1. Scope of This Policy

Blueprint Audiences Inc. ("Blueprint," "we," "our," or "us") respects your privacy. This Privacy Policy explains how we collect, use, and share Personal Information that we may learn about you from using our website at https://blueprintaudiences.com (the "Site") or in connection with our products and services, including our DTC Audience offering (collectively, the "Service"). If you have any questions regarding this information or our privacy practices, please contact us via the methods set out in the Contact Us section at the end of this Privacy Policy.

2. Definitions

• "Consumer" generally refers to an individual acting in a personal or household context. However, under certain state privacy laws (for example the California Consumer Privacy Act ("CCPA")), "Consumer" may also refer to an employee or representative of a business.
• "DTC" means Direct-to-Consumer.
• "Inference" means a prediction or conclusion drawn from other information, particularly where health-related attributes are derived from non-health data. Blueprint Audiences does not use Inferences in its audience creation processes.
• "Personal Information" means information that identifies, relates to, describes, or could reasonably be linked, directly or indirectly, with a particular individual.
• "Sale" or "Sharing" of data refers to the exchange of Personal Information for monetary or other valuable consideration, including Sharing for cross-context behavioral advertising.
• "Sensitive Personal Information" means data defined as sensitive under applicable laws (such as health information, race/ethnicity, genetic data, precise geolocation, etc.). Our audience segments do not include or constitute Sensitive Personal Information under any state privacy laws.
• "Targeted Advertising" means displaying advertisements to a Consumer where the advertisement is selected based on Personal Information obtained from the Consumer's activities over time and across nonaffiliated websites or applications.

3. Agreement to Terms

By using or accessing our Service in any manner, you acknowledge that you accept the practices and policies outlined below and the policies outlined in our Terms of Use, and you hereby consent that we may collect, use, and disclose your Personal Information as described in this Privacy Policy. If you do not agree with the terms of this Privacy Policy and our Terms of Use, then you should immediately discontinue use of the Service without providing us with any Personal Information.

4. Information We Collect

We may collect the following categories of Personal Information (a) directly from you (such as when you contact us), (b) from third parties such as licensed data and/or analytics providers, (c) from the device and browser that you use to access the Site, and (d) from cookies and similar technologies.

We collect and use information differently depending on whether it comes from visitors to our Site or is intended for use in connection with our DTC Audience product. For example, our DTC Audience product uses a combination of licensed Personal Information and aggregated health insights, as described below.

4A. Site Visitor Information

Identifiers

We may collect your first name, last name, and email address.

Professional and/or Employment Information

We may collect your job title and the name of your employer.

Other Identifying Information that You Voluntarily Choose to Provide

We may collect identifying information that you choose to include in emails, letters, texts, or other communications that you send to us.

Device Information

We may collect device information when you visit our Site. Device information may include your device type, browser type, online and/or unique identifiers, IP address, and geolocation information.

Internet Activity

We may collect information concerning your interaction with the Site, including when you access the Site and your browsing activity on the Site (such as which pages you visit, in what order, and for how long). This may also include "traffic data" or tracking information provided by the Site's host or similar providers (e.g., Google Analytics) that may be helpful for marketing purposes or for improving the Site.

4B. DTC Audience Information

For our DTC Audience product, we collect and use Personal Information sourced from licensed third-party data providers. This data may include:

Identifiers

We may collect pseudonymous identifiers provided by third parties.

Pseudonymized Information

To create our audience segments, we may work with pseudonymized data sets that could still be considered personal information under applicable privacy laws. While this data is not fully de-identified under HIPAA, it is handled in accordance with HIPAA de-identification standards. Specifically, we apply strong safeguards such as maintaining separation of identifiers, use of secure environments, and contractual restrictions, to prevent re-identification and to ensure that no individual can be reasonably identified from the data we use.

We do not collect, store, or use PHI or Individually Identifiable Health Information, as defined by the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"). Instead, we receive aggregate insights from certified HIPAA-compliant analytics partners. These partners analyze groups and return only statistical summaries showing, for example, that a particular group has a higher-than-average prevalence of a given health condition. We do not receive or use individual-level health data, and we do not make predictions or Inferences about the health status of any identifiable person.

Pseudonymous identifiers and aggregated insights are used exclusively to create and activate pseudonymized audience segments for healthcare advertising purposes. These segments are distributed through approved onboarding and ad delivery partners, but only for campaigns that we or our clients control.

5. Cookies

DTC Audiences

Our DTC Audience offering does not use cookies or track individuals online directly. Instead, our data onboarding and distribution partners handle onboarding and distribution of audiences to advertising platforms.

Site

If you visit our Site, we store certain information that gets collected automatically at our end through cookies and other similar technologies. A cookie is a small string of information that a website that you visit transfers to your browser for identification purposes. Cookies can be used to follow your activity while using a website or across websites, and that information helps companies understand your preference and tendencies, as well as improve and personalize your website experience. Some cookies are necessary to operate a website, while others can be functional or analytical. Cookies on the Site are generally divided into the following categories:

Strictly Necessary Cookies. These are required for the operation of the Site. They include, for example, cookies that ensure that the Site displays properly on your device. These cookies are session cookies that are erased when you close your browser.

