Privacy

Page 1 of 10

SUN BASKET PRIVACY POLICY

Effective Date: This Privacy Policy (version 2.0) is effective July 1, 2020.

I. Introduction

Sun Basket, Inc., welcomes this opportunity to advise you of its approach to data

privacy.

For purposes of this Privacy Policy (the “Policy”), Sun Basket, Inc. may be referred to as

“Sun Basket,” “we,” “our,” or “us.” Sun Basket operates a website at

https://sunbasket.com, and a mobile application (collectively, our “Website”). This Policy

explains how we collect, use, store, and otherwise process personal information

(defined below) whether obtained through the Website, or off-line, except where

otherwise stated.

Terms used in this Policy that are defined in the California Consumer Privacy Act

(“CCPA”) are, for convenience, intended to have the same meaning as in the CCPA

(unless stated otherwise). In this Policy, “personal information” (which may be referred

to as “PI”) means (unless otherwise stated) information that is maintained in a manner

that identifies, relates to, describes, is reasonably capable of being associated with, or

could reasonably be linked, directly or indirectly to a particular individual (a natural

person) or household, excluding information lawfully available from federal, state, or

local government records.

By using Sun Basket’s services, and Website, you consent to the collection, storage,

and processing of your PI pursuant to this Policy, in any State in the United States, and

in any country to which we may transfer your PI in the course of our business

operations. As you review this Policy, keep in mind that legal protections for personal

information (and definitions of what is governed and how) are not the same in all

jurisdictions, inside and outside the United States, are rapidly evolving, and are

complex. Not all laws apply to all entities, individuals, or information, or in all locations,

or all circumstances. For region-specific disclosures, including for California, please see

Section IX, below. Except where explicitly referred to, this Policy does not address

personal information (i) of Sun Basket’s employees, job applicants, contractors, owners,

directors, or officers (to the extent their personal information is collected and used solely

within the context of those roles); or (ii) from communications between representatives

of another entity with Sun Basket’s representatives within the context of providing or

receiving a product of service (“business-to-business contacts”).

Page 2 of 10

II. Contacting Us

Data privacy is important to us. If you have questions about this Policy, wish to exercise

rights provided you pursuant to this Policy, or otherwise under applicable law (whether

or not referred to in this Policy), or due to a disability need to access the Policy in an

alternative format, you should contact us at (only):

By telephone: 855.204.7597 (toll-free); or

By e-mail: [email protected]

When contacting us, please do not provide any personal information beyond the

minimum necessary to verify your identity. We strive to limit the PI collected in

connection with verification, by matching information you provide with information about

you in our systems (if any). Certain requests, however, may require us to obtain

additional PI from you. What information or process may be required may differ

depending on whether you (or your household) have a password-protected account with

us. Depending on the circumstances, we may decline or limit responses to requests,

including for security where we are unable to verify identity, or where another entity is

responsible for that PI and any disclosures related to that PI (such as where Sun Basket

is providing or has provided services to that entity).

Please do not provide us personal information about others unless and until you have

received their permission to do so (for example, for referrals, gift deliveries).

If you have an account with us, you may correct or update your PI within it by logging

into your account at any time.

III. Changes to this Privacy Policy

We will update this Privacy Policy from time to time, including to adapt to changing

technologies, laws, and business practices. When we do, we will update the Effective

Date at the top of this Policy, and that change of Effective Date will serve as notice of

the update. Changes are effective when posted. Your continued use of our services and

the Website after a modified Policy is posted indicates your acceptance of its terms.

IV. Security

No data transmission over the Internet, or data storage, may be guaranteed as entirely

secure. We do implement reasonable physical, administrative, and technical measures

to protect PI from unauthorized access, destruction, use, modification, or disclosure.

Users can take steps also to protect themselves, such as by keeping confidential any

sensitive information; not accessing the Website from unsecure Wi-Fi; and when

discarding sensitive information, shredding or otherwise rendering it unreadable.

Page 3 of 10

For your convenience, the Website may contain links to other entity’s websites, and you

may be able to use a social media account (such as Facebook) to log into your Sun

Basket account. Sun Basket is not responsible for other websites or their privacy

practices. Links to other websites, or allowing logins from other sites’ accounts, are not

an endorsement by Sun Basket of, or representation that we are affiliated with, such

other entities. If you are interested in visiting such other websites (including by “liking”

us there), or if you wish to log into your account with us through your account with

another website, we urge you first to review and ensure that you are comfortable with

that site’s privacy policies, which may differ from ours.

