Dosh Holdings LLC, a subsidiary of Cardlytics, Inc. (the “Company,” “we,” “us,” “Dosh” and “our”) is committed to treating your personal information with respect and sensitivity. This privacy policy (this “Privacy Policy”) explains how we may collect, store, use, and disclose information when you access or use (1) our website located at www.dosh.com and all of our other websites to which this Privacy Policy is posted (collectively, the “Website”); (2) our mobile applications to which this Privacy Policy is posted (collectively, the “Application”); and (3) any services, content, and features made available by us through the Website or the Application (together with the Website and the Application, the “Services”). Our affiliates, including our parent company Cardlytics, Inc., have their own privacy policies that apply to data they collect from the products, services, and applications they provide. Any data collected pursuant to this Policy that is disclosed to our affiliates will still be treated consistently with this Policy
‍YOUR ACCEPTANCE OF THIS PRIVACY POLICYBy accessing or using the Services, you consent to our collection, storage, use, and disclosure of your information as described in this Privacy Policy. The provisions contained in this Privacy Policy supersede all prior notices and statements regarding our privacy practices with respect to the Services. If you do not agree to every provision of this Privacy Policy, you may not access or use the Services.
‍PROTECTING CHILDREN’S PRIVACYThe Services are not directed, or intended to be attractive, to children under the age of 13. We do not knowingly collect personal information from children under the age of 13. If you are under the age of 13, do not use the Services or submit any information to us. If we learn we have collected or received personal information from a child under the age of 13 without verification of parental consent, we will delete that information. If you believe we might have any personal information from or about a child under the age of 13, please contact us.
‍TYPES OF INFORMATION WE COLLECT AND HOW WE COLLECT ITPersonal Information and Anonymous Information - When you access or use the Services, we may collect information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with you or your household (“Personal Information”), and we may also collect information that cannot reasonably be linked to you (“Anonymous Information”). When Anonymous Information is, directly or indirectly, associated or combined with Personal Information, such Anonymous Information will be considered Personal Information for purposes of this Privacy Policy.

Information You Provide to Us. In general, you may visit the Website or download the Application without telling us who you are or sharing any Personal Information with us. When you register for an account for the Services (an “Account”), use other aspects of the Services, or communicate with us for customer service or technical support for the Services, we may ask you to provide certain Personal Information, such as your name, email address, postal address, mobile number, and payment account information. Additionally, if we are required by law for governmental and tax purposes, we may ask you to provide us or our service providers certain government identification numbers, including but not limited to your Social Security Number or Taxpayer Identification Number. We may also ask you whether you want to receive text messages relating to the Services. By providing your mobile phone number, you expressly consent to receive text messages from us relating to the Services at that number. Third-party data and message fees may apply. You may decline to provide certain Personal Information to us, but, if you do so, certain features of the Services may not be available to you or the performance of certain features of the Services may be limited or not work at all.

Information Collected from Devices. When you access or use the Services via a computer or mobile device, including, without limitation, a desktop computer, laptop, mobile phone, tablet, or other electronic device (each, a “Device”), we may collect information from your Device, such as your Device type and manufacturer, your Device operating system and version, your mobile carrier, your Device identifiers, your mobile phone number, your IP address, your browser type, your network connection type, information about the webpage that referred you to the Website or that you visited prior to the Website, and your behavior and activity on the Website and the Application. In addition, if you download the Application to your mobile Device, we may collect information from your mobile Device about your location while you are accessing or using the Application and while you are not accessing or using the Application. We may use this information to provide targeted offers to you and notify you of nearby third-party locations where you may use the Services. You may opt out of the collection of location data at any time by changing your settings on your mobile Device. However, if you do so, certain features of the Services may not be available to you or the performance of certain features of the Services may be limited or not work at all.

Information Collected by Cookies and Similar Tracking Technologies. When you access or use the Services, we may place small data files on your Device that assign random, unique numbers to your Device to enable us to recognize your Device when you use the Services. These data files may be cookies, pixel tags, other local shared objects, or similar technologies provided by your browser or associated applications (collectively, “Cookies”). We may use Cookies to recognize your Device, manage and store your settings and preferences for the Services, improve the Services, offer targeted products and services to you, and collect and analyze information about your access and use of the Services. The Cookies we use in connection with the Services may include the following:

Session Cookies: Session Cookies are temporary Cookies that expire and are automatically erased when you close your browser window. We may use session Cookies to grant you access to content and to enable actions that require you to be logged into your Account to perform.

