Vistar Media

This Services Privacy Notice (“Notice”) describes how Vistar Media, Inc. (“Vistar”) processes
personal information when providing advertising, measurement, and related services to our
clients. This Notice also describes your choices over such processing.

This Notice applies to only our core services, which help clients identify where and when to
place advertisements on mobile and digital-out-of-home (“DOOH”) media to reach target
audiences (“Services”). This Notice does not describe how we process personal information in
relation to our websites, platforms, and other digital properties (“Sites”). You can read more
about how we process personal information in relation to our Sites by reading our Website
Privacy Notice.

“Personal information” is information that identifies or can be reasonably linked, directly or
indirectly, with an individual. This Notice does not apply to anonymous, de-identified, or
aggregate personal information as defined under applicable law.

This Notice addresses the following topics:

1. How We Collect Personal Information
2. How We Use Personal Information 
3. How We Disclose Personal Information
4. Your Rights Over Your Personal Information  
5. Contact Us 
6. Changes To The Policy 
7. Additional Information For UK & European Residents 
8. Your California Privacy Rights 
9. Your Virginia & Other State Privacy Rights

1. How We Collect Personal Information

We provide the Services using personal information obtained from third parties, such as our
clients, data suppliers, and measurement partners. We may process the following types of
personal information in the course of providing the Services:

• Device Information: We may receive information such as device identifiers, mobile
  advertising identifiers, and device type. We may also receive information regarding
  devices that presented or were near Vistar-facilitated advertisements.
• Demographic Information: We may receive demographic information, such as
  information about income or age range and household locations, associated with device
  identifiers.
• Device Location Histories: We may receive device location histories associated with
  device identifiers.
• Commercial Activity and Preferences: We may receive information about commercial
  activity, such as preferences such as buying preferences, associated with device identifiers. We may also receive survey responses tied to device or other unique identifiers.
• Publicly Available Information: We may also collect publicly available information, such
  as point of interest information.

The Services do not require – and we do not aim to collect – information that directly reveals an
individual’s identity, such as name or email address.

Our clients and data suppliers may collect the information above from individuals using a variety
of technologies, including cookies, software development kits, and other digital trackers
deployed on websites, mobile applications, or other digital services. They might collect device
location information via GPS, WiFi, or other location-based features. You may be able to modify
or disable the sharing of device location in your device settings.

2. How We Use Personal Information

We use the information we collect to provide services to our clients. That includes:

• Learning where to place DOOH ads to best reach defined audiences;
• Delivering ads to DOOH or mobile devices;
• Learning how individuals respond to ads;
• Analyzing device movement patterns;
• Learning whether devices that are exposed to ads are more likely to visit certain locations; and
• Providing clients with reports illustrating how ad exposure may influence consumer outcomes.

We may use or disclose information that is anonymous, de-identified, or aggregated for any
purpose. We do not, and will not attempt to, re-identify de-identified information. Where
permitted by law, we use the information we collect to improve our products and services.

We act as a “data processor” when providing the Services in the European Economic Area
(“EEA”) and the United Kingdom, which means that we process personal information at the
direction and for the benefit of our clients, who are “data controllers” or who act on behalf of
other “data controllers.” Please visit “Additional Information for European Visitors” for more
information about what this means for you.

3. How We Disclose Personal Information

We disclose personal information to the following categories of persons and in the following circumstances:

• Clients: To clients or their agents for their own purposes. The information we disclose may include, for example, information about the devices exposed to Vistar-facilitated advertisements and reports about the impact that Vistar-facilitated advertisements had on consumer preferences and activities. We do not share device location histories with clients.
• Advertising Intermediaries and Market Research Companies: To advertising intermediaries and market research companies involved in the delivery and measurement of advertisements on behalf of our clients. We do not share device location histories with advertising intermediaries and market research companies.
• Service providers. To service providers that process or collect personal information on our behalf, for example to provide services such as marketing support, technical assistance, data hosting, payment processing, customer service support, and data analytics.
• Legal Compliance and Protection of Our Rights: To regulators, law enforcement, government authorities, and other third parties where we believe it necessary to comply with a legal or regulatory obligation, including a court order, subpoena, and regulatory request. We may also disclose information when we believe in good faith that such disclosure will help us protect our rights, interests, or safety, the rights, interests, or safety of third parties, or detect, prevent, or respond to fraud, intellectual property infringement, cybersecurity intrusions, or other illegal activities.
• Transfer of Business Assets. To a third party involved in the consideration, negotiation, or completion of a merger or sale (including transfers made as part of insolvency or bankruptcy proceedings) involving all or part of Vistar or as part of a corporate reorganization or stock sale or other change in corporate control.

We may disclose information that is anonymous, de-identified, or aggregated to any recipient for any purpose.