V. What Personal Information We Collect, Use, And Share, and Why

Sun Basket collects, uses, retains, and discloses information for various purposes. The

information collected, and the purposes for which it may be used, may vary based on

our relationship with you. We highlight some of our practices below and describe them

in more detail on the chart attached.

Personal information we collect

Among the PI Sun Basket collects, uses and discloses are:

From you: Personal information you may provide to us through using our services,

Website, or otherwise includes:

Contact information: such as first and last name, e-mail address (required to set

up and maintain an on-line account with us, or to receive e-mails from us), zip

code (when setting up an on-line account with us), physical mailing address

(required to receive a delivery), telephone number (optional), Facebook

Messenger ID, Click ID. This would include information about you, and anyone

about whom you provide us information. (Reminder: Before sharing another

person’s PI with us (such as for a gift, delivery, referral), please get their

permission).

Account profile/registration information: such as your username and password to

set up and maintain your on-line account with us, your interests and preferences

and any other information added to your on-line account.

Communications: such as information you share with us when you correspond

with us, whether in writing or via telephone, or anything you choose to post on

our Website. Please use care before posting anything on our Website, at which

point it will become publicly viewable, and do not post personal information about

you or others.

Transactional information: such as your order history, information we or our

vendors require in order to process your order including order details, billing and

delivery addresses, payment information (type of payment card (i.e., Visa or

Mastercard), credit or debit card numbers, name on card, card security codes

Page 4 of 10

(i.e., CVV), expiration dates). For customer security, Sun Basket does not itself

maintain your full credit or debit card numbers. Our payment-related vendors

receiving and maintaining credit or debit card numbers and other information are

expected to implement standard industry security measures.

From other sources:

We (or entities with which we contract) may collect information about you also

from our business partners (such as our advertising and marketing partners,

service providers, and entities for which we provide services), data brokers,

public sources and platforms (such as blogs, forums, social media). For example,

to let you know about offerings or services we hope you will particularly enjoy, we

may supplement the PI we have from you with information available elsewhere. If

you choose to log into our Website via another entity’s platform (such as

Facebook), or otherwise connect your account on that platform or network to

your account with us, we may collect information identifying your account with it,

and it may collect information, such as about your browsing. Please only use that

functionality if you want us to help you connect and share public content via your

social media account, and you are comfortable with that entity’s privacy policies.

Indirectly:

Some information is collected indirectly about you, your device(s), and your

activity on and through the Website, such as device data (such as your device’s

operating system type and version number, manufacturer and model, browser

type, screen resolution, IP address, website visited before ours, general location

(if your device is enabled to send that information); on-line activity data (such as

pages or screens viewed and for how long, navigation paths between pages or

screens, access dates, times and duration).

Some automatic data collection is facilitated by “cookies” (small data files placed

on your device’s hard drive when visiting a website or in e-mails sent to you) and

other technologies such as pixels (tags embedded invisibly on webpages or

within e-mails). Some recognize a device when it revisits our Website, let visitors

navigate efficiently between pages, remember preferences and what is in a

shopping cart, otherwise improve the browsing experience, help us understand

how our Website and e-mails are being used. (The Website may not work with

full functionality if certain, essential cookies are blocked). Some (whether ours, or

others’) recognize your devices over time, and when visiting other websites, or

across devices. Such technologies, and data from them, serve a variety of

purposes, including to personalize your experience on our site, provide

advertising we hope is better aligned with your interests, website analytics, and

your social media sharing. Some technologies you may be able to limit or

disable, such as through your browser’s or mobile device’s settings, or plug-ins.

Page 5 of 10

How we use your personal information

We use your personal information for the purposes described in this Policy, including

the chart linked above, or otherwise at the time of collection. These purposes include:

Service delivery: We may use your PI to establish and maintain your account with us;

enable you to order, pay for, and have delivered our products; process returns;

communicate with you about our services, including to provide customer support;

facilitate your log-in to the Website via other platforms (such as Facebook); provide,

improve, and operate our services and the Website, including their security (such as by

remembering devices from which you have previously logged in, sending you security

codes). We may share your PI with other entities who assist us in serving you, such as

payment processors, shippers, IT support, and customer support.

Marketing: We, or other entities on our behalf, may use your PI to market our services

to you. You can opt-out of our marketing (but not transactional) e-mails (by clicking

“unsubscribe”). You can opt-out of push notifications, and texts (if you had authorized

any) at any time. We (and other entities) may use your PI to advertise our services to

you across other websites or platforms (for example, Facebook), or devices.

