Updated April 2024

Privacy Policy

Updated April 2024

1. INTRODUCTION
We know privacy is important to you.
We have provided this Privacy Statement to explain how we, Clubessential Holdings and our Affiliated Group Companies (collectively, “CEH,” “we,” “us” or “our”), collect, use, share and otherwise process personal information collected through our services. “Services,” for purposes of this Privacy Statement, shall include, as applicable, personal information provided through your interaction with our technology platforms, websites, mobile applications, social media pages, marketing activities, and related services, including setting up your account and collecting your personal information for billing purposes. “Personal information” means any information relating to an identified or identifiable natural person (as context requires, we may also refer to personal information as “personal data.” Our “Affiliated Group Companies” are identified below in Section 15.

2. OUR DIFFERENT ROLES
We provide Services to our customers, clients and subscribers (collectively, “Subscribers”) through an agreement with them, and solely for their benefit and the benefit of their authorized personnel and end users of the Services (collectively, “End Users”).
This Privacy Statement does not apply where we process personal information as a service provider (or data processor) on behalf of Subscribers. Where we act as a data processor, it will be the privacy policies of our Subscribers that will apply instead of this Privacy Statement. In that scenario, our data processing activities will be governed by the terms and conditions of our agreement with the Subscriber, including, without limitation, a Data Processing Addendum. If you have questions about our Subscribers’ privacy policies, or if you wish to exercise any of your privacy rights with regard to your personal information, please contact the Subscriber directly with whom you have a business relationship.
Where we act as a data controller, meaning we determine the purpose and means of the personal data processed (for example, in the management of a Subscriber’s account with us), this Privacy Statement will apply. Depending on the circumstances, there may be more than one data controller processing your personal information; for example, your parent company, franchisor, financial partner or employer may also be a data controller. In these situations, we act as an independent controller over our processing activities, meaning we determine how your personal information will be processed independently from these other data controllers. All other data controllers will have their own obligations under applicable privacy laws and we are not responsible for their processing activities. There may be other situations where we, as a data controller, may share your personal information with our Affiliated Group Companies and conduct processing activities as a joint controller for the purposes set forth in this Privacy Statement.

3. PERSONAL INFORMATION THAT WE COLLECT

The personal information that we collect or otherwise receive about you depends on the context of your interactions with us, how your account is configured, and the choices you make with respect to your privacy settings. The way we process your personal information may also depend on the particular Services you are using, where you are located, and applicable privacy laws.
3.1. Information You Provide to Us. We collect personal information that you provide to us, including:
(a) Contact Information and Account Data. We collect information from you (or your organization) when you activate Services, create an account with us, and/or upload content or data to our technology platform or systems. Personal information may include your name, title, company name, mailing address, contact for billing purposes, phone number, email address, communication preferences, business location details, and account credentials (such as your username and login).
(b) Personal Identifiers. We may collect information to verify your identity such as your name, date of birth, social security number, driver’s license number, government issued ID details, or similar information to verify your identity.
(c) Communication, Training, Support, Feedback and Related Data. We may collect personal information such as your name, email address, phone number and any other personal information that you choose to share when you contact us for support, to give us feedback, to participate in an optional survey, to attend our events, to receive training, or to otherwise communicate or engage with us. This information may include call center recordings and call monitoring records, chat and text records, voicemails, photographs and video images.
(d) Marketing Data. You may provide us with your contact information and preferences for receiving our marketing communications.
(e) Social Media and Websites. We receive content that you post to our social media pages or provide to us through our websites.
(f) Financial Information. We collect payment and billing-related information when you sign up for Services. Finance-related information may include a primary point of contact for billing-related purposes or your payment account details such as a bank account or credit card information.
3.2. Information Received from Others. From time to time, we may receive personal information about you from other sources, including:
(a) Authorized Users. Authorized users may provide information about you when they submit content through the Services. For example, your accountant or controller may enter payment details associated with your organization for us to be able to sendyou an invoice.
(b) Linked Third Party Services. We may receive information about you when you link a third-party service (i.e., social media accounts, payment service providers) with our Services or your account. For example, you may allow our Services to connect with a third-party payment processor or social media provider. The information we receive when you link or integrate our Services with a third party depends on the settings, permissions and privacy policies controlled by the third-party provider.
(c) Third-Party Vendors. We may receive information about you from third-party vendors and suppliers of ours that provide us with services or carry out functions related to the provision of our Services.
(d) Affiliated Group Companies. We may receive information about you from other Affiliated Group Companies, as permitted by this Privacy Statement.
(e) Business Partners. We may receive information about you and your activities from third party business partners, including resellers, joint marketers, payment service providers, market research firms, and companies that help us assess risk associated with our Services and technology platforms. Information that business partners provide may include billing information, contact information, company name, products and services that may be of interest to you, and the countries or places where your business operates.
(f) Public Information. We may collect information about you from publicly available sources, such as open government databases, social media platforms, and others.