4. Your Choices

There are many ways to opt out of receiving targeted advertising that our clients may facilitate
using our Platform or other technology. Different devices use different technologies and
identifiers, so users must separately opt out from each browser and device. Once you opt out of
targeted advertising, your personal information will no longer be processed for targeted
advertising on that device or browser.

Mobile Apps and Location Data

Your mobile device may give you the ability to opt out of the use of information regarding the
apps that you use for targeted advertising. You may opt out of the collection of location
information by specific apps or from your entire device at any time by changing your
preferences on your mobile device. For more information regarding your preferences and
options, please see the link found here http://www.networkadvertising.org/mobile-choice and in
the Cookies, Tracking, and Interest-Based Advertising section below.

• Cookies, Tracking, and Interest-Based / Targeted Advertising

If you would like to stop or restrict the placement of cookies or flush any cookies that may
already be on your computer or device, please refer to and adjust your web browser
preferences. Further information on cookies is available at www.allaboutcookies.org. By deleting
cookies or disabling future cookies, you may not be able to access certain areas or features of
certain services or some of its functionality may be affected.

For clarity, cookie-based opt-outs must be performed on each device and browser that you wish
to have opted out. For example, if you have opted out on your device browser, that opt-out will
not be effective on your mobile device. Additionally, if you opt out on one of your devices, that
opt out may not be effective on all of your devices. You must separately opt out on each device.

Please note that cookie-based opt-outs are not effective on some mobile services. Users may
opt out of certain advertisements on mobile applications or reset advertising identifiers via their device settings. To learn how to limit ad tracking or to reset the advertising identifier on your
iOS and Android device, click on the following links:

iOS - https://support.apple.com/en-us/HT202074

Android - https://support.google.com/ads/answer/2662922?hl=en

You may also download and set your preferences on the DAA’s App Choices mobile
application(s) provided by the Digital Advertising Alliance (DAA) available in Google Play or the
Apple App stores to opt-out of behavioral advertising from DAA members.

• Do Not Track

Some browsers have a “do not track” (also known as DNT) feature that lets you tell websites
that you do not want to have your online activities tracked. Please note that, unless required by
law, we do not respond to or honor DNT signals or similar mechanisms transmitted by web
browsers. However, we treat Global Privacy Control signals as opt-out of sharing of personal
information for cross-context behavioral advertising requests under the California Consumer
Privacy Act/California Privacy Rights Act, and as opt-out of processing for targeted advertising
requests under the Virginia Consumer Data Protection Act.

Subject to local law, you may have certain rights over your personal information. These rights
may include, depending on the circumstances, the rights to:

• access your personal information;
• delete personal information collected from you;
• receive additional information regarding the sources from which we collect personal
  information, the purposes for which we collect and share personal information, the
  personal information of yours we hold, and the categories of parties with whom we share
  your personal information;
• not be subject to unlawful discriminatory actions based on exercising your rights;
• stop certain disclosures of your personal information; and
• withdraw any consent you have given to such processing.

If you would like exercise your rights under local law, please contact us at
Privacy@VistarMedia.com, or using our Opt-Out form , or at 1-833-202-5126 to leave us a
message, or send a letter to our Privacy Officer at 149 Fifth Avenue, Sixth Floor, New York NY
10010.

California residents should consult the “Additional Information for California Residents” section
for more information about their rights and additional disclosures.

5. Contact Us

If you have questions or concerns regarding the way in which we process your personal information, please contact us at Privacy@VistarMedia.com.

6. Changes to the Policy

We may modify or update this Notice from time to time. Any modifications or updates that we post will be effective immediately except where prohibited by law or as we otherwise indicate. We will notify you of changes to this Notice by updating the date at the top of this Notice or by providing notice by other means as may be appropriate.

7. Additional Information for UK & European Residents

The Services may be provided to clients subject to the United Kingdom and/or European
Union’s General Data Protection Regulation (“GDPR”). When providing Services to such clients,
Vistar operates as a “data processor,” which means that we collect personal information related
to individuals in the EEA and the United Kingdom only on behalf of and pursuant to the
instructions of our clients, who are “data controllers” or who act on behalf of other “data
controllers.”

In practice, this means we do not collect, use, or retain personal information subject to the
GDPR for our own purposes. At the end of an engagement, we follow our client’s instructions on
how to use and retain personal information subject to the GDPR that we collected on that
client’s behalf.

8. Your California Privacy Rights

In the course of providing the Services, Vistar processes device location histories as a
“business” under the California Consumer Privacy Act (“CCPA”) and California Privacy Rights
Act (“CPRA”), and, collectively, the “California Consumer Privacy Laws”, which means that we
decide how to collect, use, and retain device location histories of California residents. Vistar
provides other aspects of the Services, such as advertisement measurement, as a “service
provider,” which means that we collect, use, disclose, and retain personal information relating to
California residents on behalf of and pursuant to the instructions of our clients.