Legal compliance: In addition to the uses and disclosures described in this Policy, we,

and our service providers, may use and disclose PI to (1) comply with laws, including

without limitation federal, state, and local laws; (2) comply with a civil, criminal, or

regulatory inquiry, investigation, subpoena, or summons by appropriate authorities; (3)

cooperate with law enforcement agencies concerning conduct or activity that we, our

service providers, or others reasonably and in good faith believe may violate law; (4)

exercise or defend legal claims; and (5) provide in a privileged communication.

Business transfers: PI may be transferred as part of a merger, acquisition, bankruptcy

(or other transaction in which an entity assumes control or all or part of Sun Basket).

Retention: We store and retain PI for no longer than necessary for our Business and

Commercial Purposes and in accordance with our legal and regulatory compliance

obligations, and legitimate business interests.

De-Identified or Aggregate Information: We may collect, use, and retain de-identified

and/or aggregate consumer information (by definition, that is not, or no longer, personal

information). We may disclose (including sell) it to third parties such as advertisers and

content distributors (for example, how many recipients of advertisements clicked on

them).

VI. No Personal Information Sold

Sun Basket does not sell, rent, trade, or otherwise transfer PI to others for monetary or

other valuable consideration; nor for another’s direct marketing, or other commercial,

purposes. This includes, without limitation, any PI collected through or to use the

Page 6 of 10

Website or Sun Basket’s services (including e-mails provided for newsletters or other

communications from Sun Basket); collected from Sun Basket’s job applicants,

employees, contractors, owners, directors, officers; collected from communications

between representatives for another entity with Sun Basket’s representatives within the

context of providing or received a product of service (“business-to-business contacts”);

or accessed by or accessible to Sun Basket through a contractual role with (for

example, providing services to) another entity (“controller”) that is responsible for the

information.

VII. On-Line Tracking and Do Not Track (“DNT”) Signals

Like many e-commerce websites and companies, we use tracking tools (including

cookies and pixels) to collect information when you visit our Website or receive our e-

mails. As described above, we, and other entities, may collect information, which may

include PI, about your on-line activities, over time, across third party websites and on-

line services (such as Facebook and Twitter), and across devices. Such technologies,

and data from them, serve a variety of purposes, including to provide advertising we

hope is better aligned with your interests, website analytics, and your social media

sharing.

“Do Not Track” (“DNT”) signals can be set in some web browsers, expressing a privacy

preference to opt out of tracking by websites and other online services over time and

across websites. However, unfortunately there is no universal standard for DNT signals,

or for recognizing all of them. Our Website does not respond to DNT signals or other

mechanisms with similar intent.

VIII. Children’s Privacy

Our Website is not intended for use by, or designed to attract, minors. We do not

knowingly collect or use (nor sell) personal information from or about anyone under age

16 (and have no actual knowledge of sales). If a parent or guardian believes we may

nonetheless have his/her child’s personal information, please contact us promptly using

the information in Section II so we can investigate and take appropriate action.

IX. Scope of Policy & Regional Supplements

Some laws (and notice requirements) apply only to entities engaged in certain types of

operations, that meet certain specific criteria, or that operate in certain jurisdictions.

Nothing in this Policy, including region-specific supplements and statutory references,

constitutes an admission that a particular law applies to Sun Basket, or to information to

which it may have access.

Except where explicitly referred to, this Policy does not address personal information (i)

of Sun Basket’s employees, job applicants, contractors, owners, directors, or officers (to

Page 7 of 10

the extent their personal information is collected and used solely within the context of

those roles); or (ii) from communications with “business-to-business contacts.”

The following supplemental disclosures are based on location and/or place of residency.

1. Personal Information collected about residents of the State of California

a. Inquiries about third party direct marketing (“Shine the Light”)

For purposes of this paragraph we refer to and use terms as defined in California’s

“Shine the Light” Law (Cal. Civil Code Section 1798.83). Certain California residents

who have an established business relationship with certain entities have a right to, once

per calendar year, request information about disclosures of categories of personal

information for another entity’s direct marketing purposes to the customer in the prior

year (if any). A “customer” is a Californian who provides personal information as part of

a transaction primarily for personal, family, or household purposes; the direct marketing

would similarly be for the customer’s personal, family, or household purposes. As noted

in Section VI, above, Sun Basket does not transfer personal information to others for

that other entity’s direct marketing purposes. Without conceding this law applies to Sun

Basket, to have a request considered, please use the contact information in Section II.

b. California Consumer Privacy Act (“CCPA”)

The California Consumer Privacy Act (“CCPA”) (Cal. Civil Code Section 1798.100, et

seq.), provides certain rights to residents of California, with respect to their personal

information (defined differently in the CCPA than in the “Shine the Light” law, and to

include “households” as and to be defined in the CCPA’s Regulations), with respect to

certain entities (which the CCPA specially defines as a business). If you are a California

resident (“you” for purposes of this section), know that the rest of this Policy still applies

to you. But in addition, you may have the following rights as to PI about you we have

collected (subject to identity verification, and certain legal limitations – request rights are

not absolute).