Persistent Cookies: Persistent Cookies are Cookies that remain in your browser until they expire or you manually delete them. We may use persistent Cookies to better understand usage patterns so we can improve the Services. For example, we may use a persistent Cookie to associate you with your Account or to remember your choices for the Services. By accessing or using the Services, you consent to the placement of Cookies on your Devices as described in this Privacy Policy. If you prefer not to receive Cookies through the Services, you may control how your browser responds to Cookies by adjusting the privacy and security settings of your web browser. Unless you set your browser settings to refuse all Cookies, our systems may issue Cookies when you access or use the Services. If you set your browser settings to refuse all Cookies, the performance of certain features of the Services may be limited or not work at all. In some of our email messages to you, we may use “click-through URLs” linked to content on the Website or the Application. We track click-through data to help us understand and analyze interest in topics and use of the Services.  Do Not Track. Do Not Track (“DNT”) is an optional browser setting that allows you to express your preferences regarding tracking by advertisers and other third parties. We do not currently use technology that recognizes “Do Not Track” signals from your web browser due to lack of standardization regarding how that signal should be interpreted.

Information Collected from Other Third Parties. We may collect Personal Information from third-party social networks, subject their respective privacy policies and your privacy settings. We may also collect Device identifiers from third-party devices present at certain third-party locations, such as retail stores, restaurants, and other points of interest. Such devices may use wifi, near field communication (NFC), or Bluetooth low-energy (BLE) beacon technology to transmit signals about the location of your Device to us so that we may notify you via push message that you are near a location where you may use the Services.

