Specialty Program Group LLC Privacy Policy (U.S.) and Privacy Notice for California Residents

1. Updates to Policy, Accessibility of Policy, and Regional Differences

Updates to Policy

From time to time, we may change our privacy practices, which will require changes to this Policy. The latest version of this Policy will be posted on our websites, and the date it is effective will be displayed. We encourage you to look for updates and changes to this Policy when you access our websites. Your continued use of SPG's websites, mobile applications, and services following the posting of changes constitutes your acceptance of such changes with respect to your use of our websites, mobile applications, and services.

Accessibility

If you have special needs with regard to accessing the content of this Policy, contact us at: privacy.compliance@specialtyprogramgroup.com. Please include the words "Accessibility Issue" in your subject line and explain steps we can take to help you to review and understand this Policy.

Regional Differences

Certain jurisdictions provide enhanced Personal Information rights to residents depending on the jurisdiction and the reason SPG is processing Personal Information

2. Definition and Exclusions of Personal Information

"Personal Information" means any information that identifies you or can reasonably be linked to you or your household and includes data such as your name, postal address, email address, and telephone number. Due to the nature of our business as described further in the Section called "Information SPG Collects" below, Personal Information handled by SPG about you may also include:

• your name, Social Security Number, driver's license, or other government-issued identification;
• assets and income, occupation, and employment status, dependent information, and other relevant financial information;
• information relating to any of your past claims, driving history, certifications, license details, previous insurance policy details, previous accident and claims history including any driving convictions;
• information from reporting agencies and state and federal government agencies, such as state motor vehicle departments;
• information from other sources, such as medical or health care providers and other third parties with which you or we maintain a relationship including credit reference agencies, vetting and data validation agencies, advisory service providers, insurers, underwriters, reinsurers, business partners;
• your account activity and premium payment history;
• benefits information such as benefits elections, pension entitlement information, date of retirement and any relevant matters impacting your benefits;
• information about your interest in and attendance at SPG sponsored events, including feedback responses;
• information from social media interactions with SPG's social media presence, feedback forms or surveys;
• credit card, bank account or other account information as may be required to facilitate your payment of insurance premium or similar amounts, which payment generally is made through systems maintained by third parties, such as insurance carriers;
• passive tracking information from our website or the Internet, including information obtained through the use of internet "cookies" as detailed in the "Cookie Choices" section below; and
• inferences drawn from other Personal Information, precise geolocation data, and sensory data such as audio or visual information.

Personal Information does not include aggregated or anonymous information which does not identify and cannot reasonably be used to identify you or your household. It also does not include other categories of information excluded by state or federal law.

3. Information SPG Collects

We are generally unable to perform insurance brokerage or other insurance or financial industry services on your behalf without collecting, using, or disclosing your Personal Information, including sensitive Personal Information. Typically, you will provide your Personal Information directly to us as your broker, as part of a written application for insurance coverage. Other times, we may receive this and other Personal Information from third parties, including insurance carriers and other industry service providers, and other third parties with which you maintain a relationship (for example, your employer and providers of financial or medical services). We may also develop this information over time based on your direct or indirect interactions with us, such as through the use of cookies on our websites.

Please keep in mind that when you provide information to us on a third-party site or platform, the information you provide may be separately collected by the third-party site or platform. We encourage you to read the privacy policies of other sites and mobile applications that may collect your Personal Information.

When you hire SPG to broker insurance or advise you directly, we collect the amount and types of Personal Information that are required for us to perform or support services you requested. This includes information that may be required by an insurance carrier or an industry service provider in the course of providing you with insurance coverage or related services. If you use our websites, we may collect information about your device, browser and other information regarding your web usage using tracking tools described in this Policy. This information collection could include relevant market research designed to make our products and services better; this and other information may include the Personal Information as defined above. SPG also offers its products and services to organizations that act in the performance of their business or profession ("Commercial Clients"). For instance, if SPG performs insurance-related services for your employer (such as employee benefits, retirement, or risk management services), then SPG may need to collect and handle some of your Personal Information to perform those services. SPG refers to this work as our Commercial Business and in that situation, your employer would be a Commercial Client. In these cases, (1) SPG requires Commercial Clients (such your employer or retirement plan) to have appropriate authorization to provide your Personal Information to SPG, (2) SPG requires the client to provide the minimum amount of your Personal Information necessary for SPG to provide the requested services, and (3) SPG Processes the information pursuant to directions and security safeguards required by SPG's contract with the client. Please see "Information SPG Processes When Performing Services for Commercial Clients" below for more details.

4. Use of Cookies and Other Web Tracking Technologies

When you visit any website, it may store or retrieve information on your browser, often in the form of cookies. Cookies are files which can store information in your computer hard drive or other devices and help us and our partners to better understand user behavior. We may use cookies and other web tracking technologies such as pixels, web beacons and session recording tools (collectively, "Web Tracking Technologies") on our websites and mobile applications. Information collected in this manner might be about you, your preferences, or your device; it is primarily used to allow the website to work as you expect it to and to provide a more personalized web experience. This information is also used for security and fraud prevention purposes, to identify which parts of our websites people have visited, to facilitate and measure the effectiveness of advertisements and web searches, and to improve user experiences. We may combine information derived from Web Tracking Technologies with information provided directly by you.

