PRIVACY POLICY AND NOTICE

Card Issuance & Management, Inc.

Last Updated Date: August 26, 2025

Notice: Visitors are welcome on this website. But visitors are not authorized to use this website, or any website to which this website links, to obtain information about a specific CIMI Card or Cardholder unless you are a legal holder of a CIMI Card or are otherwise permitted to do so under the terms and conditions of the CIMI Card. Any use of bots, crawlers, scripts or other automated means to test this websites for information, access data or to collect content is strictly prohibited unless expressly authorized by Card Issuer.

WHO WE ARE

Card Issuance & Management, Inc., also known as CIMI, is an Arizona corporation. Directly or through its subsidiaries, CIMI issues and/or services prepaid cards whether they are issued as a physical card or as a digital code, including (a) gift cards, (b) merchandise return cards, (c) loyalty, incentive and promotional cards, along with (d) related wallets, accounts and applications (collectively, the CIMI Cards). CIMI Cards are sold or given to cardholders. A cardholder may be a purchaser of a CIMI Card or a person who acquires a CIMI Card by gift or otherwise. Cardholders use a CIMI Card to purchase goods and/or services from a merchant in accordance with the terms and conditions of the CIMI Card. For more about CIMI, you can click here.

DEFINITIONS

This Privacy Policy and Notice is referred to herein as the Privacy Policy. Cardholders are referred to as Cardholders or as you, your or the like. CIMI and its subsidiaries and affiliates are referred to collectively as CIMI or as we, us, our or the like. When used herein, the terms include or including are deemed to be followed by the phrase “without limitation.” The terms or phrases Bulk Business Buyer, Card Distributor, CIMI Sites, Personal Information, Program Manager, Redeeming Merchants, Transaction Data and Transaction Processer are defined below in this Privacy Policy.

OUR PRIVACY POLICY – PERSONAL INFORMATION

Important: You must read this Privacy Policy. It describes our privacy policies with respect to collecting, receiving, using, storing, processing, sharing, retaining and protecting Personal Information if it is collected and received by us regarding CIMI Cards and CIMI services. It also informs you of the privacy rights you may hold per privacy laws. And it informs you of our privacy policies regarding the use of our websites. It is important that you understand what Personal Information we may collect about you and what we do with the Personal Information.

As used herein, Personal Information means and refers to personal data, personal information, and personally identifiable information as those phrases are defined in applicable privacy laws. Personal Information includes information that identifies, describes, or is linked to a particular consumer or household. Examples of Personal Information are names, postal addresses, residence addresses, email addresses, internet protocol addresses, social security numbers, driver’s license numbers, and passport numbers. We do not consider pseudonymized data, deidentified data or anonymous aggregated data to be Personal Information. Personal Information sometimes is referred to as being PII, which stands for personally identifiable information.

OUR PRIVACY POLICY – ITS PURPOSE

In the course of our business activities, we receive information and data regarding CIMI Cards and CIMI services. Depending upon the CIMI Card program, we may receive or collect Personal Information on Cardholders, including your Personal Information. We are committed to protecting the privacy of Personal Information of the Cardholders of CIMI Cards.

The purpose of this Privacy Policy is to inform you about the privacy policy of CIMI as it applies to the business activities of CIMI in issuing and servicing CIMI Cards, including your CIMI Card.

It informs you about how we collect, receive, use, store, process, share, retain and/or protect Personal Information in the course of issuing and servicing CIMI Cards and providing related services. It also informs you of your privacy rights and how the law may protect you. It also covers your use of the websites hosted and/or managed by CIMI and its affiliates (collectively, the CIMI Sites). For a list of the CIMI Sites, please see the Glossary provided below in this Privacy Policy.

Please note that additional information is provided in the Addendum on Jurisdiction Specific Privacy Notices and Disclosures attached hereto. The Addendum informs you about our handling of Personal Information under the specific laws of certain U.S. states and foreign jurisdictions.

This Privacy Policy will be changed from time to time, as more fully described in the section below on Changes to Our Privacy Policy. You may download a pdf version of the current Privacy Policy here or you may obtain access to copy by calling the toll free number, 855.971.7430.

OUR PRIVACY POLICY – OUR PRIVACY POLICY OBJECTIVES

The Privacy Policy of CIMI regarding CIMI Cards and CIMI Card programs is based and built upon the following six objectives.

First, Personal Information should be collected by or on behalf of CIMI only if it is needed for the business operations of CIMI as an issuer of or service provider for the CIMI Cards. In that regard, the typical CIMI Card is designed to be a simple anonymous card, like most retail gift cards, under which the identity of the cardholder is not known by the card issuer.

Second, to the extent that other companies and contractors (involved with the CIMI Cards or a CIMI Card program) may collect Personal Information in the course of their specific, respective businesses, then the Personal Information should not be shared with CIMI unless it is needed for the conduct of CIMI’s specific business. In those situations, CIMI should enter into contracts with third parties containing provisions that bar the disclosure or sharing of Personal Information with CIMI and thereby limit the unneeded disclosure or sharing of Personal Information among multiple separate companies. That typically occurs in two situations:

Card Program Required Collection. A client or contractor may collect Personal Information on behalf of or in furtherance of a CIMI Card program, such as for the limited purpose of getting the delivery address for a CIMI Card when sold on-line. The collected Personal Information is needed for the CIMI Card program but possession of the Personal Information at CIMI as the Card Issuer is not necessary. CIMI should enter into a contract with the Contractor barring the disclosure or sharing of the Personal Information with CIMI and keeping the Personal Information where it is needed which is with the client or contractor.

Dual Purpose Collection. A client or contractor may collect Personal Information on behalf of a CIMI Card program but also on behalf of or in furtherance of another program or endeavor other than the CIMI Card program. As an example, a Bulk Business Buyer may collect Personal Information for an employee incentive program for the purpose of getting the delivery address of an employee for the delivery of the CIMI Cards to the ultimate end-users but also collect additional personal employment information about the employment of the employee. The employment information is needed for the employer’s employment incentive program but is not related to the CIMI Card program. CIMI should enter into a contract with the Bulk Business Buyer barring the disclosure or sharing of the Personal Information with CIMI given its dual purpose nature, particularly since CIMI does not need the information at CIMI itself. A second example is an active incentive program of a Retailing Merchant in which a CIMI Card is involved, and information is collected for the delivery of the CIMI Card but also for the separate incentive program of the Redeeming Merchant.

Third, if Personal Information is received or collected by CIMI, then CIMI should limit the use of the Personal Information to uses that are reasonable and necessary for CIMI to carry out its business operations. Again, the business of CIMI typically is to issue or to service anonymous cards where the identity of the cardholder is unknown.

Fourth, if Personal Information is received or collected by CIMI, then CIMI should use commercially reasonable efforts to pseudonymize or deidentify the Personal Information while in the hands of CIMI.

Fifth, if Personal Information is received or collected by CIMI, then CIMI should retain Personal Information only for a designated time period needed to perform the task for which the Personal Information was collected, after which time CIMI should cease to retain the Personal Information per its document and data retention policy.

Sixth, if Personal Information is received or collected by CIMI, then CIMI should comply with applicable privacy laws governing the Personal Information during the time period from when the Personal Information is received or collected until it ceases to be retained by CIMI pursuant to CIMI’s document and data retention policy.

OUR PRIVACY POLICY – PERSONAL INFORMATION WE RECEIVE OR COLLECT

CIMI issues a variety of different CIMI Cards in a variety of different card programs. In each card program, CIMI will receive or collect transaction data regarding CIMI Cards from Transaction Processors, Program Managers, various contractors, and/or others. Transaction Data consists of a unique identifier or number for each CIMI Card and information regarding the card transactions arising from the purchase and use of the CIMI Card. The various types of card transactions may differ per card programs. Examples of the more common card transactions are activations, loads, reloads, redemptions, and/or balance inquiries.

We do not consider the Transaction Data received by CIMI regarding CIMI Cards, in and of itself without more, to be Personal Information under this Privacy Policy, for several reasons including (a) in most card programs, the Transaction Data is not associated with a particular consumer or household, (b) we do not receive or store the PINs or security numbers for the CIMI Cards, and (c) if the Personal Information is received by CIMI in a particular card program, it typically will be stored in pseudonymized or deidentified form. In that regard, CIMI does not use Transaction Data to ascertain or manufacture the identity of a Cardholder or to create, develop or manufacture new Personal Information about a Cardholder.

In addition to Transaction Data and depending upon the CIMI Card and card program, CIMI may or may not receive or collect Demographic Data on the CIMI Cards that will include Personal Information regarding a Cardholder, including you. To determine if your CIMI Card is in a card program in which CIMI receives or collects Personal Information, please visit the CIMI Site designated on the back of your CIMI Card and go to our Consumer Personal Information Disclosures Tab at the CIMI Site. The URL for that CIMI Site usually begins with the phrase “mycardterms.com.” If you currently are on the Terms Now CIMI Site for your CIMI Card, you may also go straight to the Tab by clicking here. The Consumer Personal Information Disclosures Tab will inform you if Personal Information is collected in conjunction with your specific CIMI Card. See also the section below in this Policy on About Our Consumer Personal Information Disclosures Tab.

Gift cards commonly are purchased by a Cardholder who may gift the CIMI Card to a gift recipient resulting in two Cardholders; namely, the card purchaser then the gift card recipient. This Privacy Policy applies to Personal Information collected on all consumers who are Cardholders, including both a gift card purchaser and/or a gift card recipient.

For CIMI Cards purchased by a business instead of a consumer, please see the information provided in a separate section below on Personal Information Re CIMI Cards Sold to Businesses.

In addition to the foregoing, CIMI informs you that CIMI may receive information about you or your CIMI Card with respect to the following business activities and sources:

Sources of Personal Information in General. If CIMI receives or collects Personal Information, it typically will be generated from the following sources: (a) CIMI may receive Personal Information about Cardholders that is collected by Card Distributors, Bulk Business Buyers, Redeeming Merchants, Transaction Processors, and/or Program Managers; such information, if received and stored by CIMI, will be given or transmitted by those entities to CIMI either directly or through commercial transaction processors, (b) CIMI itself may directly collect Personal Information from Cardholders while performing certain operational services for the Cardholders, (c) CIMI may collect Personal Information about or from the visitors at the CIMI Sites, (d) CIMI may be provided Personal Information in the course of incidents, audits, reviews and/or investigations, and (e) CIMI will collect Personal information if and when a consumer elects to contact CIMI for customer service. Each source of Personal Information is discussed more fully below.

Third Parties in General. CIMI receives a variety of information about the CIMI Cards which is received from or generated by companies and contractors involved in the operation and administration of the card program, including clients, program managers, transaction processors, data centers and providers, card inventory providers, Redeeming Merchants, Card Distributors, Bulk Business Buyers, regulators, auditors, government authorities, professionals, and others. The information received by CIMI from those third part sources includes Transaction Data, but typically does not include Personal Information. To the extent Personal Information is received or collected by us from these companies and contractors, it will be subject to this Privacy Policy.

Card Distributors. CIMI receives information about the CIMI Cards that is collected or generated by third parties that sell or distribute the CIMI Cards and/or manage the sales and distribution of the CIMI Cards (each a Card Distributor). With respect to Personal Information received or collected by such third parties, if any, please review the section below on Personal Information Collected By Card Distributors.

Redeeming Merchants. CIMI receives information about CIMI Cards emanating from the merchants that accept and redeem the CIMI Cards for the purchase of goods and/or services from the merchants (each a Redeeming Merchant). With respect to Personal Information received or collected by such merchants, if any, please review the section below on Personal Information Collected by Card Redeeming Merchants.