The rest of this section relates to our processing of personal information as a “business.”

These provisions apply only to California consumers and supplement this Notice. This California
Privacy Rights section describes your rights under the California Consumer Privacy Laws,
explains how you may exercise your rights, and provides an overview on the types of personal
information we collect.

California Consumer Privacy Laws provide you with the following rights:

• Right to know. You have the right to know what categories and specific pieces of
  personal information we collect about you, the sources from which we collect personal
  information, our business or commercial purpose for the collection, use, and sharing of
  your personal information, and any categories of third parties to whom we sell or with
  whom we share your personal information.  
  
  
• Right to data portability. You have the right to request a copy of personal information
  we have collected and maintained about you in the past 12 months. California Consumer
  Privacy Laws allow you to request your information from us up to twice during a twelve
  (12) month period.  We will provide our response in a readily usable format, which is
  usually electronic.
  
  
• Right to delete. You have the right to request that we delete the personal information
  that we have collected from you and maintained, subject to certain exceptions. Please
  note that if you request deletion of your personal information, we may deny your request or may retain certain elements of your personal information if it is necessary for us or our
  service providers to:
  • Complete the transaction for which the personal information was collected,
    provide a good or service requested by you, or reasonably anticipated within the
    context of our ongoing business relationship with you, or otherwise perform a
    contract between our business and you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or
    illegal activity; or prosecute those responsible for that activity.
  • Debug to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another consumer to exercise his or her
    right of free speech, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act pursuant to
    Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal
    Code.
  • Engage in public or peer-reviewed scientific, historical, or statistical research in
    the public interest that adheres to all other applicable ethics and privacy laws,
    when the deletion of the information is likely to render impossible or seriously
    impair the achievement of such research, if you have provided informed consent.
  • To enable solely internal uses that are reasonably aligned with your expectations
    based on your relationship with us.
  • Comply with a legal obligation.
  • Otherwise use the personal information, internally, in a lawful manner that is
    compatible with the context in which you provided the information.
    
    
• Right to opt out of selling or sharing. At the time this Notice was last updated, we do
  “sell” and “share” (as defined in the CCPA) personal information.
  You have the right to opt out of the sale or sharing of your personal information, along
  with the right to later opt in to the sale of such information. If we sell or share any of your
  personal information, you may, at any time, tell us not to sell or share your personal
  information. You can make this request by clicking here. We will also treat Global
  Privacy Control (“GPC”) browser signals as opt-out of sale/share requests.
  
  
• Right to correct. You have the right to request the correction of any personal
  information we maintain about you.
  
  
• Right to nondiscrimination. You have the right not to receive discriminatory treatment
  by us for the exercise of your CCPA privacy rights. Unless permitted by the CCPA, we
  will not:
  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through
    granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a
    different level or quality of goods or services.

We disclose the following categories of personal information to third parties for our business
purposes:

As described in “Your Rights Over Your Personal Information,” California residents have rights
relating to their personal information, including the rights to know and to deletion. Please contact
us at Privacy@VistarMedia.com, or using our Opt-Out form, or at 1-833-202-5126 to leave us a
message, or send a letter to our Privacy Officer at 149 Fifth Avenue, Sixth Floor, New York NY
10010.

Except with respect to opt out requests, we will need to verify your identity and that the
information you requested relates to you before completing your rights request. We will make
every effort to respond to your request within forty-five (45) days from when you contacted us. If
you have a complex request, the California Consumer Privacy Laws allow us up to ninety (90)
days to respond. We will still contact you within forty-five (45) days from when you contacted us
to let you know we need more time to respond.

CALIFORNIA “SHINE THE LIGHT”

Under California Civil Code Section 1798.83 (“Shine the Light”), California residents have the
right to request in writing from businesses with whom they have an established business
relationship: (a) a list of the categories of personal information, as defined under Shine the
Light, such as name, email address, and mailing address, and the type of services provided to
the customer that a business has disclosed to third parties (including affiliates that are separate
legal entities) during the immediately preceding calendar year for the third parties’ direct
marketing purposes; and (b) the names and addresses of all such third parties. To request the
above information, please contact us by email at  Privacy@VistarMedia.com. If you do not want
your personal information shared with any third party who may use such information for direct
marketing purposes, then you may opt out of such disclosures by sending an email to us at
Privacy@VistarMedia.com.

We generally do not associate personal information (such as device history) with identified
individuals when providing the Services, meaning we generally do not have information such as
names or email addresses connected to device location histories. We use device identifiers
(such as mobile advertising identifiers) instead, so please submit your device identifiers with
your request. This will help us determine whether we process information about your device, though we may require additional steps to prove that you own the device to which the identifier
relates.