SPG uses different categories of cookies:

• Strictly Necessary Cookies. These cookies are necessary for the website or application to function and cannot be disabled. They are used where required to provide a specific feature or service that you have accessed or requested and that cannot be provided without the use of such cookies (e.g., actions like setting privacy preferences, logging into your account, or filing form fields). If you set your browser to block these cookies, then some parts of the website may not work.
• Performance or Analytical Cookies. These cookies allow measurement of website activity by tracking user visits, the geographic location of users, and the volume of users. We use these cookies to help us analyze and count visits and traffic sources so we can measure and improve the performance of our site. For instance, these cookies help us learn which pages are the most and least popular and understand how visitors move around the site. If you do not allow these cookies, SPG will not know when you have visited its website and will be unable to fully monitor the website's performance.
• Functional Cookies. These cookies enable the website to provide enhanced functionality and personalization. Some functional cookies may be developed by third party service providers whose services are incorporated into the website. Disabling these cookies may (i) disable third-party services and (ii) impact the overall ease of use of the website or application functionality.
• Targeting Cookies. These cookies collect information used to understand how visitors interact with our websites and online services. This information helps us: (a) to assess the effectiveness of web searches, (b) to provide you with a more customized experience, and (c) to provide personalized and relevant product offerings and advertisements. Social media cookies are a subset of Targeting Cookies that may share Personal Information you generate on SPG's website with social network websites and subject your data to those websites' privacy policies and user terms of service. These cookies may be developed by our advertising partners and collect information that may be used by SPG and its advertising partners to build a profile of your interests and to show you relevant advertisements on other websites. If you do not allow these cookies, you will experience less advertising that is curated to your interests.

5. Use and Disclosure of Personal Information

We generally only disclose your Personal Information to perform services on your behalf and provide you with the insurance products and services you expect from us. In addition, in order to operate our business and provide you with the services you request from us, information technology and other support service providers with which we maintain an arrangement may also have access to your Personal Information. Your Personal Information may be disclosed to third parties in connection with a merger, sale, or other transfer of organizational assets where Personal Information held by us about our clients is among the assets transferred.

We may from time to time disclose your Personal Information for the following reasons:

• to fulfill or meet the reason you provided the information and for our everyday business purposes, such as to obtain initial and renewal quotations for insurance or other insurance or financial industry services (including those procured proactively and/or in connection with the movement of a book of business from one provider to another) on your behalf; to obtain insurance (or similar products) on your behalf or to facilitate the performance of related services by other industry service providers; to maintain or service your account or insurance, including by reporting claims of loss to other industry service providers, such as insurance carriers and adjusters; to evaluate our performance or offerings; to allow risk management or actuarial evaluation of prospective or existing placements; to confer with medical professionals if necessary regarding a relevant claim; and to make reports to credit bureaus. We may also save your information to facilitate new quotations or placements.
• for legal reasons, such as to make required or advisable reports to insurance regulatory, law enforcement or other similarly situated authorities including government authorities; to respond to and comply with court orders, applicable law, and other legal requirements; and to defend ourselves against claims and to enforce our rights or protect our employees or property.
• for our own marketing purposes so that we may offer you our products and services, including using targeted or similar advertising on the internet. You will be given the opportunity to opt out of direct marketing from SPG, and you can change your marketing preferences by contacting SPG as set forth in this Policy.
• for joint marketing purposes so that we and any third-party product or service provider may together offer you products and services.
• for our affiliates' everyday business purposes, such as to process or service transactions or to provide or receive shared organizational services.
• for our affiliates' marketing purposes so that they may offer you their products and services using Personal Information, including eligibility information.
• for our and our affiliates' fraud prevention purposes where necessary to prevent and detect fraud.
• for non-affiliated third parties whenever you consent to such sharing, when the information cannot reasonably identify you, when business partners or third-party companies play a related or expected role in an insurance transaction, or as needed for SPG to participate in insurance support organizations. SPG may disclose to its referral partners with whom you already have a relationship certain Personal Information, including (i) campaign performance information such as the e-mail open rates, click rates, unsubscribe rates, and (ii) information about insurance coverage obtained because of the partner's referral to SPG. This information is disclosed to measure the impact of marketing and outreach campaigns and to calculate commissions.
• for our internal and external auditors, where necessary for company audits, complaint investigation or investigation of a security threat.
• for other purposes as may be permitted by law.
• to evaluate, negotiate or effect a business transaction (e.g., a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets) in which Personal Information held by us about our consumers or website users is among the assets evaluated or transferred.