First, in the twelve months prior to the Effective Date of this Policy, our PI collections,

categories of sources, uses, and disclosures were as described in the Policy, including

the chart linked in Section V, above.

Next, a Californian has the right to request any, or all, of the following from us, about

his/her personal information collected or disclosed, in the twelve months prior to his/her

request:

(i) the categories of your PI we collected; and/or

(ii) the categories of sources of that PI; and/or

(iii) the business purpose, or commercial purpose (both as defined in the CCPA)

for which your PI was collected, or sold (if sold); and/or

Page 8 of 10

(iv) the categories of “third parties” (as defined in the CCPA) to which each

category of your PI was disclosed or sold (if any); and/or

(v) the categories of your PI disclosed for a business purpose, or sold, to third

parties (if any); and/or

(vi) the specific pieces of PI collected about you. We will advise you if

Regulations implementing the CCPA prohibit us from providing certain types of

PI you request.

Please be aware that the CCPA does not require a business to respond to, and we will

not respond to, more than two requests for PI per Californian, per year. Also, the CCPA

permits us to decline to act on a request, or charge a reasonable fee, at our discretion,

for “manifestly unfounded or excessive” requests.

Next, a Californian has the right to request deletion of his/her PI we have collected, at

any time. Understand however, that this right is not absolute. California law permits us

to retain and not delete PI in certain circumstances (including by way of example, where

the PI is necessary to complete the transaction for which it was collected; to provide a

good or service requested by you or reasonably anticipated within the context of Sun

Basket’s ongoing business relationship with you; to comply with legal obligations; to

detect security incidents, and protect against and prosecute those responsible for

malicious, deceptive, fraudulent, or illegal activity; for lawful internal uses compatible

with the context in which the PI was provided; and in archived or backup systems

subject to certain limitations). Per the CCPA, we will also keep records, for at least two

years, of requests to know, and to delete.

Next, a Californian has the right to direct a business that sells personal information, not

to sell his/her personal information (the right to “opt-out”). Sun Basket does not believe

its PI disclosures, as described in this Policy, are sales, as understood under the CCPA.

There is no right under the CCPA to opt-out of disclosures or relationships other than

those that are sales.

Next, Californians have the right to exercise CCPA rights without being discriminated

against as a result. Do be aware that if you do not provide, or you request we delete,

information we need in order to provide our services to you, we may not be able to

provide you those services. The CCPA permits differential pricing and services,

including financial incentives, related to the collection, retention, or sale of PI

(collectively for purposes of this Policy, “incentives”), where the incentives are

reasonably related to the value of the PI. If/when Sun Basket offers such incentives,

additional information will be provided so you can make an informed decision about

whether to participate.

You may authorize an agent to submit and communicate with us about requests to

know or to delete on your behalf. For us to recognize someone as an “authorized agent”

for you, know that the CCPA requires the person or entity to be registered with the

California Secretary of State, to conduct business in California, and the CCPA prohibits

agents from using any information collected from or about you other than to fulfill your

Page 9 of 10

requests, for verification, or for fraud prevention. For privacy and security purposes,

unless otherwise required by law we may require the following information before

communicating with an agent on your behalf, and we may notify you of additional or

different requirements: You will need you to verify directly with us your identity, and that

you are a Californian; you will need to verify directly with us that you authorize the agent

to act on your behalf, and/or your agent must submit proof satisfactory to us that you

have authorized the agent to act on your behalf, which may include a copy of your

signed permission.

Finally, the CCPA excludes or limits certain categories from rights listed above:

1. Business-to-Business Contacts: Personal information that may be exchanged in

communications between representatives for another entity with Sun Basket’s

representatives, solely within the context of providing or receiving a product of

service (business-to-business contacts), is exempt from CCPA rights (other than

the right to “opt-out” of sale, where PI is otherwise sold).

2. Employees, job applicants, owners, directors, officers, contractors: Personal

information collected and used solely in the context of a Californian’s role as

employee, job applicant, owner, director, officer, or contractor, including PI

collected and used solely as emergency contacts or to administer benefits, is

exempt from certain CCPA rights, notably including the right to request

information, or deletion. Where required, Californians in those categories will be

provided notices specific to their situations separately from this Policy (for

example, from Sun Basket’s Human Resource Department, for applicants and

employees).

