CRI Genetics, LLC (“CRI GENETICS,” “we,” “our,” or “us”) is committed to safeguarding your privacy. We ask that you carefully review this Privacy Policy, as it applies to all information CRI Genetics collects from and about you, whether in writing, verbally, or electronically. This includes information we collect from you while using CRIGenetics.com (the “Website”) and when you register your DNA sample kit through your account on the Website (collectively, our “Services”). By using the Services, you agree to the collection, use, and disclosure of your information, as described in this Privacy Policy. If you do not agree, please do not access or use the Services.

• California Notice of Collection of Personal and Genetic Information: CRI Genetics collects personal information listed below under “Information We Collect,” and which includes genetic information, for the purposes described below under “Information Use.” To learn more about your California privacy rights, please scroll down to “Your California Privacy Rights.” CRI does not retain identifiable genetic information and never sells this information to third parties. De-identified genetic or phenotypic information may be shared with or disclosed to third parties for research purposes only.

1. INFORMATION WE COLLECT

A. Types of Information We Collect

CRI Genetics collects information from you when you use our Services and when you choose to share information with us. Our Services uses our customers’ Personal Health Information (“PHI”) as defined under the Health Insurance Portability & Accountability Act (HIPAA), including but not limited to name, birthdate and contact information. It also involves our laboratory analyzing our customers’ DNA sample (the “Genetic Data”) which CRI Genetics uses to report results (the “Results”) directly to you.

B. Information Automatically Collected

When you visit or interact with the Services, CRI Genetics or its third-party advertisers and/or services providers may use a variety of technologies such as cookies, tags, scripts, and identifiers like your IP address and mobile device identifier. Tracking this data tells us whether you are a new or recurring visitor to our Website and allows us to remember your preferences. It also helps us analyze our Website to make improvements, serve targeted advertising, and collect limited demographic information for marketing purposes. These cookies and tracking data do not include sensitive data like your name or genetic information. CRI Genetics does not sell or share personal information in exchange for money from any other third parties. We may automatically collect the following information about you:

• Computer or Device Information. We may automatically collect your Internet Protocol (“IP”) address or other unique identifiers or information from the computer, mobile device, tablet, or other device you use to access the Services, including but not limited to your browser type, internet services provider, referring/exit pages, operating system, date/time stamp, and/or clickstream data. When accessing the Website through a mobile device, we may collect and store a unique identification numbers associated with your device (including, for example, a UDID, Unique ID for Advertisers, Google Ad ID, or Windows Advertising ID), mobile carrier, device type, model and manufacturer, mobile device operating system brand and model, IP address, phone number, and, depending on your mobile device settings, your geographical location data, including GPS coordinates or similar information regarding the location of your mobile device.
• Usage Information. We may collect information about your use of the Services, including the date and time you visit the Services, the areas or pages of the Services that you visit, the amount of time you spend viewing or using the Services, the number of times you return to the Services, other click-stream or usage data for the Services emails that you open, forward or click-through to our Services, and other sites that you may visit.
• Non-Personal Information. Use of the Website may result in the storage or collection of information that does not personally identify you (“Non-Personal Information”), such as demographic data, year (not date) of birth or age groups, geographic areas, gender, your computer type, screen resolution, operating system, mobile device details (if applicable), internet browser, and the website from which you came to the Website.
• Use of Third Party Analytic Technologies. We may use third parties’ analytics and tracking tools to better understand who is using the Services, how people are using the Services, how to improve the effectiveness of the Services and related content, and to help us or those third parties serve more targeted advertising to you across the Internet. These tools may combine information from your interaction with the Sites with information collected from other sources.

To learn more about your advertising choices relating to the collection and use of your information, please see the "Your Choices and Opt-Outs" section below.