The CIMI Services. The CIMI Cards are supported by certain CIMI services that are available to Cardholders and accessible on CIMI Sites. Some of these CIMI services require the collection by CIMI of Personal Information. Currently, the service that requires Personal Information is the Virtual Cash Out Service (VCO), which supports requests by Cardholders to cash-out a CIMI Card if and as cash-out is required by law. The Personal Information collected by CIMI with respect to the VCO service is the Cardholder’s name, address, date of birth, email address, phone number, and such other information as is disclosed to the Cardholder at the time of the VCO Service. It is collected for the purpose of carrying out the VCO service and to prevent fraud, abuse, and misuse in providing the VCO service. If this CIMI service is provided to you, the Personal Information collected will be subject to this Privacy Policy.

Transaction Processors. In each CIMI Card program, the Transaction Data is processed and tracked by a commercial transaction processor (each a Transaction Processor) and is provided by such Transaction Processors to CIMI. Typically, the Transaction Data is generated at the points of card sales (i.e., at a Card Distributor) and at the points of card redemption (i.e., at a Redeeming Merchant). Some Transaction Processors may also serve as Program Managers or Card Distributors. CIMI may receive Personal Information from a Transaction Processor. If such information is received, it will be subject to this Privacy Policy.

Program Managers. In a typical CIMI Card program, certain program management tasks will be performed by third party service providers commonly known as program managers (each a Program Manager). Some Program Managers may also serve as a Transaction Processor and/or Card Distributor. CIMI may receive Personal Information from a Program Manager. If such information is received by CIMI, it will be subject to this Privacy Policy.

Customer Service. CIMI will receive or collect Personal Information about you in the event you elect to contact CIMI with respect to customer service and provide Personal Information during the contact. Such Personal Information typically consists of name and contact information. It is collected for customer service purposes only. If collected, it will be subject to this Privacy Policy.

Website Interaction. A CIMI Site may provide Cardholders and other visitors to a CIMI Site with the opportunity to contact or interact directly by email with us through or via the website. The information that a Cardholder or visitor elects to provide in making the contact with CIMI may include Personal Information provided by a Cardholder or the visitor. Such information usually consists of name and contact information. It is collected for the purpose of addressing the inquiry or comment of the Cardholder or visitor. If collected, it will be subject to this Privacy Policy.

CIMI Site Usage. With respect to your access and use of a CIMI Site, including this website, we automatically will collect information about how a Cardholder or other site visitor interacts with and uses a CIMI Site and services thereon. We will automatically collect various types of data including the date and time of access to the CIMI Site and the pages and other content that a Cardholder or visitor accesses or downloads. We also will automatically collect your internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other information about the devices you use to access this website. We will collect and use site usage data for system administration purposes to audit and monitor traffic on the CIMI Site and to improve the CIMI Site and the CIMI Cards and services. The information will be subject to this Privacy Policy. We do not use site usage data to ascertain the name or residence address of the CIMI Site user. For specific information about Cookies and related website analytics, please review the information provided to you in a separate section below on Cookies and Related Analytics.

Visitors to a CIMI Site. Visitors to the CIMI Sites may be individuals other than Cardholders. With respect to such visitors, the terms “you” and “your” and the like as used in this Privacy Policy include the visitor. With respect to such visitors, we will automatically collect data regarding their use of the CIMI Site. On that, see the section above on CIMI Site Usage. The visitor also may engage in website interactions with us at a CIMI Site as such interactions are described above. On that, see the section above on Website Interaction. The collected Personal Information regarding visitors to CIMI Sites will be subject to this Privacy Policy.

Other. With respect to Cardholders, we may receive Personal Information from other sources such as in investigations or audits of incidents, security matters, fraud, misconduct, money laundering, and crimes. To the extent such information constitutes Personal Information, it will be subject to this Privacy Policy unless the information is public information or exempt from applicable privacy laws.

The Types of Personal Information Received: If Personal Information is received or collected by CIMI, the categories and types of the Personal Information will vary depending upon the CIMI Card and the CIMI card program, but typically will include one or more of the following fields of identifiers about a Cardholder: name, residence address, zip code, email address, device and online identifiers, internet and website activities, date of birth, phone number, and/or variants or different combinations thereof (collectively and generally referred to in this Privacy Policy as the Typical Collected Information). With respect to processing a verifiable privacy right request, additional Personal Information may be collected from you for the purpose of verification including a government ID if permitted under the applicable privacy law. See the section below on How to Assert Your Privacy Rights and Choices.

Unless otherwise specifically and expressly disclosed in the terms and conditions for a CIMI Card or in this Privacy Policy, we will not receive or collect the following types of information about you: race or ethnicity, religious or philosophical beliefs, union membership, sex life or sexual orientation, health conditions, gender preference, political opinions, individual preferences and characteristics. education history, genetic and biometric data, background and criminal information, and audio or visual identification information.

As explained above, CIMI issues CIMI Cards in multiple unrelated card programs. The categories and items of Personal Information collected by us may vary from CIMI Card program to CIMI Card program. To determine the categories and type of Personal Information collected with respect to your specific CIMI Card please visit the CIMI Site designated on the back of your CIMI Card and go to our Consumer Personal Information Disclosures Tab on the CIMI Site. The URL for that CIMI Site usually begins with the phrase “mycardterms.com.” If you currently are on the Terms Now CIMI Site for your CIMI Card, you may also go straight to the Tab by clicking here.

OUR PRIVACY POLICY – PERSONAL INFORMATION COLLECTED BY CARD DISTRIBUTORS

The CIMI Cards are sold and distributed by Card Distributors (defined above). Card Distributors may include the Redeeming Merchant for the Card and/or other third parties and service providers in the business of selling and distributing the CIMI Cards to consumers at third party locations or on online platforms. The Card Distributors are separate companies from CIMI. Each may have its own policy that addresses the collection of Personal Information, if any, from you at the time of or in conjunction with the purchase of your CIMI Card. The privacy policy of a Distributing Company is the policy of the Distributing Company and not of CIMI. We encourage you to review the privacy policy of the Distributing Company. It may govern the privacy of your information in the hands of the Distributing Company. If Personal Information is collected by a Card Distributor, it usually does not disclose or share Personal Information with CIMI. Additionally, to prevent and limit the unnecessary disclosure and sharing of Personal Information among several separate companies, CIMI may enter into a contract with a Card Distributor that bars the disclosure or sharing of Personal Information with CIMI. In the event Personal Information is disclosed or shared by the Card Distributor with CIMI, then the Personal Information will be subject to this Privacy Policy while in our hands. The business purposes for which Card Distributors typically collect Personal Information are discussed further below in this Privacy Policy.

OUR PRIVACY POLICY – PERSONAL INFORMATION RE CIMI CARDS SOLD IN BULK TO BUSINESSES

Depending upon the card program, CIMI Cards may be sold via bulk corporate sales to businesses (each a Bulk Business Buyer). Some Bulk Business Buyers may resell such cards to consumers as authorized Card Distributors; with respect to that practice, please review the separate section above entitled Personal Information Collected by Card Distributors. Other Bulk Business Buyers purchase CIMI Cards via bulk corporate sales and then hand them out or otherwise provide them to others such as employees, customers, consumers, and participants in events typically in conjunction with loyalty, awards, promotion, or incentive programs or as gifts, awards or perks. Some Bulk Business Buyers are companies engaged in the business of creating or managing incentive programs for others. The Bulk Business Buyers are separate companies from CIMI. Each may have its own privacy policy that addresses the Personal Information, if any, collected from the end-user recipients to whom the CIMI Cards are ultimately provided. The privacy policy of the Bulk Business Buyer is the policy of the business and not of CIMI. We encourage you to review the privacy policy of the Bulk Business Buyer. It may govern the privacy of your information in the hands of the business.

If Personal Information is collected by a Bulk Business Buyer, it usually does not disclose or share the Personal Information with CIMI. In that regard, the Personal Information collected by a Bulk Business Buyer typically is viewed as being the property or proprietary information of the Bulk Business Buyer or its clients and not of CIMI, and it may consist of information that is specific to the business of the Bulk Business Buyer or its clients and unrelated to the CIMI Card or card program. Additionally, to prevent and limit the unnecessary disclosure and sharing of Personal Information among several separate companies, CIMI may enter into a contract with a Bulk Business Buyer that bars or prevents the disclosure or sharing of Personal Information with CIMI. In the event that Personal Information is shared by a Bulk Business Buyer with CIMI, then the Personal Information will be subject to this Privacy Policy while in our hands. The business purposes for which a Bulk Business Buyer typically collects Personal Information are discussed below in this Privacy Policy.

OUR PRIVACY POLICY – PERSONAL INFORMATION COLLECTED BY CARD REDEEMING MERCHANTS

The CIMI Cards typically are closed-loop type cards. That means they are usable or redeemable to buy goods or services from a single merchant or restricted group of related merchants (the Redeeming Merchant as further defined above). The Redeeming Merchant typically is identified on the front and/or back of the CIMI Card. Redeeming Merchants are separate companies from CIMI. The Redeeming Merchant may have its own privacy policy that addresses the collection of Personal Information, if any, from you at the time of the use and redemption of a CIMI Card to buy the goods and/or services of the Redeeming Merchant. Additionally, the Redeeming Merchant also may be a Card Distributor that sells CIMI Cards, for example, in its bricks-and-mortar stores. In its capacity as a Card Distributor, the company also may have its own privacy policy addressing the collection of Personal Information, if any, from you at the time of card purchase. The privacy policy of the Redeeming Merchant is the policy of the Redeeming Merchant and not of CIMI. We encourage you to review the privacy policy of the Redeeming Merchant. It governs the privacy of your information in the hands of the Redeeming Merchant.

If Personal Information is collected by a Redeeming Merchant, it usually does not disclose or share the Personal Information with CIMI. In that regard, the Personal Information collected by a Redeeming Merchant typically is viewed as being the property or proprietary information of the Redeeming Merchant and not of CIMI. Additionally, to prevent and limit the unnecessary disclosure and sharing of Personal Information among several separate companies, CIMI may enter into a contract with a Redeeming Merchant that bars or prevents the disclosure or sharing of Personal Information with CIMI. In the event that Personal Information is disclosed or shared by a Redeeming Merchant with CIMI, then the Personal Information will be subject to this Privacy Policy while in our hands. The business purposes for which Redeeming merchants typically collect Personal Information are discussed below.

OUR PRIVACY POLICY – HOW WE USE YOUR PERSONAL INFORMATON AND OUR BUSINESS PURPOSES

In the event Personal Information is received or collected by CIMI, CIMI will limit its use of your Personal Information to business purposes that are reasonable and necessary (a) to perform its duties and responsibilities as the issuer of and/or service provider for the CIMI Cards, and (b) to perform the ordinary and necessary business operations of the issuer of and/or servicer provider for prepaid cards. The following describes some of the more common circumstances illustrating the business purposes for which, and how, CIMI uses your Personal Information in the course of its business, if the Personal Information has been collected or received by CIMI:

Card Distributors. As described above, Personal Information may be collected by Card Distributors involved in the business of selling or distributing CIMI Cards. Typically, Personal Information will be collected by Card Distributors for the business purposes (a) to facilitate the fulfillment, delivery, and/or shipping of CIMI Cards that are sold online or via other remote sales settings such as catalog or phone sales, (d) for use in implementing and performing standard fraud control protocols at the time of online sales of CIMI Cards to consumers using credit cards and other payments instruments to make the purchase in person-not-present situations, (c) as needed for use in a card program that is purposefully designed to interact sporadically or regularly with the Cardholders such as a loyalty or affinity card program, and/or (d) as further disclosed in the privacy policy of the Card Distributor. The type of information collected varies depending upon the card program, but usually is one or more of the items in the list of Typical Collected Information described above. The Card Distributor usually does not disclose or share such Personal Information with CIMI. Additionally, to prevent and limit the unnecessary disclosure or sharing of Personal Information among several separate companies, CIMI may enter into a contract with a Card Distributor that bars or prevents the disclosure or sharing of Personal Information with CIMI. To the extent Personal Information is received or collected by us from a Card Distributor, it will be subject to this Privacy Policy.

