
Color Health Privacy Policy

Last Updated: October 14, 2025

This Privacy Policy (“Policy”) is designed to help you understand how Color Health, Inc. and its affiliates (collectively, “Color,” “we,” “us,” or “our”) collect, use, and share your personal information as defined by applicable law (“Personal Information”) and to help you understand and exercise your privacy rights. 

This Privacy Policy does not apply to your protected healthcare information and Organizational Customer Data (each as defined below), which are governed by our Notice of Privacy Practices.

  1. Scope and Updates to this Privacy Policy
    This Privacy Policy applies to Personal Information processed by us, including through our website located at www.color.com (the “Site”) and in connection with our products and services other than Healthcare Services (defined below), including other websites, online applications, communications or other services operated by Color or its affiliates that link to or incorporate this Privacy Policy (“Other Services”). The Site and Other Services are collectively called the “Services.”

    This Privacy Policy does not apply to the following: 
    • Our healthcare platform (“Platform”), healthcare services, screenings and tests (“Tests”) (together “Healthcare Services”), our processing of “Protected Health Information” as a “Covered Entity” or “Business Associate” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or of health information protected under state healthcare privacy laws (collectively “PHI”), which are governed by our Notice of Privacy Practices.
    • Our job applicants, or current and former employees, contractors and their beneficiaries and emergency contacts (our “Personnel”), which are instead governed by our Employee Privacy Notice (available from our People Operations Department). Our California Personnel may learn how to make a privacy rights request to us in the “California Privacy Rights” section of this Privacy Policy. Our People Operations Department can be contacted at peopleops@color.com.

Supplemental Policies. Color may provide additional privacy policies to individuals at the time we collect their Personal Information, in addition to this Privacy Policy. These additional privacy policies may supplement this Privacy Policy or may apply in lieu of this Privacy Policy. If you are a resident of California or Nevada, please see our Supplemental Policies below.

Notice Regarding Organizational Customer Data. In some cases, our organizational customer or partner (e.g., an employer, public health organization, educational institution, laboratory, or clinician) may enter into a written agreement with us where we process Personal Information on their behalf through their use of our Services (“Organizational Customer Data”). In that event, the organizational customers’ respective privacy policies govern their collection and use of Organizational Customer Data and you should direct inquiries related to that Personal Information to them and not to us. 

Changes to our Privacy Policy. We may revise this Policy, or Supplemental Policies, from time to time in our sole discretion, subject to applicable law. If there are any material changes to this Privacy Policy, we will post an updated copy on our Site and may otherwise notify you. You understand and agree that you will be deemed to have accepted the updated Privacy Policy if you continue to use our Services after the new Privacy Policy takes effect.

This Privacy Policy should be read in conjunction with our Terms of Service, Notice of Privacy Practices, and any other document or agreement that governs your relationship with us. By using our Services, you consent to our Terms of Service and the privacy practices disclosed in this Privacy Policy. Please do not use our Services if you do not consent.

  2. Personal Information We Collect

    The categories of Personal Information we collect depend on how you interact with us, our Services, and the requirements of applicable law. We collect information that you provide to us, information we obtain automatically when you use our Services, and information from other sources as described below.
    1. Personal Information You Provide to Us Directly

      We may collect Personal Information that you provide to us, including in the following circumstances:
      • Business Account Creation. When you create an account we may collect Personal Information, such as name, email address, address, phone number, professional details, birth date, and any other information you provide.
      • Provision of Services. For some Services that do not require an account, we may collect Personal Information when you participate in our Services, such as name, email address, address, phone number, race, ethnicity, professional details, birth date, sex, and any other information you provide.
      • Your Communications with Us. We may collect Personal Information, such as email address, phone number, or mailing address when you request information about our Services, register for our newsletter, request customer or technical support, participate in trial inquiries, or otherwise communicate with us.
      • Surveys. We may contact you to participate in surveys. If you decide to participate, we may collect Personal Information from you in connection with the survey.
      • Interactive Features. We and others who use our Services may collect Personal Information that you submit or make available through our interactive features (e.g., messaging and chat features, commenting functionalities, sharing features, forums, blogs, and social media pages). Any information you provide using the public sharing features of our Services will be considered “public,” unless otherwise required by applicable law, and is not subject to the privacy protections referenced herein. Please exercise caution before revealing any information that may identify you in the real world to other users. If you share our Services with others through a sharing feature, the recipient will know if you have accessed our Site or Platform. If you receive an invitation through a sharing feature, the sender may know you have accessed our Site or Platform if you accept the invitation.  
      • Conferences, Trade Shows, and Other Events. We may collect Personal Information from individuals when we attend or host conferences, trade shows, and other events. 
      • Business Development and Strategic Partnerships. We may collect Personal Information from individuals and third parties to assess and pursue potential business opportunities. 
    2. Cookie Policy and Other Personal Information Collected Automatically

