Privacy Policy

This Privacy Policy covers the interactions we have with our customers and potential customers, as well as other individuals from or about whom we may collect Personal Data. We interact with our customers and potential customers via our website, via marketing tools, our stores, customer service interactions, and social media. The data controller (which determines the purpose and way your Personal Data is used) is HR Executive Compliance Council (referred to in this Privacy Policy as “we” or “us”). We use other entities to process data on our behalf (referred to in this Privacy Policy as “Data Processors”). Further details of the parties with which we share your data are set out below. When you visit our website, shop, our stores, interact with customer service representatives, work with us, apply to work with us, or otherwise engage or interact with HR Executive Compliance Council or its employees, contractors, agents, or representatives, you represent that you have read, understand this Privacy Policy, and consent to our collection, use, and disclosure of Personal Data that we may collect from or about you during your engagement or interaction with us. If you do not agree with this Privacy Policy, do not access or interact with our website, shop, our stores, customer service representatives, work with us, apply to work with us, or otherwise engage or interact with HR Executive Compliance Council. We are committed to doing the right thing when it comes to how we collect, use, disclose, and protect your Personal Data. That’s why we’ve developed this Privacy Policy and a Cookies Declaration, which: • set out the different ways you interact with us and the types of Personal Data that we collect; • explain the reasons why we use the data we collect; • explain when and why we will disclose Personal Data within HR Executive Compliance Council and to other organizations; and • explain the options and choices you may have when it comes to your Personal Data. This Privacy Policy applies to you when you interact with us. The different ways you interact with us are further described in this Privacy Policy. If you reside in the European Union or the United Kingdom, please see the “EU and UK Privacy Rights” section below. If you reside in the United States or Canada, please see, in addition to all sections except the “EU and UK Privacy Rights” section, the “United States/Canada Privacy Principles” section below. If you are a resident of California and an employee of HR Executive Compliance Council, an applicant for employment at HR Executive Compliance Council, an emergency contact or beneficiary of an employee or applicant for employment at HR Executive Compliance Council, or an independent contractor of HR Executive Compliance Council, we will collect additional Personal Data, including Sensitive Personal Data; please see Section 13 below, in addition to all other sections. Our website may contain links to other websites operated by other organizations that have their own privacy policies. This Privacy Policy does not apply to any third-party websites, applications, or services or to any Personal Data or other information that you may provide to such third parties. Please make sure you read the terms and conditions and privacy policy carefully before providing any Personal Data on a website operated by another organization, as we do not accept any responsibility or liability for websites of other organizations.

"Personal Data" means information that identifies, relates to, describes, is reasonably capable of being associated with, is linked to, or could reasonably be linked, directly or indirectly, to a particular identified or identifiable individual or household. It does not include de-identified or aggregate data or data that is publicly available. Types of Personal Data In this section we have defined the different types of Personal Data. Please note that the fact that we have identified these types of Personal Data does not mean we actually process all data as defined, please read the entire Privacy Policy to understand what data we process and why. Contact Data: This is information that details how we can contact you, such as your physical address, email address, or telephone number. Feedback Data: This is information collected about you as a user of our stores, our website, or our products and services more generally. This may include where you engage with HR Executive Compliance Council in response to a survey or via social media; provide feedback on your shopping experience or on our products and services; or engage with customer service (such as through a telephone call, an online chat, or email). Financial Data: This is information about your bank account or payment card account or other payment methods such as your ApplePay or PayPal account. Identity Data: This is information that helps us identify who you are, such as your name, title, gender, certain preferences, or Order Number. Pseudonymous Data: This is Personal Data that cannot be attributed to a specific individual without the use of additional information. Sensitive Personal Data: This is Personal Data that applicable privacy laws determine to be more sensitive and therefore warranting more protection. Sensitive Personal Data is defined as information that reveals: (a) an individual’s Social Security, passport, or other state identification number; (b) an individual’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (c) an individual’s precise geolocation; (d) an individual’s racial or ethnic origin, religious or philosophical beliefs, mental or physical health, medical treatment or diagnosis, sex life or sexual orientation, citizenship or immigration status, or union membership; (e) the contents of an individual’s mail, email, or text messages, unless the business is the intended recipient of the communication; (f) biometric or genetic information for purposes of uniquely identifying an individual; (g) the contents of your mail, email, or text messages unless we are the intended recipient of the communication; or (h) information collected from a known child. Currently HR Executive Compliance Council only collects Sensitive Personal information if you are a Member and have an account log-in. This information is used solely to maintain your account. We may also Collect Sensitive Personal Information if you submit a job application to us and if you are being employed by us. In such case this information is only used for the application process and/or your employment with HR Executive Compliance Council. Should HR Executive Compliance Council at any other time collect Sensitive Personal Data in our interactions with you, we will provide you clear notice of the type of data we collect, what it is used for, and we will obtain your consent before collecting this data. Technical Data: This is information about your device used to access our website and about how you interact with our products and services. This could be information that identifies your device, its operating system, internet address, your login data; browser and plug-ins; or behavioral data such as browsing history, time spend on website and conversion rates. This allows us to create an analysis of you as a consumer to better judge what products and services to offer. If you use our in-store WIFI we will collect information about where and when you accessed our network. Technical Data is collected through the use of cookies and other techniques, as described elsewhere in this Privacy Policy and in our Cookies Declaration. Transaction Data: This is information about your purchase of a product or service from us. This includes when, where, what, and how you purchased that item or service. It will also include where we sent that product or service and other information related to the purchase itself. Job Applications: If you submit a resume, job application, or related materials or other information to us, we may use that information to evaluate your qualifications and consider or respond to your inquiry or application. Your submission of a resume, job application, or related information does not in any way require us to review that information or consider you for employment. To view career opportunities at HR Executive Compliance Council or to submit a job application, you may be redirected to an online career portal operated by a third party. We encourage you to review any terms and privacy policies posted on that portal (if applicable).