Note: In some prepaid card programs, a card issuer and/or Card Distributor may be required to gather Personal Information on Cardholders (a) if such collection is required by anti-money laundering laws (the AML Regulations) unless an exemption to the AML Regulations is applicable, or (b) if such collection is required by another law or regulation. Your CIMI Card and card program has been designed by CIMI so that an exemption to the AML Regulation applies so Personal Information is not collected by CIMI or others pursuant to the AML Regulations. Nor is collected per another law.

Use by Bulk Business Buyers. As described above, Personal Information may be collected by Bulk Business Buyers engaged in bulk corporate sales programs where cards are bought in bulk and provided by the business ultimately to end-using recipients. Personal Information typically is collected for the business purposes (a) to facilitate the fulfillment, delivery, and/or shipping of CIMI Cards to the end-using recipients, and (b) as otherwise disclosed in the privacy policy of the Bulk Business Buyer or its clients. If Personal Information is collected by a Bulk Business Buyer, the business usually does not disclose or share the Personal Information with CIMI. In that regard, the Personal Information collected by a Bulk Business Buyer typically is viewed as being the property or proprietary information of the Bulk Business Buyer or its clients and not of CIMI, and it may consist of information that is specific to the business of the Bulk Business Buyer or its clients and unrelated to the CIMI Card or card program. Additionally, to prevent and limit the unnecessary disclosure or sharing of Personal Information among several separate companies, CIMI may enter into a contract with a Bulk Business Buyer that bars or prevents the disclosure or sharing of Personal Information with CIMI. In the event that Personal Information is disclosed or shared by a Bulk Business Buyer with CIMI, then the Personal Information will be subject to this Privacy Policy while in our hands.

Use by a Redeeming Merchant. As described above, Personal Information may be collected by a Redeeming Merchant. It typically is collected for the business purposes (a) if needed to facilitate the use of a CIMI Card by a Cardholder to buy goods and/or services from the Redeeming Merchant, particularly in an on-line shopping environment, (b) in conjunction with requiring the Cardholder to move or redeem the CIMI Card into a wallet, account or application that is then used by the Cardholder at the Redeeming Merchant to access its good or services, (c) as needed for use in a card program that is purposefully designed to have the Redeeming Retailer and Cardholder interact sporadically or regularly such as in a loyalty or affinity program, and/or (d) as further disclosed in the privacy policy of the Redeeming Merchant. As also described above, some Redeeming Merchants are also Card Distributors and, as such, may collect Personal Information for the purposes described above for Card Distributors. The type of information collected may vary depending upon the gift card program, but usually is one or more of the items in the list of Typical Collected Information described above.

If Personal Information is collected by a Redeeming Merchant, the company usually does not disclose or share the Personal Information with CIMI. In that regard, Personal Information collected by a Redeeming Merchant typically is viewed as being the property or proprietary information of the Bulk Business Buyer or its clients and not of CIMI, and it may consist of information that is specific to the business of the Redeeming Merchant and unrelated to the CIMI Card or card program. Additionally, to prevent and limit the unnecessary disclosure or sharing of Personal Information among several separate companies, CIMI may enter into a contract with a Redeeming Merchant that bars or prevents the disclosure or sharing of Personal Information with CIMI. In the event that Personal Information is disclosed or shared by a Bulk Business Buyer with CIMI, then the Personal Information will be subject to this Privacy Policy while in our hands.

Consumer Touch Programs. Depending upon the CIMI Card and the CIMI card program, Personal Information may be collected to facilitate interaction and communication between Cardholders and the Redeeming Merchant in card programs that are designed to sporadically or regularly touch or communicate with Cardholders such as some active loyalty, awards or affinity programs. The type of information collected varies depending upon the gift card program, but usually is a name and email address, although it may also be one or more of the other items in the list of the Typical Collected Information described above. Most loyalty or affinity programs are the programs of a Redeeming Merchant and not CIMI. They have separate terms and conditions from the terms and conditions of the CIMI Card. The Personal Information such programs collect typically is for the loyalty or affinity program of the Redeeming Merchant and not for the card program of CIMI. As such, the Personal Information typically is viewed as being the property or proprietary information of the Redeeming Merchant and not of CIMI. Additionally, to prevent and limit the unnecessary disclosure or sharing of Personal Information among several separate companies, CIMI may enter into a contract with a Redeeming Merchant that bars or prevents the disclosure or sharing of Personal Information with CIMI. The types of Personal Information collected in some sophisticated loyalty or affinity programs can include information beyond the Typical Collected Information described above. Therefore, we encourage you to review the privacy policy of the Redeeming Merchant. In the event that Personal Information is shared by a Redeeming Merchant with CIMI, then the Personal Information will be subject to this Privacy Policy while in our hands.

Compliance with Unclaimed Property Laws. CIMI, and its affiliate Card Compliant, LLC, store and process Personal Information for the business purpose of determining and addressing compliance of each CIMI Card with applicable unclaimed property laws, including the first priority escheat rule and the third priority escheat rule. If collected or received by us, certain Personal Information will impact the application of the unclaimed property laws. Additionally, we process Personal Information to identify and send unclaimed property escheat notices to Cardholders if and as required by unclaimed property laws, including notices that are required to disclose Personal Information in mailed and emailed escheat notices and in notices published in media publications. Additionally, we process Personal Information to complete and file reports with U.S. states and territories if and as required by unclaimed property laws, including reports that will disclose Personal Information to the U.S. states and territories. Additionally, CIMI may collect Personal Information for use to contact a Cardholder to determine if the Cardholder wishes to elect not to have a CIMI Card escheat to a state or territory per an unclaimed property law. Additionally, we use the Personal Information when responding to unclaimed property inquiries and audits by the U.S. states and territories. To the extent Personal Information is stored or processed by us, it will be subject to this Privacy Policy.

Compliance with Privacy and Data Security Laws and Policies. CIMI may use Personal Information for the business purpose to comply with privacy laws, data security laws, contracts and/or policies that require us (a) to field and manage consumer consent and/or opt-in or opt-out requirements, (b) to manage consumer privacy rights including the verification of privacy requests and verifications of authorized agents if applicable, (c) to detect or address privacy and security data breaches or incidents as required by law, data protection agreements, and privacy and security policies, (d) to undertake security or privacy testing, (e) to protect against malicious, deceptive or fraudulent activity, and (f) to otherwise comply with laws, regulations and policies addressing privacy and data security. To the extent Personal Information is stored or processed by us, it will be subject to this Privacy Policy.

Compliance with AML Regulations and Policies. Certain AML Regulations require a prepaid card issuer, prepaid access provider, prepaid card sellers and prepaid access sellers to collect Personal Information about Cardholders, unless exempted from doing so by the AML Regulations. Your CIMI Card and card program have been designed to be exempt from the collection of such Personal Information per the AML Regulations. Additionally, in certain situations, we reserve the right to use Personal Information to conduct OFAC checks if and as required by the Office of Financial Assets Controls. If and in the event that Personal Information is collected or received by us in conjunction with or for the purpose of the AML Regulations and/or OFAC laws, then it will be subject to this Privacy Policy.

CIMI Services. CIMI, and its affiliate Card Compliant, LLC, may process Personal Information for the business purpose of delivering or performing various services to Cardholders of CIMI Cards. The current service in which CIMI collects Personal Information is the Virtual Cash Out Service (VCO) in which Personal Information on a Cardholder will be collected, processed and used for the short-term transient use of performing the service of providing cash-out to Cardholders on CIMI Cards if and as required by law. The Personal Information collected for the performance of this VCO service usually is the name, residence address, email address, date of birth, phone number, and such other information as disclosed to the Cardholder at the outset of VCO service. The collected Personal Information typically is used to perform and fulfill the VCO service and/or to address fraud, misuse and abuse regarding the VCO service. To the extent Personal Information is received or collected by us, it will be subject to this Privacy Policy.

Customer Service. As described above, Personal Information may be collected by CIMI in response to customer service inquiries by Cardholders or users of CIMI Sites. Such information usually is a name and contact information. Such information is used to respond to, address and document the customer inquiry. To the extent Personal Information is received or collected by us, it will be subject to this Privacy Policy.
Website Interactions. As described above, a CIMI Site may allow a Cardholder or site visitor to interact and communicate with us with respect to obtaining information. Personal Information may be collected by CIMI if a Cardholder or visitor interacts with us on a CIMI Site and elects to provide Personal Information to us. Such Personal Information is used for the business purpose of responding to the inquiry or communication from the Cardholder or visitor. To the extent Personal Information is received or collected by us, it will be subject to this Privacy Policy.

CIMI Site Usage Audits and Analytics. Personal Information may be collected by CIMI from users of or visitors to a CIMI Site in the form of Cookies or tracking analytics. Such information is used for the business purposes described in the section above on CIMI Site Usage which is to audit and monitor traffic on the CIMI Site and to improve the CIMI Site and the CIMI Cards and services. See also the section below on Cookies and Related Analytics. To the extent such Personal Information is received or collected by us, it will be subject to this Privacy Policy.

Audits, Reviews. Tests, Incidents and Investigations. CIMI will use or process Personal Information if and to the extent necessary and for the business purpose to comply with or to facilitate (a) reasonable and necessary audits or reviews by our third party auditors or reviews, (b) audits or reviews by third party regulators or authorities, (c) audits or reviews permitted or required by a contract between us and a client or contractor, (d) testers of the propriety systems including the systems of Card Compliant, LLC, (e) reviews and testing of our information security systems and practices, (f) responses to incidents involving Cardholders or CIMI Cards, (g) debugging to identify and repair errors that impair existing intended functionality, (h) prosecuting persons responsible for malicious, deceptive or fraudulent activities, and/or (i) investigations by third parties of fraud, misconduct, money laundering, crimes or other illicit activities. To the extent Personal Information is received or collected, stored or processed by us, it will be subject to this Privacy Policy.

General. CIMI may use Personal Information, if received or collected, for the following business purposes: to provide Cardholders with information about CIMI Cards; to remind Cardholders that they have an outstanding balance on a CIMI Card; to maintain or update contact data about you; to maintain the accuracy of the information we collect; to respond to your questions and concerns; to contact you as needed to perform our business activities; to measure interest in our CIMI Cards; to maintain and improve the CIMI Cards; for confidential research and analysis in connection with the development of new products and services; in the exercise or defense of legal claims or complaints; and as required to meet our legal obligations. To the extent Personal Information is received or collected by us, it will be subject to this Privacy Policy.

Other. If a Cardholder or any third party provides us with Personal Information for use in a manner not covered above in this Privacy Policy, we will limit use of that Personal Information to the specific reason for which it was provided to us or as otherwise permitted by law. CIMI treats Personal Information obtained from third parties, whether received on purpose or inadvertently, in accordance with this Privacy Policy.

Notice. CIMI reserves the right to argue that its use of Personal Information is permitted under appliable privacy laws via an exemption or exception to the privacy law (including exemptions or exceptions to the law such as exemptions of certain businesses or exclusions of certain activities from application of the privacy law) or via a provision in the privacy law that declares the activity a permissible use.

Commercial Purposes: CIMI receives, stores, processes and shares Personal Information for reasonable and necessary business purposes which are outlined above in this section of our Privacy Policy. Unless specified otherwise for a specific CIMI Card and CIMI Card program at our Consumer Personal Information Disclosures Tab of the CIMI Card, CIMI does not use Personal Information for the commercial purpose of sending unsolicited advertising to a Cardholder’s addresses. Nor does CIMI disclose or share Personal Information with third parties for such purposes. Additionally, CIMI informs you that it will not monetize Personal Information for profit without providing the consent or opt-out mechanisms if and as required by applicable privacy laws.