For requests and communications regarding the CCPA, please use the contact

information in Section II.

2. Personal information collected from other States’ residents

Recognizing that data protection laws are evolving throughout the United States,

individuals wishing to exercise rights under jurisdictions not specifically referenced in

this Policy are welcome to contact us using the information in Section II. We will

evaluate, and comply to the extent required under applicable law. For example:

Nevada law allows certain website visitors to direct entities not to sell their covered

information. What information is covered, and what it means to sell, are different,

narrower categories than in the CCPA. Specifically, only if covered information is sold,

for resale, may a consumer opt-out. Without conceding this law applies to Sun Basket,

for requests under the Nevada law please use the contact information in Section II.

3. Personal information collected from outside the United States

Page 10 of 10

The Website is owned and operated by Sun Basket in the United States. Data will be

accessible to us, our affiliates, vendors, and suppliers, there, and in other countries to

which we may transfer data in the course of our business operations (subject to the

disclosure practices described in the Policy). If you visit our Website or otherwise

communicate with us from outside the United States it will necessarily result in the

transfer of data across international boundaries. By doing so, you consent to collection,

storage, and processing of your data in any State in the United States, and in any

country to which we may transfer your data in the course of our business operations,

which may have different (including lesser) data protection standards than does your

country of residence.

Sun Basket’s services are not available outside the United States. Nor is the Website

intentionally directed at individuals outside the United States. Some laws apply to

certain information gathered from or about individuals outside the United States, under

certain circumstances. Without conceding that any apply to Sun Basket, out of an

abundance of caution to the extent any personal information is collected from within the

European Economic Area (“EEA”), and if the General Data Protection Regulation

(“GDPR”) applies to it, that information will be governed by the supplemental

disclosures attached. Those supplemental disclosures will, as to that information (only),

where required by the GDPR, take precedence over anything to the contrary in this

Policy. Individuals wishing to exercise rights under the GDPR, or other international

regimes not specifically addressed in the Policy, should contact Sun Basket using the

information in Section II. We will evaluate, and comply with requests to the extent

required under applicable law.

Page 1 of 9

SUN BASKET PRIVACY POLICY

PERSONAL INFORMATION COLLECTION CHART

This chart supplements Sun Basket’s Privacy Policy (version 2.0), and is effective July 1, 2020.

A middle column lists examples (as “representative data elements”) provided by the California Consumer Privacy Act (“CCPA”) to

help explain what each category means. That an example is listed does not mean we necessarily collect it. Please read below where

we identify which we do collect. (This chart does not address personal information of job applicants, employees, directors, officers,

contractors, or business-to-business contacts, collected in the context of those roles).

Where we say we do not collect certain types of personal information (“PI”), please do not include it in your communications with

us, or in content you post on our Website (“your public content”). PI nonetheless received, or received from unexpected or

otherwise unlisted sources, will be handled in accordance with the Policy. Any information (whether otherwise personal or not) you

choose to provide for posting on our Website will be publicly viewable on the Website. Potential Website visitors should be

considered potential recipients for any public content.

“Personal information” includes the following, but only if/when it identifies, relates to, describes, is reasonably capable of being

associated with, or could be reasonably linked, directly or indirectly, with a particular individual or household:

CATEGORIES OF PI

FROM WHICH WE

MAY COLLECT

SOURCES WE MAY

COLLECT PI FROM

REPRESENTATIVE DATA

ELEMENTS MAY INCLUDE

PURPOSE(S) OF COLLECTION –

HOW WE MAY USE THE PI

CATEGORIES OF RECIPIENTS

WE MAY SHARE PI WITH

A. Identifiers.

You.

Your browsers

and/or devices

(including through

technologies such

Contact information: Real

name; alias; postal address;

telephone number; email

address.

We collect names, e-mail

addresses, and zip codes from

Contact information (name,

address, e-mail address,

telephone number, Facebook

Messenger ID, Click IDs), for

our Business and Commercial

Purposes (described in more

detail at the end of this chart).

Companies with which we

have contractual

relationships, to administer

our relationship with you

(such as for e-mails,

customer support, credit

card transactions, product

Page 2 of 9

CATEGORIES OF PI

FROM WHICH WE

MAY COLLECT

SOURCES WE MAY

COLLECT PI FROM

REPRESENTATIVE DATA

ELEMENTS MAY INCLUDE

PURPOSE(S) OF COLLECTION –

HOW WE MAY USE THE PI

CATEGORIES OF RECIPIENTS

WE MAY SHARE PI WITH

as cookies and

pixels).

Data brokers.

those who choose to create

password-protected accounts

with us (“account-holders”).

