Privacy policy

1. Introduction

This privacy policy (the "Policy") sets forth the types of information that CFR Nominees USA, LLC, a Texas limited liability company d/b/a Campfront ("Provider", "us", or "we"), may collect from you (the "User" or "you") or that you may provide when you visit or access the software platform (the "Platform") and our practices for collecting, using, and disclosing that information. Because the Platform is designed to manage information about individuals attending summer and other camps, including minors under the age of 18 ("Attendees"), this Policy also describes the protections we apply to Attendee information, including information about children under the age of 13. This Policy applies only to information we collect or you provide via your use of the Platform or via any message or correspondence between you and Provider.

Please read this Policy carefully to understand our policies and practices regarding your information and how we will treat it. By using the Platform, User expressly agrees to be bound by this Policy, and by its continued use, User indicates its continued acceptance of the privacy policy. If you do not agree to the Policy, you must not access or use the Platform.

2. Information we collect or you provide

We collect or you provide several types of information from and about Users of the Platform and Attendees (as set forth below). Some Users of the Platform access and use the Platform in connection with their dependent(s) who are attending (or intend to attend, "Attendee"), one or more summer or other camps operated by a third-party person or entity (a "Camp"). The type of information we may collect regarding our Users and Attendees includes:

• Personally identifiable information of a User or Attendee, such as name, birth date, address, email address, telephone number or any other identifier by which a User may provide to us voluntarily through the Platform or by which we may require for you to register as a user of the Platform (collectively, the "Personal Information"); and/or
• Information which does not specifically identify a User or Attendee, such as any information you may post to the Platform but which may be considered sensitive or confidential, including, without limitation, healthcare-related or other medical information.

Categories of personal information collected

For purposes of applicable state privacy laws, the categories of Personal Information we collect include:

• Identifiers: name, date of birth, postal address, email address, telephone number, account credentials;
• Protected classification characteristics: age, date of birth;
• Health and medical information: allergies, medications, medical conditions, dietary restrictions, immunization records, physician contact information, health insurance information, and other healthcare-related information provided by Users on behalf of Attendees ("Health Data");
• Commercial information: transaction and billing records related to use of the Platform;
• Internet or electronic network activity: information collected automatically as described in Section 3;
• Geolocation data: approximate location derived from IP address.

Sensitive personal information

Certain information we collect is classified as "sensitive personal information" under applicable state privacy laws, including: (a) Health Data; (b) Personal Information of Attendees who are minors under the age of 16; and (c) precise geolocation data, if collected. We process sensitive personal information only for the purposes of providing the Platform services as described in this Policy. You have the right to limit our use of your sensitive personal information as described in Section 8A below.

For the avoidance of doubt, neither the Provider nor the Platform collects information directly from any Attendee. Attendees are not permitted to be Users of the Platform. Any such Personal Information or other information which is provided to the Provider or input into the Platform shall only be provided or input into the Platform by a User. Each User shall be over eighteen (18) years of age and the identity and age of such User shall have been verified prior to User's grant of access to the Platform.

Children's information

The Platform is designed to be used by adult Users (age 18 and over) to manage information about Attendees, who may be minors. We do not knowingly allow children under the age of 18 to create accounts or directly access the Platform. All information about minor Attendees is provided by an adult User who represents that they are the parent, legal guardian, or authorized representative of the Attendee.

We recognize the heightened sensitivity of children's information. With respect to information about Attendees under the age of 13, we apply the following protections:

• Data Minimization: We collect only the information about minor Attendees that is reasonably necessary to provide the Platform services as requested by the User and the applicable Camp;
• Purpose Limitation: We use Attendee information solely to provide and improve the Platform services and do not use it for marketing, advertising, profiling, or any secondary purpose;
• Parental Access and Deletion: A parent or legal guardian may at any time request to review, correct, or delete their child's information by contacting us at support@campfront.com. We will respond to verified requests within forty-five (45) days;
• Security: We apply enhanced security measures to Attendee information as described in Section 5A;
• Retention: We retain Attendee information only for as long as reasonably necessary to fulfill the purposes described in this Policy, subject to the retention schedule in Section 5B.

Health data

We collect Health Data solely for the purpose of enabling Camps to manage the health, safety, and welfare of Attendees. Health Data is provided voluntarily by Users and is shared only with the applicable Camp as a Permitted Disclosure (see Section 6). We do not use Health Data for any purpose other than providing the Platform services. We do not sell, share for cross-context behavioral advertising, or otherwise monetize Health Data. By providing Health Data through the Platform, you represent that you have the authority to provide such information and consent to its processing as described in this Policy.

3. Automatic data collection technologies

Through your use of the Platform, certain information may be automatically collected via certain automatic data collection technologies. This information may include, without limitation:

(i) Details of your visits to the Platform, other communication data, and the resources that you access and use on the Platform.