OUR PRIVACY POLICY – HOW WE SELL OR SHARE YOUR PERSONAL INFORMATION

In the sections above of this Privacy Policy, we informed you about how others provide or share data and information with CIMI, including Personal Information. In this section of this Privacy Policy, we will inform you about how CIMI sells or shares your Personal Information with others if, and in the event that, CIMI receives Personal Information.

Selling of Personal Information: CIMI is not in the business of selling or marketing Personal Information to others for profit in the traditional sense of receiving cash, remuneration or remittance in exchange for the transfer of Personal Information. CIMI discloses or shares Personal Information for the reasonable and necessary business purposes outlined above in this Privacy Policy. However, because some U.S. states or other jurisdictions may consider the use of cookies or other third party tracking analytics on websites to constitute a form of data transfer in exchange for some form of consideration, CIMI has informed you if and how it uses cookies and third party tracking technologies. See the section below on Cookies and Related Analytics. As explained there, visitors to a CIMI Site, including you, will be notified if cookies or third party analytics are used at the CIMI Site via a pop-up at the CIMI Site. Visitors will then be provided an opportunity to opt-out from the collection of cookies and use of third party tracking analytics when you use the CIMI Site. If no pop-up appears at a CIMI Site, visitors may assume that no cookies or third party analytics are being used at the CIMI Site.

Sharing of Personal Information in the Form of Disclosing Information: In performing its business and operation, CIMI may disclose or share Personal Information to others for the reasonable and necessary business purposes described above in this Privacy Policy. The following describes some of the more common circumstances where CIMI discloses Personal Information to others for such business purposes:

Card Compliant, LLC. Card Compliant, LLC (“CC”) is a limited liability company formed under the laws of Kansas. It is the parent company of CIMI and an affiliate of CIMI for the purpose of this Privacy Policy. Additionally, CC owns and operates regulatory and accounting compliance systems that process Transaction Data, Demographic Data, and other data regarding prepaid card programs, including Personal Information depending upon the card program. CIMI uses CC and its systems to process Transaction Data and Demographic Data regarding the CIMI Cards, including your Personal Information if your Personal Information is received or collected by us. When doing so, CIMI and CC may share or disclose Personal Information with or to each other regarding CIMI Cards, including your Personal Information. In that regard, CC serves as a service provider for CIMI per a contract with CIMI providing the following services: (a) maintaining or servicing card accounts, (b) providing customer services, (c) providing regulatory compliance services, (d) providing forecasting and accounting services, (e) processing or fulfilling VCO requests, (f) verifying customer information, (g) processing VCO payments to Cardholders and escheat payments to U.S. States and territories, and (h) providing analytic services. In doing so, CC follows the privacy policies enunciated in this Privacy Policy. In addition, CC has its own Privacy Policy that you may access by clicking here.

Data Centers. Pursuant to a contract between CIMI and one or more commercial data centers, the data and information received, collected, processed stored, enriched or created by CIMI regarding CIMI Cards is stored on data servers housed in commercial data base facilities that are not owned by CIMI. From the perspective of CIMI and its business operations, this Privacy Policy applies to the data and information stored at those facilities, including Personal Information.

The Cloud. We inform you that the Transaction Data and Demographic Data regarding CIMI Cards, including Personal Information, are stored, processed and transmitted using servers and systems that operate using the cloud and cloud technologies.

CIMI Site Usage. We may share Personal Data derived from the usage of visitors of a CIMI Site with third party analytics and search engine providers that assist us in the improvement of our Site, subject to our Cookies Policy. Currently, the Terms Now CIMI Sites regarding CIMI Cards uses one such third party tracking system which is Google Analytics. The way that Google collects and processes data when delivering Google Analytics is described at www.google.com/policies/privacy/partners/. You will be provided with an opportunity to opt-out from Google Analytics via a pop-up at the CIMI Site. For more information, please see the section below on Cookies and Related Analytics.

Compliance with Unclaimed Property Laws. Depending upon the CIMI Card, unclaimed property laws may require that we issue escheat due diligence notices sent by mail or otherwise to Cardholders, including notices we may be required to publish in media publications. To comply with such unclaimed property laws governing such escheat due diligence notices, CIMI may share Personal Information with (a) a third party vendor used by CIMI to make mass mailings of escheat notices to Cardholders, and (b) newspaper or media companies selected for the publication of escheat notices if such notices must be published in public media per unclaimed property laws.

Additionally, depending upon the CIMI Card, the unclaimed property laws may require that we report and escheat the CIMI Card to a U.S. state or territory. If and as required by such unclaimed property laws, CIMI will provide and share Personal Information with the U.S. state or territory in the unclaimed property reports filed by us with such jurisdictions. Additionally, we share Personal Information with the U.S. states and territories, and their auditing companies, in response to unclaimed property regulatory inquires and/or unclaimed property audits by such jurisdictions.

Professional or Technical Support. CIMI may share Personal Information, as well as aggregated, anonymous, or nonidentifiable data, with our affiliates, investors, co-development venturers, Card Distributers, Redeeming Merchants, Bulk Business Buyers, card transaction processors, card program managers, card inventory suppliers, contractors acting on our behalf, and need to know contractors for the limited purposes of servicing the CIMI Cards and/or the Cardholders of CIMI Cards and performing the contracts and terms and condition that we have reached with Cardholders. If we share Personal Information with such companies, we will do so under agreements that require the third party to use and protect the Personal Data in accordance with the principles described in this Privacy Policy. These third parties are authorized to use your Personal Information only as needed to provide services to us and for Cardholders.

Audits, Reviews, Tests, Incidents and Investigations. CIMI will share Personal Information with others if and to the extent necessary to comply with or to facilitate (a) audits or reviews by our third party auditors or reviews, (b) audits or reviews by third party regulators or authorities, (c) audits or reviews permitted or required by a contract between us and a client or contractor, (d) testers of propriety systems including the systems of Card Compliant, LLC, (e) reviews and testing of our information security systems and practices, (f) responses to incidents involving Cardholders or CIMI Cards, and/or (g) investigations by third parties of fraud, misconduct, money laundering, crimes or other illicit activities. To the extent Personal Information is received or collected, stored or processed by us, it will be subject to this Privacy Policy.

Legal Purposes. We will share your Personal Information with regulators, law enforcement agencies, public authorities and other governmental authorities when compelled to do so, or reasonably asked to do so.

Sale of CIMI. If CIMI or the business of CIMI were to be sold or transferred (such as by way of a merger, stock purchase, asset sale, or other transaction resulting in the transfer of CIMI’s business to a new owner or a successor) then Transaction Data and Demographic Data, including Personal Information, may be considered information or an asset that (a) we must disclose to the acquirer during the due diligence work regarding the transaction, and (b) we will be required to transfer to the acquirer or other successor of CIMI as a result of the transaction. We will use reasonable efforts to assure that a potential acquirer desiring to conduct due diligence with respect to such a transaction executes a confidentiality contract or similar non-disclosure agreement requiring the acquirer to handle Personal Data during the due diligence in a manner inconsistent with this Privacy Policy.

Bankruptcy. If a bankruptcy, insolvency or reorganization proceeding were to be brought by or against us, then Transaction Data and Demographic Data, including Personal Information, may be considered information or an asset of ours and may be transferred or sold to one or more third parties. Should such a transfer or sale occur, we will use reasonable efforts to require that the transferee continue to handle Personal Information in a manner consistent with this Privacy Policy.

OUR PRIVACY POLICY – HOW WE RETAIN YOUR PERSONAL INFORMATION

Consistent with Privacy Policy Objectives described above, CIMI will retain Personal Information for the length of time determined by CIMI as needed to complete the tasks for which the Personal Information was collected, after which time the Personal Information will cease to be retained by CIMI and will be deleted per the document and data retention policies of CIMI, unless doing so will violate a law that specifically prohibits the exercise of this privacy and retention practice.

The specific time periods for retention of Personal Information may vary depending upon the task for which the Personal Information was collected. For a list of applicable retention periods, visit the CIMI Site designated on the back of your CIMI Card and go to the Consumer Personal Information Disclosures Tab. The URL for the CIMI Site usually begins with the phrase “mycardterms.com.” If you are currently on the Terms Now CIMI Site for your CIMI Card, you may also go straight to the Tab by clicking here. In deleting your Personal Information, CIMI will use techniques that meet industry standards governing the destruction of computer data. We reserve the right to retain your Personal Data for a longer period in the event of an incident regarding you or your CIMI Card that leads us to reasonably believe there is the prospect of a need for the Personal Information for future dispute resolution with respect to our relationship with you.

In addition to the foregoing retention policy regarding Personal Information, we inform you that you may have a privacy right to request that CIMI cease from retaining your Personal Information. In that regard, see the sections below on privacy rights including the section on What They Generally Are and the section on Your Right to Delete.

OUR PRIVACY POLICY – HOW WE PROTECT PERSONAL INFORMATION

If Personal Information is received or collected by CIMI, the Personal Information will be stored as data primarily on data servers maintained at one or more commercial data centers owned or operated by companies regularly engaged in the business of storing sensitive data in secure settings pursuant to industry standards governing data security and privacy. Additionally, CIMI deploys commercially reasonable measures to protect Personal Information from destruction, loss, and alteration, and from authorized disclosure or use. Such measures include (a) measures designed to comply with the Payment Card Industry (PCI) DSS security standards, and (b) operational controls subject to SOC audits. Personal Information received by CIMI from Card Distributors, Bulk Business Buyers, and/or Redeeming Merchants is transmitted to CIMI (or its affiliated Card Compliant, LLC) either directly by such entities or through commercial transaction processors using secure techniques.

YOUR PRIVACY RIGHTS – WHAT THEY GENERALLY ARE

If you are a resident of certain U.S. states or are located in certain foreign countries or jurisdictions, then you may hold certain privacy rights regarding your Personal Information established by the laws of those states or jurisdictions. Depending upon the jurisdiction, the privacy rights afforded by these laws may or may not include the following: (a) a right to know about how we handle Personal Information, (b) a right to access or be told the specific Personal Information held by us regarding you, (c) a right to correct the Personal Information in our hands if it is inaccurate, (d) the right to request deletion by us of Personal Information; (e) a right to opt-out of sale or sharing of your Personal Information by us with third parties, and (h) other rights, if any, that may be specified under the laws specific to an applicable jurisdiction.

Important Notice: For more information about the privacy rights that may be available to you pursuant to the privacy laws of U.S. states or foreign jurisdictions, please review the Addendum for Jurisdiction Specific Privacy Notices and Disclosures. This Addendum is a material part of this Privacy Policy and is accessible either by clicking here or by scrolling below. The Addendum provides a privacy notice to you for each of the specific U.S. states that have a privacy law and for selected foreign jurisdictions. The Addendum is divided into two parts with Part A addressing the privacy laws in the United States and Part B addressing the privacy laws of selected foreign jurisdictions. It is important that you review the Addendum to understand your privacy rights. Below is a direct interactive path to privacy notices of the specific jurisdictions.

Jurisdiction Specific Privacy Notices and Disclosures – Interactive Table of Contents

YOUR PRIVACY RIGHTS – WHAT WE RECOGNIZE AND AFFORD

With respect to the privacy rights that will be afforded or honored by CIMI, we will afford and honor the privacy rights if and as required by the privacy laws of the U.S. states and foreign jurisdictions, if and to the extent that they legally are applicable to you. In addition, and without limiting the forgoing, we inform you that we will afford all Cardholders the right to request deletion of their Personal Information. For the sake of clarity, we confirm that we will afford and honor privacy rights in two situations: (a) if and as required by an applicable privacy law, and/or (b) as stated in this Privacy Policy for all Cardholders with respect to the right to delete, even if you are in a jurisdiction without a privacy law affording the right to delete.

