Last Updated and Effective on Aug 1, 2023.

Introduction

At Health4Heroes Inc., we respect your privacy. This Privacy Policy (“Policy”) is here to help you understand how we collect, process, and share your Personal Data (as defined below). We also describe your rights & choices with respect to how we process that Personal Data. Please read this Policy carefully.

Who We Are

This is the Policy of Health4Heroes (“Health4Heroes”, “Company”, “us”, “our”, or “we”), a Colorado 501(c)(3) charitable organization with offices at 1694 Topaz Dr., Loveland, CO 80537. You can contact us using the information below.

Scope & Acknowledgement

This Policy applies to information that relates to identified or identifiable individuals and households (“Personal Data”) collected through our “Services” which include:

• Our “Offline Services” such as when you attend an event or participate in one of our programs;

• Our “Digital Services” including:

o this website (“Website”), https://www.health4heroes.org/; o e-mails, texts and other electronic messages between you and us; and

o interactions with our content or services through third-party websites and services, if those services link to this Policy or you use them to direct your Personal Data to us.

This Policy reflects only how we collect and process Personal Data pertaining to our members, participants, and visitors to our Services (collectively, “users,” “you” or “your”). This Policy does not apply to information processed by other third parties, for example, when you visit a third-party website, attend a third-party event, or use a third-party’s services, unless those parties collect or process information on our behalf. Please review any relevant third-party’s privacy policy for information regarding their privacy practices.

Please read this Policy carefully to understand our policies and practices regarding your Personal Data and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Services. Your use of our Services indicates your acknowledgement of the practices described in this Policy.

Contact Us/Controller

The controller of your Personal Data is Health4Heroes. You may contact our data privacy team as follows:

--

Physical Address

Health4Heroes

1694 Topaz Dr.

Loveland, CO 80537

Rights Requests (where available under applicable law):

Email privacy@health4heroes.org, or call 970.661.3553.

--

Categories and Sources of Personal Data

• Categories of Personal Data We Process

The categories of Personal Data we process may include:

• Audio/Visual Data-Recordings and images collected at certain events or programs, as well as audio files and records, such as voicemails, call recordings, and the like.

• Biographical Data-Data relating to professional and employment history, qualifications, and similar biographic information.

• Contact Data-Identity Data we can use to contact you, such as email and physical addresses, phone numbers, social media or communications platform usernames/handles.

• Device / Network Data- Data regarding your device or interaction with a website, application, or advertisement (e.g. IP Address, MAC Address, SSIDs, application ID/AdID/IDFA, session navigation history and similar browsing metadata, and other data generated through applications and browsers, including cookies and similar technologies or other device identifiers or persistent identifiers), online user ID, device characteristics (such as browser/OS version), web server logs, application logs, first party cookies, third-party cookies, web beacons, clear gifs and pixel tags.

• General Location Data- Non-precise location data, e.g. information derived from the name of a business or related street address, or a city or region.

• Identity Data-Data such as your name, address, email address, telephone number, gender, date of birth, age and/or age range, account login details, e.g. username and password, avatar, or other account handles/usernames.

• Inference Data-Data reflecting your preferences, characteristics, predispositions, behavior, demographics, household characteristics, market segments, likes, favorites and other data or analytics.

• User Content-Unstructured/free-form data that may include any category of Personal Data, e.g. data that you give us in free text fields such as comment boxes.

• Sensitive Personal Data - Personal Data deemed “sensitive” under Colorado or other state laws, such as social security, driver’s license, state identification card, or passport number, account log-in and password, financial account, debit card, or credit card number; precise location data; racial or ethnic origin, religious or philosophical beliefs, etc. We collect the following categories of Sensitive Personal Data:

• “Government ID Data” Data relating to official government identification, such as driver’s license or passport numbers, including similar Identity Data protected as Sensitive Data under applicable law.

• “Payment Data” Information such as bank account details, payment card information, including similar data protected as Sensitive Data under applicable law.

• Sources of Personal Data We Process

We collect Personal Data from various sources, which include:

• Data you provide us-We receive Personal Data when you provide them to us, such as when you use our Services or sign-up to participate in any of our programs.

• Data we collect automatically-We collect Personal Data about or generated by devices used to access our Digital Services.