We collect e-mail addresses

from those who request e-mail

communications from us

through our Website, and

telephone numbers from those

who request text

communications from us. From

customers, we collect mailing

and billing addresses (which ae

necessary to process orders),

and phone numbers (which are

optional but may be helpful for

customer service). We also

collect addresses and phone

numbers from those who opt

to provide them to us, for

example when populating their

accounts with us.

We do not collect social

security numbers; driver’s

license numbers; passport

numbers; similar personal

identifiers including state

identification numbers.

These may include to

communicate with you,

administer our relationship

with you, including providing

products and services and e-

mail newsletters and push

notifications you request from

us, and market our services.

IP address, for our Business

and Commercial Purposes,

including to make sure our

Website works properly with

your device; to recognize your

device and your preferences

when you return to our

Website; where maintained in

a manner by which we may be

able to reasonably identify you,

to market our services to you;

to assist you in sharing content

from our Website or accessing

links from our Website; to

protect the integrity of our

Website such as by identifying

and preventing fraud and

unauthorized users; for our

analytical purposes.

delivery) and otherwise

operate our business,

including to help us maintain

the security and functionality

of our Website and other

assets (including IT vendors);

to assist us in analyzing use

of our Website and other

services (such as analytics

providers); to help us market

our services (such as

advertisers; digital

publishers; survey providers);

to companies providing data

enrichment, and/or e-mail

and physical address

verification, to us.

For customers’ (and shipping

recipients’) contact

information, categories of

recipients also include those

necessary for payment

processing (by way of

example, payment

processors, payment card

networks, banks); order

fulfillment (for examples,

Page 3 of 9

CATEGORIES OF PI

FROM WHICH WE

MAY COLLECT

SOURCES WE MAY

COLLECT PI FROM

REPRESENTATIVE DATA

ELEMENTS MAY INCLUDE

PURPOSE(S) OF COLLECTION –

HOW WE MAY USE THE PI

CATEGORIES OF RECIPIENTS

WE MAY SHARE PI WITH

We may collect other unique

personal numbers, such as

account username, Facebook

Messenger IDs, and Click IDs.

Internet Protocol (“IP”)

address. (Like other data, an IP

address is only PI if it identifies,

relates to, describes, is

reasonably capable of being

associated with, or could be

reasonably linked, directly or

indirectly, with a particular

individual or household).

shippers) and return

processing.

As shorthand in the rest of

this chart, for convenience

we will refer to the above

collectively as “companies

with which we have

contractual relationships.”

Other entities, such as social

media sites to assist you in

sharing content from or

linking to them from our

Website.

B. Cal. Civ. Code Sec.

17980.80(e)

categories. (Those

that are redundant

of another CCPA

category are

addressed in the

more specific

sections of this

chart).

You.

Signature; physical

characteristics or description;

insurance policy number; bank

account number; credit card

number; debit card number; or

any other financial information,

medical information, or health

insurance information.

Credit or debit card numbers

(and related information such

as expiration dates, card

Your credit or debit card

number, or other payment

information, for our Business

Purposes, to administer our

relationship with you, including

providing products and services

you request from us.

Your signature, for security of

deliveries.

Companies with which we

have contractual

relationships, for payment

processing (by way of

example, payment

processors, payment card

networks, banks).

Page 4 of 9

CATEGORIES OF PI

FROM WHICH WE

MAY COLLECT

SOURCES WE MAY

COLLECT PI FROM

REPRESENTATIVE DATA

ELEMENTS MAY INCLUDE

PURPOSE(S) OF COLLECTION –

HOW WE MAY USE THE PI

CATEGORIES OF RECIPIENTS

WE MAY SHARE PI WITH

security codes) are collected

via our Website from

customers, for and through our

payment processors. We may

also maintain information such

as redacted payment card

numbers.

We do not collect (and you

should not provide us) any

medical or insurance

information, or any other

financial information, from or

about Website visitors,

account-holders, or customers.

That someone searches for, or

purchases, certain meal plans

does not disclose medical

information.

Our shipping vendors may

collect signatures upon

deliveries.

C. Certain statutory

classifications.

You.

Data brokers.

We may collect, such as age,

gender, race, religion,

disability.

For our Business Purposes, if

relevant to administering our

relationship with you or your

household (such as using your

preferred gender identifier in

Companies with which we

have contractual

relationships.

