CALIFORNIA RESIDENT PRIVACY NOTICE
Last Revised Date: May 9, 2025
This California Resident Privacy Notice (“California Policy”) provided by Thirty Madison, Inc., d/b/a Cove, Keeps, and Nurx (collectively “Thirty Madison”), and its subsidiaries and affiliates (“Thirty Madison”, “Company” or “We”) supplements the information contained in the Thirty Madison Online Privacy Policy (“Privacy Policy” or “Policy”) and the State Privacy Law Addendum (“Addendum”) and applies solely to individual residents of the State of California (“consumers” or “you”). This California Policy describes how Thirty Madison collects, uses, and shares information about you through our websites, social media, email exchanges, mobile apps, and other online services on which the Policy is posted (“Service”).
If you are a California resident, the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., as amended by the California Consumer Privacy Rights Act of 2020 and as may be further amended from time to time, and its implementing regulations (collectively “CCPA”), provide you with certain rights with respect to your personal information, as that term is defined under the CCPA.
This California Policy describes your CCPA rights with respect to your personal information and explains how to exercise those rights, subject to CCPA exceptions.
Your privacy rights under the CCPA do not apply to all information that we might collect, use or disclose. For example, the CCPA does not apply to PHI governed by HIPAA, “medical information” governed by the California Confidentiality of Medical Information Act (“CMIA”), or other patient information we maintain in the same manner as PHI or “medical information.” The CCPA also excludes other categories of information.
Any terms defined in the CCPA have the same meaning when used in this California Policy.
COLLECTION, USE AND DISCLOSURE OF PERSONAL INFORMATION IN PRECEDING TWELVE (12) MONTHS
In the last twelve (12) months, we may have collected and used the following categories of personal information about you:
- Identifiers (e.g., name, mailing address, email address, and telephone number, as well as unique identifiers such as your IP address, cookies or similar data)
- Customer records information (e.g., name, address, telephone number, driver’s license number, insurance policy number, last 4 digits of credit or debit card number, medical information, or health insurance information)
- Characteristics of protected classifications under California or Federal law (e.g., your gender or age)
- Commercial Information (e.g., records of personal property, products, or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies)
- Internet or other electronic network activity information (e.g., browsing history, activity, and service pages visited to help you get started, and information regarding your comments, reviews, suggestions, and other interactions with our Service)
- Geolocation Information (e.g., general geographic region of your access to our Site, such as city, state)
- Sensory data (e.g., audio, electronic or similar information) collected when you contact our customer care center by phone or when you upload a photograph of your government-issued ID card with a picture of your face
- Professional or employment-related information (e.g., your occupation)
- Inferences drawn from the information identified above (e.g. personal preferences, including product preferences, online preferences, and interests)
- Sensitive personal information (e.g. information, including photographs, that reveals (a) government identifiers, such as your driver’s license, state ID, or passport number; (b) complete access credentials, such as usernames, financial account, or credit card number in combination with any required security or access code, password, or credentials allowing access to your account; and (c) information concerning your health or sex life (including sexual orientation))
We collect this personal information directly from you when you provide it to us; automatically as you navigate through the Site, as defined in the Privacy Policy; or from third party sources to help us determine whether a Thirty Madison product or service is right for you and to send promotional emails to customers and prospective customers. For more information about the sources from which we collect your personal information, please see Section 2 of the Privacy Policy.
We collect and use your personal information for our own business and commercial purposes, including to provide services to you; to audit interactions on the Site; to secure our Site and detect, protect, and investigate against security incidents; or to improve our Site (e.g., identify bugs, repair errors, and ensure that services function as intended). For more information about the purposes for which we use your personal information, please see Section 3 of the Privacy Policy.
In the past twelve (12) months, the following categories of personal information may have been disclosed to the following categories of third parties for one or more business purposes described below:
- Identifiers: Service providers (who provide professional or other technical support functions to Company or the Site, including hosting service providers); advertisers and advertising networks; medical groups, pharmacies, and other similar business partners; affiliates, parents, and subsidiary organizations of the Company; social media companies; and internet cookie information recipients, such as analytics and behavioral advertising services.