• Partners-We receive Personal Data from other businesses or nonprofits who partner with us to provide our Services.

• Data we create or infer-We, certain partners, social media companies, and third parties operating on our behalf, create and infer Personal Data such as Preference Data or Aggregate Data based on our observations or analysis of other Personal Data processed under this Policy, and we may correlate this data with other data we process about you.

Data Processing Contexts / Notice at Collection

• Membership Registration

We process Identity Data, Contact Data, Biographical Data, Government ID and Inference Data when you register, create an account, and/or subscribe to our Services. We process Payment Data if you associate payment information with that account. Government ID Data is processed to validate service and eligibility to participate in our program.

We use this Personal Data to create and maintain your account, to provide the products and services you request, and for our Business Purposes. We may process Identity Data, Inference Data, and Contact Data for Advertising. We do not sell Payment Data or Government ID Data or use it for Business Purposes not permitted under applicable law.

• Event Attendance/Participation

We process Identity Data, Contact Data, and General Location Data when you register for or attend an in-person event operated by or on behalf of Health4Heroes. We also process Payment Data if you attend one of our ticketed or paid events. We may collect Audio/Visual Data in the form of action shots, group photos, or testimonial videos in some cases, subject to your rights and choices.

We process this Personal Data to provide updates about the event, as well as for our Business Purposes. We use Identity Data, Inference Data, and Contact Data collected in this context for our Advertising. We do not sell Payment Data.

Digital Services

• General

We process Device/Network Data, Contact Data, Identity Data, General Location Data, and Inference Data. You may also be able to complete donations or purchases, register for an account, or register for an event through our Digital Services.

We use this Personal Data as necessary to operate our Digital Services, such as keeping you logged in, delivering pages, etc., for our Business Purposes, and our other legitimate interests, such as:

• ensuring the security of our Services and other technology systems; and

• analyzing the use of our Services, including navigation patterns, clicks, etc. to help understand and make improvements to the Services.

We may process this Personal Data for our Advertising.

• Cookies and Similar Tracking Technologies

We process Identity Data, Device/Network Data, Contact Data, Inference Data, and General Location Data, in connection with our use of cookies and similar technologies on our Digital Services. We may collect this data automatically.

We and authorized third parties may use cookies and similar technologies for the following purposes:

• for “essential” purposes necessary for our Digital Services to operate (such as maintaining user sessions, CDNs, and the like);

• for “functional” purposes, such as to enable certain features of our Digital Services (for example, to allow a member to maintain an online shopping cart);

• for “analytics” purposes and to improve our Digital Services, such as to analyze the traffic to and on our Digital Services (for example, we can count how many people have looked at a specific page, or see how visitors move around the website when they use it, to distinguish unique visits/visitors to our Digital Services, and what website they visited prior to visiting our website, and use this information to understand user behaviors and improve the design and functionality of the website);

• for “retargeting,” Targeted Advertising, or other advertising and marketing purposes, including technologies that process Preference Data or other data so that we can deliver, buy, or target advertisements which are more likely to be of interest to you; and

• for “social media” e.g. via third-party social media cookies, or when you share information using a social media sharing button or “like” button on our Services or you link your account or engage with our content on or through a social networking website such as Facebook or Twitter.

We may also process this Personal Data for our Business Purposes and Advertising. See your Rights & Choices for information regarding opt-out rights for cookies and similar technologies.

We may allow third parties to view, edit, or set their own cookies or place web beacons on our Websites. We, or third-party providers, may be able to use these technologies to identify you across platforms, devices, sites, and services. Third parties may engage in Targeted Advertising using this data. Third parties have their own privacy policies and their processing is not subject to this Policy.

Testimonials/Public Posts

We process Identity Data, Inference Data, Contact Data, and User Content you post content (e.g. comments, forum and social media posts, etc.) on or through our Digital Services. We also process Identity Data, Contact Data, User Content, and Audio/Visual Data if you provide a testimonial or consent to inclusion of similar content in our marketing materials.

We process this Personal Data for our Business Purposes, and Advertising.

Posts and testimonials may be public, or reposted on our Services. Content you provide may be publicly-available when you post it on our Services, or in some cases, if you reference, engage, or tag our official social media accounts or communications platforms.