3.3 Information Received Through Automatic Data Collection. We, our service providers, and our business partners may automatically log personal information about you, your computer or mobile device, such as:
(a) Device Information. We collect information from your devices, including information about how you interact with our Services and the products or services of our third-party service providers. This information includes device-specific identifiers, browser version, usage information, operating type, mobile network information, device settings and software data.
(b) Location Information. Certain features of our Services may collect your precise location information if you grant us permission to do so through your device settings.
(c) Communication Interaction Data. We or our third-party service providers may collect information from email providers, communication providers and social networks, such as your interaction with our emails, texts or other communications. We may do this through use of pixel tags (also known as clear GIFs) which may be embedded invisibly in our emails.
(d) Online Behavioral Data. We may automatically collect certain personal information about your use and interaction with our Services, including our websites, social media pages and marketing campaigns that we organize, including device information (such as your IP address and unique device ID), page view information and search results and links.
3.4 Information Received Through Cookies and Similar Technologies. We collect information when you access content, advertising, websites, interactive widgets, applications and other products (both on and off of our Services) where our data collection technologies such as web beacons, development tools, cookies and other technologies are present. These data collection technologies allow us to understand your activity on and off our Services and to store information when you interact with our Services. For more information, please review our Cookies Notice.

4. HOW WE USE PERSONAL INFORMATION
4.1 Use of Personal Information. We use personal information collected through the Services and through other means (for example, in person at one of our conferences or events) for the purposes described in this Privacy Statement, including:
▪ With your consent;
▪ To operate, audit and improve our Services and technology systems;
▪ To provide customer service and support;
▪ To provide and facilitate the delivery or products and services requested by you;
▪ To send you business-related information, including confirmations, invoices, technical notices, updates, security alerts, training information and administrative messages;
▪ To maintain your account with us;
▪ To enhance security, monitor and verify identity and service access, combat fraud, malware and other information security risks;
▪ To detect bugs, report errors and perform activities to maintain the quality and safety of our Services;
▪ To develop and send you marketing, sales and promotional communications in line with your selected communication preferences;
▪ To communicate with you about one of our events, conferences, webinars or demos;
▪ To implement or deploy our Services at your business location, either onsite or remotely;
▪ To respond to your comments or questions, or provide you with information that you have requested;
▪ To display and measure engagement with promotions across different devices and sites;
▪ To maintain legal and regulatory compliance; and
▪ To process your information for other legitimate business purposes such as data analysis, audits, collecting and assessing feedback, identifying usage trends, determining the effectiveness of marketing campaigns, and to evaluate and improve our products, services, marketing and business relationships.

4.2 Legal Basis for Processing for Subscribers in the EEA. If you reside in the European Economic Area (“EEA”), we collect and process personal information about you only where we have a legal basis for doing so under the EU’s General Data Protection Regulation 2016/679 (“EU GDPR”) and the United Kingdom’s Data Protection Act of 2018 (“UK GDPR”). The legal basis depends on the Services you use and how you use them. This means we collect and use your personal data only where:
▪ We need it to provide you with Services, including to operate the Services, provide customer support and to protect the integrity of the Services and our technology systems where other clients, customers and subscribers are concerned;
▪ It satisfies a legitimate interest, such as for research and development, to market and promote the Services, and to protect our legal rights and interests;
▪ You give us consent to do so for a specific purpose; or
▪ We need to process your personal information to comply with a legal obligation, including our provision of Services to you under an agreement with us.