      We and other parties that work with us may collect Personal Information automatically when you use our Services.
      • Automatic Collection of Personal Information. We and other parties may collect certain information automatically when you use our Services, such as your internet protocol (IP) address, user settings, MAC address, cookie identifiers, mobile carrier, mobile advertising and other unique identifiers, browser or device information, location information (including approximate location derived from IP address), and internet service provider. We and other parties may also automatically collect information regarding your use of our Services, such as pages that you visit before, during, and after using our Services, information about the links you click, the types of content you interact with, the frequency and duration of your activities, and other information about how you use our Services.
      • Cookies and Other Technologies. We, as well as other parties such as vendors that provide content, advertising, or other functionality on our Services, may use cookies, pixel tags, and other technologies (“Technologies”) to automatically collect information through your use of our Services. 
        • Cookies. Cookies are small text files placed in device browsers that store preferences and facilitate and enhance your experience.
        • Pixel Tags/Web Beacons. A pixel tag (also known as a web beacon) is a piece of code embedded in our Services that collects information about engagement on our Services. The use of a pixel tag allows us to record, for example, that a user has visited a particular web page or clicked on a particular advertisement. We may also include web beacons in Services e-mails to understand whether messages have been opened, acted on, or forwarded.
      • Our uses of these Technologies fall into the following general categories: 
        • Operationally Necessary. This includes Technologies that allow you access to our Services and tools that are required to identify irregular website behavior, prevent fraudulent activity, improve security, or allow you to make use of our functionality.
        • Performance-Related. We may use Technologies to assess the performance of our Services, including as part of our analytic practices to help us understand how individuals use our Services (see Analytics below).
        • Functionality-Related. We may use Technologies that allow us to offer you enhanced functionality when accessing or using our Services. This may include identifying you when you sign into our Services or keeping track of your specified preferences, interests, or past items viewed.
        • Advertising- or Targeting-Related. We may use, or permit others to use, first-party or third-party Technologies to deliver content, including ads relevant to your interests, on our Services or on third-party digital properties. 
      • See Your Privacy Choices and Rights below to understand your choices regarding these Technologies.
      • Analytics. We may use Technologies and other third-party tools to process analytics information on certain portions of our Services. These Technologies may be used not only to better understand usage and improve functionality, but to help us better provide relevant advertisements, and may also share data with third parties (including social media and advertising technology companies) to help us track conversions, build custom audiences, and tailor our marketing campaigns. Some of these Technologies include but are not limited to:
        • Google Analytics. We use Google Analytics to track activity on our Site, including session duration, pages visited per session, and information about the device used to access our Site. More information is available here. To opt out of Google Analytics, you may disable cookies on your browser or install the Google Analytics Opt-Out Browser Add-On.
        • LinkedIn Analytics. For more information about how LinkedIn uses your Personal Information, please visit LinkedIn Analytics’ Privacy Policy. To learn more about how to opt-out of LinkedIn’s choices regarding use of your information, please click here.
    3. Personal Information Collected From Other Sources

Vendors and Other Sources. We may obtain Personal Information about you from vendors and other sources, such as LinkedIn. For example, if you access our Services through a vendor application, such as an app store, a vendor login service, or a social or professional networking site, we may obtain Personal Information about you from that third-party application.

Other Individuals/Referrals and Sharing Features. Our Services may allow individuals to share Personal Information about other people. For example, an individual may be able to share Personal Information about their family member in connection with referrals and inquiries. In order to share any health information about other individuals with Color in connection with receipt of our Services, individuals sharing health information must have the full and express consent of the other individual. Color reserves the right to require proof of such consent. See our Notice of Privacy Practices for more information with respect to PHI and our Covered Healthcare Services. Our referral services may also allow you to forward or share certain content with a friend or colleague, such as an email inviting your friend to use our Services. Please only share with us contact information of people with whom you have a relationship (e.g., relative, friend, neighbor, or co-worker).

  3. How We Use Your Personal Information

    Please note that our use of your PHI is governed by our Notice of Privacy Practices, not this section. Similarly, this section does not apply to our Personnel. Contact us at privacy@color.com for more information.