- Customer records information: Service providers; medical groups, pharmacies, and other similar business partners; and affiliates, parents, and subsidiary organizations of the Company.
- Characteristics of protected classifications under California or Federal law: Service providers; medical groups, pharmacies, and other similar business partners; and affiliates, parents, and subsidiary organizations of the Company.
- Commercial Information: Service providers; advertisers and advertising networks; medical groups, pharmacies, and other similar business partners; affiliates, parents, and subsidiary organizations of the Company; social media companies; and internet cookie information recipients, such as analytics and behavioral advertising services.
- Internet or other electronic network activity information: Service providers; advertisers and advertising networks; affiliates, parents, and subsidiary organizations of the Company; social media companies; and internet cookie information recipients, such as analytics and behavioral advertising services.
- Geolocation Information: Service providers; and affiliates, parents, and subsidiary organizations of the Company.
- Sensory Data: Service providers; medical groups, pharmacies, and other similar business partners; and affiliates, parents, and subsidiary organizations of the Company.
- Professional or employment-related information: Service providers; medical groups, pharmacies, and other similar business partners; and affiliates, parents, and subsidiary organizations of the Company.
- Inferences: Service providers; medical groups, pharmacies, and other similar business partners; and affiliates, parents, and subsidiary organizations of the Company.
In addition, in the past twelve (12) months, the following categories of Sensitive personal information may have been disclosed to the following categories of third parties for one or more business purposes described below:
- Government Identifiers: Service providers; medical groups, pharmacies, and other similar business partners; and affiliates, parents, and subsidiary organizations of the Company.
- Complete account access credentials: Service providers; and affiliates, parents, and subsidiary organizations of the Company.
- Health; sex life; or sexual orientation information: Service providers; medical groups, pharmacies, and other similar business partners; and affiliates, parents, and subsidiary organizations of the Company.
We disclose your personal information to provide the services you request; operate and maintain the security of our services; collect payment and process transactions; improve our services; comply with applicable laws or to respond to valid legal requests; and fulfill valid requests from other healthcare providers, labs and pharmacies.
For more information about the purposes for which we disclose your personal information, please see Section 4 of the Privacy Policy.
WE DO NOT USE OR DISCLOSE SENSITIVE PERSONAL INFORMATION FOR PURPOSES OTHER THAN THOSE EXPRESSLY PERMITTED UNDER THE CCPA.
SALE OR SHARING OF PERSONAL INFORMATION IN PRECEDING TWELVE (12) MONTHS
As noted in our Privacy Policy, we do not sell personal information as the term “sell” is commonly understood to require an exchange for money. However, the use of advertising and analytics cookies on our Site is considered a “sale” of personal information as the term “sale” is broadly defined in the CPRA to include both monetary and other valuable consideration. Using this broad definition, our “sale” is limited to our use of third-party advertising and analytics cookies and their use in providing behavioral advertising and their use in understanding how people use and interact with our Site. Our “sales” of your personal information in this manner are subject to your right to opt-out of those sales (see below section entitled RIGHT TO OPT-OUT OF SELLING OR SHARING PERSONAL INFORMATION).
In addition, the Company may “share” your personal information for the purpose of cross-context behavioral advertising, subject to your right to opt-out of that sharing (see below section entitled RIGHT TO OPT-OUT OF SELLING OR SHARING PERSONAL INFORMATION). Our “sharing” for the purpose of cross-context behavioral advertising would be limited to our use of third-party advertising cookies and their use in providing you cross-context behavioral advertising (i.e., advertising on other websites or in other mediums). When the recipients of your personal information disclosed for the purpose of cross-context behavioral advertising are also permitted to use your personal information to provide advertising to others, we also consider this disclosure as a “sale” for monetary or other valuable consideration under the CPRA.