If you have consented to our use of personal information for a specific purpose, you have the right to change your mind at any time, but this will not affect any processing that has already taken place. Where we are using your information because we have a legitimate interest in doing so, you have the right to object to that use, although, in some cases, this may mean no longer being able to use the Services.

5. WHEN WE SHARE YOUR PERSONAL INFORMATION
We do not disclose and share your personal data with third parties other than as follows:
▪ Where it has been de-identified, including through aggregation or anonymization;
▪ When you instruct us to do so;
▪ With your consent, for example, when you agree to our disclosing your personal information with other third parties subject to their separate privacy policies and practices;
▪ With our Affiliated Group Companies;
▪ With third party vendors, consultants and other service providers who work with us and need access to your personal information to carry out their work function. Examples include vendors and third-party service providers who provide assistance with marketing, scheduling, billing, payment processing, data analysis, fraud detection and prevention, network and IT system security, technical support and customer service;
▪ With third party business partners who are involved in providing products and services to our Subscribers, including filling product requests, providing training or customer support, or implementing the Services.
▪ To comply with laws or to respond to lawful requests and legal process;
▪ To protect our rights and property (including that of our agents, representatives and business partners), and to enforce our agreements, policies and terms of service;

▪ In order to protect any individual’s vital interests (but only where we believe it reasonably necessary in order to protect that individual’s vital interests); and
▪ In connection with or during negotiation of any business transfer, merger, financing, acquisition, dissolution transaction or proceeding involving sale, transfer, divestiture or disclosure of all or a portion of our business or assets to another company.

6. DATA SECURITY
Although no company or service can guarantee complete security, we use appropriate technical and organizational measures to protect personal information that we collect and process. We have implemented information security policies, password protection protocols, rules and other technical measures to protect the personal information under our control from unauthorized access, improper use or disclosure, and unlawful destruction or accidental loss. The measures we use are designed to provide a level of security appropriate to the risk of processing your personal information. While information security risks are always evolving, so are the controls. The controls that we have implemented are periodically reviewed as part of internal and external audits.

7. RETENTION AND DELETION
We retain personal information that we collect from you where we have an ongoing legitimate business need for doing so (for example, to comply with applicable legal requirements or to enforce our agreement with you). When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it; or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible. When processing personal information of End Users on behalf of Subscribers, we will retain such End User data for as long as we are required under our agreement with the Subscriber; for as long as the Subscriber asks us to retain the End User data; or as required by applicable law.

8. PROTECTING CHILDREN’S PRIVACY
Our Services are not intended or directed to children under the age of 13. We do not knowingly collect personal information from children without prior parent consent. If you believe we may have information from a child, please contact us.

9. THIRD-PARTY SITES AND SERVICES
This Privacy Statement does not apply to the practices of companies that we do not own or control, or to people that we do not employ or manage. If our Services include links to third-party websites, please be aware that we are not responsible for the privacy practices of these third parties. We encourage you to familiarize yourself with the privacy policies for third-party companies so you have an understanding about how your personal information might be collected and used by them.

10. YOUR PRIVACY RIGHTS AND CHOICES
10.1 Privacy Rights for Subscribers. Certain privacy laws around the world, including the EU GDPR, UK GDPR and the California Consumer Privacy Act (as modified by the California Privacy Rights Act, which takes effect July 1, 2023 (together, the “CCPA”), provide users with rights related to their personal information. Consistent with those laws, we give you the choice of accessing, editing, or removing certain information, as well as choices about how we contact you. You may change or correct your account information through your account settings. You may also remove certain optional information that you no longer wish to be publicly available through the Services. You can also request to permanently close your account and delete your personal information. Depending on your location, you may also be entitled to other rights.
▪ Right to Access & Portability. You can access certain personal information associated with your account by visiting your account privacy settings. You can request a copy of your personal information by emailing us at privacy@clubessentialholdings.com with the subject heading: “Information Request.”
▪ Right to Correction. You have the right to request that we rectify inaccurate information about you. By visiting your account settings, you can correct and change certain personal information associated with your account.
▪ Right to Restrict Processing. In certain cases where we process your personal information, you may also have the right to restrict or limit the ways in which we use such information.
▪ Right to Deletion. In certain circumstances, you have the right to request the deletion of your personal information, except information we are required to retain by law, regulation, or to protect the safety, security, and integrity of the Services and our other clients or customers.
▪ Right to Object. If we process your information based on our legitimate interests as explained above, or in the public interest, you can object to this processing in certain circumstances. In such cases, we will cease processing your information unless we have compelling legitimate grounds to continue processing or where it is needed for legal reasons.
▪ Right to Withdraw Consent. Where we rely on consent, you can choose to withdraw your consent to our processing of your personal information using specific features provided to enable you to withdraw consent, like an email unsubscribe link in an email or your account privacy preferences. If you have consented to share your precise device location details but would no longer like to continue sharing that information with us, you can revoke your consent to the sharing of that information through the settings on your mobile device.