    We use your Personal Information for a variety of purposes, including but not limited to providing our Services, as detailed further below.
    1. Provide Our Services

      We use your information to provide you with, or otherwise in connection with, our Services, such as:
      • Managing your information and accounts;
      • Providing access to certain areas, functionalities, and features of our Services;
      • Answering requests for customer or technical support;
      • Communicating with you about your account, activities on our Services, and policy changes;
      • Allowing you to register for products, Services, and events; and 
      • Otherwise operating our business, except as limited by applicable law.
    2. Administrative Purposes

      We use your information for various administrative purposes, such as:
      • Direct marketing, research and development (including marketing research), network and information security, and fraud prevention;
      • Contacting you in connection with potential future events, promotions, research and studies; 
      • Detecting security incidents, protecting against malicious, deceptive, fraudulent or illegal activity, and prosecuting those responsible for that activity;
      • Measuring interest and engagement in our Services; 
      • Improving, upgrading, or enhancing our Services; 
      • Developing new products and services;
      • Ensuring internal quality control and safety;
      • Authenticating and verifying individual identities, including requests to exercise your rights under this Privacy Policy;
      • Debugging to identify and repair errors with our Services;
      • Auditing relating to interactions, transactions, and other compliance activities;
      • Sharing Personal Information with third parties as needed to provide the Services;
      • Enforcing our agreements and policies; and
      • Carrying out activities that are required to comply with our legal obligations.
    3. Research

      We may use your Personal Information to inform you of research opportunities. You will not be paid for this use. 

      For research involving Healthcare Services or PHI, please see our Notice of Privacy Practices.
    4. To Create De-Identified and/or Aggregated Information

      We may use your Personal Information to create de-identified and/or aggregated information, such as demographic information, information about health or wellness, or other analyses we create. De-identified and/or aggregated information is not Personal Information, and we may use and disclose such information in a number of ways, including research, internal analysis, analytics, publications, making de-identified and/or aggregated information available to third parties, and any other legally permissible purposes. We will not re-identify data we intend to maintain as de-identified and not Personal Information.
    5. Marketing and Advertising Our Products and Services

      We may use targeted advertising cookies, including but not limited to Google Ads, to tailor and provide you with content, promotions, and advertisements as permitted by applicable law. Some of the ways we market to you include email campaigns, text messages, custom audiences advertising, and “interest-based” or “personalized” advertising, including through cross-device tracking. If you have any questions about our marketing practices, you may contact us at any time as set forth in “Contact Us” below. California residents have additional rights regarding the sale or sharing of their Personal Information and cross-context behavioral advertising, as explained in our Supplemental California Privacy Policy below.  See the Your Privacy Choices and Rights section below to understand your choices regarding interest-based advertising.
    6. With Your Consent

      We may use your Personal Information for other purposes that will be clearly disclosed to you at the time you provide Personal Information or otherwise with your consent.
    7. Other Purposes

      We may use Personal Information for other purposes as requested by you, as disclosed at collection or as otherwise not prohibited by applicable law. 
  4. How We Disclose Your Personal Information

    Please note that disclosure of PHI is governed by our Notice of Privacy Practices, not this section.

    We may disclose Personal Information to other parties for a variety of business purposes, including to provide our Services, to protect us or others, or in the event of a major business transaction such as a merger, sale, or asset transfer, as described below.
    1. Disclosures to Provide Our Services

      The categories of recipients with whom we may share your Personal Information are described below.
      • Authorized Third Parties and Service Providers. We may disclose your Personal Information to our service providers and vendors that assist us with the provision of our Services. These entities include but are not limited to vendors that provide us with IT support, hosting, customer service, sending postal mail, marketing efforts and cooperatives, web analytics, and related services.
      • Color Organizational Customers and Authorized Users of Organizational Customers. Color’s Organizational Customers (e.g., enterprises, unions, trusts, employers, public sector organizations, educational institutions, and others) purchase our Services for their authorized users (e.g., employees, staff, students, dependents, and other specified persons). If you access our Services as an authorized user of one of Color’s Organizational Customers, that Color Organizational Customer may access or receive certain information associated with your use of the Services including Personal Information, eligibility, usage data, the contents of communications, files associated with your account, and, where applicable, testing results. We are not responsible for the Organizational Customer’s processing of your Personal Information. Please consult their privacy policies, notices and terms regarding their data practices.
      • Other Parties with Whom You Interact. As described above in “Personal Information We Collect,” our Services may allow you to disclose Personal Information or interact with other parties. If you disclose or interact with another party (e.g., a social media platform via a plug-in), your Personal Information may also be subject to the other party’s privacy policy and their privacy policy, notice and terms govern their data practices. We are not responsible for that party’s processing of your Personal Information.
    2. Disclosures to Protect Us or Others