6. Use of Automation for Insurance Quoting

SPG's online formats may utilize certain types of automation which assist insurance carrier partners ("insurers") with their underwriting of insurance. Such automation may result in the use of your Personal Information by the insurer to create predictions about insurance products and premium pricing, and information about insurance carrier market categories that would be appropriate for you. The goal of such an interaction would be for you to receive one or more insurance quotations or estimations of premium and coverage details. Each insurer will have methodologies, including underwriting algorithms, to help with making underwriting decisions. Insurers' underwriting decisions for insurance coverage, and the use of data for making those decisions, are each subject to the applicable privacy policy and privacy rights request process of that insurer. Your Personal Information is protected and is utilized consistently with the purposes and categories of this Policy, and the intention of our use of this technology is that it operates without improper biases. Based on applicable law, you may have the rights to: (a) opt-out of the processing of your Personal Information by automated decision-making technology that produces a legal or consequential effect, (b) correct inaccurate Personal Information used by automated decision-making technology to make a consequential decision about you, and/or (c) appeal, via human review if technically feasible, an adverse consequential decision concerning you arising from the use of automated decision-making technology. If available in your area, these rights can be exercised through the SPG Consumer Privacy Request Portal.

7. Your Privacy Rights and How to Exercise Them

Governments are increasingly granting consumers certain rights regarding their Personal Information. SPG honors requests in accordance with and to the extent required by applicable consumer privacy laws, which may vary depending on where you live. Depending on your state of residence, your rights may include:

To exercise any of these privacy rights, to make a related request, or to ask any question concerning this Privacy Policy, please contact us via any of the following methods:

• Visit the SPG Consumer Privacy Request Portal
• Email privacy.compliance@specialtyprogramgroup.com (please include "Personal Information Rights Request" in your subject line)
• Call us at 866-415-2207
• Write us at:
  Chief Legal Officer
  Specialty Program Group LLC
  150 N Riverside Plaza, 17th Floor
  Chicago, IL 60606

Please include your name, address, telephone number, and email address whenever you contact us. Depending upon the nature of your request, SPG may require you to provide additional information to verify your identity and authority to access or direct the processing of the Personal Information that is the subject of the request. SPG may deny certain privacy requests with respect to your Personal Information if we cannot verify your identity. You may also use an authorized agent to submit a request to exercise your privacy rights on your behalf. If you have an authorized agent submit a request on your behalf, SPG will require (i) you to provide the authorized agent with written permission to act on your behalf, and (ii) your agent to verify their identity directly with SPG. SPG may deny a privacy-related request from an agent that does not meet these requirements.

Situations Where Rights Cannot Be Granted

There may be situations where we cannot grant a particular request --- for example, if you ask us to delete your transaction data but we are legally obligated to keep a record of that transaction to comply with law or if we are unable to verify your identity through standard and reasonable means. We may also decline to grant a request where doing so would undermine our legitimate use of data for anti-fraud and security purposes, such as when you request deletion of an account that is being investigated for security concerns. Other reasons your privacy request may be denied could be that granting the request would jeopardize the privacy of others; that the request is substantively frivolous or vexatious; or that granting the request would be highly impractical in the context of our legitimate business purposes. If we are unable to fulfill your privacy request to access, review, delete or correct your Personal Information, we will provide you with an explanation

8. Cookie Choices

SPG gives you the ability to opt-out of cookies that are not essential to the services of the SPG-controlled websites and applications you use. This option is presented by SPG's Cookie Preference Center when you visit our websites (i) for the first time and (ii) after you clear your browser cache.

Your computers or devices also have tools within their browsers that allow you to manage your acceptance of cookies. These can include the ability to disable or block non-essential cookies, remove cookies, automatically accept cookies, or notify you when a cookie is received. Refer to "https://allaboutcookies.org/how-to-manage-cookies" for detailed explanations by browser (e.g., Google Chrome). Generally, disabling or rejecting cookies can negatively impact your user experience (e.g., because certain features of our website may not be available).

SPG uses both Adobe and Google as website service providers. To learn about Adobe Analytics privacy practices or to opt-out of Adobe cookies which are used to facilitate reporting, visit Adobe Privacy Center. To learn more about Google's privacy practices, visit the Google Privacy Center. To access and use the Google Analytics Opt-out Browser Add-on, visit Google Opt-out.

9. Global Privacy Control (GPC) Signal

In certain jurisdictions, you have the right to opt-out of the use, sharing, and sale of your Personal Information for targeted advertising purposes by broadcasting an opt-out preference signal, such as the Global Privacy Control ("GPC"), on browsers or extensions that support the GPC signal. A list of GPC-enabled available browsers or extensions is available here: https://globalprivacycontrol.org/#download. If you choose to use the GPC signal, you will need to turn it on for each supported browser or browser extension you use. Your request to opt-out will be linked to your browser identifier only. For more information about how to opt-out of the sale or sharing of your Personal Information, see the "Do Not Share or Sell My Personal Information Notice" below.

10. Sales of Personal Information

In the preceding twelve (12) months, we have shared information for cross-contextual behavioral advertising or targeted advertising purposes which might be considered a "sale" of Personal Information as defined by the laws of some jurisdictions. SPG does not knowingly sell the Personal Information of minors.

11. Do Not Share or Sell My Personal Information Notice

Notice of Right to Opt-out of Sharing:

In an increasing number of jurisdictions, you can request that SPG not: (a) sell your Personal Information, (b) share it with third parties for cross-context behavioral advertising purposes, or (c) process it for targeted advertising purposes.