We may collect, use, and disclose Personal Data from you in various situations and for various purposes. A. When you sign-up for our emails In order to receive our e-mails, you will provide us your name and email address. You can sign-up at any time, for example while purchasing online or in our stores, while using the website or during other interactions with us. We may collect: Contact Data and Identity Data. You consent to such processing by signing up. You can withdraw your consent at any time by following the process set out in section 12 below. Purpose and legal basis: We collect and process Personal Data to market our products and services. You consent to this processing by signing up. You can withdraw your consent at any time by following the process set out in Section 12, below. Data disclosure: We may disclose this Personal Data to our IT Providers, Marketing Providers and Analytics Providers. B. When you become a member via our website or in our stores. In order to become a member, you must create an account, which requires providing us your name and email address and creating a password. By becoming a member, you have automatically opted in to receive our e-mails. To further complete your profile, you can provide additional Personal Data and certain preferences. Please note that your account log-in may be regarded as Sensitive Personal Data, by creating a membership account you give your consent in collecting such data. We may collect: Contact Data and Identity Data, and Sensitive Personal Data (meaning account log-in and password). Purpose and legal basis: We collect and process the Contact Data and Identity Data to market our products and services, for customer analysis, for personalization of our website, and for marketing. This is necessary for our legitimate interest of growing our business, marketing our products and developing our website. You consent to this processing by signing up as a member. You can withdraw your consent at any time by following the process set out in section 12, below. We collect account log-in and password to create your password-protected account. Data disclosure: We may disclose this Contact Data and Identity Data to IT Providers, Marketing Providers, and Analytics Providers C. When you browse our website We wish to understand the browsing behavior of our customers and visitors when you browse our website. We use session replay software in order improve our website and fix technical issues. We may collect: Identity Data, Technical Data, Feedback Data and Pseudonymized Data. Purpose and legal basis: We collect Identity Data, Technical Data, Feedback Data, and Pseudonymized Data in order to market our products and services and to understand the browsing behavior of our customers and visitors. This is necessary for our legitimate interest of growing our business, marketing our products and developing our website. You consent to such processing by using our website. If you access our website from Europe (including the UK), you elect to consent to such processing via our cookie consent tool. Data disclosure: We may disclose this Personal Data to IT Providers, Marketing Providers, and Analytics Providers. D. When you shop with us online or place an order via customer service If you place an order, we will need to have Personal Data in order to process your order and payment. We may collect: Identity Data, Contact Data, Financial Data, Transaction Data, Technical Data, Feedback Data, and Pseudonymized Data. Purpose and legal basis: We collect and process the Identity Data, Contact Data, Financial Data, and Transaction Data in order to process your order and payment. Our legal basis for doing this is that it is necessary for the performance of our contract with you. If you have given consent to receive our marketing emails, we may also use your Contact Data to send you marketing communications. Our legal basis for doing this is your consent. You can withdraw your consent at any time by following the process set out in section 12 below. Data disclosure: We may disclose this Personal Data to IT Providers, Marketing Providers, Analytics Providers, Payment Providers, Fraud Detecting Companies, and Logistics Providers. E. When you contact us regarding your order or products or services in general or when you have a complaint or inquiry or wish to return a product. This includes contacting us via a chatbot or live chat, in which case we may keep a copy of the chat. In order to help you with your order, complaint, or inquiries, or if you wish to return a product, we will need to have collect and retain your Personal Data in order to help you in the best possible way, and to generally improve our services. We may collect: Identity Data, Contact Data, and Transaction Data. Purpose and legal basis: If you have contacted us about returning a product, we will use your Personal Data to process (return) orders and payments. Our legal basis for doing this is that it is necessary for the performance of our contract with you. If you have contacted us about a complaint or inquiry, we will use the Personal Data you provide in order to respond to that complaint or inquiry. Our legal basis for doing this is that it is necessary for our legitimate interest of assisting our customers and responding to their complaints. Data disclosure: We may disclose this Personal Data to IT Providers, Payment Providers, and Logistics Providers. F. When you take part in promotions, competitions, surveys, or reviews about our products If you participate in competitions or review our products online, or use “Refer a Friend,” we may collect Personal Data either because we need to be able to contact you or because you want it to become known to the public. We may collect: Identity Data, Contact Data, Technical Data, and Feedback Data. Purpose and legal basis: We collect and process your Personal Data in order to process your participation in the promotion, competition, survey, or review. Our legal basis for doing this is that it is necessary for the performance of our contract with you. We also collect and process the Personal Data for the legitimate interests of marketing our products and services, customer analysis, personalization of our website, and marketing. You also consent to such processing by signing up for the promotion or competition or participating in the survey or review. Data disclosure: We may disclose this Personal Data to IT Providers, Marketing Providers, and Analytics Providers. G. When you follow us on social media If you follow us on social media, like our posts, share our posts, or post on our pages, we may collect Personal Data. We may collect: Identity Data, Contact Data, Technical Data, and Feedback Data. Purpose and legal basis: We collect and process your Personal Data to market our products and services, for customer analysis, and personalization of our website and marketing. These social media companies may share data with us about your use of their services in accordance with their terms and conditions. In addition, we process this Personal Data for the legitimate interest of marketing our products and services, analyzing our customers, personalization of our website, and marketing. Data disclosure: We may disclose this Personal Data to Marketing Service Providers and Analytics Providers. H. When you visit our stores If you visit our stores you may provide your Personal Data by paying for a product or returning a product. You also may have certain inquiries we need to follow-up on. We may collect: Identity Data, Contact Data, Financial Data, and Transaction Data. Purpose and legal basis: We collect and process your Personal Data in order to process your order and payment or process your return of a product, and for fraud detection. Our legal basis for collecting Personal Data related to an order, payment, or a return is that it is necessary for the performance of our contract with you. If you have contacted us about any other inquiry, we will use your Personal Data in order to respond to that inquiry. Our legal basis for doing this is that it is necessary for our legitimate interest of assisting our customers. We may also collect and process the Personal Data for the legitimate interests of marketing our products and services, analyzing our customers, personalization of our website, marketing, and fraud detection. Data disclosure: We may disclose your Personal Data to IT Providers, Marketing Providers, Payment Providers, and Fraud Detection Companies.