Analytical/Performance Cookies. These allow us to recognize and count the number of visitors to the Site and understand how such users navigate through the Site (e.g., when and which pages are visited, in what order the pages are visited, and where a user is located. We also use Google Analytics for part of this process. For more information about Google Analytics, please visit www.google.com/policies/privacy/partners/. Google provides users with the ability to prevent their data from being used by Google Analytics—learn more by going to https://tools.google.com/dlpage/gaoptout.

You can also prevent the use of certain cookies by modifying your Internet browser settings, typically under the sections "Help," "Internet Options," or "Settings." If you disable or delete certain cookies in your Internet browser settings, you may still access our Site, however, you might not be able to access or use important functions or features of our Site.

Do-Not-Track Signals

At this time, we do not recognize automated "do-not-track" browser signals.

6. Children's Privacy

The Service is not intended for users under the age of 18 and Blueprint does knowingly collect or process personal data of individuals under the age of 18. If you are aware of, or suspect that, someone under the age of 18 is using the Service without permission, please notify us immediately by contacting us as detailed in the Contact Us section below. If you have questions or concerns about the Internet and privacy for your child, we encourage you to check out the FTC Guidelines for protecting your child's privacy online.

7. How We Use Personal Information

We collect and use your Personal Information for the following purposes:

• Providing the Service to you and providing products or services requested by, or reasonably anticipated within the context of our relationship with, you;
• Managing our relationship with you, and responding to your inquiries or requests, and requesting feedback;
• Analyzing use of the Site;
• Improving and personalizing your experience with the Service;
• Providing relevant promotional materials or other marketing
• Detecting security incidents and protecting against malicious, deceptive, fraudulent, or illegal activity, or prosecuting those responsible; and
• Complying with legal and regulatory obligations.

Additionally, we may use Personal Information differently for each of our products:

DTC Audiences:

• Create audience segments based on licensed pseudonymized Personal Information;
• Use aggregated health insights to validate the prevalence of certain medical conditions within groups; and
• Distribute segments to advertising platforms via onboarding and delivery partners.

8. How We Disclose Personal Information

We may disclose your Personal Information to the following categories of third parties:

• Service providers, including analytics platforms, onboarding services, and email communication tools. In some instances, service providers will be directly responsible to you for their use of your Personal Information. They may be obliged by law to provide you with additional information regarding the Personal Information that they hold about you and how and why they process that information. Further information may be provided to you in a separate notice or may be obtained from such service providers directly, for example, via their websites. These providers are contractually obligated to handle Personal Information only as necessary to provide their services to us and in accordance with applicable privacy laws.
• Our clients and business partners such as agencies, advertisers, and advertising platforms. We share audience segments with clients in a way that avoids the inclusion of Sensitive Personal information or health Inferences, in accordance with applicable privacy laws.
• Advertising networks to provide you with relevant marketing.
• Advisers and financial institutions, including auditors, notaries, business continuity support service providers, and legal, tax, and risk and compliance advisors.
• With third parties in connection with a change to the control or financial status of the company, including a corporate restructuring, sale, acquisition, financing, reorganization, bankruptcy, receivership, transfer, assignment of assets, or business merger or divestiture. Personal Information and other information may be shared in the diligence process with counterparties and others assisting with the transaction and transferred to a successor or affiliate as part of that transaction.
• Government bodies, dispute resolution organizations, law enforcement agencies, or third parties in connection with (a) responding to a subpoena, search warrant, or other lawful request for information that we receive; (b) cooperating in a law enforcement or similar investigation; or (c) otherwise protecting our rights, as applicable.

9. Your Rights and Choices

If you no longer want to receive our marketing communications, you may unsubscribe at any time by following the unsubscribe link in any Blueprint Audiences marketing email.

Please note that you cannot unsubscribe from certain correspondence from us, including messages relating directly to your use of the Services.

10. Additional Disclosures Required by State Privacy Laws

This section applies only to residents of California, Colorado, Connecticut, Delaware, Iowa, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Utah, and Virginia.

For residents of these states, this section describes how we collect, use, and disclose, and/or "sell" (as defined under certain state privacy laws) the personal information of state residents, and the rights you may have under your state's privacy law. These disclosures are intended to supplement this Privacy Policy with information required by state law.

To understand what personal information we may have collected about you in the past 12 months, and from where we collected it, please see the section Information We Collect above.

We collect this personal information, as further described in the How We Use Personal Information section above, to operate, manage, and maintain our business, to provide our products and services, and to accomplish our business purposes and objectives.

We may disclose personal information to the categories of third parties listed above in the section How We Disclose Personal Information. Below, we have provided more detail regarding the two ways we share your personal information: (a) general disclosures of information for a business or commercial purpose, and (b) "sales" of personal information.

Disclosure of Personal Information for a Business or Commercial Purpose:

To manage our business and provide services to you, we sometimes disclose personal information to third parties. These third parties cannot further collect, sell, or use the personal information we share with them except as necessary to perform our purposes, as instructed by us.