(ii) Information about your computer and internet connection, including your IP address, operating system, and browser type.

The technologies we use for automatic data collection may include cookies or browser cookies. A cookie is a small file placed on the hard drive of your computer. You may refuse to accept browser cookies by activating the appropriate setting on your browser. However, if you select this setting, you may be unable to access certain parts of the Platform. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you direct your browser to the Platform.

4. Third party products

Certain third-party products are integrated within the Platform for use by User (each a "Third-Party Product"), which may include, but not be limited to, payment processing product(s) provided by Stripe, Inc. and certain SMS messaging products. For the sake of clarity, Provider does not store, access, or process, the full credit card number, expiration date, or security code of any User or any SMS messages sent or received by any User (unless such SMS messages are sent by Provider). Each Third-Party Product is governed by its own terms of service and privacy policy. We encourage you to review the privacy policies of all Third-Party Products, including Stripe's privacy policy available at https://stripe.com/privacy. We are not responsible for the privacy practices of Third-Party Products.

5. How we use your information

We use information that we collect about you or which you provide about you (or an Attendee), including any Personal Information (except as otherwise set forth herein or in accordance with applicable law):

(i) To register you as a User.

(ii) To provide you with information, products, or services that you request from us.

• To allow you to participate in interactive features on the Platform.
• Improve the Platform, including by analyzing your information and creating aggregated, de-identified, anonymized data derived from information you input in the Platform (the "Aggregated Data") to develop, maintain, analyze, improve, optimize, and measure the Platform and its features and how Users interact with the Platform.
• In any other way we may describe when you provide the information.
• For any other purpose with your consent.

We do not use your information to contact you about third-parties' goods and services that may be of interest to you. We do not disclose your Personal Information or other information to any third party for this purpose except as may be set forth below.

5A. Security of your information

We implement and maintain reasonable administrative, technical, and physical security measures designed to protect Personal Information, including Health Data and information about minor Attendees, from unauthorized access, use, alteration, and destruction. These measures include:

• Encryption of Personal Information in transit (TLS 1.2 or higher) and at rest;
• Access controls limiting access to Personal Information to authorized personnel on a need-to-know basis;
• Regular security assessments and vulnerability testing;
• Employee training on data protection and privacy obligations;
• An incident response plan for the identification, containment, and notification of security incidents, including data breaches (see Section 5C).

No method of transmission or storage is 100% secure. While we strive to protect your Personal Information, we cannot guarantee its absolute security.

5B. Data retention

We retain Personal Information only for as long as reasonably necessary to fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements. Specific retention periods are as follows:

• User account information: Retained for the duration of the User's active relationship with a Camp using the Platform, and for a period of twelve (12) months following the termination or expiration of that relationship, unless a longer retention period is required by law;
• Attendee Personal Information (including Health Data): Retained for the duration of the Attendee's active enrollment or participation with a Camp using the Platform, and for a period of twelve (12) months following the end of that participation, unless a longer retention period is required by law or requested by the applicable Camp for legitimate record-keeping purposes;
• Automatic data collection information (cookies, IP addresses, usage data): Retained for a period of twelve (12) months from the date of collection;
• Aggregated Data: May be retained indefinitely as it does not contain identifiable information.

Following the applicable retention period, we will securely delete or anonymize the relevant Personal Information in accordance with our data deletion procedures. You may request earlier deletion of your Personal Information as described in Section 8A.

5C. Data breach notification

In the event of a security breach that results in unauthorized access to, or acquisition of, Personal Information that compromises the security, confidentiality, or integrity of such information, we will:

• Promptly investigate the nature and scope of the breach;
• Take reasonable steps to contain the breach and mitigate harm;
• Notify affected Users and, where applicable, parents or legal guardians of affected minor Attendees, in accordance with the timeframes and methods required by applicable state law;
• Notify applicable regulatory authorities, including the Federal Trade Commission where required for breaches involving health-related information, in accordance with applicable law;
• Provide affected individuals with information about the breach, the types of information involved, and steps they can take to protect themselves.

We maintain and regularly test an incident response plan to ensure prompt and effective response to security incidents.

6. Disclosure of your information

The information that you provide to the Provider via the Platform is being provided for the purpose of being disclosed to and used by the applicable Camp for which the User is either an employee or is a User on behalf of an Attendee (a "Permitted Disclosure"). Other than a Permitted Disclosure, which Permitted Disclosure Provider is not directly making but is facilitating on User's behalf, Provider does not disclose Personal Information (or any other information) that it collects or you provide as described in this Policy except, in compliance with applicable law, Provider may disclose information that we collect or you provide as follows:

(i) To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of the Provider's assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information is among the assets transferred.

(ii) For any other purpose disclosed by us when you provide the information.

(iii) With your consent.

(iv) To comply with any court order, law, or legal process, including to respond to any government or regulatory request.