We may also collect and process Personal Data about you from other sources, such as public sources, specialist companies that supply information, data brokers or data intelligence companies, and other entities. Examples of information we receive from other sources include Personal Data you have provided to other entities and for which you have given them permission to transfer to others. For example, other Personal Data helps us to review and improve the accuracy of the data we hold and improve and measure the effectiveness of our marketing communications, including online advertising.

We may disclose Personal Data about you to other entities for various reasons, including to provide our goods and services to you, and to deliver advertising targeted to address your interests, as described below. These other entities are required to protect Personal Data in accordance with applicable data protection laws and with our instructions. These other entities may have their own separate privacy policies and cookie notices that apply if you interact with them. The types of entities we disclose Personal Data to include: IT Providers: We use various entities to provide information technology (IT) solutions and/or services, and enable us to operate our IT infrastructure. We need our IT infrastructure to operate our business. Logistics Providers: We use several entities to provide logistical solutions and/or services, which enable us to communicate with customers, and to deliver or accept returns of products you purchased via our website or our stores. Marketing Providers: We use several entities to provide us solutions and/or services to help us market and promote our products and services. Analytics Providers: We use several entities to provide us solutions and/or services to better understand our customers and visitors to our website, to better understand our competition, and to help us prevent misuse of our website. Payment Providers (PP): If you purchase our products via our website or in our stores, your payment is processed via a PP. A PP is a company that offers us services for accepting electronic payments by a variety of payment methods including credit card and bank-based payments such as direct debit, bank transfer, and real-time bank transfer based on online banking. A PP allows us to accept a wide variety of payments through a single channel. The PP works with acquiring banks (payment processors) to manage the entire transaction process from start to finish and as such it is an independent Data Controller. Fraud Detection Companies: In order to prevent fraud, we use companies that specialize in fraud detection. These companies have their own databases and after we provide them with data, they are responsible for decisions on processing Personal Data as it relates to fraud prevention and detection. As such, they are both independent data controllers and Data Processors on our behalf. Social Media: We use social media networks to help us market and promote our products and services and engage with our customers and potential customers. All Data Recipients with which we share your Personal Data are required to protect it in accordance with applicable data protection laws and they may only use it for specified purposes. Apart from sharing Personal Data with the Data Recipients specified above, we might also share Personal Data with other organizations in the following circumstances: • Within the HR Executive Compliance Council where this is necessary for our internal processing purposes; • In the event of a merger, sale, change in control, or reorganization of all or part of our business; • When we are required to disclose Personal Data to respond to subpoenas, court orders, or legal process, or to establish or exercise our legal rights or defend against legal claims; • Where we have a good-faith belief sharing is necessary to investigate, prevent, or take actions regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or violations of our Website Terms of Use, or as otherwise required to comply with our legal obligations; or • As you may otherwise consent from time to time.