Page 5 of 9

CATEGORIES OF PI

FROM WHICH WE

MAY COLLECT

SOURCES WE MAY

COLLECT PI FROM

REPRESENTATIVE DATA

ELEMENTS MAY INCLUDE

PURPOSE(S) OF COLLECTION –

HOW WE MAY USE THE PI

CATEGORIES OF RECIPIENTS

WE MAY SHARE PI WITH

communications; addressing

disability accommodations you

may request; complying with

legal obligations related to

children); our Commercial

Purposes, to better market our

services to you; to identify

likely demographics to tailor

our marketing.

D. Commercial

information.

You.

Such as records of personal

property, products or services

purchased, obtained, or

considered, or other

purchasing or consuming habits

or tendencies.

We collect, as to searches on

our Website and transactions

with us.

For Business Purposes, where

relevant to administering our

relationship with and to

provide our services to you

(such as completing your

transactions, and returns); for

Commercial Purposes, to

market our services.

Companies with which we

have contractual

relationships.

E. Biometric

information

(physiological,

biological, or

behavioral

None.

We do not collect biometric

information, such as

fingerprints, retina images,

voice recordings, from which

an identifier template can be

N/A

Page 6 of 9

CATEGORIES OF PI

FROM WHICH WE

MAY COLLECT

SOURCES WE MAY

COLLECT PI FROM

REPRESENTATIVE DATA

ELEMENTS MAY INCLUDE

PURPOSE(S) OF COLLECTION –

HOW WE MAY USE THE PI

CATEGORIES OF RECIPIENTS

WE MAY SHARE PI WITH

characteristics that

can be used to

establish individual

identity, either alone

or in combination

with other data).

extracted; keystroke patterns

or rhythms, gait patterns or

rhythms; sleep, health, or

exercise data that contain

identifying information.

F. Internet or other

electronic network

information.

Your browsers,

and/or devices’

interaction with our

Website or e-mails

from us, or links to

our Website,

including from

cookies, pixels, web

beacons, and

similar technology,

Click IDs.

We collect, such as browsing

history, search history,

information regarding your

interaction with an internet

website, application, or

advertisement.

We collect device information

such as operating system and

browser used, type of device

(such as laptop, tablet,

smartphone), device cookie

settings.

For our Business and

Commercial Purposes,

including to present our online

services to you and make sure

our Website works properly

with your device; to market our

services; to assist you in

sharing content from our

Website or accessing links from

our Website; to protect the

integrity of our Website such as

by identifying and preventing

fraud and unauthorized users;

to monitor and improve our

Website; and for our analytical

purposes.

Companies with which we

have contractual

relationships.

Other entities, to assist you

in sharing content from or

linking to them from our

Website.

G. Geolocation data.

Your browsers

and/or devices.

We may collect information

about physical location from

geolocation features on your

For our Business and

Commercial Purposes,

including to protect the

Companies with which we

have contractual

relationships.

Page 7 of 9

CATEGORIES OF PI

FROM WHICH WE

MAY COLLECT

SOURCES WE MAY

COLLECT PI FROM

REPRESENTATIVE DATA

ELEMENTS MAY INCLUDE

PURPOSE(S) OF COLLECTION –

HOW WE MAY USE THE PI

CATEGORIES OF RECIPIENTS

WE MAY SHARE PI WITH

device (if permitted by your

settings choices); and from

your device’s IP address.

integrity of our Website such as

by identifying and preventing

fraud and unauthorized users;

to monitor and improve our

Website; to market our

services, including to provide

Website users access to

products available in their

geographic areas; and for our

analytical purposes.

H. Audio, electronic,

visual, or similar

information.

You.

We may collect, such as voice

recordings (for example, your

communications with or

messages left for customer

service); photos, videos (if you

provide to us; if you post on

our Website).

For Business Purposes,

including to communicate with

you, and otherwise administer

our relationship with you; for

Commercial Purposes, to

market our services (photos or

videos you choose to post on

our Website).

Companies with which we

have contractual

relationships.

I. Professional or

employment-related

information.

None.

We do not collect.

N/A

J. Certain Education

information (non-

None.

We do not collect.

N/A

Page 8 of 9

CATEGORIES OF PI

FROM WHICH WE

MAY COLLECT

SOURCES WE MAY

COLLECT PI FROM

REPRESENTATIVE DATA

ELEMENTS MAY INCLUDE

PURPOSE(S) OF COLLECTION –

HOW WE MAY USE THE PI

CATEGORIES OF RECIPIENTS

WE MAY SHARE PI WITH

publicly available

education

information

protected by federal

law (FERPA)).

K. Inferences.

You.

Your browser or

device, including

your online usage.

Analytics providers.

Data brokers.

We collect references,

characteristics, psychological

trends, predispositions,

behavior, attitudes,

intelligence, abilities, aptitudes.

