PRIVACY AND DATA SECURITY STATEMENT

Thank you for visiting A Year of Transformation, Inc.’s online and mobile resources, and for viewing this privacy and data security statement. This page provides a brief summary of our data collection, use, and protection practices. Our full privacy statement, contained in the pages that follow, serves to give notice about the types of personal information we collect, how we use it, who we share it with, and why, and what we do to try to protect it. We encourage you to read our full statement carefully.

Contacting Our Privacy OfficeIf you have any questions about our privacy and data security policies, procedures, and practices, including anything we say in this privacy statement, we encourage you to contact our Privacy Office.

A Year of Transformation, Inc.Attn: Copyright Agent870 E. North Union AvenueMidvale, Utah 84047Email: info@ayearoftransformation.comPhone: (801) 855-6555

This privacy statement was amended as of June 1st, 2024, and is effective as of that date. The English language version of this privacy statement is the controlling version regardless of any translation you may attempt.

NAVIGATING THROUGH THIS STATEMENT

You can use the links below to navigate to areas of this statement that apply specifically to you, or which may otherwise be of interest:

SOME IMPORTANT VOCABULARY

Although not itself a contract, this privacy statement is an important document that explains how we address some of our legal obligations and your related legal rights involving personal information. Clarity is, therefore, important. We’ll use this section to let you know about some words that have special meanings whenever you see them in this statement.Let’s start with the word “statement” itself: when we reference “this statement”, “this privacy statement” and “our statement”, we mean the Privacy and Data Security Statement you are reading now. Wherever we say “Company”, “we”, “us”, or “our”, we mean A Year of Transformation, Inc. We use the words “you” and “your” to mean you, the reader, and other visitors to our online and mobile resources who are, in all cases, over the age of 18. This age requirement is discussed in more detail later in the section titled “Children’s Privacy” below. When we talk about our “online and mobile resources”, we mean all websites, portals or other features we operate to allow you to interact with us and our systems, as well as the mobile apps we’ve created and distributed to let you interact with the content we provide. An “affinity action” is when you “follow” us, “like” us or take a similar or analogous action on our external social media presence. Finally, and perhaps most importantly, when we refer to “personal information”, we mean any data or data element, whether in electronic or other form, that, alone or in combination with other elements, can be used to distinguish, trace, or discover your identity. Certain data privacy laws include specific elements or defined terms for what they consider to be the personal information (or personal data) they govern. Where such data privacy laws apply, then the term “personal information” includes the specific elements and defined terms required by such laws.

WHO DO WE COLLECT PERSONAL INFORMATION FROM?

We collect personal information from four groups of data subjects:

The categories of information we collect from each of these groups, and the ways in which we use it, differ. It is important to note, however, that this privacy statement applies only to visitors and users of our online and mobile resources. Thus, the words “you” and “your” throughout this privacy statement mean only that category of data subject. As you may have noticed, it’s possible that the same person could fall into more than one group. For instance, someone who works for us might, on their day off, visit one of our general websites.

PRIVACY LAWS VARY FROM PLACE TO PLACE

Privacy and data protection laws vary around the world and among the individual United States. Our obligations arising under the majority of the world’s privacy laws, including U.S. federal and most state laws, are satisfied by individual risk assessments conducted by us to ensure we act reasonably and responsibly when processing your personal information. We refer to these as, “General Privacy Laws”. In some jurisdictions, however, privacy laws grant you, the data subject, certain specific rights regarding your personal information. We refer to these types of privacy laws as data subject rights-based laws or “DSR Privacy Laws.” Examples of DSR Privacy Laws include the U.S. State of California’s Consumer Privacy Protection Act or “CCPA”, and the European Union’s General Data Protection Regulation or “GDPR”.

WHAT PERSONAL INFORMATION DO WE COLLECT?

Generally, we collect personal information in two ways: that which you voluntarily provide to us, and that which we collect through automated/technical means. We describe that type of voluntary submission immediately below and we describe our automatic collection in the section titled “Automatically Collected Information” below. By using our online and mobile resources, you are signifying to us that you agree with this section of our privacy statement and that we may use and disclose your information as described.