To exercise your rights to opt-out of SPG selling or sharing your Personal Information for cross-context behavioral advertising purposes and/or processing it for targeted or personalized advertising purposes, take the following steps:

1. You can opt-out of certain forms of online sale, sharing, or targeted advertising by turning off non-essential cookies and tracking tools. To do so, interact with SPG's cookie consent tool (upon your first visit or by clicking the cookie settings icon) and disable non-essential cookies. Alternatively, you can utilize the GPC Signal; SPG's websites respond to universal opt-out preference signals, including the GPC, to the extent required by law.
2. To opt out of other kinds of sale, sharing, or targeted advertising, such as "offline" uses of Personal Information to support marketing campaigns, you must also complete and submit an opt-out request via the SPG Consumer Privacy Request Portal.

Effect of Opting-Out:

Your cookie selections are specific to the device, website, and browser you're using, and your selections are deleted whenever you clear your browser's cache. If you use another device or browser, you will need to opt-out on each device and browser. Blocking or clearing cookies from your browser may remove your opt-out settings, requiring you to opt-out again. After you have opted-out, you may still see advertisements for SPG's products and services because not all advertisements are placed using cookies or Personal Information. For example, you may see contextual ads online such as those based on the topic and content of a webpage you visit; some advertisements published to third party websites are simply made visible to all visitors to that website.

12. Retention of Your Information

SPG retains certain records of your Personal Information as necessary to operate our business and comply with our legal and regulatory obligations. Such records are retained for legally defined retention periods that may extend beyond the period for which we provide the Services to you or to our Commercial Clients. We have implemented appropriate measures to confirm that Personal Information is securely disposed of when no longer required.

13. Other Important Website and Mobile Application Information

Our website contains links to third party sites. If you click on one of those links, you will be taken to websites we do not control. This Policy does not apply to the information practices of those sites. You should read the privacy policies of those other websites carefully. We are not responsible for those third-party sites. Links to third party sites do not constitute or imply endorsement by us of the linked site or any material displayed on those sites.

To the extent that SPG provides mobile application access for your use, please note that your Personal Information may be collected. In addition to being subject to this Policy, your use of a downloaded application provided by SPG may also be subject to the privacy terms and conditions of the providers and developers of the application. SPG may have access to and utilize certain data collected by such providers or developers. SPG may utilize such data to better service your account, to improve the performance of the application, as well as for the other purposes set forth in this Policy.

SPG websites are not intended for children under 13 years of age. No one under age 13 may provide any information through our websites, and we do not knowingly collect Personal Information from children under thirteen. If you are under thirteen, do not use or provide any information on this website or otherwise provide any information about yourself to us, including your name, address, telephone number, email address, or any screen or username you may use. If we learn we have collected or received Personal Information from a child under thirteen without verification of parental consent, we will use commercially reasonable efforts to delete that information. If you believe we might have any information from or about a child under thirteen without parental consent, please contact us at the mailing address shown beneath the heading "Your Privacy Rights and How to Exercise Them."

14. Information SPG Processes When Performing Services for Commercial Clients

When SPG provides services to its Commercial Clients, SPG may collect, from the client, information about the client's business operations and Personal Information about you and your relationship with that client. For example, SPG offers services to employers and retirement plans, among others. During the course of providing these services, SPG (i) is informed that you are the client's employee or plan's participant, and (ii) receives Personal Information about you including, your name, contact details, date of birth, gender, marital status, certain financial information (like premiums you paid), employment details, benefit coverage, and other types of data described in the "Definition And Exclusions of Personal Information" and "Information SPG Collects" sections above. SPG may also collect data from public information sources including social media and other websites, government agencies, third-party service providers, and business partners. When SPG processes this information, it does so as the Commercial Client's data processor and only handles the Personal Information to provide its services to the Commercial Client. Accordingly, if you submit to SPG a Data Subject Access Right ("DSAR") Request (e.g., if you seek to exercise your privacy rights to access, correct, or delete Personal Information about you) concerning information provided to SPG by a Commercial Client, SPG will notify you that you must submit your DSAR Request directly to the Commercial Client.

15. Information Security

We maintain technical and organizational security measures reasonably designed to protect the security of your Personal Information against loss, misuse, and unauthorized access, disclosure, or alteration. SPG International Limited and its affiliates take steps to secure your Personal Information with appropriate levels of security around storage and use. Despite this, the security of information cannot be guaranteed. If you have reason to believe that your Personal Information maintained by us is no longer secure, please immediately notify us utilizing the contact information set forth above. In the event of a breach impacting your Personal Information, we intend to provide you with notification to the extent required by applicable law.

SPECIALTY PROGRAM GROUP LLC -- CALIFORNIA PRIVACY NOTICE

Privacy Notice for California Residents

Effective Date: August 1, 2024

This Privacy Notice for California Residents (this "Notice") supplements the information contained in the SPG Privacy Policy (the "Policy") and is provided on behalf of Specialty Program Group LLC and its subsidiaries listed here.

This Notice provides our "notice at collection" and provides certain mandated disclosures about our treatment of California residents' information, both online and offline. We adopt this Notice to comply with the California Consumer Privacy Act of 2018 as supplemented by the California Privacy Rights Act of 2020 (collectively, the "CCPA") and any terms defined in the CCPA have the same meaning when used in this Notice (unless separately defined in this Notice or the Policy). This Notice applies solely to residents of the State of California as defined in the CCPA ("California Residents") who do business with us directly and/or visit the mobile apps and websites of Specialty Program Group LLC and its subsidiaries ("our websites").