In the past 12 months, we may have disclosed the following categories of personal information for our business or commercial purposes to the categories of recipients listed below:

"Sales" of Personal Information:

Blueprint operates in the audience segment creation business. In this context, we create and make available audience segments to advertisers. These segments are pseudonymized and do not contain information that directly identifies any individual or associate identifiable individuals with any specific diagnoses or health information. However, we may receive monetary compensation from third-party platforms or advertisers for making these segments available for use in advertising. As a result, these disclosures may qualify as a "sale" of personal information under certain state privacy laws, even though the information is not individually identifiable.

In the past 12 months, we may have "sold" the following categories of personal information to the following third parties:

We do not sell, or have actual knowledge of any sale of, the personal information of minors under 16 years of age.

Your Rights:

Depending on the state in which you reside, you may have the following rights, subject to certain limitations:

• Access: You have the right to access a copy of the categories and specific pieces of personal information that we have collected about you.
• Correction: You have the right to request that we correct inaccurate personal information that we hold about you, taking into account the nature of the personal information and the purposes of the processing of the personal information.
• Deletion: You have the right to request that we delete or anonymize your personal information, with certain exceptions.
• Data Portability: You have the right to request a copy of your personal information in a machine-readable format. You can also request that we transmit your personal information to another business where technically feasible.
• Sale and Sharing/Targeted Advertising Opt-out: You have the right to opt-out of the sale of your personal information or the sharing of your personal information for purposes of targeted advertising.

Additional Rights for California Residents:

In addition to the rights listed above, California residents also have the following rights:

• Notice Upon Collection: Under California law, you have the right to notice, upon collection, of the categories of personal information collected and the purposes for which the information will be used. We have provided this notice through this Privacy Policy.
• No Retaliation: You have the right to be free from discrimination or retaliation for exercising your rights under the CCPA.
• Opt-Out of Third-Party Marketing (California "Shine the Light" Disclosure): Under California Civil Code Sections 1798.83-1798.84, California residents are entitled to contact us to prevent disclosure of personal information to third parties for such third parties' direct marketing purposes.

Exercising Your Rights:

You or your authorized agent may exercise your rights to access, correct, transfer, or delete your personal information by submitting a request at https://blueprintaudiences.com/privacy-choices.

You or your authorized agent can also call us toll-free at 833-577-4822 or email us at privacy@blueprintaudiences.com with the subject line "U.S. Privacy Rights" so that we can direct your email to the right team. Once we receive a request, we will take steps to verify your request, including by asking you to provide information that is reasonable in light of the nature of your request. We will respond to your request consistent with applicable law.

Please note, however, before we will be able to process your request for access to or deletion of personal information, we will need to properly verify your identity for security purposes. If we possess appropriate information about you (e.g., name, email address), we will attempt to verify your identity using that information. If it is not reasonably possible to identify you, we may not be able to respond to your request.

To use an authorized agent to make a request on your behalf, we may need the authorized agent to provide proof that you gave the authorized agent signed permission to submit the request on your behalf. We may also require you to verify your identity directly with us.

Appealing a Denial of Your Privacy Rights Request:

If you are a resident of Colorado, Connecticut, Delaware, Iowa, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Tennessee, Texas, or Virginia and we refuse to take action on your privacy rights request within a reasonable period of time after receiving your request in accordance with this section, you may appeal our decision. In such an appeal, you must (1) provide sufficient information to allow us to verify that you are the person about whom the original request pertains and to identify the original request, and (2) provide a description of the basis of your appeal. Please note that your appeal will be subject to the rights and obligations afforded to you under applicable law. We will respond to your appeal in accordance with applicable law.

You may appeal our decision using the following methods:

• Email us at privacy@blueprintaudiences.com with the subject line "Privacy Rights Appeal"; or
• Call us at: 833-577-4822.

11. Data Retention

We retain Personal Information only as long as necessary to fulfill the purposes for which it was collected, comply with our legal obligations, resolve disputes, and enforce our agreements. Retention periods may vary depending on the nature of the information and the context in which it was collected.

12. Data Security

We maintain reasonable technical and organizational measures to protect Personal Information from loss, misuse, alteration, or unintentional destruction. We have implemented various security measures to protect both the Personal Information and the general information that we receive from and about you through the Service. Whenever you give out Personal Information online there is a risk that third parties may intercept and use that information. Although we seek to protect your Personal Information and privacy, we cannot guarantee the security of any information you disclose online. To the extent permitted under applicable law, we assume no liability or responsibility for disclosure of your information due to errors in transmission, unauthorized access by third parties, or other causes beyond our control.

13. Effective Date and Changes to This Policy

This Privacy Policy is effective as of the date at the top of this policy. We have the discretion to update this Privacy Policy at any time. When we do, we will revise the effective date at the top of this page. We encourage users to frequently check this page for any changes and to stay informed about how we are helping to protect the Personal Information we collect. If we make material changes, we will notify users via our website.

14. Contact Us

If you have any questions or concerns about this Privacy Policy or our practices, please contact us at: privacy@blueprintaudiences.com.