C. Information Collected From Other Sources

We may acquire information about you from other sources, or select third parties (i.e., business partners, services providers, analytics vendors, and advertising networks). We may use this information to help us maintain the accuracy of the information we collect, prevent fraud, personalize your experience with the Services, target our communications so that we can inform you of our or third party products, services, or other offers that may be of interest to you, and measure ad quality and responses. We may also combine information about you that we receive from third parties with other information about you that we collect when you use the Services or that you choose to share with us.

2. INFORMATION USE

A. Use by or for CRI Genetics

CRI Genetics recognizes the data it collects is very sensitive so we take privacy very seriously.

CRI Genetics may use the information we collect from and about you for the following business purposes:

• To provide you with the Services;
• To fulfill our contractual obligations;
• To respond to your inquiries, fulfill orders, and communicate with you when necessary;
• To review the usage and operation of our Sites, develop new products or services, improve the Services, and conduct analyses to enhance or improve our content, products, and services; and
• To use and disclose your payment or banking information only to process payments and prevent transaction fraud.

CRI Genetics may use information from and about you for the following commercial purposes:

• To provide you with customized content or targeted offers,
• To provide you with information, newsletters, and promotional material from CRI Genetics and, or on behalf of, our marketing partners and affiliates; and
• To use your data in an aggregated non-specific format for analytical and demographic purpose.

CRI Genetics may also use information you provide to us for other purposes disclosed at the time you provide your information or otherwise with your consent.

Additionally, if you use the Services to connect with third party services, you authorize us to use information from and about you, on your behalf, to interact with these third party services based on your requests.

B. Use for Interest-Based Advertising

We may use third parties to measure advertisements for us about our products and Services that are tailored to your online interest. We allow these third-party companies to use cookies, web beacons, pixel tags, and similar technology to collect certain data and other information about your online activity. This information is used for analytics and to display advertisements for CRI Genetics on the Services or across other websites, mobile applications, social media, or online services that you use.

You may adjust your device or Internet browser settings to limit certain tracking or to decline cookies, but by doing so, you may not be able to use certain features of the Services or take full advantage of all of our offerings. Please refer to your device’s settings or your Internet browser’s “Help” section for more information on how to delete and/or disable your device or browser from receiving cookies or controlling your tracking preferences.

3. INFORMATION WE SHARE WITH OTHERS

We may share your personal information with the following:

• Services Providers: We may share your information with third party services providers that provide business, professional, or technical support functions for us, help us operate our business and the Services, or administer activities on our behalf.
• Legal Matters; Safety: We may access and disclose your information in response to subpoenas, court orders, or other legal process. We may disclose your information to protect the security of our Services, servers, network systems, and databases. We also may disclose your information as necessary, if we believe that there has been a violation of our Terms of Use, any other legal document or contract related to our services, or the rights of any third party.
• Sale or Transfer of Business or Assets: If another entity acquires us or any of our assets, information we have collected about you may be transferred to such entity. In addition, if any bankruptcy or reorganization proceeding is brought by or against us, such information may be considered an asset of ours and may be sold or transferred to third parties. Should such a sale or transfer occur, we will use reasonable efforts to require that the transferee use personal information provided through the Services in a manner that is consistent with this Privacy Policy.

Aside from third parties mentioned above, CRI Genetics will not share personal data with third parties, except as necessary to protect the rights or property of CRI Genetics or other users, to enforce our Terms and Conditions, to prevent fraud or cybercrime, to permit us to pursue available remedies or limit the damages that we may sustain, to investigate rare cases involving reported of this Privacy Policy, or as required by law.

4. YOUR CHOICES AND OPT-OUTS

A. Opting Out of Interest-Based Advertising

As previously discussed, we may use third parties to measure and target advertisements. Because we often rely on third-party ad networks who may track you across websites over time for advertising purposes, we are not able to respond to your selection of the "Do Not Track" option provided by your browser. We cannot advise on whether your selection of "Do Not Track" option will have any effect on the collection of cookie information on our Website.