In the last twelve (12) months, we may have “sold” (for monetary or other valuable consideration) or “shared” (for the purpose of cross-context behavioral advertising) the following categories of personal information to the following categories of third parties:
- Identifiers: advertisers and advertising networks; social media companies; and internet cookie information recipients, such as analytics and behavioral advertising services.
- Customer records information: Not sold or shared.
- Characteristics of protected classifications under California or Federal law: Not sold or shared.
- Commercial Information: advertisers and advertising networks; social media companies; and internet cookie information recipients, such as analytics and behavioral advertising services.
- Internet or other electronic network activity information: advertisers and advertising networks; social media companies; and internet cookie information recipients, such as analytics and behavioral advertising services.
- Geolocation Information: Not sold or shared.
- Sensory Data: Not sold or shared.
- Professional or employment-related information: Not sold or shared.
- Inferences: Not sold or shared.
WE DO NOT SELL OR SHARE SENSITIVE PERSONAL INFORMATION TO ANY THIRD-PARTIES.
We may sell or share the categories of personal information described above for the purposes of Site analytics (which helps us to estimate the size of our user base and their usage patterns), and to provide you with targeted advertising on other websites, which is based on your activities on the Site and other online activities.
THE RIGHT TO KNOW / SPECIFIC INFORMATION
You have the right to know and request the following information relating to the personal information we may have collected and disclosed:
- The categories of personal information we have collected about you;
- The categories of sources of the personal information;
- The purposes for collecting, selling, or sharing the personal information; and
- If we sold, shared or disclosed your personal information for a business purpose, two separate lists disclosing: the categories of personal information that was disclosed for a business purpose and the categories of recipients of such information; and the categories of personal information that we sold to or shared with third parties and the categories of recipients of such information.
We are not required to provide you with this information more than twice in a twelve (12) month period.
THE RIGHT TO ACCESS
You have the right to access and obtain a copy of the specific pieces of personal information we have collected about you, upon verification of your identity. Please note that in response to your request, we may not provide you with personal information that would create a substantial, articulable, and unreasonable risk to your personal information, your account with the Company, or the security of our systems and networks, including, for example, your driver’s license or other government issued identification number, your financial account number, or your account password or security answers, as applicable.
THE RIGHT TO CORRECT
You have the right to request that we correct inaccurate personal information that we collected and maintain about you. In some cases, we may require you to provide reasonable documentation to show that the personal information we have about you is incorrect and what the correct personal information may be. We may also not be able to accommodate your request if we believe it would violate any law or legal requirement or cause the information to be incorrect or if the personal information is subject to another exception under the CCPA.
THE RIGHT TO REQUEST DELETION
You have the right to request that we delete the personal information that we collected from you, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your personal information from our records, unless an exception applies. Some exceptions to your right to delete include, but are not limited to, if we are required to retain your personal information to complete the transaction or provide you the goods and services for which we collected the personal information or otherwise perform under our contract with you, to detect security incidents or protect against other malicious activities, and to comply with legal obligations. We may also retain your personal information for other internal and lawful uses that are compatible with the context in which we collected it.
THE RIGHT NOT TO RECEIVE DISCRIMINATORY TREATMENT
You have the right not to receive discriminatory treatment for exercising any consumer rights described in this California Policy or the CCPA.
TO SUBMIT A REQUEST TO EXERCISE YOUR RIGHT TO KNOW, ACCESS, CORRECT AND DELETE
To exercise your rights to know, access, correct and delete, you or your agent may contact us at:
- Cove: Phone (877) 456-2683; Email care@withcove.com
- Keeps: Phone (833) 745-3377; Email help@keeps.com
- Nurx: Phone (800) 321-NURX; Email nurx-support@thirtymadison.com
We may ask you to provide additional personal information, such as name, address, or e-mail, so that we can properly identify you in our dataset to track compliance with a request. We will only use personal information provided in a request to review and comply with the request. If you choose not to provide this information, we may only be able to process your request to the extent we are able to identify you in our data systems. In certain circumstances, we may decline a request to exercise the rights described above.