Voluntarily Submitted InformationIf you choose to participate in, or make use of certain activities and features available via our online and mobile resources, you will need to provide us with information about yourself. The types of personal information you will be submitting to us in those situations are almost always limited to basic identifiers such as your name, email address, mailing address, and phone number. Here are some of the ways you voluntarily give us your personal information:

If you prefer we not receive the above-described personal information, please don’t submit it. This means you shouldn’t participate in the applicable activities on, or use the applicable features available from our online and mobile resources. Such participation and use are strictly your choice. By not participating, you may limit your ability to take full advantage of the online and mobile resources, but most of the content in our online and mobile resources will still be available to you.

Automatically Collected InformationWhen you visit or use our online and mobile resources, basic information about your internet/electronic activity is automatically collected through your browser via tracking technologies, such as “cookies.” As just about everyone knows by now, cookies are small text files downloaded onto your computer or mobile device. Cookies allow us to collect your IP address and recognize your computer or mobile device and store some information about your preferences for using our online and mobile resources or past actions, such as:

Additional information about cookies and tracking technologies is available here .

If you access our online and mobile resources from a phone or other mobile device, the mobile services provider may transmit to us certain information such as uniquely identifiable mobile device information. That, in turn, allows us to collect mobile phone numbers and associate them with the mobile device identification information. Some mobile phone service providers also operate systems that pinpoint the physical location of devices and we may receive this geolocation data as well.When you use our online and mobile resources, we may allow third-party service providers to place their own cookies or similar technologies in order to engage in the same types of collection we describe above. For example, we use third-party “web analytics” services such as those offered by Google Analytics. For more example, we use third-party “web analytics” services such as those offered by Google Analytics. For more information on how Google specifically uses this data, go to Google's Privacy Policy . You can learn more about how to opt out of Google Analytics by going to Google Analytics Opt-out .

Finally, there’s a category of personal information we may collect that does not fit neatly into the “voluntarily submitted” or “automatically collected” categories. If you use both our app and a third-party mail service (such as Google’s Gmail, Yahoo! Mail, and the like) on your mobile device, you may have activated a setting that allows us to use certain technologies such as application programming interfaces to automatically access (sometimes referred to as “parse”) your mail as it relates to your use of our app. If you did activate the setting allowing us to do so, our use of any information we receive from those technologies will adhere to the requirements of the publisher of the applicable technology. This includes, if we use Google APIs, adhering to the Google API Services User Data Policy and its Limited Use requirements.

User Beware: External Sites, Apps, Links, and Social MediaWe maintain a presence on one or more external social media platforms such as Twitter, Facebook, YouTube, and LinkedIn. We may further allow the community features of our online and mobile resources to connect with, or be viewable from, that external social media presence. Similarly, our online and mobile resources may contain links to other websites or apps controlled by third parties. We are not responsible for the content on, or the privacy practices of, social media platforms, or any third-party sites or apps to which we link. Those apps, sites, and platforms are not controlled by us and therefore have their own privacy policies and terms of use. To be clear: neither this statement nor the terms of service appearing on or in any of our online and mobile resources apply to our social media presence or any third-party sites or apps to which we may link. That means even if you take an affinity action on our specific social media profile, and identifiers about you are automatically collected and given to us as a result, that collection and transfer are governed by the privacy policies and other terms of the applicable social media platform and are not our responsibility. If you have questions about how those apps, sites, and platforms collect and use personal information, you should carefully read their privacy policies and contact them using the information they provide.

HOW DO WE USE THE PERSONAL INFORMATION WE COLLECT?We use the personal information we collect only in the manner and through the means allowed by applicable law. That means we determine whether we have a lawful basis/legitimate business purpose to use your personal information before doing so. As stated in applicable law, such lawful bases/legitimate business purposes may include receiving express consent, operating our business, performing a contract, and complying with a legal obligation. More specifically, we use the personal information we collect as follows: We use the automatically collected personal information described in the section titled “Automatically Collected Information” to compile generic reports about popular pages/features of our online and mobile resources, and to see how users are accessing our online and mobile resources and in some cases (such as affinity actions) send materials to you. We use the personal information you voluntarily submitted, as described in the section titled “Voluntarily Submitted Information,” to respond back directly to you and/or send you the information you requested or about which you inquired. We also may use any such personal information you provide to customize our programs and newsletters to make them more relevant to you. We do not sell or rent personal information automatically collected by, or which you voluntarily provide when using our online and mobile resources. We use and retain your personal information in accordance with applicable law and as long as necessary to carry out the purposes described above in accordance with our internal data retention procedures.