Donations and Purchases

We process Payment Data, Identity Data, Inference Data, and Contact Data when you complete a purchase or donation. We do not permanently store your Payment Data, except at your request.

We process this Personal Data as necessary to perform or initiate a transaction with you, process your order, payment, or refund, carry out fulfillment and delivery, document transactions, and for our Business Purposes.

We may process Identity Data, Contact Data, and Device/Network Data for Advertising. We do not sell Payment Data or use it for Business Purposes not permitted under applicable law.

Marketing Communications

We process Device/Network Data, Contact Data, Identity Data, and Inference Data in connection with marketing emails, our newsletter, or similar communications, and when you open or interact with those communications. You may receive marketing communications if you consent and, in some jurisdictions, as a result of account registration or a purchase.

We process this Personal Data to contact you about relevant products or services and for our Business Purposes. We may use this data for our Advertising. See your Rights & Choices to limit or opt out of this processing.

Contact Us; Support

We collect and process Identity Data, Contact Data, and User Content when you contact us, e.g. through a contact us form, for support, or when you report a problem with our Services. If you call us via phone, we may collect Audio/Visual data from the call recording.

We process this Personal Data to respond to your request, and communicate with you, as appropriate, and for our Business Purposes. If you consent or if permitted by law, we may use

Identity Data and Contact Data to send you marketing communications and for our Advertising.

Feedback and Surveys

We process Identity Data, Contact Data, Inference Data, and User Content collected in connection with feedback surveys or questionnaires.

We process this Personal Data as necessary to respond to your requests/concerns, for our Business Purposes, and other legitimate interests, such as:

• analyzing users’ satisfaction; and

• to allow our third-party partners to communicate with users.

We may process this Personal Data for our Advertising. We may share Feedback/Survey data relating to third-party partners with those partners, who may use it for their own purposes.

Processing Purposes

Business Purposes

• Service Provision

We process any Personal Data as is necessary to provide the Services, and as otherwise necessary to fulfil our obligations to you, such as to provide you with the information and services you request, or to allow you to participate in interactive features on our Services. For example, if you give us an e-mail address to use the "e-mail a friend" feature of our Services, we will transmit the contents of that e-mail and your e-mail address to the recipients.

• Internal Processing and Service Improvement

We may use Personal Data for our Business Purposes related to improving our Services, understanding how our Services are used, for member service purposes, in connection with logs and metadata relating to service use, and for debugging, and similar purposes. Additionally, we may use Personal Data as necessary to as necessary to understand the performance of our Services, what products our members view or purchase, for internal purposes such as auditing or data analysis, use of the Services and performance improvement, or for troubleshooting.

• Security and Incident Detection

We may process Personal Data legitimate interests in/business purposes related to improving the security of our Websites, identifying and preventing crime or fraud, and detecting potential personal data breaches or incidents. We may analyze network traffic, device patterns and characteristics, maintain and analyze logs and process similar Personal Data in connection with our information security and anti-fraud activities.

• Aggregate Analytics

We process Personal Data as necessary in connection with our creation of aggregate analytics relating to how members, and users use our Services, such as the products and services used, service delivery metrics, member trends, and to create other reports regarding the use of our Services and other similar information and metrics. The resulting aggregate data will not contain information from which and user or member may be readily identified.

• Personalization

We process certain Personal Data in connection with our legitimate business interest in personalizing our Services. For example, aspects of the Services may be customized to you based on your interactions with our Services and other content. This processing may involve the creation and use of Inference Data relating to your preferences.

• Transactional Communications

We process certain Personal Data as appropriate in connection with our legitimate interests in/business purposes related to communicating with users about our Services. For example, we may reach out to you about your donation, account, or subscription, including expiration and renewal notices. Similarly, we may use your Personal Data to send important notices, such as communications about purchases and changes to our terms, conditions, and policies, or other information that relating to the products you have purchased or your use of our Service.