For our Business and

Commercial Purposes,

including to personalize your

Website experience; to market

our services; for our analytical

purposes.

Companies with which we

have contractual

relationships.

L. Other PI (and non-

personal

information).

You.

Others, who may

share information

about you (such as

to refer you to us,

or to purchase a

delivery from us to

you).

Data brokers.

Social media sites.

We may collect potential

individual and/or household

demographics, such age

ranges, gender distribution,

educational levels, purchasing

habits, family compositions.

To enhance or supplement our

existing information, for our

Business and Commercial

purposes as set forth

elsewhere in this Policy,

including tailoring our

marketing.

Companies with which we

have contractual

relationships.

Page 9 of 9

CATEGORIES OF PI

FROM WHICH WE

MAY COLLECT

SOURCES WE MAY

COLLECT PI FROM

REPRESENTATIVE DATA

ELEMENTS MAY INCLUDE

PURPOSE(S) OF COLLECTION –

HOW WE MAY USE THE PI

CATEGORIES OF RECIPIENTS

WE MAY SHARE PI WITH

Information in the

public sphere.

We provide here for convenience CCPA definitions of “business” and “commercial” purposes:

“Business purpose” means use of PI to achieve our, or our service providers’, operational purposes, or other notified purposes,

provided the use is reasonably necessary and proportionate to achieve the operational purpose for which the PI was collected or

processed, or for another operational purpose that is compatible with the context in which the PI was collected: (1) Auditing related

to a current interaction with you and concurrent transactions, and auditing compliance with this and other standards; (2) detecting

security incidents; protecting against malicious, deceptive, fraudulent, or illegal activity; and prosecuting those responsible; (3)

debugging to identify and repair errors that impair intended functionality; (4) short-term, transient use (where not disclosed to a

third party and used to build a consumer profile or otherwise alter your experience outside the current interaction); (5) performing

services on behalf of us or our service provider, including maintaining or servicing accounts; providing customer service; processing

or fulfilling orders and transactions; verifying customer information; processing payments; providing financing; providing advertising

or marketing for our services; providing us analytics about our services; or providing similar services on our or our service providers’

behalf; (6) internal research for technological development and demonstration; (7) activities to verify or maintain the quality or

safety of a service or device that is owned, manufactured, manufactured for, or controlled by us, and to improve, upgrade, or

enhance that service or device; and (8) information related to job applicants, employees, directors, officers, and contractors,

collected and used in those contexts, including emergency contacts and benefit administration.

“Commercial purpose” means to advance one’s commercial or economic interests, such as by inducing someone to buy, rent, lease,

join, subscribe to, provide, or exchange products, goods, property, information, or services, or enabling or effecting, directly or

indirectly, a commercial transaction.

Page 1 of 1

SUN BASKET PRIVACY POLICY

GDPR ADDENDUM

Effective Date: This GDPR ADDENDUM (“Addendum”) is effective July 1, 2020.

As noted in our Privacy Policy (the “Policy”), which this Addendum supplements, our

services, and Website, are not intentionally directed at individuals outside the United

States. Out of an abundance of caution, to the extent personal information may be

collected from within the European Economic Area (“EEA”) to which the General Data

Protection Regulation (“GDPR”) applies, that personal information (for this Addendum

and Section IX(3) of the Policy, as defined in the GDPR) will be governed by the GDPR,

and this Addendum, which will, as to that information, take precedence over anything to

the contrary in the Policy.

If you have questions about or wish to exercise any privacy rights pursuant to this

Addendum or the Policy, or otherwise under applicable law (whether or not referred to in

the Policy), or wish to correct your personal information, contact us using the

information in Section II of the Policy.

Those in the EEA may have the following rights, depending on the relation of the entity

collecting, using, or disclosing it to them, or to the EEA:

Right of access: To obtain confirmation of whether, and where, personal information

may be processed; for personal information processed, its categories, purposes, and

how applicable retention periods are determined; categories of recipients; a copy of

personal information held;

Right of portability: In certain circumstances, to receive a copy of the personal

information in a structured, commonly used, machine-readable format that supports re-

use, or to request personal information’s transfer to another;

Right to rectification: To correct inaccurate or incomplete personal information without

undue delay;

Right to erasure: In certain circumstances, to require erasure of personal information

without undue delay, if the continued processing of personal information is unjustified;

Right to restriction: In certain circumstances, to require processing of personal

information to be limited to certain purposes;

Right to object: To object to or decline marketing activities, for any reason. We will

assess other objections based on your particular situation. There is a right to lodge a

complaint with local EU data protection authorities. See http://ec.europa.eu.