You may designate an authorized agent to exercise your rights on your behalf. We may request that your authorized agent submit proof of identity and that they have been authorized to exercise your rights on your behalf. We may deny a request from your authorized agent to exercise your rights on your behalf if they fail to submit adequate proof of identity or adequate proof that they have the authority to exercise your rights.
RESPONSE TIMING AND FORMAT
We will endeavor to respond to a verifiable consumer request within forty-five (45) days of receipt. If we are unable to process your request in such time, we will inform you of the delay in writing. If you have an account with us, we will deliver our written response to that account or via email. If you do not have an account with us, we will deliver our written response by mail or email. Information provided in response to a consumer request will be provided free of charge, up to twice.
We reserve the right to charge a fee to process or respond to your verifiable consumer request if we determine that such request is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
RIGHT TO APPEAL
If we are unable to comply with all or a portion of your request, we will explain the reasons we cannot comply. You may appeal our decision by resubmitting a request and we will inform you of any action taken or not taken in response to the request and explain the reasons for our decision within sixty (60) days of receiving the request.
RIGHT TO OPT-OUT OF SELLING OR SHARING PERSONAL INFORMATION
AS OF AUGUST 2023, WE DO NOT SELL OR SHARE PERSONAL INFORMATION WE HAVE COLLECTED ABOUT YOU UNLESS YOU OPT-IN (CONSENT) TO SUCH SALE OR SHARING. When you visit our Site, we provide you with a cookie banner based on your location (as determined by your IP address – we may incorrectly infer your location if you use a VPN or other similar service). For users identified to be located in California, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) define “selling” Personal Information to include providing it to a third party in exchange for money or valuable services. We may disclose data in any of the categories above to certain third parties for commercial purposes, in our products and services or in exchange for valuable services, such as advertising or social media engagement services, which may constitute a “sale” under the CCPA/CPRA. You may opt-out by clicking Your Privacy Choices on the bottom of the Site homepage and changing your cookie settings by clicking the toggle next to Do Not Sell or Share My personal information (so the toggle is not green).
We also honor opt-out preference signals in a “frictionless” manner, which means, if you use an opt-out preference signal, we will not (i) charge you a fee or require any valuable consideration; (ii) change your experience with our Service; (iii) display a notification, pop-up, text, graphic, animation, sound, video, or any interstitial content in response to the opt-out preference signal.
Some browsers and browser extensions support the “Global Privacy Control” (GPC) that can send a signal to the websites you visit indicating your choice to opt-out from certain types of data processing, including data sales and/or targeted advertising. We have configured our cookie consent manager to honor GPC signals and will make reasonable efforts to respect your choices.
PERSONAL INFORMATION RETENTION PERIOD
The Company will retain your personal information for the entire time that you keep your account open, or until you request we delete your personal information. After this period, we may retain your personal information for a period of twelve (12) months, or for any of the reasons described below, whichever is longer. We may retain any or all categories of personal information when your information is subject to one of the following exceptions:
- when stored in our backup and disaster recovery systems. Your personal information will be deleted when the backup media your personal information is stored on expires or when our disaster recovery systems are updated;
- when necessary for us to exercise or defend legal claims;
- when necessary to comply with a legal obligation;
- when stored in the same document or record with other personal information. Your personal information will be deleted upon the expiration of the last exception that applies to such document or record; or
- when necessary to help ensure the security and integrity of our Website and IT systems.
Your personal information will be deleted when we no longer require your personal information for any of the above purposes.
CHILDREN UNDER 18
As noted in Section 9 of our Privacy Policy, we do not target children under the age of 18, and we do not knowingly collect personal information from children under the age of 18. If we learn that we have collected personal information from someone under 18, we will promptly delete that information.