Updates to this Notice and Accessibility

We reserve the right to amend this Notice at our discretion and at any time. When we make changes to this Notice, we will post the updated Notice on the websites and update the Notice's effective date. We encourage you to look for updates and changes to this Notice when you access our websites. Your continued use of our websites and mobile applications following the posting of changes constitutes your acceptance of such changes with respect to your use of the websites and mobile applications.

Accessibility

If you have special needs with regard to accessing the content of this Notice, we recommend that you or someone on your behalf, contact us by email at: privacy.compliance@specialtyprogramgroup.com. Please indicate "Accessibility Request" in your subject line to help us to identify this request.

Definition and Exclusions of Personal Information and Sensitive Personal Information under the CCPA and at Specialty Program Group LLC

Generally, Personal Information under the CCPA and in this Notice means information that identifies (whether directly or indirectly) you, such as your name, postal address, email address, and telephone number. Due to the nature of our business, Personal Information we collect may also include:

• your name, Social Security Number, driver's license, or other government-issued identification;
• assets and income, occupation and employment status, dependent information and other relevant financial information;
• information relating to any of your past claims, driving history, certifications, license details, previous insurance policy details, previous accident and claims history including any driving convictions;
• information from reporting agencies and state and federal government agencies, such as state motor vehicle departments;
• information from other sources, such as medical or health care providers and other third parties with which you or we maintain a relationship including credit reference agencies, vetting and data validation agencies, advisory service providers, insurers, underwriters, reinsurers, other insurance brokers, business partners;
• your account activity and premium payment history;
• benefits information such as benefits elections, pension entitlement information, date of retirement and any relevant matters impacting your benefits;
• information about your interest in and attendance at SPG sponsored events, including feedback responses;
• information from social media interactions with SPG's social media presence, feedback forms or surveys;
• credit card, bank account or other account information as may be required to facilitate your payment of insurance premium or similar amounts, which payment generally is made through systems maintained by third parties, such as insurance carriers;
• passive tracking information from our websites or the Internet, including information obtained through the use of internet "cookies" as detailed in the "Cookie Notice and Notice of Other Web Technologies" of our U.S. Privacy Policy; and
• inferences drawn from other Personal Information, precise geolocation data, and sensory data such as audio or visual information.

Personal Information as defined under the CCPA does not include:

• Publicly available information from government records as defined under Civil Code Section 1798.140;
• Deidentified or aggregated consumer information;
• Health or medical information to the extent covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA) or clinical trial data; and
• Personal information to the extent covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA) and the Driver's Privacy Protection Act of 1994.

Certain types of Personal Information are considered "Sensitive Personal Information" under the CCPA. Specifically, Sensitive Personal Information is a specific type of Personal Information defined specifically as its own category under California law in the CCPA as information that reveals a consumer's:

• Social Security, driver's license, state identification card, or passport number;
• Account login, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account;
• Precise geolocation;
• Racial or ethnic origin, religious or philosophical beliefs, or union membership;
• Mail, email, and text message content, unless the business is the intended recipient of the communication;
• Genetic data; and/or
• Biometric information, which may reference certain physiological, biological, or behavioral characteristics; or DNA information; which could potentially establish an individual's identity. Retina scans, fingerprints or voice recordings could also be considered such information.

Personal Information We Collect

The following categories of Personal Information and/or Sensitive Personal Information may have been collected from California Residents within the last twelve (12) months. Personal Information that falls under the definition of Sensitive Personal Information under the CCPA has been noted in the second column below.

Category	California Sensitive Personal Information may be considered to be within this Category (YES or NO)	Examples of Personal Information	Collected
A. Identifiers	YES	A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.	YES
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80I).	YES	A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some personal information included in this category may overlap with other categories.	YES
C. Protected classification characteristics under California or federal law.	YES	Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).	YES
D. Commercial information.	NO	Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.	YES
E. Biometric information.	YES	Genetic, physiological, behavioral and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns and sleep, health, or exercise data.	NO
F. Internet or other similar network activity.	NO	Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.	YES
G. Precise geolocation data.	YES	Physical location or movements within a geographic area that is equal to or less than the area of a circle with a radius of 1,850 feet.	YES
H. Sensory data.	YES	Audio, electronic, visual, thermal, or similar information.	YES
I. Professional or employment-related information.	NO	Current or past job history.	YES
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).	YES	Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.	YES
K. Inferences drawn from other personal information.	YES	Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities and aptitudes.	YES

Sources of Personal Information We Collect

We may obtain the categories of Personal Information listed above from the following categories of sources:

• Directly from you -- for example, from insurance applications or in connection with your other communications with us.
• From third parties -- for example, from insurance carriers and other industry service providers, other insurance brokers, and other third parties with which you maintain a relationship, such as an employer, financial service or medical or health providers, or any industry provider from which we purchase or acquire industry assets or operations. This may occasionally include referral sources.
• Indirectly from you -- for example, from observing your actions on our websites, including through the use of "cookies" as described on our websites, as permitted, or described in those other third-party sites' own privacy policies, or as may otherwise be developed over time based on your interactions with us.