      We may access, preserve, and disclose to external parties, any information we store associated with you if we, in good faith, believe doing so is required or appropriate to: comply with law enforcement or national security requests and legal process, such as a court order or subpoena; protect your, our, or others’ rights, property, or safety; enforce our policies or contracts; collect amounts owed to us; or assist with an investigation or prosecution of suspected or actual illegal activity.
    3. Disclosure in the Event of Merger, Sale, or Other Asset Transfers

      If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, purchase or sale of assets, or transition of service to another provider, your information may be disclosed, sold or transferred as part of such a transaction, as permitted by law.
  5. Your Privacy Choices and Rights

    Your Privacy Choices. The privacy choices you may have about your Personal Information are determined by applicable law and are described below. 
    • Email Communications. If you no longer wish to receive promotional emails from us, you can use the unsubscribe link found at the bottom of our promotional emails to opt out of receiving future promotional emails. Note that you will continue to receive transaction-related emails regarding products or Services you have requested. We may also send you other non-promotional communications regarding the Services for which you will not be able to opt out while you are using the Services (e.g., communications regarding our Services or updates to our Terms or this Privacy Policy). 
    • Text. You can opt-out by changing your settings in your Account Settings, or replying “STOP” or contacting us at privacy@color.com.
    • “Do Not Track.” Do Not Track (“DNT”) is a privacy preference that users can set in certain web browsers. We do not respond to or honor DNT signals or similar mechanisms transmitted by web browsers. However, we respond to “global privacy control” signals as explained in our Supplemental California Privacy Policy below.
    • Cookies and Personalized Advertising. You may stop or restrict the placement of Technologies on your device or remove them by adjusting your preferences as your browser or device permits. However, if you adjust your preferences, our Services may not fully work properly. In addition, we offer all users of our Site the ability to opt-out of Technologies that would be a “sale” or “share” under applicable CA Privacy Law using the cookie preference tool available on our Site here (or click the “Your Privacy Choices” link on the footer on our Site).

The online advertising industry also provides websites from which you may opt out of receiving targeted ads from data partners and other advertising partners that participate in self-regulatory programs. You can access these and learn more about targeted advertising and consumer choice and privacy by visiting the Digital Advertising Alliance. Note that this is different from the opt-out rights under California law explained in our Supplemental California Privacy Policy below. Please note you must separately opt out in each browser and on each device. 

  6. Security of Your Information

    We take steps to ensure that your information is treated securely and in accordance with this Privacy Policy. Unfortunately, no system is 100% secure, and we cannot ensure or warrant the security of any information you provide to us. To the fullest extent permitted by applicable law, we do not accept liability for unauthorized access, use, disclosure, or loss of Personal Information. 

    By using our Services or providing Personal Information to us, you agree that we may communicate with you electronically regarding security, privacy, and administrative issues relating to your use of our Services. If we learn of a security system’s breach, we may attempt to notify you electronically by email, or by posting a notice on our Services, or by mail.
  7. International Data Transfers

    The Services are only intended for residents of the United States for use in the United States (including territories and protectorates). To the extent you access the Services from outside of the United States, you do so subject to the laws of the United States, which may be less protective than other jurisdictions. All information you provide will be stored or hosted on servers in the United States, but you acknowledge that all information processed by us may be accessed outside of the United States. You acknowledge that other countries outside of the United States may have data protection laws that are different from U.S. laws. We endeavor to safeguard your information consistent with the requirements of applicable U.S. laws and regulations.

    You agree that by providing any information to us, you are not violating any export ban or other legal restriction in the country of your residence.
  8. Retention of Personal Information

    We store the Personal Information we collect as described in this Privacy Policy for as long as you use our Services, or as necessary to fulfill the purpose(s) for which it was collected, provide our Services, resolve disputes, establish legal defenses, conduct audits, pursue business purposes (including record keeping), enforce our agreements, and comply with applicable laws. 
  9. Supplemental CALIFORNIA Privacy Policy

    This Supplemental California Privacy Policy (“California Policy”) is provided pursuant to the California Consumer Privacy Act, as amended, and regulations promulgated thereunder (collectively, “the CA Privacy Law”). This California Policy supplements our Privacy Policy, for residents of California. In California, the term “Consumer” is not limited to data subjects acting as individuals in a household goods and services context and includes individuals acting in a business-to-business context. We are not subject to state consumer privacy laws other than the CA Privacy Law. 