We use the following third-party tracking services to track your IP address and identify mobile devices by using cookies:

• Google Analytics (see how Google uses data when you use its partners’ sites or apps)
• Adroll, to track your IP address and identify mobile devices by using cookies. Adroll also collects “hashed” (scrambled) identifiers from e-mail addresses for tracking you across devices for targeted advertising. These identifiers may be shared with Adroll’s advertising partners. Adroll has information about opting out of cross-device tracking here and additional information for California residents here.
• Crazy Egg, which offers an opt-out feature here.
• Facebook Pixel, to track your IP address and identify mobile devices by using cookies so we can deliver relevant advertising.

You can decline to be tracked for these purposes by adjusting the settings in your web browser or your privacy settings on your mobile device. Doing so will mean we may not be able to remember your preferences or deliver relevant advertising to you. Another way to opt out is by following the instructions:

• To learn more about such interest-based advertising, and to opt out of such collection and use for interest-based advertising by the Digital Advertising Alliance (DAA) participating companies, please visit http://optout.aboutads.info.
• To opt-out of the use of your mobile device ID for targeted advertising, please see http://www.aboutads.info/appchoices.

Even if you opt out, you still may receive advertising from us that is not customized based on your Services or usage information, or advertising from other third parties if they are not a DAA participating company.

B. Unsubscribing from our Marketing Communications

Our customers may also receive promotional offers from us. If you do not want to continue to receive such emails from us, you may opt out at any time by using the unsubscribe link listed in the email or by changing your email preferences.

Your instructions to limit the use of your information for these purposes will be processed as soon as reasonably practicable. Additionally, we are not responsible for informing third parties or affiliates with whom we have already shared your personal information of any changes requested pursuant to this section, or for removing information from or causing information to be removed from the databases or records of such entities.

5. YOUR CALIFORNIA PRIVACY RIGHTS

A. Your Rights

If you are a California resident, you may take advantage of the following rights:

• Right to Know: If you are a California resident, you may request, up to two times each year, that we disclose to you the categories and/or the specific pieces of personal information that we collect, use, disclose, and may sell. We will respond to your request within 45 days unless we need additional time, in which case we will let you know. You may also request, up to one time each year, information about our disclosure of personal information about you to third parties or affiliated companies that do not share the same brand name for their direct marketing purposes.
• Right to Delete: Subject to certain exceptions, you may request that we delete personal information that we have collected from you. Note that there are some reasons we will not be able to fully address your request, such as if we need to complete a transaction for you, to detect and protect against fraudulent and illegal activity, to exercise our rights, or to comply with a legal obligation.
• Right to Opt Out of the Sale of Personal Information: As described below, we share personal information with certain third parties to enable personalized ads on our Services. You may request to opt out of these "sales" (as defined by California law) of personal information at any time using the Do Not Sell My Personal Information link at the bottom of our homepage, or contact us at legal@crigenetics.com or 1-800-571-9216.

To make a right to know or deletion request, please contact us at legal@crigenetics.com or 1-800-571-9216. You must put the statement “Your California Privacy Rights” in the subject field. We are not responsible for notices that are not labeled or sent properly, or do not have complete information. We may take steps to verify your identity before responding to your request by asking you a series of questions about your previous interactions with us.

If you use an authorized agent to make a request, please have the agent contact us at legal@crigenetics.com or 1-800-571-9216. We may require the authorized agent to provide proof that you gave the agent signed permission to submit the request. We may also require you to verify your identity directly with us prior to fulfilling the authorized agent request.

If you exercise any of the foregoing rights, we will not discriminate against you, such as by denying or restricting your access to our Services.

B. Personal Information Collection and Disclosures

In addition to the information provided elsewhere in this Privacy Policy, below are the categories of personal information that CRI Genetics has collected and disclosed over the past 12 months:

• Identifiers/Biographical Information: These include your name, postal and email address, phone number, unique identifiers, and characteristics of protected classifications under California or federal law.
• Commercial information: Your purchase and usage history, and preferences.
• Internet/Electronic Activity: Your geolocation information, IP address, web/app browsing and search history related to our Services, and information regarding your interaction(s) with the Services.
• Genetic Information: This includes your genetic data and coding collected from the physical sample you provide to us.
• Profile Inferences: The inferences that we draw from your information and web activity to create a personalized profile so we can better identify goods and services that may be of interest.
• Financial Information: This includes your bank card and credit card information used to process payments.