We know how important it is to protect and manage your Personal Data. This section sets out some of the measures we have in place. • We process an individual’s Personal Data in a way that is reasonably necessary and proportionate to achieve the purpose(s) for which the personal data was collected or processed. We will not process Personal Data for any additional purposes that are not reasonably necessary to or compatible with the original purposes of the collection or processing without the person’s consent. • We establish, implement, and maintain reasonable administrative, technical, physical, electronic, and procedural safeguards based on industry standards for like-sized businesses based on the volume and type of data we collect and handle, and work to reduce reasonably foreseeable risks in connection with the collection, storage, and disclosure of Personal Data; • We take reasonable and appropriate measures designed to protect the security of your information while it is being transmitted, such as by encrypting it; • We use computer safeguards such as firewalls and data encryption designed to keep data safe; • We only authorize access to employees and trusted partners who need it to carry out their responsibilities; • We regularly monitor our systems for vulnerabilities and attacks, and we carry out penetration testing to identify ways to further strengthen security; • We will ask for proof of identity before we disclose your Personal Data to you; and • We will reveal only the last four digits of your payment card number when confirming an order. While we take appropriate technical and organizational measures to safeguard your Personal Data, it is important that you keep your login details and devices protected from unauthorized access. Personal Data you provide to us should be relevant to the purposes for which it is to be used, and, to the extent necessary for those purposes, should be accurate, complete, and up to date. We value your trust in providing us your information; however, no method of transmission or method of storage is 100% secure and reliable. We cannot guarantee the security of your Personal Data.

Your personal data is stored by us and/or our service providers for as long as necessary to fulfill the specific purpose(s) described herein and to the extent permitted by applicable laws. When we no longer have a legitimate business purpose for your Personal Data, or when you request that we delete your personal data (except where we need to retain it in order to comply with a legal obligation or to establish, exercise, or defend legal claims), we will remove such information from our systems and records and direct our service providers to do the same, which includes taking steps to anonymize it so that you can no longer be identified from it.

We and our partners use cookies and similar technologies, such as tags and pixels (“Cookies”), to personalize and improve your customer experience as you use our website and to provide you with relevant online advertising. We use Cookies to help us remember and process the items in your shopping cart. They are also used to help us understand your preferences based on previous or current site activity, which enables us to provide you with improved services. We also use Cookies to help us compile aggregate data about site traffic and site interaction so that we can offer better site experiences and tools in the future. Please see our Cookies Declaration.(https://www.hrexcc.com/termsofuse) If you’re residing in the US or Canada, please see section 13. If you’re residing in Europe (including the UK), please see section 14. Your browser settings: Browsers automatically accept Cookies. You can use your browser settings to delete existing Cookies. You can also set your browser to notify you each time new Cookies are placed on your computer or other device. You can find more detailed information about how you can manage Cookies through your browser’s help function. Changing your Cookie preferences in one browser will not necessarily carry over to other browsers. You may need to adjust your preferences each time you get a new computer, install a new browser, upgrade an existing browser, or alter or delete a browser’s Cookie file. If you choose to disable some or all Cookies via your browser settings, you may not be able to make full use of our websites. For example, you may not be able to add items to your shopping basket, proceed to checkout, or use any of our products and services that require you to sign in. Opt-Out Preference Signals: An “opt-out preference signal” (including “GPC/Global Privacy Control”) is a signal sent by a platform or technology on behalf of a consumer that communicates the consumer’s choice to opt out of sale or sharing. If you use a browser with an opt-out preference signal, please see section 15.

To provide increased value to you while visiting our website, we may provide links to websites operated by other entities. Once you are visiting another entity’s website, separate data privacy policies and cookie notices might apply, and the data controllers that operate these sites might collect and process your Personal Data and provide it to other parties for reasons other than those set out in our Privacy Policy as this Privacy Policy does not apply to those websites or entities. We have no responsibility or liability for these independent policies or actions, and we are not responsible for the privacy practices or the content of such websites. Nonetheless, we seek to protect the integrity of our website and the links placed upon it and therefore we request feedback on not only our own website, but for websites we link to as well (including if a specific link does not work). We have links of the following third-parties on our website: • Facebook - HR Executive Compliance Council has a social media presence on Facebook, owned by Meta. • Google Maps - HR Executive Compliance Council uses Google maps to locate HR Executive Compliance Council stores near specific locations, and validate addresses entered in checkout. • ID.me (http://ID.me)- ID.me (http://ID.me)is a digital identity network that simplifies how individuals securely prove their identity online. HR Executive Compliance Council offers discounts to select individuals who verify their occupational or education status with this partner. • Instagram - HR Executive Compliance Council has a social media presence on Instagram, owned by Meta. • Klarna –A partner of HR Executive Compliance Council’s used for payment and express checkout options in our online checkout. • Linkedin - HR Executive Compliance Council has a professional presence on LinkedIn, a platform owned by Microsoft. • PayPal – A partner of HR Executive Compliance Council’s used for payment and express checkout options in our online checkout. • Wix – A partner of HR Executive Compliance Council’s used to provide the website, registration, payments and/or any forms necessary to submit a data subject rights request in support of regulations such as the GDPR and CCPA.