Use of Personal Information

We may from time to time use your Personal Information for the following reasons:

• to fulfill or meet the reason you provided the information and for our everyday business purposes, such as to obtain quotations for insurance or other insurance or financial industry services (including those procured proactively and/or in connection with the movement of a book of business from one provider to another) on your behalf; to obtain insurance (or similar products) on your behalf or to facilitate the performance of related services by other industry service providers; to maintain or service your account or insurance, including by reporting claims of loss to other industry service providers, such as insurance carriers and adjusters; to evaluate our performance or offerings; to allow risk management or actuarial evaluation of prospective or existing placements; to confer with medical professionals if necessary regarding a relevant claim; and to make reports to credit bureaus. We may also save your information to facilitate new quotations or placements.
• for legal reasons, such as to make required or advisable reports to insurance regulatory, law enforcement or other similarly situated authorities including government authorities; to respond to and comply with court orders, applicable law, and other legal requirements; and to defend ourselves against claims and to enforce our rights or protect our employees or property.
• for our own marketing purposes, so that we may offer you our products and services, including through the use of targeted or similar advertising on the internet.
• for joint marketing purposes, so that we and any third-party product or service provider may together offer you products and services;
• for our affiliates' everyday business purposes, such as to process or service transactions or to provide or receive shared organizational services.
• for our affiliates' marketing purposes so that they may offer you their products and services.
• for our and our affiliates' fraud prevention purposes, where necessary to prevent and detect fraud.
• for non-affiliated third parties, whenever you consent to such sharing, when the information cannot reasonably identify you, when business partners or third-party companies play a related or expected role in an insurance transaction, or as needed for SPG to participate in insurance support organizations.
• for our internal and external auditors, where necessary for company audits, complaint investigation or investigation of a security threat.
• for other purposes, as may be permitted by law, as described to you when collecting your Personal Information or as otherwise set forth in the CCPA.
• to evaluate, negotiate or effect a business transaction (e.g., a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets), in which Personal Information held by us about our consumers or website users is among the assets evaluated or transferred.

Sharing of Personal Information under the CCPA

Under the CCPA, the Sharing of Personal Information means sharing, disclosing, disseminating, making available or otherwise communicating a consumer's Personal Information to a third party for uses such as targeted advertising for the benefit of the business.

California residents have certain rights under the CCPA around limiting the Sharing of their Personal Information.

The CCPA addresses two distinct categories of information disclosure by businesses, differentiating the Sharing of Personal Information for a Commercial Purposes from the Disclosure of Personal Information for a Business Purpose, as described below.

Sharing of Personal Information for a Commercial Purpose

The CCPA defines the Sharing of Personal Information for a Commercial Purpose as including the sale or sharing of a customer's Personal Information for monetary or other consideration paid to the sharing business.

In accordance with that definition, in the preceding twelve (12) months, SPG has Shared Personal Information for a Commercial Purpose as disclosed within the Policy, including specifically as described in our Cookie Notice and Notice of Other Web Technologies in relation to sharing personal information for cross-contextual behavioral advertising or targeted advertising.

As provided by the CCPA, California consumers have the right to opt-out of the "sale" of personal information to third parties. To opt-out of the "sale" or "sharing" of personal information related to targeted advertising, interest based advertising and cross context behavioral advertising, take the following steps:

1. Turn off Social Media, Targeting and Advertising cookies by using the cookie consent mechanism available on our websites or by enabling the Global Privacy Control ("GPC") signal on your browser; and
2. Complete and submit a request using the SPG Consumer Privacy Request Portal

Your cookie selections are specific to the particular device, browser, and website you use. If you use another device or browser, you will need to opt out on each device and browser. Blocking or deleting cookies from your browser may remove your opt-out settings, requiring you to opt-out again.

Disclosure of Personal Information for a Business Purpose

The CCPA excludes from the definition of Sharing Personal Information any use of Personal Information which was requested by you (the customer), including the expected and typical use of that information by a third party for the reasonably necessary purposes to achieve the requested service. Such an information transfer is considered the Disclosure of Personal Information for a Business Purpose under the CCPA.

In the preceding twelve (12) months, we may have Disclosed the following categories of Personal Information for a Business Purpose:

Category A: Identifiers
Category B: California Customer Records Personal Information categories
Category C: Protected classification characteristics under California or federal law
Category D: Commercial information
Category F: Internet or other similar network activity
Category H: Sensory Data
Category I: Professional or employment-related information
Category J: Non-public education information
Category K: Inferences drawn from other Personal Information

We may Disclose to the following categories of third parties your Personal Information for a Business Purpose to perform services on your behalf and to provide you with the insurance products and services you expect from us:

• Service providers.
• Insurance carriers and other industry service providers.
• Other third parties with which you or we maintain a relationship regarding your insurance.

Sales of Personal Information

In the preceding twelve (12) months, we have sold or shared Personal Information as defined by the CCPA, as described herein and in our Cookie Notice and Notice of Other Web Technologies in the Policy in relation to sharing personal information for cross-contextual behavioral advertising or targeted advertising.