In the last 12 months (from the Effective Date listed at the top of the Policy), CRI Genetics has collected the above listed categories of personal information for the business and commercial purposes listed above under “Information Use.” The sources of the personal information are disclosure by you, automatic collection of information about your online activity, third party analytics tools, service providers, advertising networks, and other select third parties (as defined above).

Categories of Personal Information Disclosed:

• In the past 12 months (from the Effective Date listed at the top of the Policy), CRI Genetics has disclosed the following categories of personal information for a business purpose: Identifiers/Biographical Information, Genetic data, Commercial Information, Internet/Electronic Activity, Profile Inferences, Financial Information associated with you. We disclose these categories of personal information to our service providers as described above in “Information We Share With Others.”

Categories of Personal Information "Sold":

• To be clear, CRI Genetics does not sell any genetic information or other sensitive personal information in exchange for money. Under California law, “sale” is a broad term that encompasses information provided to advertising companies so that we can provide more personalized advertising for you on our site and other sites you visit. In the last 12 months (from the Effective Date listed at the top of the Policy), to the extent there were any sales, it was limited to the following categories of personal information so that we could provide you with a more personalized advertising experience:
  • Identifiers/Biographical Information (limited in scope and not in combination with other identifying PI), shared with advertising networks and data analytics providers,
  • Internet/Electronic Activity, shared with advertising networks and data analytics providers, and
  • Profile Inferences, shared with advertising networks and data analytics providers.

C. Information Related to Genetic Testing and Data

• Collection Methods: CRI is never in possession of your physical genetic sample. When you make a purchase of a genetic testing kit, the kit is mailed directly to you. . You create an online account, register the kit, and personally swab your mouth to create the genetic sample. You will then ship the sample directly to our third-party laboratory where the lab will extract the genetic coding from the sample. The laboratory will send the genetic coding through an encrypted process to CRI so we can input the data into our algorithm and provide you with test results. The laboratory destroys all physical samples every six months.
• Use: With your consent, CRI may use genetic data to provide you with genetic reports. CRI may use pseudonymous information for research purposes after obtaining additional consent. CRI does not sell genetic data.
• Consent: CRI obtains consent from you prior to collecting, testing, and storing genetic data. You may review your consent choices for these various potential uses in CRI’s customer portal where CRI hosts your ability to review your options on the use of your genetic data.
• Maintenance: CRI stores your physical sample after obtaining your consent. The physical genetic sample is destroyed every six months. You may request that the sample be destroyed sooner. CRI maintains only pseudonymized genetic data in secure encrypted locations.
• How to Access Your Data: Under California law, California residents my request access to their data.
• How to Delete Your Data: Under California law, California residents may request any stored identifiable genetic data be deleted. CRI retains only pseudonymized genetic data.

6. EEA & UK RIGHTS NOTICE

CRI respects your privacy rights and provides you with reasonable access and rights to the personal information that you may have provided through your use of the Services. We process your data with your consent as stated in this privacy policy.

If you live in the European Economic Area or United Kingdom, you are entitled to the following rights:

• Right to Access the personal data we hold about you and the purposes for which we are using it. We may ask for proof of identity to verify the request. We will work to respond to your request within one calendar month, and let you know if we need additional time.
• Right to Rectify the personal data which is incorrect or requires updating.
• Right to Erase any personal information pertaining to you. We will assess any deletion request after verifying your identity and work to respond within one calendar month, and let you know if we need additional time.
• Right to Object to processing the personal data we process, under certain conditions.
• Right to Data Portability of the data we have collected from you. Under certain conditions, you may request that we transfer your data to another organization, or directly to you.
• Right to Lodge a Complaint with the supervisory authority in your jurisdiction.

