I. OBJECTIVE

The goal of RUNABETTERSET, LLC (RABS) is to apply uniform, adequate and global data protection and privacy standards for the handling of user (User) personal information (User Information).

II. SCOPE

These Binding Corporate Rules (Corporate Rules) are corporate guidelines that apply to the processing of User Information by RABS.

User Information means information relating to an identifiable User. An identifiable User is an individual who can be identified, directly or indirectly, based upon the information collected about the individual in the context of RABS providing a Service to them. The term Service applies to a website or other product offered by RABS for use by a User. The term User applies to individuals that have utilized a Service provided by RABS.

RABS does not knowingly process User Information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or User Information concerning health, sexual life or criminal records. To the extent Sensitive Information is manifestly made public by the User and provided to RABS, RABS does not process it for their own purposes.

III. APPLICATION OF LAWS

With varying legal requirements throughout the world relating to data protection, RABS’s Corporate Rules establishes a consistent set of requirements to help ensure the appropriate use of User Information.

All RABS employees and contractors are obligated to comply with these Corporate Rules.

Collection and processing of User Information shall occur in accordance with the Service’s terms and conditions, the law applicable to the User and the guidelines established by these Corporate Rules. Where applicable law is more protective than the guidelines set forth by the Corporate Rules, RABS will process User Information in accordance with the applicable law. If applicable law provides for a lower level of protection, the guidelines of the Corporate Rules shall apply. The Corporate Rules are binding obligations and failure to follow them may result in employee corrective action, including termination and other penalties as provided by law.

Where RABS has reason to believe that applicable law may prevent compliance with the Corporate Rules resulting in a substantial effect on the protections provided by the Corporate Rules, RABS will inform the relevant data protection authorities (except where prohibited by law enforcement or other government official).

Where there are multiple interpretations of the commitments, terms or definitions made in these Corporate Rules, RABS shall interpret the Corporate Rules in a way that is most consistent with the basic concepts of relevant privacy regimes, laws and regulations.

IV. PRINCIPLES FOR PROCESSING PERSONAL INFORMATION

Processing means any operation or set of operations which is performed upon User Information, whether or not by automatic means such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking erasure or destruction.

RABS observes the following processing principles for User Information:

• process User Information fairly and lawfully;

• provide notice to Users about the processing of their personal information and their rights;

• collect User Information for specified, legitimate purposes and not process further in ways incompatible with those purposes;

• maintain User Information in adequate and relevant ways, in relation to the purposes for which they are collected;

• keep User Information accurate and up-to-date as reasonably possible;

• process User Information in a way that is relevant and not excessive for the purposes which they are collected and used;

• store User Information for as long as necessary for the Services; and

• protect User Information with appropriate physical, technical and organizational security measures to prevent unauthorized access, unlawful processing and unauthorized or accidental loss, destruction and damage.

Where the processing involves automatic decision-making or processing which significantly affects the User (Automated Decisions), RABS shall provide suitable measures to safeguard the User’s legitimate interests, such as providing the User an opportunity to have a customer support representative review the decision manually and permit the User to provide their point of view.

V. PURPOSES FOR PROCESSING USER INFORMATION

RABS must disclose the nature and type of User Information processed and transferred. Generally, RABS processes User Information to facilitate the Services Users request, resolve disputes, troubleshoot problems, process transactions, collect fees owed, inform Users about updates, detect and protect RABS against error, fraud and other criminal activity, enforce the Service’s terms and conditions and as otherwise described to Users at the time of collection.

The Services’ privacy policy shall be accessible via a link in a prominent location of each Service and/or displayed during registration provides additional details according to applicable law regarding the collection, processing, protection and transfer of User Information.

VI. SECURITY

RABS uses physical, technical and organizational security controls commensurate with the amount and sensitivity of the User Information to prevent unauthorized access, use, loss, destruction and damage. RABS uses encryption, firewalls, access controls, standards and other procedures to protect User Information from unauthorized access.

VII. USER CHOICES

RABS will strive to provide Users with the opportunity to review, access and rectify their own User Information using the appropriate online tool or self service process. In all cases, Users have the right to submit a data subject access request to view User Information not accessible via the Service’s website. User should contact customer support via directions provided by the Service. RABS will comply with reasonable requests in a commercially reasonable period of time so long as it does not require a disproportionate effort to retrieve and where applicable law requires access. In these instances, Users may be required to provide proof of their identity and may be subject to a servicing fee as permitted by applicable law.

VIII. TRANSFERRING AND SHARING USER INFORMATION

RABS share User Information in the normal course and scope of business with other RABS worldwide to facilitate the Services Users request, prevent fraud, provide joint content and Services and as described in the Services Privacy Policy or at the time of collection.

RABS may share User Information with third party processors (such as service providers or vendors) worldwide who help with their business operations. The Service’s Privacy Policy further describes the types of third parties RABS may share User Information with and under what circumstances. Contracts with third party processors require sufficient technical and organizational security measures, limit the use of User Information to purposes defined by the Data Controller and retain control of User Information where applicable.