YOUR PRIVACY RIGHTS – YOUR RIGHT TO DELETE

Notice: Cardholders holding a CIMI Card shall have the right to make a verifiable request to CIMI asking CIMI to delete the Personal Information collected by CIMI from the Cardholder on behalf of CIMI; provided, however, that CIMI will not be required to comply with the request if the Personal Information is reasonably necessary for CIMI (a) to complete the task or transaction for which the Personal Information was collected, and/or (b) to perform the cardholder contract between CIMI and Cardholder. In that regard, we remind Cardholders that CIMI already has an information retention policy under which your Personal Information, if collected, will cease to be maintained by CIMI after the passage of a designated period of time. See the section above on How We Retain Your Personal Information.

If we accept your request to delete your Personal Information, then we will delete the Personal Information held directly by us upon the earlier of (a) the date stated in the retention policy or (b) forty-five (45) days after receipt of your verifiable request to delete. We also will direct that our contractors holding Personal Information on our behalf delete the Personal Information. However, we will not have authority to direct the contractors of others to delete information. Nor will we have authority to direct a third party, such as a Redeeming Merchant or Bulk Business Buyer, to delete the information if we have reached a contract agreeing that the information is the property or proprietary information of the third party and not us, or if we otherwise have agreed that the Personal Information should not be shared with us.

YOUR PRIVACY RIGHTS – YOUR RIGHT TO OPT-OUT OF SALE OR SHARING

Notice: In this Privacy Policy, we provided notice to you of the Personal Information that CIMI sells to or shares with third parties. See the section above on How We Sell or Share Your Personal Information. We hereby provide further notice to you that if an applicable privacy law requires it, Cardholders holding a CIMI Card shall have the right to opt-out of sale or sharing to the extent required by the applicable privacy law.

Cookies and Related Analytics: With respect to Cookies and Google Analytics, the visitors to the CIMI Sites (including you) will be provided the right to opt-out from the Cookies and Google Analytics in response to a pop-up that will be provided at the CIMI Site. For more information on that, see the section above on How We Sell or Share Your Personal Information and the section above on Cookies and Related Analytics.

YOUR PRIVACY RIGHTS – YOUR RIGHT TO KNOW CERTAIN INFORMATION

Notice: If an applicable privacy law requires it, then Cardholders holding a CIMI Card shall have the right to make a verifiable request to CIMI that CIMI disclose to the Cardholder the various items of information that CIMI is required to disclose to consumers about Personal Information by the applicable privacy law; provided, however, that CIMI reserves the right to object to the request on grounds that the information has already been disclosed in this Privacy Policy. In that regard we remind you that CIMI has a retention policy under which your Personal Information, if collected, will cease to be maintained by CIMI after a designated period of time. See the section above on How We Retain Your Personal Information.

YOUR PRIVACY RIGHTS – YOUR RIGHT TO ACCESS SPECIFIC INFORMATION

Notice: If an applicable privacy law requires it, then Cardholders holding a CIMI Card shall have the right to make a verifiable request to CIMI asking that CIMI disclose to the Cardholder the specific pieces of Personal Information that CIMI has collected about the Cardholder. In that regard we remind you that CIMI has a retention policy under which your Personal Information, if collected, will cease to be maintained by CIMI after a designated period of time. See the section above on How We Retain Your Personal Information.

YOUR PRIVACY RIGHTS – YOUR RIGHT TO CORRECT INACCURATE INFORMATION

Notice: If an applicable privacy law requires it, then Cardholders holding a CIMI Card shall have the right to make a verifiable request to CIMI that CIMI correct inaccurate Personal Information maintained by CIMI regarding the Cardholder; provided, however, that CIMI reserves the right to object to the request on grounds that it is unreasonable in light of the nature of the Personal Information and the purpose for which the Personal Information is being held or processed. In that regard we remind you that CIMI has a retention policy under which your Personal Information, if collected, will cease to be maintained by CIMI after a designated period of time. See the section above on How We Retain Your Personal Information. Generally, we welcome requests to correct material errors or inaccuracies with respect to the following (a) necessary contact information, (b) delivery information regarding the delivery of a CIMI Card, and (c) data needed to comply with unclaimed property laws, such as information needed to send escheat due diligence notices and to file escheat reports with the applicable U.S. states or territories.

YOUR PRIVACY RIGHTS – YOUR OTHER PRIVACY RIGHTS

Notice: If an applicable privacy law requires it, then CIMI will afford you with such other privacy rights as specified in the applicable privacy law, if the privacy law legally is applicable to you. For more information on such other rights, if any, see the privacy notices provided to you with respect to certain U.S. states and foreign jurisdictions in the Addendum for Jurisdiction Specific Privacy Notices and Disclosures, which can be accessed by clicking here.

YOUR PRIVACY RIGHTS – HOW TO EXERCISE YOUR PRIVACY RIGHTS AND CHOICES

If you elect to do so, you may exercise your one or more of your privacy rights using one of the following methods:

To submit a consumer request regarding your privacy rights, you may email us at privacyrights@cimicard.com and put the phrase “Consumer Privacy Rights Request” in the subject line of your email.
You may also submit a consumer request by sending a letter to the following address: Consumer Privacy Rights Request, Card Issuance & Management, Inc., 11610 Ash St., Suite 200, Leawood, KS 66211, Attention: Data Privacy Manager.
You may also exercise your privacy rights by going to the footer of CIMI’s website and selecting the interactive link “Exercise Your Privacy Right Here.”
You may also request delivery or disclosure of the information (that we are required to disclose or deliver by a privacy law per a Right to Know, a Right to Access or otherwise) by calling us at the toll free number, 855.971.7430.
You may also exercise your privacy rights directly from this Privacy Policy at this CIMI Site by clicking the interactive button provided below:

If you submit a request to delete online, you will be asked to confirm separately that you want your Personal Information to be deleted. If we are required by a privacy law to deliver information to you, we will do so free of charge by mail or electronically at your election. If required by an applicable privacy law, we will deliver required information to you using a readily useable format that allows for you to transmit the information from one entity to another entity without hindrance.

In exercising your privacy rights, please remember that we do not consider Transaction Data, Pseudonymized Data, Deidentified Data or Aggregated Data to be Personal Information. For the sake of clarity, we confirm that we will afford and honor privacy rights in two situations: (a) if and as required by an applicable privacy law, and/or (b) as stated above in this Privacy Policy for all Cardholders with respect to the right to delete even if you are in jurisdiction that does not have a privacy law affording the right to delete.

Our Policy Regarding Verifiable Requests: Your request asserting a privacy right must be a verifiable request that is verifiable by us using commercially reasonable methods. To verify requests and the information in them, you will be required to provide, at a minimum, your name and an email address and you may be asked to respond to a confirmation email that will be sent to that email address. We may also ask that you provide a photo of an official government issued ID. Only you (or a designated authorized agent if permitted under the applicable privacy law) may make a verifiable consumer request related to your Personal Information. If you are an authorized agent making a request on the consumer’s behalf, then you should submit the request on behalf of a consumer via the one of the permitted the contact methods specified above in this section of our Privacy Policy. We reserve the right to request information for verifications to the extent that is not prohibited an applicable privacy law.

Our Policy Regarding Use of Authorized Agents: We permit the use of an authorized agent to make a privacy right request for you only if we are required to do so by a privacy law. When we are required to do so by law, we will only permit the use of an authorized agent for the purpose of asserting the right to opt-out of a sale or sharing, with the exception residents of California. The use of an authorized agent will not be permitted for the submission of any other privacy right, including the right to delete, with the exception of residents of California. The California privacy laws permits use of an authorized agent to assert the right to delete, the right to correct, the tight to know, the right to access and the right to opt-out of sale or sharing. When an authorized agent is used, we will request verification of the authorized agent to the fullest extent allowed by the applicable privacy law. As stated above, the right to opt-out of sale or sharing is provided to all Cardholders including Cardholders in jurisdictions without a privacy law. The right to use an authorized agent, however, only applies to Cardholders from jurisdictions with a privacy law.

Denial of Privacy Requests and Appeal: CIMI will notify you, at an email address provided by you, if your privacy request has been denied. Such notice will be provided within the later of (a) forty five (45) days after we received your privacy request, or (b) such other longer period specified in the applicable privacy law. Some jurisdictions may grant you a right to appeal a denial to and with us. For those rights, if any, please go to the Addendum on Jurisdiction Specific Privacy Notices and Disclosures.

YOUR PRIVACY RIGHTS – RESOLVING PROBLEMS

If you have a comment, question, or complaint about how we are handling your Personal Data, please contact us to allow us to resolve the matter. If you are located in the European Economic Area you may submit a complaint regarding the processing of your Personal Data to a regulatory authority. In the United Kingdom, the regulatory authority for data protection is the Information Commissioner’s Office (“ICO”) that can be reached at www.ico.org.uk. Additional information about where to submit concerns or complaints to government or regulatory authorities in a specific jurisdiction can be found in the Addendum for Jurisdiction Specific Privacy Notices and Disclosures, which is part of this Privacy Policy and can be reached by clicking here. However, we would appreciate the chance to address your concerns before you approach the ICO or other regulatory authority, so please contact us first if you have concerns.

MORE POLICIES – COOKIES AND RELATED ANALYTICS

CIMI uses cookies (small text files that a website saves on your computer or device when you visit a CIMI Site) and other tracking tools to automatically collect information about how you use a CIMI Site and otherwise interact with our Services. The information collected might relate to you, or your device, your use of a CIMI Site and is mostly used to make a CIMI Site work as you expect it to work, to provide a more personalized web experience, and to analyze the use by visitors of the CIMI Sites. Most web browsers are set to accept cookies by default. However, you can choose not to allow certain types of cookies, which may impact your experience on the CIMI Site. For more specific information about how we use cookies and similar tracking devices, please review our separate Cookies Policy by clicking here.

CIMI informs you that it also uses Google Analytics, a web analytics service provided by Google, Inc. Google Analytics uses cookies to help us analyze how users interact with a CIMI Site, compile reports on their activity, and provide other services related to their activity and usage. The technologies used by Google may collect information such as your IP address, time and nature of your visit, whether you are a returning visitor, and the incidents of any referring website. The information generated by Google Analytics is transmitted to and stored by Google and is subject to Google’s privacy policies. You can learn more about Google’s partner services, and also can learn how to opt out of tracking of analytics by Google by clicking here.

If a CIMI Site uses cookies or Google Analytics, then the visitors to the CIMI Site will be provided a pop-up advising of such and providing the visitor a right to opt-out.

MORE POLICIES – WALLETS, ACCOUNTS AND APPLICATIONS

[Note: This Section should be used and added if a wallet, etc. is used in a card program].

MORE POLICIES – AGGREGATED, PSEUDONYMIZED AND DEIDENTIFIED DATA

CIMI and is affiliate Card Compliant, LLC collect, use and aggregate data from multiple cards in a card program or from multiple card programs (the Aggregated Data) for analytical and statistical purposes including industry benchmarking. This Aggregated Data can be derived from data that contained Personal Information (if we have received or collected Personal Information), but Aggregated Data is not itself considered by us to be Personal Information, because the Aggregated Data will be pseudonymized or deidentified with the identities of the consumers removed so the data will not directly or indirectly reveal or be tied to the identity of a particular consumer or household. For example, we may create such Aggregated Data from Transaction Data to determine the general usage patterns concerning CIMI Cards.