• Compliance Safety, and Public Interest

We may also process any Personal Data as necessary to comply with our legal obligations, such as where you exercise your rights under data protection law and make requests, to ensure content or advertising is directed to users eligible to participate in advertised Websites or view such content/advertisements, for the establishment and defense of legal claims, or where we must comply with our legal obligations, lawful requests from government or law enforcement officials, and as may be required to meet national security or law enforcement requirements or prevent illegal activity. We may also process data to protect the vital interests of individuals, or on certain public interest grounds, each to the extent allowed under applicable law.

Advertising

• Targeted Advertising

In some jurisdictions, we may engage in interest-based or retargeted advertising which may be based on Personal Data that we obtain or infer from your activities on our Website, or across nonaffiliated websites, applications, or services in order to predict your preferences or interests (“Targeted Advertising”). This form of advertising includes various parties and service providers, including third-party data controllers, engaged in the processing of Personal Data in connection with advertising. These parties may be able to identify you across sites, devices, and over time.

We generally use Targeted Advertising for the purpose of raising awareness and fundraising for our Services, marketing our Services and third-party goods and services, and to send marketing communications, including by creating custom marketing audiences on third-party websites or social media platforms.

Disclosure/Sharing of Personal Data

We may share Personal Data with the following categories of third-party recipients and/or for the following reasons:

• Affiliates-We may share Personal Data internally with our current and future subsidiaries and affiliates.

• Service Providers- We may share your Personal Data with service providers who provide certain services or process data on our behalf in connection with our general business operations, service fulfillment and improvements, to enable certain features, and in connection with our Business Purposes.

• Sponsors, Advertisers, and Social Media Platforms- We may share certain Personal Data with social media platforms (e.g. as part of marketing), advertisers, or sponsors in support of our Business Purposes and Advertising. We may allow these third parties to operate through our Services.

• Partners- We may offer you the opportunity to use services operated by third parties (such as our event partners or sponsors), and if you choose to use these services, we will disclose the Personal Data that you direct us to provide to them or as is appropriate to fulfill your requests. You may also direct us to disclose this data to or interact with these third parties as part of attending an event or program (which does not involve a data sale by us). However, in other cases, these parties may also receive data for Advertising.

• Successors- We may share Personal Data in the event of a merger, divestiture, restructuring, reorganization, dissolution or other sale or transfer of some or all of the Company's assets, whether as a going concern or as part of bankruptcy, liquidation or similar proceeding, in which Personal Data held by the Company about our users is among the assets transferred.

• Lawful Recipients-In limited circumstances, we may, without notice or your consent, access and disclose your Personal Data, any communications sent or received by you, and any other information that we may have about you to the extent we believe such disclosure is legally required, to prevent or respond to a crime, to investigate violations of our Terms of Use, in the vital interests of us or any person (such as where we reasonably believe the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual or to public health or safety) or in such other circumstances as may be required or permitted by law. These disclosures may be made to governments that do not ensure the same degree of protection of your Personal Data as your home jurisdiction. We may, in our sole discretion (but without any obligation), object to the disclosure of your Personal Data to such parties.

Your Rights & Choices

• Your Rights - Generally

Residents of Colorado and other states may have rights in their Personal Data under applicable laws. You may send us an e-mail via our contact link to request access to, correct or delete any Personal Data that you have provided to us. Requests to delete certain data may require you to delete accounts or terminate your membership. We may not accommodate a request to change information if we believe the change would violate any law or legal requirement or cause the information to be incorrect.

You may have the following rights, subject to regional requirements, exceptions, and limitations.

• Confirm - Right to confirm whether we process your Personal Data.

• Access - Right to access the Personal Data we have collected about you.

• Portability - Right to request that we provide certain Personal Data in a common, portable format.

• Deletion - Right to delete certain Personal Data that we hold about you.

• Correction - Right to correct certain Personal Data that we hold about you.

• Opt-out or Limit Use and Disclosure of Sensitive Personal Data - Right to opt-out of the processing of certain Sensitive Data, or request that we limit certain uses of Sensitive Personal Data. This right does not apply in cases where we only use Sensitive Personal Data where necessary, or for certain business purposes authorized by applicable law.

• Publicity – If we post images where you can be identified, or if you’ve agreed to provide a testimonial or use your Personal Data for promotional or marketing purposes, you can request that we limit use of your Personal Data for those purposes on a going forward basis. We may not be able to limit uses by third parties, in printed or physical materials, or where uses are permitted by applicable law.