According to applicable law, treaties or applicable international conventions, RABS may share User Information with law enforcement, regulatory authorities or other third parties when: required as a matter of law; it is necessary to protect RABS’s rights; it is necessary to keep the Services free from abuse; or there is a legitimate purpose (e.g., to prevent imminent physical harm, financial loss or to report suspected illegal activity).

RABS may disclose User Information to other third parties for the third party’s own purposes in accordance with the User’s instructions or with the unambiguous informed consent of the User (where permissible under applicable law).

Users who object to the processing of their User Information may request to have their accounts closed by following the instructions provided via the Service’s website. RABS will remove or render anonymous a User’s information from a Service as soon as reasonably possible based upon account activity and in accordance with applicable law. In some instances, RABS may delay the closure of an account or retain User Information to conduct an investigation or where required by law. RABS may also retain User Information from closed accounts to comply with law, prevent fraud, collect any fees owed, resolve disputes, troubleshoot problems, assist with any investigations, enforce a Service’s terms and conditions, comply with legal requirements and take other actions otherwise permitted by applicable law.

IX. COMPLAINT HANDLING PROCESS

If a User believes that his/her User Information has been processed in violation of the Corporate Rules, the User may report concerns to RABS via the Service’s website, email, or as otherwise indicated in the Service’s terms and conditions. Users can generally find answers to the most common privacy questions and concerns by typing the word “privacy” into the relevant Service’s help section, which will usually direct the User to a privacy specific page or policy. The “help” section of the relevant Service is the unique entry point for all Users’ queries relating to their privacy or the processing of their User Information and provides User’s the opportunity to contact customer support. Customer support shall investigate and attempt to resolve concerns raised by Users. Employees responsible for addressing privacy related concerns work closely with the RABS privacy team and issue comments consistent with the policies, procedures and guidance issued by the RABS privacy team. If a User believes their concern has not been addressed adequately, they can request their concern be escalated to the legal department or the RABS privacy team. Escalation paths shall be determined based upon the nature and scope of the concern and shall be forwarded to the appropriate team without delays. A response to the complaint shall be provided to the User within a reasonable timeframe.

X. LIABILITY AND THIRD PARTY BENEFICIARY RIGHTS

RABS will comply with these Corporate Rules. The Corporate Rules are binding obligations and failure to follow them may result in employee corrective action, including termination and other penalties as provided by law.

The enforcement rights and mechanisms described above are in addition to other remedies or rights provided by RABS or available under applicable law.

XI. AUDIT PROCEDURES

To help ensure compliance with the Corporate Rules, the RABS privacy team reviews, on a regular basis, User Information processing activities and practices or recommends that RABS’s internal audit team conduct a review of the identified activities and practices. The internal audit team and the RABS privacy team shall, if necessary, require an action plan to ensure compliance with the Corporate Rules. To the extent that internal groups do not resolve matters adequately, RABS may appoint independent external auditors for further resolution.

The RABS privacy team shall review and address matters relating to non-compliance with the Corporate Rules identified in the course of a review or upon notice by RABS, User, employee or other individual. Audit findings are available to relevant data protection authorities upon request. RABS will redact portions of the audit to ensure confidentiality of proprietary or otherwise company confidential information. Further, RABS will only provide audit findings relating to privacy.

XII. MODIFICATIONS TO THE CORPORATE RULES

RABS reserves the right to modify the Corporate Rules as necessary, for example, to comply with changes in laws, regulations, RABS’ practices, procedures and organizational structure or requirements imposed by data protection authorities. The RABS privacy team must approve all changes to the  Corporate Rules and shall track all modifications to the Corporate Rules as well as any change in the RABS bound by the Corporate Rules. RABS shall report to the relevant data protection authorities changes to the Corporate Rules where approval is required or at least on an annual basis.

XII. OBLIGATIONS TOWARD DATA PROTECTION AUTHORITIES

RABS will respond diligently and appropriately to requests from data protection authorities about the Corporate Rules and their compliance with privacy laws and regulations. If an employee receives such a request from a data protection authority, he or she should immediately inform a member of the RABS privacy team or legal department so that the relevant RABS Entity can provide the data protection authorities with names and contact details of relevant contact persons within RABS who will reply to the data protection authority.

With regard to transfers of User Information between RABS, the importing and exporting entities will cooperate with inquiries and accept audits from the data protection authority responsible for the entity exporting the data, and respect decisions, consistent with applicable law and due process rights.

Changes to the Corporate Rules shall be applicable to all existing entities bound by the Corporate Rules on the effective date of implementation. Newly formed or acquired entities shall be bound by the Corporate Rules or guarantee an adequate level of protection prior to processing User Information.

RABS will provide notice of material changes to Users in accordance with their Service preferences and/or shall post the revised Corporate Rules on select external websites accessible by Users. Revisions to the Corporate Rules are effective within a reasonable period after RABS notifies the User and/or posts the revised Corporate Rules.