The CCPA provides California residents with the following additional rights:
▪ Right to Know. California residents may request disclosure of the specific pieces and/or categories of personal information that the business has collected about them, the categories of sources for that personal information, the business or commercial purposes for collecting the information, the categories of personal information that we have disclosed, and the categories of third parties with which the information was shared.
▪ Right to Opt-Out of the “Sale” of Personal Information. We do not “sell” personal information as that term is traditionally understood. We also do not knowingly “sell” personal information of consumers under 16 years of age. settings.

Limiting use of, or deleting, your personal information may impact features and functionalities that rely on that information. However, we will not discriminate against you for exercising any of your rights, including otherwise denying you use of the Services, providing you with a different level or quality of Services, or charging you a different price.

10.2 Privacy Rights of End Users. If you are an End User and the personal information pertaining to you as an individual has been submitted to us by or on behalf of a Subscriber, and you wish to exercise any data protection rights you may have with respect of such data under applicable law – including the right to access, port, correct, amend or delete such data – please send your request directly to the Subscriber with whom you have a business relationship. We have limited ability to access or correct a

Subscriber’s content or data. If, as an End User, you make your request directly to us, please provide the name of the Subscriber who submitted your personal information to our Services, and we will refer your request to that Subscriber and support them as we are able in responding to the request in a reasonable timeframe.
10.3 Exercising Your Privacy Rights. If you would like to manage, change, limit or delete your personal information, you can do so via your account settings in the Services. Alternatively, you can exercise any of the rights above by contacting us at privacy@clubessentialholdings.com.
10.4 Verification Procedures. To help protect privacy and the security of your personal information, we may ask you to provide us with additional information to verify your identity and/or ownership rights before we fulfill your privacy rights request. If we cannot verify your identity or your ownership rights in the data, we may not be able to act on your request until proper documentation is provided.
10.5 How to Opt Out from our Marketing. You can opt out from receiving marketing communications from us by:
▪ Clicking on the unsubscribe link within each marketing email;
▪ Updating your communication preferences within the Services (go to the account settings menu); or
▪ By contacting us directly to have your contact information removed from our distribution list.
Please note that even after you opt out from receiving marketing messages from us, you may continue to receive generic (non-targeted) ads and transactional (non-promotional) messages from us regarding our business relationship with you.

11. HOW WE TRANSFER DATA INTERNATIONALLY
We reserve the right to store and process your personal information in the United States and in any other country where we, our Affiliated Group Companies and our third-party service providers have operations in accordance with and as permitted by applicable privacy laws. Some of these countries may have privacy or data protection laws that are different from the laws of your country (and, in some cases, may not be as protective). When we transfer, store or process personal information outside of your jurisdiction (including to or in the United States), we take appropriate safeguards to require that your personal information remains protected in accordance with this Privacy Statement and applicable privacy laws.
Some of these recipients of your personal information are located in countries for which the European Commission and the United Kingdom Government (as and where applicable) have issued adequacy decisions, which means that these countries are recognized as providing an adequate level of data protection under applicable United Kingdom and/or European data protection laws and the transfer is therefore permitted under Article 45 of EU GDPR.
Other recipients of your personal information are located in countries outside the EEA or United Kingdom that are not the subject of an adequacy decision, for example, the United States. In these cases, we may use the Standard Contractual Clauses approved by the European Commission or, as applicable, the International Data Transfer Agreement approved by the United Kingdom Government, to help ensure your personal information is protected. Please contact us for additional information about the transfer safeguards we and our Affiliated Group Companies rely on.