WHEN/WITH WHOM DO WE SHARE PERSONAL INFORMATION?We may share your personal information as described below. This sharing applies to the personal information of all four groups of data subjects.

AffiliatesWe may share personal information with other corporate affiliates who will use such information in the same way as we can under this statement.

Legal RequirementsWe may disclose personal information to government authorities and other third parties when compelled to do so by such government authorities, or at our discretion or otherwise as required or permitted by law, including responding to court orders and subpoenas.

To Prevent HarmWe also may disclose such information when we have reason to believe that someone is causing injury to or interference with our rights or property, or harming or potentially harming other persons or property.

Business Sale/PurchaseIf we, or any of our affiliates, sell or transfer all or substantially all of our assets, equity interests, or securities, or are acquired by one or more third parties as a result of an acquisition, merger, sale, reorganization, divestiture, consolidation, or liquidation, personal information may be one of the transferred assets.

Vendors and Business PartnersWe also share personal information with those of our vendors and business partners who need it to perform under the contracts we have with them. As part of our Data Security Program, we have adopted standards for those vendors and business partners who receive personal information from us. We attempt to bind such vendors and business partners to those standards via written contracts. Such standards include expectations that when we share personal information with our vendors and business partners, they will comply with all applicable privacy and data security laws and regulations and our Security Program, and will contractually require and cause their subcontractors and agents to do the same. For any personal information our vendors and business partners process or store at their own locations, we further expect them to use technology infrastructure meeting, at least at the facilities level, minimum recognized standards for security controls. Such recognized standards include those published by the International Standards Organization, the National Institute of Standards and Technology, or any reasonably equivalent standards.

Please note, however, that we cannot guarantee that all of our vendors and business partners will agree to the above-described contractual requirements; nor can we ensure that, even when they do agree, they will always fully comply.

HOW DO WE PROTECT COLLECTED PERSONAL INFORMATION?Our Data Security ProgramWe have adopted, implemented, and maintain an enterprise-wide corporate information security and privacy program that includes technical, organizational, administrative, and other security measures designed to protect, as required by applicable law, against reasonably anticipated or actual threats to the security of your personal information (the “Security Program”). Our Security Program was created with reference to widely recognized industry standards such as those published by the International Standards Organization and the National Institute of Standards and Technology. It includes, among many other things, procedures for assessing the need for and employing encryption and multi-factor authentication as appropriate, or using equivalent compensating controls. We, therefore, have every reason to believe our Security Program is reasonable and appropriate for our business and the nature of foreseeable risks to the personal information we collect. We further periodically review and update our Security Program, including as required by applicable law.

Our Incident Response and Management PlanDespite the significant investment we’ve made in, and our commitment to, the Security Program including enforcement of our third-party oversight procedures, described above, we cannot guarantee that your personal information, whether during transmission or while stored on our systems, otherwise in our care, or the care of our vendors and business partners, will be free from either failed or successful attempts at unauthorized access or that loss or accidental destruction will never occur. Except for our duty under applicable law to maintain the Security Program, we necessarily disclaim, to the maximum extent the law allows, any other liability for any such theft or loss of, unauthorized access or damage to, or interception of any data or communications including personal information. All that said, as part of our Security Program, we have specific incident response and management procedures that are activated whenever we become aware that your personal information was likely to have been compromised. Those procedures include mechanisms to provide, when circumstances and/or our legal obligations warrant, notice to all affected data subjects within the timeframes required by law, as well as to give them such other mitigation and protection services (such as the credit monitoring and identity theft insurance) as may be required by applicable law. We further require, as part of our vendor and business partner oversight procedures, that such parties notify us within the timeframes required by law if they have any reason to believe that an incident adversely affecting personal information we provided to them has occurred.