    This California Policy applies only to information governed by CA Privacy Law, which does not include PHI. This California Policy also does not cover Personal Information that may be collected about you as our Personnel, except that the “California Privacy Rights” section explains how our California Personnel may make privacy rights requests. For notice of our Personnel privacy practices, contact our People Operations Department.

    Unless otherwise noted, the disclosures herein cover our activities in the twelve (12) months preceding the Last Updated date, as well as our current practices.
    1. How and Why We Collect, Use, and Disclose Your Personal Information

      We may collect, use, and disclose Personal Information for valid purposes consistent with applicable laws as identified below and more fully described in our general Privacy Policy. Our business purposes generally fall into the following categories:
      • Providing Products or Services: Operating or distributing products and services, processing or fulfilling transactions, administering accounts, providing customer service, and verifying customer information.
      • Managing Interactions and Transactions: Performing services on behalf of the business, including maintaining or servicing accounts and providing customer service, verifying customer information, providing analytics services, and customizing your experience, offers and content.
      • Security and Debugging: Helping to ensure the security and integrity of our systems and data to the extent the use of the Consumer’s Personal Information is reasonably necessary and proportionate for these purposes. Debugging to identify and repair errors that impair existing functionality.
      • Advertising and Marketing: Auditing related to counting ad impressions to unique visitors, verifying positioning and quality of ad impressions, and auditing compliance with the CA Privacy Law. Short-term transient use including, but not limited to, for providing advertising and marketing services, except for cross-context behavioral advertising (i.e., targeted advertising), which is a separate commercial purpose described below for which there is a right to opt-out. Customizing your experience, offers, and content.
      • Quality Assurance: Undertaking activities to verify or maintain the quality or safety of our products and services, and to improve, upgrade, or enhance our products or services.
      • Research and Development: Undertaking internal research for technological development and demonstration.
      • Operation of our Business: For our additional legitimate business purposes that are compatible with the purposes of collecting your PD and that are not prohibited by law in the context that is not a “sale” or “share” under the CA Privacy Law, such as disclosing it to a person that processes PD on our behalf, such as our Processors, to the Consumer, or to other parties at the Consumer’s direction or through the Consumer’s action; for additional purposes explained at the time of collection (such as in the applicable privacy policy or notice); as required or permitted by applicable law; to the government or private parties, including litigants, to comply with law or legal process or to protect or enforce legal rights or obligations or prevent harm; and to assignees as part of an acquisition, merger, asset sale, or other transaction where another party assumes control over all or part of our business (“Corporate Transaction”) or otherwise with your consent (“Additional Business Purposes”).

The chart below provides disclosure of typical processing purposes by category of Personal Information. Where we make available applicable Personal Information to recipients, such as our service providers, we do so for the same Business Purposes described below. These examples may vary depending on the nature of your interactions with us. In addition to our collection, use and disclosure for business purposes, we may process limited Personal Information in a manner that is deemed a “sale,” or “sharing” as more fully described in Section 9.E, below.

Category of Personal Information: Identifiers, such as real name, alias, account name, username, signature, postal address, unique personal identifier, online identifier, IP address, email address, or other similar identifiers

Purposes for Collection, Use, and/or Disclosure:
  • To provide and deliver our Services
  • For administrative purposes
  • Research
  • To create de-identified and/or aggregated information
  • Marketing and advertising
  • With your consent

Categories of Recipients to Whom Personal Information is Disclosed for a Business Purpose:
  • Service providers, such as operational (e.g., data processing, cloud, security), technical (e.g., risk analysis, consent management, web services, data analytics), and marketing and communications providers

Category of Personal Information: Personal Information, such as name, address, and telephone number

Purposes for Collection, Use, and/or Disclosure:
  • To provide and deliver our Services
  • For administrative purposes
  • Research
  • To create de-identified and/or aggregated information
  • Marketing and advertising
  • With your consent

Categories of Recipients to Whom Personal Information is Disclosed for a Business Purpose:
  • Service providers, such as operational (e.g., data processing, cloud, security), technical (e.g., risk analysis, consent management, web services, data analytics), and marketing and communications providers.