At any time, you may request or assert any of the rights above by emailing us at legal@crigenetics.com. If you believe there has been a violation of your privacy rights, please contact us at the email above. In some cases, you may also update your registration information in the customer portal.

You may decline to share certain personal information with us, in which case we may not be able to provide to you some of the features and functionality of the Services.

We will retain your personal data for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. In some circumstances we may anonymize your personal data (so that it can no longer be associated with you) for analytics purposes, in which case we may use this information indefinitely without further notice to you.

CRI takes appropriate steps to ensure that your personal data is properly stored in a secure environment to prevent unauthorized access. We use a lab based in the United States to process your genetic sample, but the sample goes directly from you to the lab. Our contract with the lab includes appropriate safeguards to guarantee the security of your data.

As described above in “Information Automatically Collected,” CRI uses cookies in a range of ways to improve our Services. Cookies are text files which contain information about your internet usage that is held in your browser or your computer’s hard drive. There are different types of cookies.

The types of cookies we use:

• Strictly Necessary Cookies. These cookies are essential to enable you to move around the Website and use its features. These cookies allow us to provide some of the basic functionalities off our Website.
• Performance Cookies. These cookies generally collect information about how visitors use our website so that we can improve our Services. These cookies do not collect identifiable information.
• Functionality Cookies. These cookies allow our Website to remember the choices you make as you browse the Website. They provide more enhanced and personal features. The information collected is anonymized, and they cannot track your browsing activity on other sites once you leave the Website.

To turn off cookies, you may set your browser not to accept cookies. However, this setting may impact your user experience on our Website.

7. EXTERNAL LINKS

The Site may have links to third-party websites, which may have privacy policies that differ from our own. We are not responsible for the practices of such sites.

8. PUBLICATION OF USER SUBMISSIONS

Any information you may disclose on our Services (e.g., ratings and reviews), in blogs, on message boards, in chat rooms, on social media, or in other public areas becomes public information. Please exercise caution when disclosing personal information in these public areas, including personal health information.

9. CHILDREN'S PRIVACY

The Site is not directed to children and is intended for persons over the age of eighteen (18) (“Adults”). Persons under the age of eighteen (“Minors”) must consult with their parent(s) or legal guardian to determine if the Services is appropriate for use. When a Minor uses the Services, CRI Genetics will hold the parent or legal guardian responsible for the Minor’s actions, and the parent or legal guardian will be deemed to have consented to the use of the Minor’s data by CRI Genetics.

10. DATA SECURITY

CRI Genetics takes your trust and confidence in us seriously. To prevent unauthorized access or disclosure, to maintain data accuracy, and to ensure the appropriate use of information, CRI Genetics uses a range of physical, technical, and administrative measures to safeguard data. While we make every effort to help ensure the integrity and security of our network and systems, we cannot guarantee our security measures.

All connections to and from our website are encrypted using Secure Socket Layer (SSL) technology.

11. DATA STORAGE

Genetic Data is created and stored in our lab when analyzing a customer’s DNA sample. DNA samples are stored at our lab for six months after testing. We keep your data, including PHI and Results, on file indefinitely unless you request otherwise.

Your personal information may be stored on servers in the United States and is subject to the laws of the United States, where the data protection and other laws may differ from those of other countries.

12. REVISIONS TO THIS PRIVACY POLICY

We reserve the right, at our sole discretion, to change, modify, add, remove, or otherwise revise portions of this Privacy Policy at any time. When we do, we will post the change(s) on the Sites. Your continued use of the Services following the posting of changes to these terms means you accept these changes. If we change the Privacy Policy in a material way, we will provide appropriate notice to you.

13. HOW TO CONTACT US

If you have questions about this Privacy Statement, the Website, or the Services, or wish to request access to, modify, delete, or receive information about the data we collect, please email CRI Genetics at legal@crigenetics.com.