Global Privacy Control (GPC) Signal

You have the right to opt out of the use of your personal information for targeted advertising purposes. You may download one of the supported browsers or extensions to send the Global Privacy Control ("GPC") signal, which will transmit your request to opt-out of targeted advertising automatically. A list of GPC enabled available browsers or extensions is available here: https://globalprivacycontrol.org/#download.

Your computers or devices also have tools within their browser settings that allow you to manage your acceptance of cookies. These can include the ability to disable or block cookies, remove cookies, automatically accept cookies or to notify you when a cookie is received. Generally disabling or rejecting cookies can impact your user experience; Certain features of our website may not be available if all cookies are disabled, and therefore, disabling, particularly of strictly necessary cookies, may not be available.

Information Specific to Employment Data of Specialty Program Group LLC

In addition, for recruitment and/or employment purposes, in the past twelve (12) months we have collected or may have collected and retained the following categories of Personal Information as necessary from California residents. Personal Information that falls under the definition of Sensitive Personal Information under the CCPA has been noted in the second column below:

Category	California Sensitive Personal Information may be considered to be within this Category (YES or NO)	Examples of Personal Information	Collected
Additional personal details, contact details and identifiers.	YES	Additional personal details for recruitment/employment purposes, such as national identification number, Social Security number, insurance information, marital/civil partnership status, domestic partners, dependents, emergency contact information, and military history; professional/personal calendar availability/scheduling information for meeting/communication purposes.	YES
Education information and professional or employment-related information.	NO	Information about your education and professional or employment-related information, such as your employment history.	YES
Sensitive data for recruitment purposes.	YES	Certain types of sensitive information when permitted by local law or with your consent, such as health/medical information (including disability status), trade union membership information, religion, race or ethnicity, minority flag, and information on criminal convictions and offences. We collect this information for specific purposes, such as health/medical information in order to accommodate a disability or illness (subject to legal limits on the timing of collection of such information and other applicable limitations) and to provide benefits; background checks and diversity-related Personal Information (such as race or ethnicity) in order to comply with legal obligations and internal policies relating to diversity and anti-discrimination.	YES
Documentation required under immigration laws.	YES	Data on citizenship, passport data, and details of residency or work permit (a physical copy and/or an electronic copy).	YES, as to employees, some job candidates, and contractors of Specialty Program Group LLC
Financial information for payroll/benefits purposes.	YES	Your banking and other relevant financial details we need for payroll/benefits purposes.	YES
Talent management information.	YES	Information necessary to complete a background check, details on performance decisions and outcomes, performance feedback and warnings, e-learning/training programs, performance and development reviews (including information you provide when asking for/providing feedback, creating priorities, updating your input in relevant tools), driver's license and car ownership information, and information used to populate biographies.	YES
Requested recruitment information.	NO	Information requested to provide during the recruitment process, to the extent allowed by applicable law.	YES
Recruitment information you submit.	NO	Information that you submit in résumés / CVs, letters, writing samples, or other written materials (including photographs).	YES
Information generated by us during recruitment.	NO	Information generated by interviewers and recruiters related to you, based on their interactions with you or basic Internet searches where allowed under applicable law.	YES
Recruitment information received from third parties.	NO	Information related to you provided by third-party placement firms, recruiters, or job-search websites, where applicable.	YES
Audiovisual information processed during recruitment.	YES	Photograph, and images/audio/footage captured on CCTV or other video systems when visiting our office or captured in the course of recruitment events or video recruitment interviews.	YES
Recommendations.	NO	Recommendations related information provided on your behalf by others.	YES
Employment history and background checks.	YES	Information about your prior employment, education, and where applicable and allowed by applicable law, credit history, criminal records or other information revealed during background screenings.	YES
Diversity related information.	YES	Information about race / ethnicity / religion / disability / gender and self-identified LGBT status, for purposes of government reporting where required by law, as well as to understand the diversity characteristics of our workforce, subject to legal limits.	YES
Assessment information.	YES	Information generated by your participation in psychological, technical or behavioral assessments. You will receive more information about the nature of such assessments before your participation in any of them.	YES

Retention of Your Information

SPG retains certain records of your Personal Information as necessary to operate our business and comply with our legal and regulatory obligations. Such records are retained for legally defined retention periods that may extend beyond the period for which we provide the Services to you. We have implemented appropriate measures to confirm that Personal Information is securely disposed when no longer required.

Your Rights and Choices

The CCPA at Section 7011 (e)(2) provides California Residents with specific rights regarding their Personal Information:

(A) Access. The right to know what Personal Information the business has collected about the consumer, including the categories of Personal Information, the categories of sources from which the Personal Information is collected, the business or commercial purpose for collecting, selling, or sharing Personal Information, the categories of third parties to whom the business discloses Personal Information, and the specific pieces of Personal Information the business has collected about the consumer;

(B) Deletion. The right to delete Personal Information that the business has collected from the consumer, subject to certain exceptions;

(C) Correction. The right to correct inaccurate Personal Information that a business maintains about a consumer;

(D) Opt-out of Sale or Sharing. If the business sells or shares Personal Information, the right to opt-out of the sale or sharing of their Personal Information by the business;

(E) Limitation on the Use of Sensitive Personal Information. If the business uses or discloses sensitive Personal Information for reasons other than those set forth in section 7027, subsection (m), the right to limit the use or disclosure of sensitive Personal Information by the business; and

(F) Non-discriminatory Treatment. The right not to receive discriminatory treatment by the business for the exercise of privacy rights conferred by the CCPA, including an employee's, applicant's, or independent contractor's right not to be retaliated against for the exercise of their CCPA rights.

