Colorado Resident Privacy Policy

Effective Date: July 1, 2023

Last Revised Date: September 5, 2023

This Colorado Resident Privacy Notice (“Colorado Notice”) provided by MISTR Inc. and its affiliates, including certain affiliated professional entities and MISTR, Inc. (“MISTR”, “Company” or “We“) supplements the information contained in MISTR Privacy Policy (“Privacy Policy” or “Policy”) and the State Privacy Law Addendum (“Addendum”) and applies solely to individual residents of the State of Colorado (“consumers” or “you”).

If you are a Colorado resident, the Colorado Privacy Act, C.R.S. §§ 6-1-1301 et seq. and its implementing regulations 4 CCR 904-3, as may be amended from time to time (collectively, “CPA”), provide you with certain rights with respect to your Personal Data, as that term is defined under and subject to the CPA.

This Colorado Notice describes your CPA rights with respect to your Personal Data and explains how to exercise those rights, subject to CPA exceptions.

Any terms defined in the CPA have the same meaning when used in this Colorado Policy.

The Right to Confirm/Access/Data Portability

You have the right to confirm whether we are using or disclosing your Personal Data and to access the specific pieces of Personal Data we have collected about you, upon verification of your identity. You also have the right to obtain such data in a portable format but no more than twice per calendar year.

The Right to Correct

You have the right to request that we correct the inaccurate or incomplete Personal Data that we collected and maintain about you. We may ask you for documentation to determine if the requested correction is accurate. We may have a reason under the CPA or other laws to deny your request, either in whole or in part. If so, we will explain that reason to you in our response.

The Right to Request Deletion

You have the right to request that we delete the Personal Data that we collected from you, subject to certain exceptions. Once we receive and confirm your verifiable consumer request, we will delete (and direct our service providers to delete) your Personal Data from our records, unless an exception applies. We may also have a reason under the CPA or other laws to deny your deletion request, either in whole or in part. If so, we will explain that reason to you in our response.

To Submit a Request to Exercise Your Right to Access, Correct or Delete

Email us at [email protected] to submit a request. We may ask you to provide additional Personal Information so that we can properly identify you in our dataset and to track compliance with a request. We will only use Personal Data provided in a request to review and comply with the request. If you choose not to provide this information, we may only be able to process your request to the extent we are able to identify you in our data systems. In certain circumstances, we may decline a request to exercise the rights described above.

Authentication

To protect consumers’ Personal Data and comply with the CPA and other privacy laws, we will use an authentication process to confirm your identity before we act on your requests. You or your authorized agent may make an authenticated consumer request related to your Personal Data. If an authorized agent makes the request on your behalf, we may require that you provide the agent written permission to do so and that you provide us a copy of the authorization or a copy of a power of attorney. We will employ reasonable measures to authenticate requests in order to detect fraudulent requests and prevent unauthorized access to your Personal Data. To meet our obligations, we are required to associate the information you provide in your request with the Personal Data we previously collected. If we suspect fraudulent or malicious activity, we may decline a request or ask that you provide further authenticating information. You are not required to create an account with us to make an authenticated consumer request. We will only use Personal Data you provide to authenticate your data rights request to authenticate your identity or authority to make the request. If you choose not to provide this information, we will only be able to process your request to the extent we are able to identify you in our data systems. We will not require you to pay a fee for authentication.

Response Timing and Format

We will try to respond to a verifiable consumer request within forty-five (45) days of receipt. If we are unable to process your request in such time, we will inform you of the delay in writing.

We will deliver our written response to your account (if you have one with us) or via email.

We charge no fee for your first data rights request but will charge a reasonable fee for each subsequent data rights request within a 12-month period. We reserve the right to charge a fee to process or respond to your verifiable consumer request if we determine that such request is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Right to Appeal

If we are unable to comply with all or a portion of your request, we will explain the reasons we cannot comply. You may appeal our decision by resubmitting a request and we will inform you of any action taken or not taken in response to the request and explain the reasons for our decision within forty-five (45) days of receiving the request.

If you have concerns regarding the result of an appeal, you may contact the Colorado Attorney General here or by calling 800-222-4444.

The Right to Opt-Out of Targeted Advertising, Sale of Personal Data and Certain Profiling

You have the right to direct us not to (i) process your Personal Data for the purposes of targeted advertising; (ii) sell Personal Data we have collected about you; or (iii) engage in profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning you (results in the provision or denial of financial or lending services, housing, insurance, education enrollment or opportunity, criminal justice, employment opportunities, health-care services, or access to essential goods or services).

To exercise an opt-out right, please email [email protected].

You may designate an authorized agent to exercise an opt-out right on your behalf.

If you have provided us with information to apply for or obtain a product or service, please refer to the Privacy Policy to learn about our privacy practices with respect to this information and how you may be able to opt-out of certain types of sharing with Authorized Third Parties, as that term is defined in the CPA.