YOUR RIGHTS AND OPTIONSIf we are using your personal information to send you marketing materials, such as newsletters or product alerts via text or email, you may opt out by following the opt-out instructions in the email or other communication (e.g., by responding to the text with “STOP”). In addition, certain of our online and mobile resources will provide a centralized opt-out link allowing you to opt out of any programs in which you may have enrolled using that particular online and mobile resource. When we receive your request, we will take reasonable steps to remove your name from our distribution lists, but it may take time to do so. You may still receive materials for a period after you opt out. In addition to opting out, you have the ability to access, amend and delete your personal information by contacting us using the contact information below. Opting out of or changing affinity actions or other submissions or requests made on our external social media presence will likely require that you do so directly on that applicable platform as we do not control their procedures.Some browsers have a “do not track” feature that lets you tell websites that you do not want to have your online activities tracked. At this time, we do not specifically respond to browser “do not track” signals.

CHILDREN’S PRIVACY

Federal law imposes special restrictions and obligations on commercial website operators who direct their operations toward, and collect and use information from children under the age of 13. We take those age-related requirements very seriously, and, consistent with them, do not intend for our online and mobile resources to be used by children under the age of 18, and certainly not by those under the age of 13. Moreover, we do not knowingly collect personal information from minors under the age of 18. If we become aware that anyone under the age of 18 has submitted personal information to us via our online and mobile resources, we will delete that information and not use it for any purpose whatsoever. We encourage parents and legal guardians to talk with their children about the potential risks of providing personal information over the Internet.

THE CALIFORNIA CONSUMER PRIVACY ACT

When we collect personal information from California residents we become subject to, and those residents have rights under, the California Consumer Privacy Act or “CCPA”. This section of our statement is used to allow us to fulfill our CCPA obligations and explain your CCPA rights. For purposes of this section, the words “you” and “your” mean only such California residents.

What did we collect from California Residents? We collected the following categories of personal information within the last 12 months:

What Personal Information did we disclose for a business purpose? We may have disclosed the categories of personal information listed above for one or more business purposes permitted by the CCPA during the last 12 months.

What Personal Information did we sell? We do not sell, and within the last 12 months have not sold, personal information to third parties.

What sources did we obtain Personal Information from and why did we collect it? Please re-review the section of this privacy statement titled “Who Do We Collect Personal Information From?” to understand the scope of purposes and the sources from which we collect it. Similarly, we urge you to re-read the section of this statement titled “With Whom Do We Share Personal Information?” where we describe the categories of third parties with which we may share your personal information and why.

Rights of California Residents You have the following rights under the CCPA. It’s important to us that you know that if you exercise these rights, we will not discriminate against you by treating you differently from other California residents who use our sites and mobile resources or purchase our services but did not exercise their rights.

You, or an authorized agent acting on your behalf, can exercise the Right to Know up to two different times every 12 months. To exercise these rights, contact us at info@ayearoftransformation.com or (801) 855-6555. We may ask you to fill out a request form. The CCPA only allows us to act on your request if we can verify your identity and/or your agent’s authority to make the request, so you will also need to follow our instructions for identity verification. If you make a verifiable request per the above, we will confirm our receipt and respond in the time frames prescribed by the CCPA.

CHANGES TO THIS PRIVACY STATEMENT We reserve the right to change or update this statement from time to time. Please check our online and mobile resources periodically for such changes since all information collected is subject to the statement in place at the time of collection. Typically, we will indicate the effective/amendment date at the beginning of this statement. If we feel it is appropriate, or if the law requires, we’ll also provide a summary of changes we’ve made near the end of the new statement.

CONTACTING US If you have questions about our privacy statement or privacy practices, please contact our Privacy Office:

A Year of Transformation, Inc.Attn: Copyright Agent870 E. North Union AvenueMidvale, Utah 84047Email: info@ayearoftransformation.comPhone: (801) 855-6555

If you are an individual located in a GDPR Jurisdiction and we obtain your consent to process your personal information, you may withdraw your consent at any time by contacting us at info@ayearoftransformation.com.