We use automated decision-making tools or processes in order to prevent misuse of our website and to prevent fraud when you purchase via our website. This may lead to a refusal of the transaction. Should you not agree with this refusal, please contact our customer service department.

This site is not intended for the use of children under the age of 16, nor do we have a reason to believe children use our site. Cole Haan does not knowingly collect Personally Identifiable Information from any children under 16 years of age. If you learn that a child has provided us with Personal Data, then you may contact us at: info@hrexcc.com(mailto:info@hrexcc.com)

If you at any time choose to no longer receive mailings from us and wish to opt-out from any future mailings, you can unsubscribe via the link at the bottom of the e-mail. Alternatively, you can change your email marketing preferences in your HREXCC account if you are registered. In our stores and via our customer service department, you can opt out of e-mail, phone contact, and/or direct mail. It will take up to 24 hours to make an opt-out effective. We will continue using your e-mail address for other purposes for which we are not relying on your consent, for example, where we need it in order to fulfil an order.

Certain U.S. states and Canada provide their residents with certain rights—subject to all applicable limitations, exemptions, or exceptions— regarding their Personal Data that is collected by businesses, including: The right to receive, at or before the point at which Personal Data is collected, a notice describing the categories of Personal Data to be collected, the categories of third parties Personal Data is shared with, the purposes for which those categories of Personal Data are collected or used, whether that Personal Data is sold or shared (for cross-context behavioral advertising) to third parties, and the length of time each category of Personal Data will be retained or the criteria used to determine that period; the right to request that a business disclose the specific Personal Data it has collected about them (i.e., data portability); the right to request the deletion or correction of certain Personal Data; the right to know what Personal Data about them has been sold, shared, or disclosed for a business purpose to third parties; the right to opt-out of: the sale or sharing of their Personal Data, the use of their Personal Data for targeted advertising, or profiling of them in furtherance of decisions that have legal or other significant impacts on them; the right to limit the use or disclosure of (or completely opt out of, if allowed under applicable privacy law) Sensitive Personal Data; and the right not to receive discriminatory treatment for the exercise of any of these privacy rights. HR Executive Compliance Council (HREXCC) has decided to allow all its customers and other persons in the U.S. and Canada to make the same requests, which we call Personal Data requests, regardless of where they reside and regardless of whether their place of residence affords them the legal right to make such requests. Notwithstanding the foregoing, all applicable exceptions or exemptions under applicable privacy laws apply. HREXCC and its vendors’ response to an individual’s requests may vary depending on the individual’s place of residence. HREXCC reserves the right to discontinue this policy at any time, and at its sole discretion, and to limit Personal Data requests to only those residents of those jurisdictions with privacy laws affording the applicable rights. This section provides information about the types of Personal Data HREXCC collects and discloses to other companies. It also explains how you may make a Personal Data request if you are a U.S. or Canadian resident. The following definitions are important to have a good understanding of this section. “Sell” means disclose Personal Data to a third party for monetary or other valuable consideration. “Share” means disclose Personal Data to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration. “Cross-context behavioral advertising” means the targeting of advertising to a person based on the person’s Personal Data obtained from the person’s activity across businesses, distinctly branded websites, applications, or services, other than HREXCC's. “Targeted advertising” means displaying advertisements to a person where the advertisement is selected based on Personal Data obtained from that person’s activities over time and across nonaffiliated websites or online applications to predict such consumer’s preferences or interests, but does not include advertisements based on activities within HREXCC’s own websites or online applications or in response to a person’s request for information or feedback, or processing Personal Data solely for measuring or reporting advertising performance, reach, or frequency. Request to Know What Personal Data We Have Collected: You may request that we disclose to you the below information. 1. The categories of Personal Data we have collected about you, directly or indirectly, including through or by a service provider or contractor; 2. The categories of sources from which the Personal Data was collected; 3. The business or commercial purpose for collecting or selling Personal Data; 4. The categories of third parties with which we share Personal Data; 5. The categories of Personal Data about you that we have sold or shared and the categories of third parties to which the Personal Data was sold or shared; 6. The categories of Personal Data about you that we disclosed for a business purpose and the categories of third parties to which the Personal Data was disclosed; 7. The specific pieces of Personal Data we have collected about you; Please note that all requested information includes information from a 12-month period preceding our receipt of your request. You may request information beyond this 12-month period, and we will provide the information as long as it is not impossible or involve a disproportionate effort for us to do so. The request for information beyond the 12-month period applies only to information collected on or after January 1, 2022. You may request the disclosure of the information listed above by emailing info@hrexcc.com.(mailto:info@hrexcc.com) You may also request that we transfer specific Personal Data to another entity to the extent technically feasible. We will verify your identity before complying with any such request. In case of an online or telephonic request we will require you to provide your name and e-mail address, after which you will receive an e-mail with the request to confirm your identity. Request Deletion of Personal Data: You may request that we delete any Personal Data about you, and that we notify any service provider, contractor, or third party to delete your Personal Data from its records. Such a request may be referred to as a request to delete. However, your Personal Data may not be deleted if an exemption or exception applies under applicable privacy law. You may request the deletion of your Personal Data by emailing info@hrexcc.com.(mailto:info@hrexcc.com) Before deleting your Personal Data, we will verify your identity. In case of an online or telephonic request we will require you to provide your name and e-mail address, after which you will receive an e-mail with the request to confirm your identity. Request Correction of Personal Data: You may request that we correct any inaccurate Personal Data about you. This request can be made by emailing info@hrexcc.com.(mailto:info@hrexcc.com) We may deny your request subject to any and all exemptions or exceptions that may apply under applicable privacy law. Before correcting your Personal Data, we will verify your identity. In case of an online or telephonic request we will require you to provide your name and e-mail address, the data you believe to be inaccurate, and the corrected data, after which you will receive an e-mail with the request to confirm your identity. Request Opt-Out from Sale or Sharing of Personal Data or Use of Personal Data for Targeted Advertising or Profiling: We do not “sell” Personal Data in the normal sense of that word, meaning we do not provide Personal Data to third parties in exchange for money. However, we do disclose Personal Data to third parties for targeted advertising that is based in part on your activities on our website and elsewhere on the Internet, and such disclosure may constitute a “sale” and/or “sharing” under the law of California or other states. “Profiling” means any form of automated processing performed on Personal Data to evaluate, analyze, or predict personal aspects related to an identified or identifiable natural person’s economic situation, health, personal preferences, interests, reliability, behavior, location, or movements. . We do create consumer profiles in order to better market to consumers. However, we do not engage in profiling that produces legal or similarly significant effects within the meaning of applicable laws. You may direct us not to do the following: • Sell your Personal Data; • Share your Personal Data with third parties for cross-context behavioral advertising; • Use your Personal Data for targeted advertising. You may exercise any of the opt-out options listed above by emailing info@hrexcc.com.