If you are submitting a request through an authorized agent, the authorized agent must provide
your signed permission alongside the request. We may also request that authorized agents
verify their identity, and we may ask you directly to confirm your identity and that you have
authorized the agent to submit the request on your behalf.

8. Your Virginia & Other State Privacy Rights

Virginia law provides Virginia residents with the rights listed below, subject to applicable law. To
the extent your home state has a similar law that Vistar is subject to, we will provide these same
rights to you. Virginia residents may exercise these rights as detailed below or by visiting the
Opt-Out form.

The categories of personal information we process, our purposes for processing your personal
data, the categories of personal data that we share with third parties and the categories of third
parties with whom we share it are detailed above in this Notice.

Certain rights that you may have concerning your personal data are set forth in this Notice. The
VCDPA provides you with the following additional rights:

• Right to know. You have the right to know and see what personal data we have
  collected about you.
  
  
• Right to data portability. You have the right to obtain a copy of your personal data that
  you previously provided to us in a portable and, when feasible, readily usable format,
  where the processing is carried out by automated means.
  
  
• Right to delete. You have the right to request that we delete the personal data we have
  collected about you.
  
  
• Right to opt out of selling or sharing. You have the right to opt out of the sale of your
  personal data and/or the processing of your personal data for purposes of (i) targeted
  advertising or (ii) profiling in furtherance of decisions that produce legal or similarly
  significant effects concerning you. As of the latest date of the Notice:
  • We do engage in profiling decision based on your personal information that
    produce legal or similarly significant effects concerning you.
  • If you wish to opt out of the processing of your personal information for any of the
    purposes set forth in this sub-section, please click HERE.
    
    
• Right to correct. You have the right to request that we correct inaccurate personal data.
  
  
• Right to nondiscrimination. You have the right not to receive discriminatory treatment
  by us for the exercise of your VCDPA privacy rights. Unless permitted by the VCDPA,
  we will not:
  • Deny you goods or services.
    
  • Charge you different prices or rates for goods or services, including through
    granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
    
  • Suggest that you may receive a different price or rate for goods or services or a
    different level or quality of goods or services.

Exercising Your Virginia Privacy Rights 

If you wish to opt out of the processing of your personal information for targeted advertising,
please click fill out the Opt-Out form.

To exercise any of your Virginia privacy rights, or if you have any questions about your privacy
rights, you may contact us by:

• Calling us at 1-833-202-5126
  
• Emailing us at Privacy@VistarMedia.com

Verification of Your Identity. After submitting a request, we will take steps to verify your
identity in order for us to properly respond and/or confirm that it is not a fraudulent request. In
order to verify your identity, we will request, at a minimum, that you provide your name, email
address, phone number, address, and relationship to us, so that we can seek to match this
information with the information existing in our systems. When providing us this information, you
represent and affirm that all information provided is true and accurate. If we are unable to verify
using reasonably commercial efforts that the consumer submitting the request is the same
individual about whom we have collected personal information, then we are not required to
comply with the request; we may contact you for more information reasonably necessary to
authenticate the request, but ultimately we may not be able to meet your request.

Only you may make a verifiable request related to your personal information. If you are making
a request as the parent or legal guardian of a known child regarding the processing of that
child’s personal information, we may ask you to submit reliable proof of your identity.

Our Response Time to Your Request

We will make every effort to respond to your request within forty-five (45) days from when you
contacted us. If you have a complex request, the VCDPA allows us up to ninety (90) days to
respond. We will still contact you within forty-five (45) days from when you contacted us to let
you know we need more time to respond and the reason for the extension.

Your Right to Appeal

If we decline to take action regarding a request that you have submitted, we will inform you of
our reason for declining to take action and provide instructions for how to appeal the decision. In
the event that we do not respond to a request that you make pursuant to one of the privacy
rights set forth in this Virginia Privacy Rights section, you have the right to appeal our refusal to
take action within a reasonable period of time after you receive our decision. Within 60 days of
our receipt of an appeal, we will inform you in writing of any action taken or not taken in
response to the appeal, including a written explanation of the reasons for the decisions. If the
appeal is denied, we will also provide you with an online mechanism, if available, or other
method through which you may contact the Attorney General to submit a complaint

.Your Nevada Privacy Rights 

If you are a resident of Nevada, you have the right to opt-out of the sale of certain personal
information to third parties who intend to license or sell that personal information. You can
exercise this right by contacting us using the Opt-Out form or email us at
Privacy@VistarMedia.com with the subject line “Nevada Do Not Sell Request” and providing us
with your name and the email address associated with your account.