Transaction Information - When you link an eligible credit or debit card (a “Payment Card”) to your Account, we may collect transaction information, from your Payment Card Network (e.g., Visa, Mastercard, American Express) (“Transaction Information”). Transaction Information includes certain information about your transactions, last 4 digits of your card number, and merchant name. By linking a Payment Card to your Account, you authorize: (a) us to share your Payment Card information with the third parties that enable us to provide the Services, such as the payment processor Braintree (“Third-Party Service Providers”) and your Payment Card Network so it knows you enrolled for the Services; and (b) the Payment Card Network to (i) monitor transactions on your Payment Card to identify qualifying purchases in order to determine whether you qualify for or earn an offer linked to your Payment Card in connection with the Services; and (ii) share such Transaction Information with us to provide the Services to you. You may opt-out of such transaction monitoring on the Payment Card(s) you have registered by de-linking them through the Services or by terminating your Account. Please note that if you opt-out of transaction monitoring, certain features of the Services may not be available to you or the performance of certain features of the Services may be limited or not work at all. Notwithstanding anything to the contrary in this Privacy Policy or the Terms of Service, we will use Payment Card and transaction information solely as follows: to confirm a qualifying purchase or return to match transactions to confirm whether you qualify for an offer or statement credit; to create a record of the transaction information and thereafter maintain and use data in connection with the provision of Services; to provide targeted offers that may be of interest to you; to conduct analysis for the improvement and optimization of the Services; to inform participating merchants where a transaction occurred as needed for the merchant to confirm a specific transaction occurred or points should be awarded; for example, we may share the date and amount of your purchase and the last 4 digits of your card number so the merchant can verify your purchase with its records or confirm if there is a missing or disputed transaction; to provide participating merchants aggregated and anonymized information relating specifically to registered Payment Card activity solely to allow participating merchants to assess the results of their campaign; to provide information in order to respond to a request from government authority or a payment organization involved in a transaction with you or a merchant; and to enable the sharing, exchange and use of transaction information described above and herein by and among us, the Payment Card Networks, applicable Third-Party Service Providers and applicable merchants.
‍HOW WE USE PERSONAL AND ANONYMOUS INFORMATIONWe may use Anonymous Information as described elsewhere in this Privacy Policy and for research and commercial purposes, such as to improve the Services. We may use Personal Information for our general commercial purposes including to: provide the Services and notices related thereto;• analyze, improve and customize the Services; provide customer and technical support for the Services; send you announcements, newsletters, promotional materials, and other information about the Services and third-party products and services that we think may be of interest to you; detect, prevent and investigate actual or suspected fraud, hacking, infringement, or other misconduct involving the Services;• collect fees and other amounts owed in connection with the Services; and• comply with tax and other applicable laws.
‍HOW WE SHARE PERSONAL AND ANONYMOUS INFORMATIONWe may share Anonymous Information with third parties as described elsewhere in this Privacy Policy and for our commercial purposes. We may share Personal Information with our corporate affiliates (e.g., parent company, sister companies, subsidiaries, joint ventures, or other companies under common control) to help provide, maintain, and improve our Services. We do not share Personal Information with third-parties, except: if you request or authorize it; to complete a transaction or provide a service requested by you; to our Third-Party Service Providers that provide services to support the Services, such as payment processing, data analysis, email delivery, hosting, order fulfillment, infrastructure, network storage, customer service, technical support, and promotional services and who are bound by contractual obligations to keep Personal Information confidential and use it only for the purposes for which we disclose it to them; to comply with applicable laws, rules, and regulations, including but not limited to tax laws; to comply with governmental and regulatory requests, court orders, and subpoenas; to protect our rights, property, and safety and the rights, property, and safety of our users and others; to enforce our rights arising from any contracts entered into between you and us, including the Terms of Service; with merchants that you transact with that already have Personal Information about you for the purpose of verifying offer-qualifying transactions; and; if the disclosure is done as part of a purchase, transfer, or sale of services or assets (e.g., in the event that substantially all of our assets are acquired by another party, your Personal Information may be one of the transferred assets) or in the event of bankruptcy. When we disclose Personal Information to third parties or to Third Party Service Providers, we enter into a contract that describes the purpose and requires the recipient to keep that Personal Information confidential and not use it for any purpose except performing that contract. In the preceding twelve (12) months, we have not sold Personal Information or shared Personal Information for the purpose of cross-context behavioral advertising.
‍YOUR CHOICES ABOUT YOUR INFORMATIONYou may opt not to receive promotional emails from us by contacting us or by following the “unsubscribe” instructions in any promotional email you receive from us. Please note, however, that we may still send you non-promotional emails about your relationship with us. You can review and change your Account information via the Website or the Application. To terminate your Account and your right to use the Services please delete your Account via the Website or the Application and immediately discontinue all use of the Services. Please visit this link for information on how to delete your account.
‍INFORMATION YOU SHARE SOCIALLYThe Services may allow you to connect and share your actions, comments, content, and information publicly or with friends. The Company and the Payment Card Networks are not responsible for maintaining the confidentiality of any information you share publicly or with friends. In addition, the Services may allow you to connect with us on, share on, and use third-party websites, applications, and services. Please be mindful of your personal privacy needs and the privacy needs of others as you choose to connect and share information with friends and others. We cannot control the privacy or security of information you choose to make public or share with others. We also do not control the privacy practices of third parties. Please contact those websites and services directly if you want to learn about their privacy practices.
‍HOW WE PROTECT YOUR INFORMATIONWe have, and require our Third-Party Service Providers to have, administrative, technical, and physical safeguards in place in our respective physical facilities and in our respective computer systems, databases, and communications networks that are reasonably designed to protect information contained within such systems from loss, misuse, and alteration. The measures we use may include storing Personal Information on secured servers, transmitting Personal Information using encryption technologies, and auditing and reviewing our data collection and storage practices. To be clear, we do not store your Payment Card account information, and we do not have control over or responsibility for your Payment Card account information. When you provide your Payment Card account information through the Website or the Application, it is stored and/or processed by our Third-Party Service Providers in order for you to use the Services. Our contracts with these third parties require them to have administrative, technical, and physical safeguards to protect the security and confidentiality of such information. No method of electronic transmission or storage is 100% secure. Therefore, we cannot guarantee absolute security of your Personal Information. You also play a role in protecting your Personal Information. Please safeguard your username and password for your Account and do not share them with others. If we receive instructions using your Account log-in information, we will consider that you have authorized the instructions. You agree to notify us immediately of any unauthorized use of your Account or any other breach of security related to the Services. We reserve the right, in our sole discretion, to refuse to provide the Services, terminate your Account, and to remove or edit content.

RETENTION OF PERSONAL INFORMATION
Subject to applicable law, which might, from time to time, oblige us to store your Personal Information for a certain period of time, we will retain Personal Information only for as long as necessary to provide the Services and to fulfill the purposes outlined in this Privacy Policy. In the event you or Dosh terminates your account, you agree that we may retain your data for one year from the date of termination for audit and merchant invoicing purposes. After expiry of the applicable retention periods, your Personal Information will be deleted.

LINKS TO THIRD-PARTY WEBSITES AND APPLICATIONS
When you access or use the Services, you may be directed to other websites or applications that are beyond our control. We may also allow third-party websites or applications to link to the Services. We are not responsible for the privacy practices of any third parties or the content of linked websites and applications. We encourage you to read the applicable privacy policies and terms and conditions of such parties, websites, and applications.
‍CALIFORNIA RESIDENTS’ ADDITIONAL PRIVACY RIGHTSIf you are a California resident, this section applies to you. This section describes how we collect, use, and share your Personal Information in our capacity as a “business” under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2021 (the “CPRA”), and the rights you have with respect to your Personal Information. For purposes of this section, “Personal Information,” and “Sensitive Personal Information” have the meanings given in the CPRA and do not include information excluded from the CPRA’s scope. Under the CPRA, subject to exceptions, California residents who use our Services or visit our Website have the following rights regarding their data:

The right to know the categories of Personal Information we’ve collected and the categories of sources from which we got the information (see TYPES OF INFORMATION WE COLLECT AND HOW WE COLLECT IT and below); The right to know the business purposes for collecting or disclosing your Personal Information (see TYPES OF INFORMATION WE COLLECT AND HOW WE COLLECT IT and below); The right to know the categories of third parties with whom we’ve disclosed Personal Information (see HOW WE SHARE PERSONAL AND ANONYMOUS INFORMATION); The right to access the specific pieces of Personal Information we’ve collected about you; The right to request the deletion of the Personal Information we have collected about you; and The right to request the correction of inaccurate Personal Information.

Dosh does not sell or share your Personal Information with or to third parties as we understand those terms to be defined by the CPRA and its implementing regulations. Dosh does not use or disclose your Sensitive Personal Information other than to provide you with the Services and as permitted by California law.

We have collected the following categories of Personal Information from or about consumers within the last twelve (12) months:

‍Identifier:
A real name, alias, postal address, unique personal identifier, online identifier, IP address, taxpayer identification number, social security number, email address, account name, or other similar identifiers.

‍Commercial Information:
‍Products or services purchased, obtained or considered, or other purchasing or consuming histories or tendencies.

‍Internet or other similar network activity:
Information on a consumer’s interaction with a website or app.

‍Geolocation Data:
Physical location data.

We obtain Personal Information directly from you, indirectly from you via third-party service providers that you agree Dosh may receive such information from, and from internet cookies/pixels.

We will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you with notice and obtaining your explicit consent. As a California resident, you may exercise your right to know, to correct, or to delete by emailing us at legal@dosh.cash. We may require you to verify your identity prior to accessing or deleting your information. You may also designate an authorized agent to make a request to know, correct, or delete. We may deny a request from an authorized agent that does not submit proof of authorization. California residents have the right to not be discriminated against if they choose to exercise their privacy rights.

California Law also permits California residents to request certain information once per year regarding disclosure of any “personal information” (as that term is defined under California’s “Shine the Light” law) disclosed to third parties for such third parties’ direct marketing purposes. We do not currently disclose personal information protected under California’s “Shine the Light” law with third parties for their direct marketing purposes.

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time, we will notify you of the extension and provide an explanation of the reason for the extension in writing, and we will provide you with a response no later than ninety (90) days of receipt of the request.

VIRGINIA RESIDENTS’ ADDITIONAL PRIVACY RIGHTS
If you are a Virginia resident, this section applies to you. This section describes the rights you have with respect to your Personal Data, under Virginia’s Consumer Data Protection Act (“VCDPA”). For purposes of this section, “Personal Data,” has the meaning given in the VCDPA and does not include information excluded from the CDPA’s scope. Under the VCDPA, subject to exceptions, Virginia residents have certain rights regarding their data, including, as applicable to users of Dosh Services: The right to access the specific pieces of Personal Data we’ve collected about you; The right to request the deletion of the Personal Data we have collected about you; and  The right to request that we correct inaccurate Personal Data.

As a Virginia resident, you may exercise your right to know, to correct, or to delete by emailing us at legal@dosh.cash. We may require you to verify your identity prior processing your request. Virginia residents have the right to not be discriminated against if they choose to exercise their privacy rights. We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time, we will notify you of the extension and provide an explanation of the reason for the extension in writing, and we will provide you with a response no later than ninety (90) days of receipt of the request.

If we deny your request to access, correct, or delete your information, you may appeal our decision by emailing us at legal@dosh.cash with the subject “Appeal of Consumer Rights Request.” You must appeal our decision within 45 days of your receipt of our denial. If you have concerns about the results of an appeal, you may contact the Virginia attorney general.
‍CHANGES TO THIS PRIVACY POLICYWe may revise this Privacy Policy from time to time in our sole discretion, subject to applicable law. When we revise this Privacy Policy, we will post the revised version on the Website and the Application. The revised Privacy Policy will be effective upon posting on the Website and the Application, unless otherwise set forth therein or as otherwise required by applicable law. You are free to decide whether or not to accept a revised version of this Privacy Policy, but accepting this Privacy Policy, as revised, is required for you to continue accessing and using the Services. If you do not agree to this Privacy Policy or any revised version of this Privacy Policy, your sole recourse is to terminate your access to and use of the Services. Except as otherwise expressly stated by us, your access to and use of the Services are subject to the version of this Privacy Policy in effect at the time of your access or use of the Services.
‍CONTACT USIf you have any questions regarding this Privacy Policy or the Services, please contact us.