(mailto:info@hrexcc.com) Because the Sales and Sharing and targeted advertising mainly takes place via Cookies on our website, you will also need to set your cookie preferences accordingly. We may deny your request subject to any and all exemptions or exceptions that may apply under applicable privacy law. Cookies: We use TrustArc to help you manage Cookies. Consents you have given can be withdrawn again via TrustArc. You can find more information on how we use cookies on the Cookies Declaration page (https://www.colehaan.com/cookie-declaration.html). Opt-Out Preference Signals: If you wish to opt-out via GPC, you must: reside in a state that requires the honoring of GPC signals, use a browser that supports GPC, and opt-out per device you are using. Sensitive Personal Data: Applicable privacy laws specify special categories of Personal Data that are considered Sensitive. HREXCC collects and uses the following categories of Sensitive Personal Data when you voluntarily provide them: (a) an individual’s gender, race, ethnicity and veteran status when applying for a position with Cole Haan (not mandatory); (b) an individual’s, citizenship or immigration status, or union membership, social security/insurance number, passport, work visa information, or other state identification number when becoming an employee of HREXCC; (c) an individual’s account log-in when a Member. HREXCC collects and uses the foregoing categories of Sensitive Personal Data for the following legitimate business purposes: • to carry out our obligations under employment law • for the performance of our contract and to provide services reasonably expected in our relationship • to protect Cole Haan’s legal interests and to ensure the physical safety of the our business and other individuals • as otherwise required by law Where we have a legitimate need to process Sensitive Personal Data for purposes not identified above, we will only do so after providing you with notice and, if required by applicable law, obtaining prior consent. Appeal a Denial of a Personal Data Request: Should we deny your Personal Data request, you may appeal the denial within the time period required under applicable privacy law. You may submit an appeal by emailing HREXCC.com.(http://HREXCC.com) If your appeal is denied, we will provide you with an online mechanism, if available, or other method through which you may contact the Attorney General of your state (or the Minister of Justice for Canadian provinces) to submit a complaint or express your concerns. Authorized Agent: You may use an authorized agent to submit Personal Data requests, including through the use of a technology including, but not limited to, an Internet link or a browser setting, browser extension or global device setting, indicating your intent to opt out of certain processing of Personal Data. To use an authorized agent, you must provide the agent with a signed authorization. We will require the agent to provide us with proof of the signed authorization. In addition, we may require you to verify your identity with us and directly confirm that you authorized the agent to submit the Personal Data request on your behalf. Such requirements, however, will not apply where you have provided the agent with power of attorney pursuant to applicable state or provincial law. Authorized agents may submit Personal Data requests by calling emailing info@hrexcc.com.(mailto:info@hrexcc.com) An authorized agent must include proof of signed permission from the person on whose behalf the agent is submitting the request. For requests to delete, requests to know, and requests to correct, you will also be required to verify your own identity to us and directly confirm that you have provided the authorized agent permission to submit the request; however, this requirement and the requirement that an authorized agent submit proof of signed permission will not apply if you have provided the authorized agent with power of attorney pursuant to applicable state or provincial law (though the agent will be required to submit proof of such power of attorney). In addition, the requirement for an authorized agent to obtain and provide written permission does not apply to requests made by an opt-out preference signal. Non-discrimination: We will not discriminate against a person because the person exercised a Personal Data Request, including, but not limited to, by: 1. Denying goods or services to the person; 2. Charging different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; 3. Providing a different level or quality of goods or services to the person; 4. Suggesting that the person will receive a different price or rate for goods or services or a different level or quality of goods or services; 5. Retaliating against an employee, applicant for employment, or independent contractor for exercising any Personal Data Requests. However, we may offer a person a different price or rate or provide a different level or quality or selection of goods or services if the offer is related to the person’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts, or club card program and the difference is reasonably related to the value provided to us by that person’s Personal Data. In addition, we may offer financial incentives, including payments as compensation, for the collection of Personal Data, the sale or sharing of Personal Data, or the retention of Personal Data. We will provide notice of the material terms of a financial incentive program before a person enrolls, and will enter a person into such a program only if the person gives us prior opt-in consent, which may be revoked by the person at any time. We will not use financial incentive practices that are unjust, unreasonable, coercive, or usurious in nature. Personal Data Collected: In the preceding 12 months, we have collected the following categories of Personal Data from the following sources and for the following purposes. We may collect only certain pieces of Personal Data described in a given category and may not collect certain pieces of Personal Data described in each category. We collect additional categories of Personal Data from California residents who are our employees, applicants for employment, emergency contacts or beneficiaries of employees or applicants, or independent contractors who work with us. Retention of Personal Data: HREXCC will retain the Personal Data only for as long as it is reasonably necessary to fulfill an order, process a return, respond to potential warranty claims, or to protect its financial and legal interests, or to satisfy legal requirements or protect against potential legal claims. If you have signed up marketing e-mails or if you have signed-up as a member, we will keep Personal Data for as long as you are signed-up. If you are a resident of California and an employee of HREXCC, an applicant for employment at HREXCC, an emergency contact or beneficiary of an employee or applicant for employment at HREXCC, or an independent contractor of HREXCC we may retain your Personal Data for as long as needed in order to fulfil our legal and financial obligations as an employer or contract party. Categories of Personal Data “Sold” or “Shared”: In the preceding 12 months, we have “sold” or “shared” for cross-context behavioral advertising the following categories of Personal Data to or with the following categories of third parties for the following business or commercial purposes. While we do not sell Personal Data in the ordinary meaning of that term (i.e., we do not disclose Personal Data to third parties in exchange for money), we may “sell” or "share" within the broad meaning of the laws of some states, such as California, and so are including such disclosures here. HREXCC does not have any knowledge of having “sold” or “shared” the Personal Data of persons under 16 years of age. Categories of Personal Data Disclosed for a Business Purpose: In the preceding 12 months, we have disclosed for a business purpose the following categories of Personal Data about our users to the following categories of third parties (to the extent the disclosure was made to a third party). Below is exclusive of “sale” or “sharing” disclosures as described above.