MORE POLICIES – THIRD PARTY LINKS AND WEBSITES

The CIMI Sites, including this website, will have links to third-party websites, plug-ins and applications. Such links are provided solely for convenience. Those other websites, plug-ins and applications are not CIMI Sites. Your visit there will be subject to the privacy policies and terms of use specified at those sites, and not by our Privacy Policy. This Privacy Policy of CIMI applies only to CIMI Sites and CIMI Cards. For a list of CIMI Sites, visit the Glossary hereto. This Privacy Policy does not apply to non-CIMI Sites, including those of a Redeeming Merchant or a Card Distributor, or other third parties that may link to or from our CIMI Sites. We are not responsible for the practices or workings of such other sites or applications, and encourage you to review the privacy policies of any third party site you visit. A link to or from a third-party site to or from a CIMI Site does not mean or imply (and should not be construed as meaning or implying) that we have reviewed or endorsed those third-party sites.

MORE POLICIES – MINORS AND CHILDREN

CIMI Cards may be purchased to be provided as gifts for minors. CIMI oversees the CIMI Sites. They provide general information for use by all Cardholders and visitors and, as a general rule, are designed for a general audience and, as such, are not directed to children under the age of 13. Individuals transacting business at a CIMI Site typically are required to warrant or represent that they are either (a) age 18 or older. or (b) a parent or guardian for a younger consumer. CIMI does not knowingly receive, collect, sell, or share Personal Information from individuals under the age of 16. If you become aware of Personal Information that we may have collected from minors or children under 16 years of age, please contact us at privacyrights@cimicard.com. We urge parents and guardians to regularly monitor and supervise the online activities of their minors and children.

MORE POLICIES – INTERNATIONAL DATA TRANSFERS

If you are located outside the United States, please note that we and our data servers are located in the United States. Any information that you provide to us from another country may be transferred to and processed by us in the United States. While the United States may provide a lower level of legal privacy protection for your Personal Information than in your country, we will make efforts to protect your information in accordance with requirements applicable to the law in your particular jurisdiction if it is legally applicable, and will take steps to only share your Personal Information with third parties that offer similar protections.

MORE POLICIES – PERSONAL DATA CONTROLLER

To the extent a Controller is required to be designated under an applicable privacy law, then CIMI is hereby designated the Controller responsible for overseeing your Personal Information with respect to you CIMI Card and card program. CIMI has appointed a data privacy manager who is responsible for overseeing questions regarding this Privacy Policy. You may contact CIMI or its data privacy manager in the manner set forth below.

MORE POLICIES – ABOUT OUR CONSUMER PERSONAL INFORMATION DISCLOSURES TAB

The Terms Now CIMI Site for your CIMI Card program has a tab that is labeled the Consumer Personal Information Disclosures Tab. The information provided there will inform you (a) whether or not Personal Information is or is not collected regarding your CIMI Card, (b) the categories of Personal Information, if any, collected in the CIMI Card program, and (c) the dates when the Personal Information, if collected, will cease to be retained by CIMI pursuant to its document and data retention program. To find the Consumer Personal Information Disclosures Tab, go to the CIMI Site designated on the back of your CIMI Card and go to the Consumer Personal Information Disclosures Tab. The URL for the CIMI Site usually begins with the phrase “mycardterms.com.” If you currently are on the Terms Now CIMI Site for your CIMI Card, you may also go straight to the Consumer Personal Information Disclosures Tab by clicking here.

MORE POLICIES – CHANGES TO OUR PRIVACY POLICY

This version of our Privacy Policy was last updated as of the Last Updated Date specified above at the top of this Privacy Policy. We strive to keep our Privacy Policy current and compliant with existing and new privacy laws and the amendments thereto. Additionally, we strive to keep our Privacy current with respect to changes to the CIMI Card, changes to its related services, and/or changes to its underlying technologies. As such, our Privacy Policy will be subject to regular review and will be modified by us from time to time. When changes to this Privacy Policy are made, we will post the updated version and specify the new Last Updated Date at the beginning of the Privacy Policy. We encourage you to check back regularly and review the Privacy Policy.

MORE POLICIES – CONSTRUCTION WITH PRIVACY LAWS AND SURVIVAL

CIMI issues and/or services CIMI Cards that are sold in all fifty U.S. states and in several foreign jurisdictions. The terms of this Privacy Policy shall apply except if and to the extent that the terms do not violate an applicable privacy law. If a provision of this Privacy Policy violates an applicable privacy law, then the provision shall be construed and deemed not to apply, with the rest of the Privacy Policy remaining in full force and effect.

MORE POLICIES – A LIMITATION

Except as provided above in the section on What We Recognize and Afford (with respect to the right to delete), CIMI reserves the right to take the position that it is not required to perform or act in a particular situation or circumstance on the grounds that CIMI is not required to do so by an applicable privacy law.

MORE POLICIES – A DISCLAIMER

CIMI is not a law firm. This Privacy Policy is not intended to provide legal advice to you. If you have legal questions about the application of a privacy law, then you should consult an attorney.

HOW TO CONTACT US

If you have any questions or comments regarding this Privacy Policy, you may contact the data privacy manager of CIMI in any one or more of the following ways. You may email us at privacyrights@cimicard.com. You may write to us at: Card Issuance & Management, Inc., 11610 Ash St., Suite 200, Leawood, KS 66211, Attention: Data Privacy Manager. And you may call us at the toll-free number, 855.971.7430.

ADDENDUM FOR JURISDICTION SPECIFIC PRIVACY NOTICES AND DISCLOURES

This Addendum for Jurisdiction Specific Privacy Notices and Disclosures is a part of the Privacy Policy of CIMI. It provides specific privacy notices and disclosures to Cardholders and you regarding specific privacy laws enacted or promulgated by various jurisdictions that may address the privacy of the Personal Information that CIMI receives or collects regarding CIMI Cards or use of CIMI Sites. This Addendum is divided into two parts. Part A provides privacy notices to Cardholders and you regarding jurisdictions within United States of America that have enacted or adopted a privacy law. Part B provides notices to Cardholders and you regarding selected foreign jurisdictions.

Important Notice: You should review this Addendum to fully understand your privacy rights. You should also continue to review the general sections of our Privacy Policy to which this Addendum is a part. To see the general sections of our Privacy Policy please scroll above. Below is an interactive path to privacy notices for specific jurisdictions.

Jurisdiction Specific Privacy Notices and Disclosures – Interactive Table of Contents

ADDENDUM PART A – JURISDICTION SPECIFIC PRIVACY NOTICES AND DISCLOSURES ADDENDUM – UNITED STATES OF AMERICA

This Addendum Part A is a part of the Privacy Policy and Notice of CIMI. If you are a resident of certain U.S. states, then you may have privacy rights established by the privacy laws of a U.S. state regarding the Personal Information received or collected by CIMI. This Addendum Part A provides specific privacy notices and disclosures regarding the specific privacy laws of various U.S. states that may address the Personal Information CIMI receives or collects regarding CIMI Cards or the use of CIMI Sites. For foreign jurisdictions you should go to Addendum Part B by clicking here.

Important Notice: You should review this Addendum Part A to fully understand your privacy rights. The specific privacy notices regarding specific jurisdictions are a part of our Privacy Policy You also should continue to review the general sections of our Privacy Policy. To see them, scroll above. Below is an interactive path to specific U.S. jurisdictions that have adopted privacy laws that may impact your Personal Information.

Jurisdiction Specific Privacy Notices and Disclosures – Interactive Table of Contents

PRIVACY NOTICE TO CALIFORNIA RESIDENTS

Last Updated Date: August 23, 2025

This Privacy Notice to California Residents (the California Privacy Notice) is provided by CIMI as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this California Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections, scroll above. If a conflict exists between this specific California Privacy Notice and the general sections of our Privacy Policy, then this California Privacy Notice shall control.

This California Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, California residents. If you are not a California resident, then this California Privacy Notice does not apply to you, and you should not rely on it.

California List of Categories of Personal Information That We Collect About Consumers (provided per CA Civil, Section 1798.130(5)(B)). Table A below provides a list of the categories of Personal Information we have collected for a business purpose in the 12 months preceding the Last Updated Date of this Privacy Policy and, for each category, provides the categories or sources of the Personal Information, and the categories of business purposes for which the Personal Information was collected.

Table A. Categories of Personal Information Collected By Us

Category of Personal Information	Categories of Sources	Categories of Business Purpose
Demographic Information with Personal Identifiers (i.e., name, residence address, email address)	Service Providers (i.e., Transaction Processors, Program Managers, Card Distributors, Redeeming Merchants, Bulk Business Buyers)	Auditing; Detecting and preventing security incidents; Debugging to identify and repair errors; Short-term, transient use that is internal and not used to build a consumer profile; Performing services such as maintaining accounts, providing customer service, and fulfilling orders; Undertaking internal research; Undertaking activities to verify or maintain the quality of services.
Personal Identifiers (i.e.,name, residence address, email address, date of birth, phone number)	Cardholders (i.e., for VCO services)	Performing services such as maintaining accounts, providing customer service, fulfilling orders; and processing payments; Short-term, transient use that is internal and not used to build a consumer profile.
Location information (i.e., store location)	Cardholders (i.e., for VCO services)	Performing services such as maintaining accounts, providing customer service, fulfilling orders; and processing payments; Short-term, transient use that is internal and not used to build a consumer profile.
Demographic Information with Personal Identifiers	Investigators of incidents and governmental authorities.	Detecting and preventing security incidents; Undertaking activities to verify or maintain the quality of services; Prosecuting persons responsible for malicious, deceptive or fraudulent activities
Device and Online Identifiers	CIMI Sites	Auditing
Internet, application and network activity	CIMI Sites	Auditing
Geolocation data (such as IP address)	CIMI Sites	Auditing
Government Identifiers	Cardholders	To verify privacy right requests

Note: For more detailed information about the business purposes for which the Personal Information was collected see the above section of this Privacy Policy on How We Use Your Personal Information.

Note: Please remember that we do not consider Transaction Data, Pseudonymized Data, Deidentified Data or Aggregated Data to be Personal Information.

California List of Categories of Personal Information Sold or Shared (provided per CA Civil, Section 1798.130(5)(C)(i)). Table B below provides a list of categories of Personal Information that we have sold or shared to or with third parties in the 12 months preceding the Last Updated Date of this Privacy Policy and, for each category, provides the categories of recipients to which the Personal Information was sold or shared and the categories of business purposes for which Personal Information was sold or shared – as the term “share” is defined in the California privacy law. As explained above, CIMI is not in the business of selling Personal Information. Nor do we “share” Personal Information as “share” is defined in in the California privacy law. However, because some may consider the use of cookies or other third party tracking analytics on websites to constitute a form of data transfer in exchange for some form of consideration, CIMI has informed you how it uses cookies and third party tracking technologies. See the section below on Cookies and Related Analytics. In that regard, see also Table B below

Table B. Categories of Personal Information Sold or Shared by Us

Category of Personal Information	Categories of Recipients	Categories of Business Purpose
Device and Online Identifiers	Service Providers (i.e., website cookies and tracking analytics)	Auditing
Internet, application and network activity	Service Providers (i.e., website cookies and tracking analytics)	Auditing
Geolocation data such as IP address.	Service Providers (i.e., website cookies and tracking analytics)	Auditing.

Note: For more detailed information about the business purposes for which the Personal Information was collected, see the above section of this Privacy Policy on How We Use Your Personal Information.

Note: Please remember that we do not consider Transaction Data, Pseudonymized Data, Deidentified Data or Aggregated Data to be Personal Information.

California List of Categories of Personal Information Disclosed About Consumers for Business Persons and the Recipients (provided per CA Civil, Section 1798.130(5)(C)(ii)). Table C below provides a list of the categories of Personal Information that we have disclosed to others for a business purpose in the 12 months preceding the Last Updated Date of this Privacy Policy and, for each category, provides the categories of recipients to which the Personal Information was disclosed and categories of business purposes for which the Persona Information was disclosed.