Category of Personal Information: Characteristics of protected classifications under state or federal law, such as age and date of birth, gender, languages spoken, marital status, and racial or ethnic origin

Purposes for Collection, Use, and/or Disclosure:
  • To provide and deliver our Services
  • For administrative purposes
  • Research
  • To create de-identified and/or aggregated information
  • Marketing and advertising
  • With your consent

Categories of Recipients to Whom Personal Information is Disclosed for a Business Purpose:
  • Service providers, such as operational (e.g., data processing, cloud, security), technical (e.g., research, risk analysis, web services, data analytics), and marketing and communications providers

Category of Personal Information: Internet or other electronic network activity information, such as Internet or other similar activity, MAC address, cookie identifiers, information on a consumer’s interaction with a website, application logs, device data and registration, social media account information or advertisement

Purposes for Collection, Use, and/or Disclosure:
  • To provide and deliver our Services
  • For administrative purposes
  • Research
  • To create de-identified and/or aggregated information
  • Marketing and advertising

Categories of Recipients to Whom Personal Information is Disclosed for a Business Purpose:
  • Service providers, such as operational (e.g., data processing, cloud, security), technical (e.g., risk analysis, consent management, web services, data analytics), and marketing and communications providers

Category of Personal Information: Geolocation data, such as the approximate location of the device you are using.

Purposes for Collection, Use, and/or Disclosure:
  • To provide and deliver our Services
  • With your consent

Categories of Recipients to Whom Personal Information is Disclosed for a Business Purpose:
  • Service providers, such as operational (e.g., data processing, security), and technical (e.g., web services) providers

Category of Personal Information: Commercial information, such as products or services purchased or considered, purchase history, transactional and marketing data, etc.

Purposes for Collection, Use, and/or Disclosure:
  • To provide and deliver our Services
  • For administrative purposes
  • To provide you information
  • Marketing and advertising
  • With your consent

Categories of Recipients to Whom Personal Information is Disclosed for a Business Purpose:
  • Service providers, such as operational (e.g., data processing, cloud, security), technical (e.g., risk analysis, web services, data analytics), and marketing and communications providers

Category of Personal Information: Personal Information inferences, drawn from Personal Information or other sources.

Purposes for Collection, Use, and/or Disclosure:
  • To provide our Services
  • For administrative purposes
  • Research
  • Marketing and advertising
  • With your consent

Categories of Recipients to Whom Personal Information is Disclosed for a Business Purpose:
  • Service providers, such as operational (e.g., data processing, cloud, security), technical (e.g., risk analysis, web services, data analytics), and marketing and communications providers

In addition, any or all of the categories of Personal Information described above may be disclosed as part of Additional Business Purposes described above (e.g. directed or requested by you, as part of a Corporate Transaction or as necessary to comply with law or legal process).

    1. Sensitive Personal Information

      We may collect, use, and disclose sensitive Personal Information for business purposes consistent with applicable laws, as identified below. Where we transfer applicable sensitive Personal Information to recipients, such as our service providers, we do so for the same business purposes described below. These examples may vary depending on the nature of your interactions with us.

Category of Sensitive Personal Information

Purposes for Collection, Use, or Disclosure

Categories of Recipients to Whom Sensitive Personal Information is Disclosed for a Business Purpose

Social security, driver’s license, state identification card

  • To provide our Services
  • For administrative purposes
  • With your consent
  • Operational service providers (e.g., data processing, cloud, security)

Account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account

  • To provide our Services
  • For administrative purposes
  • With your consent
  • Operational service providers (e.g., data processing, cloud, security)

In addition, any or all of the categories of Sensitive Personal Information described above may be disclosed as part of Additional Business Purposes described above (e.g. directed or requested by you, as part of a Corporate Transaction or as necessary to comply with law or legal process).

We do not process Sensitive Personal Information in a manner that is deemed a “sale” or “sharing.”

    1. Sources of Personal Information

      Please see “Personal Information We Collect” in Section 2 above.
    2. How Long We Keep Your Personal Information 

      Please see “Retention of Personal Information” in Section 8 above. Because the retention periods within a particular category of Personal Information or sensitive Personal Information vary greatly, it is not practical to provide exact retention periods by category of Personal Information; provided, however, we only retain Personal Information for so long as there is a business or legal purpose for doing so.
    3. Sharing and Selling of Personal Information 

      We do not sell or share Personal Information for money. 