(v) To our service providers and contractors who perform services on our behalf and who are contractually obligated to protect Personal Information in a manner consistent with this Policy and applicable law.

We do not sell Personal Information as defined under applicable state privacy laws. We do not share Personal Information for cross-context behavioral advertising. We do not use or disclose sensitive Personal Information for purposes other than those permitted under applicable state privacy laws.

7. Aggregated data

Notwithstanding anything herein to the contrary, User grants to Provider a license to use certain data it inputs into the Platform to create the Aggregated Data. For the avoidance of doubt, the Aggregated Data is de-identified and anonymized and does not contain any identifiable information of any person. Provider employs technical and organizational measures to ensure that Aggregated Data cannot reasonably be used to identify any individual, including any Attendee. Provider will not attempt to re-identify any individual from Aggregated Data and will contractually prohibit any recipients of Aggregated Data from doing so. In compliance with applicable law, including the de-identification requirements of the CCPA and TDPSA, Provider may create, use, and disclose Aggregated Data to its parent company, subsidiaries, and affiliated companies for business analytics, product improvement, industry benchmarking, and the legitimate internal business purposes of the Provider and its corporate group. Aggregated Data derived from information about Attendees under the age of 13 shall be subject to the same use restrictions as non-aggregated Attendee information and shall not be used for any purpose other than improving the Platform.

8. State privacy rights

8A. Your privacy rights

Depending on your state of residence, you may have some or all of the following rights regarding your Personal Information and the Personal Information of Attendees for whom you are a parent or legal guardian:

• Right to Know/Access: You may request that we disclose the categories and specific pieces of Personal Information we have collected about you or your Attendee(s), the categories of sources from which the information was collected, the business or commercial purpose for collection, and the categories of third parties with whom we share it;
• Right to Delete: You may request that we delete Personal Information we have collected from or about you or your Attendee(s), subject to certain exceptions permitted by law;
• Right to Correct: You may request that we correct inaccurate Personal Information we maintain about you or your Attendee(s);
• Right to Data Portability: You may request a copy of your Personal Information in a structured, commonly used, and machine-readable format;
• Right to Opt-Out of Sale or Sharing: Although we do not sell Personal Information or share it for cross-context behavioral advertising, you may submit an opt-out request and we will honor it;
• Right to Limit Use of Sensitive Personal Information: You may request that we limit our use of sensitive Personal Information (including Health Data and information about minor Attendees) to the purposes necessary to provide the Platform services;
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

8B. How to exercise your rights

To submit a request to exercise any of the rights described above, you may email us at support@campfront.com with the subject line "Privacy Rights Request."

We will respond to your request within forty-five (45) days of receipt. If we require additional time (up to an additional forty-five (45) days), we will inform you of the reason and extension period in writing. There is no fee to submit a request unless the request is manifestly unfounded or excessive.

8C. Verification

To protect your privacy and security, we will take reasonable steps to verify your identity before fulfilling your request. Verification may require you to provide information that matches the Personal Information we maintain about you. For requests related to Attendee information, we will verify that the requestor is the parent, legal guardian, or authorized representative of the Attendee. You may also designate an authorized agent to make a request on your behalf, provided you furnish the agent with signed written authorization and we are able to verify your identity.

8D. Texas residents

If you are a Texas resident, you have rights under the Texas Data Privacy and Security Act ("TDPSA"), including the rights to access, correct, delete, and obtain a copy of your Personal Information, and to opt out of the processing of your Personal Information for targeted advertising, sale, or profiling. To exercise these rights, please contact us as described in Section 8B. We will respond to your request within forty-five (45) days. If we decline your request, you may appeal by contacting us at support@campfront.com with the subject line "Privacy Appeal." If you are not satisfied with our response to your appeal, you may contact the Texas Attorney General.

8E. California residents

If you are a California resident, you have rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"). In addition to the rights described in Section 8A, California residents have the right to know, for the twelve (12) month period preceding the request: the categories of Personal Information collected, the sources of that information, our business or commercial purpose for collecting it, the categories of third parties with whom it is shared, and the specific pieces of Personal Information collected. California residents also have the right to request deletion and to opt out of sale or sharing of Personal Information. We have not sold or shared Personal Information in the preceding twelve (12) months. For metrics regarding privacy requests received, please contact us at support@campfront.com.

9. Changes to our policy

This Policy may be amended from time to time by Provider. No prior notice of any amendment(s) is required. All changes are effective immediately when posted. Your continued use of the Platform following the effective date of a revised Policy means that you accept and agree to the revised Policy. You are expected to check this page frequently so you are aware of any changes, as they are binding on you.

10. Contact information

To ask questions or comment about this Policy and our privacy practices, contact us at support@campfront.com.

If you have a disability and would like to access this Policy in an alternative format, please contact us at the email address above.