Table C. Categories of Personal Information Disclosed By Us to Others

Category of Personal Information	Categories of Recipients	Categories of Business Purpose
Demographic Information with Personal Identifiers (i.e., name, residence address, email address)	Service Providers (i.e. Card Compliant and Data Centers)	Performing services such as maintaining accounts, providing customer service, fulfilling orders, Undertaking internal research; Undertaking activities to verify or maintain the quality of services.
Personal Identifiers (i.e.,name, residence address, email address, date of birth, phone number)	Service Providers (i.e., Transaction Processors for VCO)	Performing services like maintaining accounts, providing customer service, and fulfilling orders; Short-term, transient use that is internal and not used to build a consumer profile.
Personal Identifiers	Governmental Authorities	Regulatory compliance and legal obligations
Demographic Information with Personal Identifiers	Investigators of incidents and governmental authorities.	Detecting and preventing security incidents; Undertaking activities to verify or maintain the quality of services; Prosecuting persons responsible for malicious, deceptive or fraudulent activities.
Internet, application and network activity	Service Providers (i.e., website cookies and tracking analytics)	Auditing
Geolocation data (such as IP address)	Service Providers (i.e., website cookies and tracking analytics	Auditing.

Note: For more detailed information about the business purposes for which the Personal Information was collected, see the above section of this Privacy Policy on How We Use Your Personal Information.

Note: Please remember that we do not consider Transaction Data, Pseudonymized Data, Deidentified Data or Aggregated Data to be Personal Information.

Sale or Share of Personal Information of Consumers under 16 Years of Age: We do not knowingly sell or share (for cross-context behavioral advertising) the personal information of consumers under 16 years of age. For more information, see also the section above of this Privacy Policy on Minors and Children.

Notice to You About Our Retention of Personal Information: We retain your Personal Information for as long as necessary to fulfill the purposes for which we collect it as is more fully described above in the section of this Privacy Policy on How We Retain Your Personal Information.

Notice of Your California Consumer Privacy Rights: If you reside in California, then you have the following privacy rights per California privacy laws regarding your Personal Information as of the Last Updated Date of this California Privacy Notice:

The right to know the categories of Personal Information we’ve collected and the categories of sources from which we got the information.
The right to know the business purpose for collecting Personal Information.
The right to know the categories of third parties with whom we share that Personal Information.
The right to access the specific pieces of Personal Information we’ve collected and then gain access to the Personal Information.
The right to delete Personal Information that we collected from and/or about you, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to opt out of having your Personal Information sold or shared for cross-context behavioral advertising.
The right to limit disclosure of sensitive personal information but know that we do not use your sensitive Personal Information (if at all) in a manner subject to that right.

How to Submit a Request to Know, Delete, and/or Correct: You may submit a privacy right request to exercise one of your California Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. You may also exercise your privacy rights directly from this webpage by clicking the button provided below:

Verifiable Privacy Right Requests: Your privacy right request must be a verifiable request. For our policy on making a verifiable request, go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Use of an Authorized Agent: The privacy law of California allows for the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. If you are an authorized agent submitting a request to opt-out of the sale or sharing on the consumer’s behalf, the authorized agent must provide us with the consumer’s signed permission demonstrating your authorization to submit a request on the consumer’s behalf. We may also require the consumer verify their own identity directly with us and directly confirm with the business that they provided the authorized agent’s permission to submit the request.

Shine the Light Law. We do not disclose Personal Information obtained through our CIMI Sites or from our issuance or servicing of CIMI Cards to third parties for their direct marketing purposes. Accordingly, we have no obligations under California Civil Code § 1798.83.

PRIVACY NOTICE TO COLORADO RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Colorado Residents (the Colorado Privacy Notice) is provided by CIMI as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this Colorado Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Colorado Privacy Notice and the general sections of our Privacy Policy, then this Colorado Privacy Notice shall control.

This Colorado Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Colorado residents. If you are not a Colorado resident, then this Colorado Privacy Notice does not apply to you, and you should not rely on it.

Colorado Table on Collection, Use and Sharing of Personal Information: We may collect, use and process certain categories of Personal Information as described in the table below.

Category/Type of Personal Information	Processing Purpose	Used for Targeted Advertising?	Categories of Recipients/Purpose or Activity
Identifiers such as name, e-mail address, date of birth, phone number and/or IP address	Product and service fulfillment; communications and marketing; improve products, services, and operation, prevention of fraud; legal compliance.	No	Service providers, including for cloud storage, customer support, marketing and our Recipient and Purchaser Customers.
Commercial information such as records of products or services purchased from merchants, retailers or third-party sellers	Product and service fulfillment; communications and marketing; improve products, services, and operations; prevention of fraud; legal compliance.	No	Service providers, including for cloud storage, customer support, marketing and our Recipient and Purchaser Customers.
Financial information such as bank account, credit card, and prepaid payment card information	Product and service fulfillment; improve products, services, and operations; prevention of fraud; legal compliance.	No	Service providers, including for payment processing.
Internet or other similar network activity such as information regarding your interactions with the Site	Communications and marketing; improve products, services, and operations; prevention of fraud and other harm; legal compliance.	No	Service providers, including for analytics, cloud storage and customer support.
Geolocation data such as IP address	Product or service fulfillment, communications and marketing.	No	Service providers, including for analytics, cloud storage and customer support.

Notice of Your Colorado Consumer Privacy Rights: If you reside in Colorado, then you have the following privacy rights per Colorado privacy laws regarding your Personal Information as of the Last Updated Date of this Colorado Privacy Notice:

Right to Know and Access: The right to confirm whether or not we are processing your Personal Information and to access such Personal Information.
Right to Correct: The right to correct inaccuracies in your Personal Information, taking into account the nature of the Personal Information and our purposes of the processing of such Personal Information.
Right to Delete: The right to delete Personal Information provided by or obtained about you.
Right to Obtain a Copy: The right to obtain a copy of your Personal Information that you previously provided to us in a portable and to the extent technically feasible, readily useable format that allows you to transmit the data to another controller without hindrance, where the processing is carried out by automated means.
Right to Opt-Out: The right to opt out of the processing of your Personal Information for purposes of: (1) targeted advertising, (2) the sale of Personal Information, or (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Colorado Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. You may also exercise your privacy rights directly from this webpage by clicking the button provided below:

Verifiable Privacy Rights Requests: Your privacy right request must be a verifiable request. For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Use of an Authorized Agent: The privacy law of Colorado allows for the use of an authorized agent to submit a request to opt-out on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Colorado Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 45 days of receipt. If your appeal is denied and you are a Colorado resident, you may contact the Colorado Attorney General to submit a complaint at: https://coag.gov/file-complaint/.

PRIVACY NOTICE TO CONNECTICUT RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Connecticut Residents (the Connecticut Privacy Notice) is provided by CIMI as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this Connecticut Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Connecticut Privacy Notice and the general sections of our Privacy Policy, then this Connecticut Privacy Notice shall control.

This Connecticut Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Connecticut residents. If you are not a Connecticut resident, then this Connecticut Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Connecticut Consumer Privacy Rights: If you reside in Connecticut, then you have the following privacy rights per Connecticut privacy laws regarding your Personal Information as of the Last Updated Date of this Connecticut Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Connecticut Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. You may also exercise your privacy rights directly from this webpage by clicking the button provided below:

Verifiable Privacy Right Requests: Your privacy right request must be a verifiable request. For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Use of an Authorized Agent: The privacy law of Connecticut allows for the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Connecticut Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Connecticut resident, you may contact the Connecticut Attorney General to submit a complaint at: https://portal.ct.gov/AG/Common/Complaint-Form-Landing-page

PRIVACY NOTICE TO DELAWARE RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Delaware Residents (the Delaware Privacy Notice) is provided by CIMI as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this Delaware Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Delaware Privacy Notice and the general sections of our Privacy Policy, then this Delaware Privacy Notice shall control.

This Delaware Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Delaware residents. If you are not a Delaware resident, then this Delaware Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Delaware Consumer Privacy Rights: If you reside in Delaware, then you have the following privacy rights per Delaware privacy laws regarding your Personal Information as of the Last Updated Date of this Delaware Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
The right to obtain a list of categories of third parties to which we have disclosed your personal information.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Delaware Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. You may also exercise your privacy rights directly from this webpage by clicking the button provided below:

Use of an Authorized Agent: The privacy law of Delaware allows for the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Delaware Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Delaware resident, you may contact the Delaware Department of Justice to submit a complaint at: https://attorneygeneral.delaware.gov/fraud/cmu/complaint/#:~:text=If%20you%20are%20unable%20to,%40delaware.gov%20for%20assistance.

PRIVACY NOTICE TO IOWA RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Iowa Residents (the Iowa Privacy Notice) is provided by CIMI as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this Iowa Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Iowa Privacy Notice and the general sections of our Privacy Policy, then this Iowa Privacy Notice shall control.

This Iowa Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Iowa residents. If you are not a Iowa resident, then this Iowa Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Iowa Consumer Privacy Rights: If you reside in Iowa, then you have the following privacy rights per Iowa privacy laws regarding your Personal Information as of the Last Updated Date of this Iowa Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for the “sale” of your personal information (as that term is defined by applicable law).

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Iowa Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. You may also exercise your privacy rights directly from this webpage by clicking the button provided below:

Verifiable Privacy Right Request: Your privacy right request must be a verifiable request. For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Use of an Authorized Agent: The privacy law of Iowa does not mention the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Iowa Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are an Iowa resident, you may contact the Iowa Attorney General to submit a complaint at: https://www.iowaattorneygeneral.gov/for-consumers/file-a-consumer-complaint.

PRIVACY NOTICE TO MARYLAND RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Maryland Residents (the Maryland Privacy Notice) is provided by CIMI as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this Maryland Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Maryland Privacy Notice and the general sections of our Privacy Policy, then this Maryland Privacy Notice shall control.

This Maryland Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Maryland residents. If you are not a Maryland resident, then this Maryland Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Maryland Consumer Privacy Rights: If you reside in Maryland, then you have the following privacy rights per Maryland privacy laws regarding your Personal Information as of the Last Updated Date of this Maryland Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, unless the law requires we must retain the Personal Information.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
The right to obtain a list of categories of third parties to which we have disclosed your personal information.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Maryland Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. You may also exercise your privacy rights directly from this webpage by clicking the button provided below:

Use of an Authorized Agent: The privacy law of Maryland allows for the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your Maryland Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Maryland resident, you may contact the Maryland Attorney General Consumer Protection Division to submit a complaint at: https://www.marylandattorneygeneral.gov/Pages/CPD/Complaint.aspx.

PRIVACY NOTICE TO MINNESOTA RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Minnesota Residents (the Minnesota Privacy Notice) is provided by CIMI as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this Minnesota Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Minnesota Privacy Notice and the general sections of our Privacy Policy, then this Minnesota Privacy Notice shall control.

This Minnesota Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Minnesota residents. If you are not a Minnesota resident, then this Minnesota Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Minnesota Consumer Privacy Rights: If you reside in Minnesota, then you have the following privacy rights per Minnesota privacy laws regarding your Personal Information as of the Last Updated Date of this Minnesota Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
The right to obtain a list of categories of third parties to which we have disclosed your personal information.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Minnesota Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. You may also exercise your privacy rights directly from this webpage by clicking the button provided below:

Use of an Authorized Agent: The privacy law of Minnesota allows for the use of an authorized agent to submit a privacy right request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your Minnesota Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 45 days of receipt. If your appeal is denied and you are a Minnesota resident, you may contact the Minnesota Attorney General to submit a complaint at: https://www.ag.state.mn.us/office/complaint.asp#:~:text=If%20you%20have%20questions%20about,657%2D3787%20(Outside%20the%20Twin.

PRIVACY NOTICE TO MONTANA RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Montana Residents (the Montana Privacy Notice) is provided by CIMI as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this Montana Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Montana Privacy Notice and the general sections of our Privacy Policy, then this Montana Privacy Notice shall control.