      However, when you visit our Site, we may allow certain third-party companies (like advertising or analytic providers including but not limited to providers like Google Ads) to collect information through cookies and other similar technologies. Because California law defines “sale” and “share” broadly, this type of interaction is considered a “sale” or “sharing” for purposes of cross-context behavioral or other marketing or operational purposes. The following are categories of Personal Information (but not Sensitive Personal Information) shared with such third-party companies (“Third-Party Digital Businesses”):
      • Identifiers
      • Internet or other electronic network activity
      • Geolocation data
      • Commercial information
      • Inferences 

The Third-Party Digital Businesses to whom this Personal Information is shared or sold are advertisers, publishers, and adtech and other Third-Party Digital Businesses. 

We offer you the ability to opt out of sales and sharing of your Personal Information, as set forth in the “Right to Opt Out” section below.

We do not have actual knowledge that we sell or share the Personal Information of consumers under sixteen (16) years of age.

    1. California Privacy Rights

      Subject to meeting the requirements for verification and limitations permitted by the CA Privacy Law, Color provides Consumers residing in California with the California Privacy Rights described in this section. For residents of states without Consumer privacy rights, we will consider requests but will apply our discretion with respect to if and how we process such requests. 

      To submit a request to exercise any of these rights, or to submit a request as an authorized agent, please submit a request by calling 844-352-6567 or submitting your request via our Consumer Rights Request Form. We do not accept or process requests to exercise California Privacy Rights through other means (e.g., via fax, chats, social media, etc.). Please respond to any follow-up inquiries we make to help us complete your request. 

      Please note that if you submit a request to know, to delete, or to correct, you will be asked to provide two to three (2-3) pieces of reliable Personal Information that we will match against our records to verify your identity. You may designate an authorized agent to make a request on your behalf; however, you will still need to verify your identity directly with us before your request can be processed. 

      Right to Know. You have the right to know what Personal Information we have collected about you, which includes:
       
      • The categories of Personal Information we have collected about you, including:
        • The categories of sources from which the Personal Information was collected;
        • Our business or commercial purposes for collecting, selling, or sharing Personal Information;
        • The categories of recipients to which we disclose Personal Information;
        • The categories of Personal Information that we sold, and for each category identified, the categories of third parties to which we sold that particular category of Personal Information; 
        • The categories of Personal Information that we disclosed for a business purpose, and for each category identified, the categories of recipients to which we disclosed that particular category of Personal Information.
      • The specific pieces of Personal Information we have collected about you, subject to certain exceptions.
      • Right to Delete Your Personal Information. You have the right to request that we delete Personal Information we collected from you, subject to certain exceptions. 
      • Right to Correct Inaccurate Information. If you believe the Personal Information we maintain about you is inaccurate, you have the right to request that we correct that information.
      • Right to Opt Out. You have the right to opt out of the sale of your Personal Information, and to request that we do not share your Personal Information for targeted advertising. 

        Third-Party Digital Businesses (defined above) may associate cookies and other Technologies that collect Personal Information about you on our Services, or otherwise collect and process Personal Information that we make available about you, including digital activity information and identifiers. We understand that giving access to Personal Information, on our Services or otherwise, to Third-Party Digital Businesses could be deemed a sale/sharing under the CA Privacy Law and as such, we will treat such Personal Information (e.g., cookie ID, IP address, and other online IDs and Internet or other electronic activity data) collected by Third-Party Digital Businesses, where not limited to acting as our service provider, as a sale or sharing that is subject to a request to opt out under the CA Privacy Law. You may opt out by visiting our cookie preference center on our Site, which you can access here and via the “Cookie Preferences” link on our Site footer. You need to complete the opt-out on each device and browser you use, and if you clear cookies or change settings your opt-out may be lost.