In this section, “GDPR” includes the EU General Data Protection Regulation and the UK General Data Protection Regulation. International Transfers HR Executive Compliance Council is based in the United States and all of the data we collect is processed in the United States. Note that, by providing your Personal Data to us, you acknowledge that your data will be processed outside the EU/EEA/EFTA/UK. Most of the third parties with whom we share Personal Data of European residents on are based outside the EU/EEA/EFTA/UK. The countries where your data may be transferred to are set out below: Should we transfer your data out of the EU/EEA/EFTA/UK, we will ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented: • We may transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data by the European Commission and/or the UK Information Commissioner’s Office (“ICO ”). • Where we use certain service providers, we may use specific contracts approved by the European Commission and/or ICO which give Personal Data the same protection it has in Europe. • In appropriate circumstances, we may rely on other safeguards allowed by GDPR and UK GDPR, such as arrangements replacing the EU-US Privacy Shield. Please contact us if you want further information on the specific mechanism used by us when transferring your Personal Data out of the EU/EEA/EFTA/UK. Cookies We use TrustArc in order to get your approval for using cookies and to help you manage the acceptance and non-acceptance of Cookies. Consents you have given via TrustArc can be withdrawn again via TrustArc. You can find more information on how we use cookies on the Cookies Declaration page.(https://www.colehaan.com/cookie-declaration.html) What are your rights and how can you exercise them. Under Articles 15 to 22 of the GDPR, data subjects are entitled to exercise certain rights in relation to the Personal Data that Cole Haan holds about them (known as a “Data Subject Request” or “DSR”). Under the GDPR and applicable data protection laws in the EU/EEA/EFTA/UK countries, you have the rights listed and explained below, subject to certain limitations in individual cases. We need to confirm your identity before we can handle your requests. When we refuse your request for legal reasons, we will tell you why. For all inquiries concerning your privacy and Personal Data, please submit a request at this email: info@hrexcc.com.(mailto:info@hrexcc.com) We will verify your identity before complying with any such request. We will require you to provide certain information about you and/or your account with us and you will have to declare that are who you claim to be. Get a copy of your Personal Data You have the right to obtain a copy of your Personal Data, if it does not have negative effect on other people. Access to information about your Personal Data You have the right to know whether or not we use your Personal Data, as well as the following information: a) why we have your Personal Data; b) what categories of data we have; c) what we do with your Personal Data; d) who has access to your Personal Data (and where they are); e) where your Personal Data might be transferred to; f) how long we are keeping your Personal Data; g) if you didn’t provide your Personal Data directly to us, how did we get it; h) your rights under applicable laws and the possibility to restrict processing; and i) if we use your Personal Data for any automated decision-making; and j) in some cases, you have the right to know how our automated decision-making works, if the decision significantly affects you. Make sure your Personal Data are correct You have the right to make sure we are using accurate details about you. Delete your Personal Data You have the right to ask us to delete your Personal Data. Restrict how we use your Personal Data You have the right to ask us to stop doing certain things to your Personal Data when: a) you don’t think we are using the right Personal Data; b) you don't want us to delete your Personal Data, but you also don't think we are complying with the law; c) you want to make a legal complaint against us, but we want to delete the data; or d) you challenge our explanation of our use based on a "legitimate interest". When you successfully restrict how we use your Personal Data, we will only use your Personal Data with your consent, or unless it is required by law. Obtain a portable file so you can share it with another company You have the right to obtain a portable file that contains the Personal Data you provided to us where the legal basis is either consent or the performance of contract and the processing is carried out by automated means. Withdraw your consent When we use your Personal Data based on your consent, you have the right to change your mind and withdraw your consent at any time. Object when we process your Personal Data based on “Legitimate Interest” When we process your Personal Data based on “Legitimate Interest” as specified in this Privacy Notice, you may have the right to disagree and stop us from processing your Personal Data for this purpose. We may have compelling reasons, though, to continue processing your Personal Data even in the light of your objection. In such cases we will provide you with our rationale. We will respect and implement your objection in any case where it is related to direct marketing purposes. Challenge the decision generated by our automated decision-making process When we use automated decision-making tools or processes that lead to an outcome which produces a legal or other significant effect, you may have the right to understand the logic involved, the significance and possible consequences of this process. You may also have the right to request human intervention, especially when this is used to conclude a contract with us. You can challenge our decision by expressing your opinion. File a complaint with your local data protection supervisory authority If you are not happy with how we have handled your Personal Data, or how we have responded to your rights provided here, you have the right to make a complaint against us with your local data protection supervisory authority in the country where you live, work or where the infringement took place. To raise any concerns about our processing of EU/EEA/EFTA/UK data, please contact us at: HR Executive Compliance Council Inc. 1401 21st ST STE R Sacramento, CA, 95811, US info@hrexcc.com (mailto:info@hrexcc.com)