This Montana Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Montana residents. If you are not a Montana resident, then this Montana Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Montana Consumer Privacy Rights: If you reside in Montana, then you have the following privacy rights per Montana privacy laws regarding your Personal Information as of the Last Updated Date of this Montana Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Montana Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. You may also exercise your privacy rights directly from this webpage by clicking the button provided below:

Use of an Authorized Agent: The privacy law of Montana allows for the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your Montana Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Delaware resident, you may contact the Montana Attorney General to submit a complaint at: https://dojmt.gov/consumer/consumer-complaints/.

PRIVACY NOTICE TO NEBRASKA RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Nebraska Residents (the Nebraska Privacy Notice) is provided by CIMI as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this Nebraska Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Nebraska Privacy Notice and the general sections of our Privacy Policy, then this Nebraska Privacy Notice shall control.

This Nebraska Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Nebraska residents. If you are not a Nebraska resident, then this Nebraska Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Nebraska Consumer Privacy Rights: If you reside in Nebraska, then you have the following privacy rights per Nebraska privacy laws regarding your Personal Information as of the Last Updated Date of this Nebraska Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Nebraska Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. You may also exercise your privacy rights directly from this webpage by clicking the button provided below:

Use of an Authorized Agent: The privacy law of Nebraska allows for the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your Nebraska Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Nebraska resident, you may contact the Nebraska Attorney General to submit a complaint at: https://ago.nebraska.gov/constituent-complaint-form.

PRIVACY NOTICE TO NEW HAMPSHIRE RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to New Hampshire Residents (the New Hampshire Privacy Notice) is provided by CIMI as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this New Hampshire Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific New Hampshire Privacy Notice and the general sections of our Privacy Policy, then this New Hampshire Privacy Notice shall control.

This New Hampshire Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, New Hampshire residents. If you are not a New Hampshire resident, then this New Hampshire Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your New Hampshire Consumer Privacy Rights: If you reside in New Hampshire, then you have the following privacy rights per New Hampshire privacy laws regarding your Personal Information as of the Last Updated Date of this New Hampshire Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your New Hampshire Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. You may also exercise your privacy rights directly from this webpage by clicking the button provided below:

Use of an Authorized Agent: The privacy law of New Hampshire allows for the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your New Hampshire Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a New Hampshire resident, you may contact the New Hampshire Attorney General to submit a complaint at: https://www.doj.nh.gov/citizens/consumer-protection-antitrust-bureau/consumer-complaints.

PRIVACY NOTICE TO NEW JERSEY RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to New Jersey Residents (the New Jersey Privacy Notice) is provided by CIMI as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this New Jersey Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific New Jersey Privacy Notice and the general sections of our Privacy Policy, then this New Jersey Privacy Notice shall control.

This New Jersey Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, New Jersey residents. If you are not a New Jersey resident, then this New Jersey Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your New Jersey Consumer Privacy Rights: If you reside in New Jersey, then you have the following privacy rights per New Jersey privacy laws regarding your Personal Information as of the Last Updated Date of this New Jersey Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your New Jersey Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. You may also exercise your privacy rights directly from this webpage by clicking the button provided below:

Verifiable Privacy Right Request: Your privacy right request must be a verifiable request. For our policy on making verifiable a request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Use of an Authorized Agent: The privacy law of New Jersey allows for the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your New Jersey Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 45 days of receipt. If your appeal is denied and you are a New Jersey resident, you may contact the New Jersey Division of Consumer Affairs to submit a complaint at: https://www.njconsumeraffairs.gov/Pages/Consumer-Complaints.aspx.

PRIVACY NOTICE TO OREGON RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Oregon Residents (the Oregon Privacy Notice) is provided by CIMI as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this Oregon Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Oregon Privacy Notice and the general sections of our Privacy Policy, then this Oregon Privacy Notice shall control.

This Oregon Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Oregon residents. If you are not an Oregon resident, then this Oregon Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Oregon Consumer Privacy Rights: If you reside in Oregon, then you have the following privacy rights per Oregon privacy laws regarding your Personal Information as of the Last Updated Date of this Oregon Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.
The right to obtain a list of categories of third parties to which we have disclosed your personal information.

How to Submit a Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Oregon Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. You may also exercise your privacy rights directly from this webpage by clicking the button provided below:

Use of an Authorized Agent: The privacy law of Oregon allows for the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices. .

Your Oregon Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 45 days of receipt. If your appeal is denied and you are an Oregon resident, you may contact the Oregon Attorney General to submit a complaint at: https://justice.oregon.gov/consumercomplaints/.

PRIVACY NOTICE TO TENNESSEE RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Tennessee Residents (the Tennessee Privacy Notice) is provided by CIMI as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this Tennessee Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Tennessee Privacy Notice and the general sections of our Privacy Policy, then this Tennessee Privacy Notice shall control.

This Tennessee Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Tennessee residents. If you are not a Tennessee resident, then this Tennessee Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Tennessee Consumer Privacy Rights: If you reside in Tennessee, then you have the following privacy rights per Tennessee privacy laws regarding your Personal Information as of the Last Updated Date of this Tennessee Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of the “sale” of your personal information (as that term is defined by applicable law).

How to Submit Your Tennessee Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Tennessee Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. You may also exercise your privacy rights directly from this webpage by clicking the button provided below:

Use of an Authorized Agent: The privacy law of Tennessee does not mention the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Tennessee Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Tennessee resident, you may contact the Tennessee Attorney General to submit a complaint at: https://www.tn.gov/attorneygeneral/working-for-tennessee/file-a-consumer-complaint.html. The Office of the Attorney General and Reporter can be contacted at: Office of the Attorney General and Reporter, P.O. Box 20207, Nashville, TN 37202-0207; Telephone: (615) 741-3491.

PRIVACY NOTICE TO TEXAS RESIDENTS

Last Updated Date: August 22, 2025.

This Privacy Notice to Texas Residents (the Texas Privacy Notice) is provided by CIMI as a part of its Privacy Policy. You must also review the general sections of our Privacy Policy to which this Texas Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b ) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Texas Privacy Notice and the general sections of our Privacy Policy, then this Texas Privacy Notice shall control.

This Texas Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Texas residents. If you are not a Texas resident, then this Texas Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Texas Privacy Rights: If you reside in Texas, then you have the following privacy rights regarding your Personal information per Texas privacy laws as of the Last Updated Date of this Texas Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.1
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit Your Texas Consumer Privacy Right Request : You may submit a privacy right request to exercise one of your Texas Consumer Privacy Rights by contacting us via one of the methods described in the general Privacy Policy in the section How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. You may also exercise your privacy rights directly from this webpage by clicking the button provided below:

Use of an Authorized Agent: The privacy law of Texas allows for the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Texas Appeal Rights: If we deny your consumer privacy right request, you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Texas resident, you may contact the Texas Attorney General to make a complaint at:

https://consumerprotection.texasattorneygeneral.gov/consumercomplaintportal/s/flow/TCP_Complaint_Input_Data_Privacy.

PRIVACY NOTICE TO UTAH RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Utah Residents (the Utah Privacy Notice) is provided by CIMI as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this Utah Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Utah Privacy Notice and the general sections of our Privacy Policy, then this Utah Privacy Notice shall control.

This Utah Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Utah residents. If you are not a Utah resident, then this Utah Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Utah Privacy Rights: If you reside in Utah, then you have the following privacy rights regarding your Personal information per Utah privacy laws as of the Last Updated Date of this Utah Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access such Personal Information, subject to certain exceptions.
The right to correct inaccurate Personal Information that we maintain about you, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit Your Utah Consumer Privacy Right Request: You may submit a privacy right request to exercise one of your Utah Consumer Privacy Rights by contacting us via one of the methods described in the general Privacy Policy in the section How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. You may also exercise your privacy rights directly from this webpage by clicking the button provided below:

Use of an Authorized Agent: The privacy law of Utah does not mention the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

PRIVACY NOTICE TO VIRGINIA RESIDENTS

Last Updated Date: August 22, 2025

This Privacy Notice to Virginia Residents (the Virginia Privacy Notice) is provided by CIMI as a part of our Privacy Policy. You must also review the general sections of our Privacy Policy to which this Virginia Privacy Notice is a part. Among other important disclosures, the general sections of our Privacy Policy inform you about (a) our Privacy Policy objectives, (b) what we view as Personal Information, (c) the Personal Information we receive or collect, (d) how we use the Personal Information, (e) how we sell or share Personal Information, (f) how we retain Personal Information, and (g) how we protect Personal Information. To see the general sections scroll above. If a conflict exists between this specific Virginia Privacy Notice and the general sections of our Privacy Policy, then this Virginia Privacy Notice shall control.

This Virginia Privacy Notice section of our Privacy Policy is intended solely for, and is applicable only to, Virginia residents. If you are not a Virginia resident, then this Virginia Privacy Notice does not apply to you, and you should not rely on it.

Notice of Your Virgina Consumer Privacy Rights: If you reside in Virginia, then you have the following privacy rights per Virginia privacy laws regarding your Personal Information as of the Last Updated Date of this Virginia Privacy Notice:

The right to confirm whether or not we are processing your Personal Information and to access or to be provided such Personal Information, subject to certain exceptions.
The right to delete Personal Information about you that we collected from or about you, subject to certain exceptions.
The right to obtain a copy of your Personal Information in a portable format that allows you to transmit the information to another entity, subject to certain exceptions.
The right to opt out of our processing your Personal Information for purposes of (1) targeted advertising; (2) the “sale” of your personal information (as that term is defined by the applicable law); and (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning you.

How to Submit Your Virginia Consumer Privacy Right Request : You may submit a privacy right request to exercise one of your Virginia Consumer Privacy Rights by contacting us via one of the methods described in the section above of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here. You may also exercise your privacy rights directly from this webpage by clicking the button provided below

Verifiable Privacy Right Requests: Your privacy right request must be made as a verifiable request. For our policy on making a verifiable request go the section of this Privacy Policy on How to Exercise Your Privacy Rights and Choices. You may go to that section by clicking here.

Use of an Authorized Agent: The privacy law of Virginia does not mention the use of an authorized agent to submit a privacy rights request on your behalf. Our policy on the use of such agents can be found at the section on How to Exercise Your Privacy Rights and Choices.

Your Virginia Appeal Rights: If we deny your consumer privacy right request, then you have the right to appeal the denial to us by contacting us at privacyrights@cimicard.com. We will respond to an appeal within 60 days of receipt. If your appeal is denied and you are a Virginia resident, you may contact the Virginia Attorney General to make a complaint at: https://www.oag.state.va.us/consumer-protection/index.php/file-a-complaint.

ADDENDUM PART B – JURISDICTION SPECIFIC PRIVACY NOTICES AND DISCLOSURES ADDENDUM – FOREIGN JURISDICTIONS

This Addendum Part B is a part of the Privacy Policy of CIMI. If you are a resident of or located in a foreign jurisdiction, then you may have privacy rights established by the privacy laws of the foreign jurisdiction regarding the Personal Information received or collected by CIMI. This Addendum Part B provides specific privacy notices and disclosures regarding the specific privacy laws of various foreign jurisdictions that may address the Personal Information CIMI receives or collects regarding CIMI Cards or the use of CIMI Sites. For the United States of America, go to Part A of this Addendum by clicking here.

Important Notice: You should review this Addendum Part B to fully understand your privacy rights. The specific privacy notices regarding specific jurisdictions are a part of our Privacy Policy. You also should continue to review the general sections of our Privacy Policy. To see them, scroll above. Below is an interactive path to foreign jurisdictions that have adopted privacy laws that may impact your Personal Information.

Jurisdiction Specific Privacy Policies and Notices – Interactive Table of Contents

GLOSSARY FOR PRIVACY POLICY

This Glossary is a part of our Privacy Policy. The CIMI Sites subject to our Privacy Policy consist of websites managed or hosted by CIMI and/or its affiliates including Card Compliant, LLC. They can be found at: cardcompliant.com, cimicard.com, mycardterms.com, and the Terms Now websites for a particular CIMI Card and card program with an address that begins with “mycardterms.com.”