        Opt-out preference signals (also known as global privacy control or GPC): The CA Privacy Law requires businesses to process GPC signals, which are referred to in the CA Privacy Law as opt-out preference signals (“OOPS”), which are signals sent by a platform, technology, or mechanism, enabled by individuals on their devices or browsers, that communicate the individual’s choice to opt-out of the sale and sharing of personal information. To use an OOPS/GPC, you can download an internet browser or a plugin to use on your current internet browser and follow the settings to enable the OOPS/GPC. We have configured the settings of our cookie preference center (a/k/a consent management platform) to receive and process GPC signals on our Site. We process OOPS/GPC with respect to sales and sharing that may occur in the context of collection of cookie Personal Information by Technologies online by Third-Party Digital Businesses, discussed above, and apply it to the specific browser on which you enable OOPS/GPC. We do not: (1) charge a fee for use of our service if you have enabled OOPS/GPC; (2) change your experience with any product or service if you use OOPS/GPC; or (3) display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial in response to the OOPS/GPC. 
      • Right to Limit Use and Disclosure of Sensitive Personal Information. With regard to Personal Information that qualifies as Sensitive Personal Information under CA Privacy Law, if you elect to provide us with that Sensitive Personal Information you will have consented to such Processing. We only Process Sensitive Personal Information for purposes of providing Services and other limited purposes (e.g., compliance with law and legal process, defending claims, etc.) for which you are not entitled to limit our retention and use. We do not Sell Sensitive Personal Information or Share it for targeted advertising. 
      • Right to Non-Discrimination for the Exercise of Your Privacy Rights. We will not discriminate or retaliate against you for your exercise of your California Privacy Rights. 
      • Automated Decision Making (“ADM”) / Profiling. We do not engage in automated decision making or profiling that is currently subject to a California Privacy Rights request under CA Privacy Law.
    2. Notice of Incentive Programs

      From time to time, we may offer referral programs or other incentivized data collection programs (“Incentives”) in compliance with applicable laws. For example, we may offer Incentives to you such as gift cards in connection with these programs, wherein you provide your Personal Information in exchange for a reward, or provide Personal Information regarding your dependents, friends or colleagues (such as their email address). Each program may have additional terms, available on the program page or at program sign-up. The Incentives will be described on the program page, or at program sign-up. 
    3. Response Timing and Formats

      We endeavor to respond to California Privacy Rights requests within the applicable timeframe under the CA Privacy Law. As permitted by the CA Privacy Law, if we require more time, we will inform you of the reason and extension period in writing.

      The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily usable and that allows you to transmit the information from one entity to another without hindrance.

      We do not charge a fee to process or respond to your California Privacy Rights request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

      Consistent with the CA Privacy Law and our interest in the security of your Personal Information, we will not deliver you information regarding your Social Security number, driver’s license number, or other government-issued ID number, financial account number, an account password, or answers to security questions in response to a California Privacy Rights request; however, you may be able to access some of this information yourself through your account if you have an active account with us.
    4. Our Rights and the Rights of Others

      Notwithstanding anything to the contrary, we may collect, use, and disclose your Personal Information as required or permitted by applicable law and this may override your rights under the CA Privacy Law. In addition, we are not required to honor your requests to the extent that doing so would infringe upon our or another party’s rights or conflict with applicable law.
    5. California “Shine the Light”

      We do not share personal information governed by the California Shine the Light (“STL”) law with third parties or affiliates for those third parties’ or affiliates’ own direct marketing purposes as we understand STL. However, we offer the opt-out of sale and sharing as explained above. California residents may make STL requests, including requesting information about our compliance with this law, by contacting us as noted below in Section 13. 
  1. Supplemental Nevada Privacy Policy

    We do not and will not sell your personal information as sales are defined in Nevada Revised Statutes Chapter 603A. If you have any questions, please contact us as set forth in “Contact Us” below.
  2. Children’s Privacy

    The Site and collection of Personal Information are not directed to children under 18 years old (or other age as required by local law), and we do not knowingly collect Personal Information from children online.

    If you are a parent or guardian and believe your child has uploaded Personal Information to or via our Site or other Service without your consent, you may contact us as described in “Contact Us” below. If we become aware that a child under 13 years old (or other age as required by law) has provided us with Personal Information in violation of applicable law, we will take measures which may include deletion of any Personal Information, unless we have a legal obligation to keep all or a portion of it, and terminate the child’s account, if applicable. Some Services may be available to minors 13-17 years of age with verified parental or guardian consent. 
  3. Third Party Websites/Applications

    The Services may contain links to other websites/applications and other websites/applications may reference or link to our Services. These services are not controlled by us. We encourage our users to read the privacy policies and terms of each website and application with which they interact. We do not endorse, screen, or approve, and are not responsible for, the privacy practices or content of such websites or applications. Providing Personal Information to other websites or applications is at your own risk. 
  4. Contact Us

    Color is the controller of the Personal Information we process under this Privacy Policy. 

    If you have any questions about our privacy practices or this Privacy Policy, please contact us at:

    Color Health, Inc. 
    Attention: Legal Department
    831 Mitten Rd.
    Burlingame, CA U.S.A., 94010
    Email: privacy@color.com 
    Phone: 844-352-6567