Our website does not respond to Do-Not-Track signals regarding the collection of personally identifiable information about a consumer’s online activities over time. However, as discussed above, Cole Haan provides consumers with the ability to control how their personal information is used or disclosed by allowing them to opt-out of certain uses and disclosures of their Personal Data. Global Privacy Control (GPC) is a browser setting that notifies websites of a user's privacy preferences, such as not to share or sell personal data without their consent, by sending a signal to each website that a user visits. Our website only respects such signals if you reside in a state that requires the honoring of GPC signals. If you wish to opt-out via GPC in such case, you must: use a browser that supports GPC, and opt-out per device you are using.

Our website may incorporate content, including feeds, scripts embedded in the website’s code, and visible content (e.g., videos), provided by third parties. In some cases, those third parties collect data about how you interact with their content. For example, Google Maps or Vimeo. Google Maps. Our website may include Google Maps features and content. Google Maps features and content is subject to the then-current versions of Google Maps/Google Earth Additional Terms of Service at https://maps.google.com/help/terms_maps.html (https://maps.google.com/help/terms_maps.html)and Google Privacy Policy at https://www.google.com/policies/privacy/.(https://www.google.com/policies/privacy/) Vimeo . Our website may use Vimeo to make content in video format available to you. By accessing a part of the Sites where videos are available, watching an embedded video, or otherwise interacting with any content made available through Vimeo, you signify your agreement with Vimeo’s terms and conditions. Vimeo collects and otherwise has access to usage data (e.g., what videos you accessed and watched) through videos embedded in the Services as further described in Vimeo’s Privacy Policy. Vimeo adheres to Google's privacy policies and principles, part of which allow you to control certain privacy settings and which data are collected. For more information, please visit www.vimeo.com.(http://www.vimeo.com)

If you have any questions about this Privacy Policy or our collection, use, or disclosure of information, please contact us via email at info@hrexcc.com.(mailto:info@hrexcc.com)