The following sections describe these CCPA rights in further detail and explain how to exercise those rights.

Access to Specific Information and Data Portability Rights

You have the right to request that we disclose certain information to you about our collection and use of your Personal Information over the past twelve (12) months. Once we receive and confirm your verifiable consumer request for Access rights (see "Exercising Access, Data Portability and Deletion Rights"), we will disclose to you to the extent reasonably available, and to the extent that we can continue to protect your data while providing such disclosure:

• The categories of Personal Information we collected about you.
• The categories of sources for the Personal Information we collected about you.
• Our business or commercial purpose for collecting or selling that Personal Information.
• The categories of third parties with whom we share that Personal Information.
• The categories of Personal Information shared for a business purpose for each category of recipients.
• The specific pieces of Personal Information we collected about you (also called a data portability request).

In addition to the rights listed above, you may request limitations on the use of your Sensitive Personal Information consistent with the terms and limitations described in the CCPA, and pursuant to Civil Code Section 1798.120 et.seq. Limited use of Sensitive Information may continue to include those uses which the average consumer would reasonably expect in context, and for uses which are reasonably necessary and proportionate for our business.

Deletion Request Rights

You have the right to request that we delete any of your Personal Information that we collected from you and retained. Once we receive and confirm your verifiable consumer request (see "Exercising Access, Data Portability and Deletion Rights"), we will delete your Personal Information from our records, unless an exception applies.

We may deny your deletion request in whole or in part for other reasons and exceptions described in the CCPA.

Exercising Access, Data Portability and Deletion Rights

To exercise the access, data portability and deletion rights described above, please submit a verifiable consumer request to us by:

• Visiting the SPG Consumer Privacy Request Portal
• Emailing us at: privacy.compliance@specialtyprogramgroup.com
• Calling us at: 866-415-2207

To protect your information and privacy, only you, or someone legally authorized to act on your behalf, may make a verifiable consumer request related to your Personal Information. Please indicate in your subject line "California Privacy Rights Request" so that we can better respond to you. Designated agents making any request will be required to provide signed permission for the agent to submit a request. In addition, when an authorized agent submits a request, we may also require that you verify your own identity directly to us or confirm with us that you have requested that the agent to submit the request. You may also make a verifiable consumer request on behalf of your minor child.

You may only make a verifiable consumer request for access or data portability twice within a 12-month period. The verifiable consumer request must:

• Provide sufficient information as we may request that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative of such person, which may include personal and/or commercial identifiers, such as an insurance policy number. Depending on the sensitivity of the information you are requesting, we may ask for additional information to verify your identity.
• Describe your request with sufficient detail that allows us to properly understand, evaluate and respond to it.

We cannot provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you. We will only use Personal Information provided in a verifiable consumer request to verify the requestor's identity or authority to make the request.

Response Timing and Format

We will acknowledge receipt of your request within ten (10) days. We will endeavor to respond in substance to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time, we will inform you of the extension period which may not exceed an additional forty-five (45) days beyond the original forty-five (45) day period.

Any disclosures we provide will only cover the 12-month period preceding the verifiable consumer request's receipt. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide your Personal Information that is readily usable and should allow you to transmit the information from one entity to another entity without significant hindrance.

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

• Deny you goods or services.
• Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
• Provide you a different level or quality of goods or services.
• Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

Other California Privacy Rights

California's "Shine the Light" law (Civil Code Section § 1798.83) permits users of our website who are California Residents to request certain information regarding our disclosure of Personal Information to third parties for their direct marketing purposes. To make such a request, please write us at the mailing address shown beneath the heading "Contact Information for Requests under this Notice."

Contact Information for Requests under this Notice

If you have any questions or comments about this Notice, the ways in which we collect and use your Personal Information described herein, and in the Policy, your choices, and rights regarding such use, or wish to exercise your rights under California law, please contact us at:

Postal Address:
Chief Legal Officer
Specialty Program Group LLC
150 N Riverside Plaza, 17th Floor
Chicago, IL 60606

Or by:

• Visiting us at: the SPG Consumer Privacy Request Portal
• Emailing us at: privacy.compliance@specialtyprogramgroup.com
• Calling us at: 866-415-2207

Please indicate the purpose of your Email in the subject line, for instance "California Privacy Rights Request," so that we can identify your Email properly.

Situations Where Rights Cannot Be Granted

There may be situations where we cannot grant a particular request --- for example, if you ask us to delete your transaction data but we are legally obligated to keep a record of that transaction to comply with law, or if we are unable to verify your identity through standard and reasonable requirements. We may also decline to grant a request where doing so would undermine our legitimate use of data for anti-fraud and security purposes, such as when you request deletion of an account that is being investigated for security concerns. Other reasons your privacy request may be denied could be that granting the request would jeopardize the privacy of others; that the request is substantively frivolous or vexatious; or that granting the request would be highly impractical in the context of our legitimate business purposes.