12. ADDITIONAL DISCLOSURES FOR CALIFORNIA RESIDENTS

12.1 Shine the Light. California law entitles residents to ask for notice describing what categories of personal information we share with third parties for their own direct marketing purposes. We do not share any personal information with third parties for direct marketing purposes.
12.2 Notice of Collection. In addition to the rights and choices described above in Section 10, the CCPA requires disclosure of the categories of personal information collected over the past 12 months. While this information is provided in greater detail in Section 3, titled “Personal Information That We Collect,” the categories of personal information that we have collected (as described by the CCPA) are:
▪ Identifiers, including name, email address, location name, physical address.
▪ Other individual records such as phone number, billing address, or credit or debit card information. This category includes personal information protected under pre-existing California law (Cal. Civ. Code 1798.80(e)) and overlaps with other categories listed here.
▪ Demographics, such as your age or gender. This category includes data that may qualify as protected classifications under other California or federal laws.
▪ Commercial information, including purchases, transaction data, and engagement with the Services.
▪ Internet activity, including your interactions with the Services and what led you to those Services.
▪ Sensory visual data, such as pictures posted on the Service.
▪ Geolocation data provided through location enabled services such as WiFi and GPS.
▪ Inferences, including information about your interests, preferences and favorites. 12.3 Sources and Purposes for Our Collection. We collect these categories of personal information from the sources described above, and we use these categories of personal information for our business and commercial purposes as described in Section 4, titled “How We Use Personal Information,” including providing and improving the Services, maintaining the safety and security of the Services, processing payments and sales transactions, and for marketing purposes. 12.4 “Do Not Track” Signals. Some browsers have incorporated Do Not Track (“DNT”) features that can send a signal to the websites you visit indicating you do not wish to be tracked. Because there is not yet a common understanding of how to interpret the DNT signal, our Services do not currently respond to browser DNT signals. You can use the range of other tools we provide to control data collection and use, including the ability to opt out from receiving marketing from us as described above. 12.5 Accessibility. If you have a disability and would like to access this policy in an alternative format, please contact us by email at privacy@clubessentialholdings.com.

13. CHANGES TO THIS PRIVACY STATEMENT

We may update this Privacy Statement from time to time, so you should check back periodically. If we make changes that are material, we will provide you with appropriate notice before such changes take effect.

14. HOW TO CONTACT US
Your information is controlled by Clubessential Holdings, LLC and the Affiliated Group Company with whom you have a business relationship. If you have questions about this Privacy Statement or our privacy practices, please direct your inquiry to Clubessential Holdings, LLC and the relevant Affiliated Group Company at the contact information listed below.

15. AFFILIATED GROUP COMPANIES

UNITED STATES Clubessential
Clubessential, LLC
Attn: Privacy Team
4600 McAuley Place, Ste. 350
Cincinnati, OH 45242
Email: privacy@clubessentialholdings.com

ClubReady
ClubReady, LLC
Attn: Privacy Team
14515 North Outer Forty, Ste. 300
Chesterfield, MO 63017
Email: privacy@clubready.com

foreUP
Golf Compete, Inc. d/b/a foreUP
Attn: Privacy Team
1064 S N County Blvd., Ste. 260
Pleasant Grove, UT 84062
Email: privacy@foreup.com

Vermont Systems
RecTrac, LLC d/b/a Vermont Systems
Attn: Privacy Team
12 Market Place
Essex Junction, VT 05452
Email: privacy@vermontsystems.com

EUROPEAN ECONOMIC AREA (EEA) Innovatise
Innovatise GmbH
Attn: Privacy Team
Goethestraße 4-8
60313 Frankfurt am Main
Germany
Email: privacy@innovatise.com

TAC
TAC Informatiostechnologie GmbH
Attn: Privacy Team
Schildbach 211
8230 Hartberg, Austria
Email: privacy@tac.eu.com

Exerp
Exerp ApS
Attn: Privacy Team
Rued Langgaards Vej 8, 2 Floor
2300 Copenhagen, Denmark
Email: dpo@exerp.com

EEA Representative
Attn: Lawrence Goodman
lgoodman@clubessentialholdings.com