• Submission of Requests

You may exercise your right to opt-out as set forth in the “Your Choices” section below. You or your agent may also submit requests to access, confirm, export delete, correct, or limit use of Personal Data by contacting us at privacy@health4heroes.org. We will verify whether and to what extent you have rights under applicable law, as well as your identity. If you have any questions or wish to appeal any refusal to take action in response to a rights request, contact us at privacy@health4heroes.org. We will respond to any request to appeal within the time period required by law.

• Verification of Rights Requests

If you submit a request, we typically must verify your identity to ensure that you have the right to make that request, reduce fraud, and to ensure the security of Personal Data. If an agent is submitting the request on your behalf, we reserve the right to validate the agent’s authority to act on your behalf.

We may require that you match personal information we have on file in order to adequately verify your identity. If you have an account, we may require that you log into the account to submit the request as part of the verification process. We may not grant access to certain Personal Data to you if prohibited by law or if we cannot appropriately verify.

Your Choices

• Marketing Communications

You can withdraw your consent to receive marketing communications by clicking on the unsubscribe link in an email (for email), by responding with “OPT-OUT,” STOP, or other supported unsubscribe message (for SMS), by adjusting the push message settings for our mobile apps using your device operating system (for push notifications), or for other communications, by contacting us using the information below. To opt-out of the collection of information relating to email opens, configure your email so that it does not load images in our emails.

• Withdrawing Your Consent/Opt-Out

You may withdraw any consent you have provided at any time. The consequence of you withdrawing consent might be that we cannot perform certain services for you, such as locationbased services, personalizing or making relevant certain types of advertising, or other services conditioned on your consent or choice not to opt-out.

• Cookies, Similar Technologies, and Targeted Advertising

• General- If you do not want information collected through the use of cookies, you can manage/deny cookies and related technologies using your browser’s settings menu. You may need to opt out of third-party services directly via the third-party. For example, to opt-out of Google’s analytic and marketing services, visit Google Analytics Terms of Use, the Google Policy, or Google Analytics Opt-out. If you disable or refuse cookies, please note that some parts of this site may then be inaccessible or not function properly.

• Targeted Advertising- You may opt out or withdraw your consent to Targeted Advertising by submitting requests to third-party partners, including for the vendors listed below:

• Google Ads

• Doubleclick

• Digital Advertising Alliance’s opt-out

• Network Advertising Initiative opt-out

• Do-Not-Track - Our Services do not respond to your browser’s do-not-track request.

Data Security

We implement and maintain commercially reasonable security measures to secure your Personal Data from unauthorized processing. We cannot guarantee that any information will be absolutely secure. When we process information, we may pseudonymize, de-identify, or anonymize data in order to protect your Personal Data during processing.

Data Retention

We retain Personal Data for so long as it is reasonably necessary to achieve the relevant processing purposes described in this Privacy Policy, or for so long as is required by law. What is necessary may vary depending on the context and purpose of processing. We generally consider the following factors when we determine how long to retain data (without limitation):

• Retention periods established under applicable law;

• Industry best practices;

• Whether the purpose of processing is reasonably likely to justify further processing;

• Risks to individual privacy in continued processing;

• IT systems design considerations/limitations; and

• The costs associated with continued processing, retention, and deletion.

We will review retention periods periodically and may pseudonymize or anonymize data held for longer periods.

Children Under the Age of 13

Our Services are not intended for children under 13 years of age. We do not knowingly collect Personal Data from children under 13. Further, we do not knowingly collect Personal Data from minors. If we learn that we have inadvertently done so, we will promptly delete it. Do not access or use the Services if you are not of the age of majority in your jurisdiction unless you have the consent of your parent or guardian.

Changes to Our Privacy Policy

We may change this Policy from time to time. We will post changes on this page. We will notify you of any material changes, if required, via email or notices on our Services. Your continued use of our Services constitutes your acknowledgement of any revised Policy.

International Transfers

We operate in and use service providers located in the United States. If you are located outside the U.S., your Personal Data may be transferred to the U.S. The U.S. may not provide the same legal protections guaranteed to Personal Data in foreign countries. Contact us for more information regarding transfers of data to the U.S.