Tennessee resident, then this Tennessee Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Tennessee Consumer Privacy Rights: If you reside in Tennessee, then you have the following privacy rights per Tennessee privacy laws regarding your Personal Information as of the Last Updated Date of this Tennessee Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of the “sale” of your personal information (as that term is defined by applicable law).

How to Submit Your Tennessee Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Tennessee Consumer Privacy Rights by contacting us via one of the methods described in the section on How to Exercise Your Privacy Rights and Choices.

Use of an Authorized Agent: The privacy law of Tennessee does not mention the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Tennessee Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Tennessee resident, you may contact the Tennessee Attorney General to submit a complaint at: https://www.tn.gov/attorneygeneral/working-for-tennessee/file-a-consumer-complaint.html. The Office of the Attorney General and Reporter can be contacted at: Office of the Attorney General and Reporter, P.O. Box 20207, Nashville, TN 37202-0207; Telephone: (615) 741-3491.

PRIVACY NOTICE TO TEXAS RESIDENTS

Last Updated Date: August 22, 2025.

This Privacy Notice to Texas Residents (the “Texas Privacy Notice”) is provided by CIMI as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy of which this Texas Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Texas Privacy Notice and the general sections of our Privacy Policy, then this Texas Privacy Notice shall control.

This Texas Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Texas residents. If you are not a Texas resident, then this Texas Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Texas Privacy Rights: If you reside in Texas, then you have the following privacy rights regarding your Personal information per Texas privacy laws as of the Last Updated Date of this Texas Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit Your Texas Consumer Privacy Right Request : You may submit a privacy right request to exercise one of your Texas Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices.

Use of an Authorized Agent: The privacy law of Texas allows for the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Texas Appeal Rights: If we deny your consumer privacy right request, you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Texas resident, you may contact the Texas Attorney General to make a complaint at: https://consumerprotection.texasattorneygeneral.gov/consumercomplaintportal/s/flow/TCP_Complaint_Input_Data_Privacy.

PRIVACY NOTICE TO UTAH RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Utah Residents (the “Utah Privacy Notice”) is provided by CIMI as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy of which this Utah Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Utah Privacy Notice and the general sections of our Privacy Policy, then this Utah Privacy Notice shall control.

This Utah Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Utah residents. If you are not a Utah resident, then this Utah Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Utah Privacy Rights: If you reside in Utah, then you have the following privacy rights regarding your Personal information per Utah privacy laws as of the Last Updated Date of this Utah Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit Your Utah Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Utah Consumer Privacy Rights by contacting us via one of the methods described in the section above on How to Exercise Your Privacy Rights and Choices.

Use of an Authorized Agent: The privacy law of Utah does not mention the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

PRIVACY NOTICE TO VIRGINIA RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Virginia Residents (the “Virginia Privacy Notice”) is provided by CIMI as a part of its Privacy Policy. In addition to reading this notice, you must also review the general sections of our Privacy Policy of which this Virginia Privacy Notice is a part. Among other important disclosures, the general sections inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Virginia Privacy Notice and the general sections of our Privacy Policy, then this Virginia Privacy Notice shall control.

This Virginia Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Virginia residents. If you are not a Virginia resident, then this Virginia Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Virgina Consumer Privacy Rights: If you reside in Virginia, then you have the following privacy rights per Virginia privacy laws regarding your Personal Information as of the Last Updated Date of this Virginia Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access or to be provided such Personal Information, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by the applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit Your Virginia Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Virginia Consumer Privacy Rights by contacting us via one of the methods described in the section on How to Exercise Your Privacy Rights and Choices.

Verifiable Privacy Right Requests: Your privacy right request must be made as a verifiable request. For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices.

Use of an Authorized Agent: The privacy law of Virginia does not mention the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Virginia Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Virginia resident, you may contact the Virginia Attorney General to make a complaint at: https://www.oag.state.va.us/consumer-protection/index.php/file-a-complaint.

ADDENDUM PART B – JURISDICTION SPECIFIC PRIVACY NOTICES AND DISCLOSURES ADDENDUM – FOREIGN JURISDICTIONS

Your CIMI Card program is a domestic gift card program with cards usable and redeemable only in the United States of America. When used, this Addendum Part B concerns foreign jurisdictions. Therefore, it is omitted from this Privacy Policy.

GLOSSARY FOR PRIVACY POLICY

This Glossary is a part of our Privacy Policy. The CIMI Sites subject to our Privacy Policy consist of websites managed or hosted by CIMI and/or its affiliates including Card Compliant, LLC. They can be found at: cardcompliant.com, cimicard.com, compliancelibraries.com, mycardterms.com, stopgiftcardscams.com, and the Terms Now websites for a particular CIMI Card and card program with an address that begins with “mycardterms.com.”