I. PURPOSE

America’s Group is committed to respecting and protecting all information entrusted to us in the course of our business. This includes confidential and non-public information (“NPI”) that America’s Group may receive from our Consignors concerning their consumer. The purpose of this policy is to establish a companywide approach for the consistent handling and control of all data with respect to NPI, access, and confidentiality. It describes how America’s Group treats and safeguards such Consignor consumer NPI to prevent the compromise and misuse of NPI. America’s Group will make all efforts to ensure that each department within America’s Group applies this policy for the purpose of carrying out business.

II. SCOPE

This policy applies to all employees and contractors who may have access to America’s Group Consignor consumer NPI.

III. NON-PUBLIC IDENTIFIABLE INFORMATION

America’s Group receives only relevant information provided directly to America’s Group by the Consignor or the Consignor’s consumer. NPI includes any and all non-public information or data that identifies or can be used to identify, contact, or locate an individual or that relates to an individual. America’s Group aims to receive only the minimum amount of NPI necessary to provide services to our Consignors. Some examples of NPI that America’s Group may receive in its course of business are names, addresses, phone numbers, driver’s license information, account number, and vehicle information.

IV. RESPONSIBILITY

The IT Department is responsible for security implementation and periodic user access reviews. Security reviews of servers, firewalls, routers, and monitoring platforms will be conducted on a regular basis. Supervisors, managers, and department heads are responsible for ensuring that individuals who work in their department are complying with applicable policies, procedures, and guidelines for safeguarding NPI.

V. PURPOSE FOR WHICH NPI MAY BE USED OR DISCLOSED

America’s Group receives and uses NPI only for purpose of providing services to our Consignors and their consumers. America’s Group acts on the instructions of our Consignors when using their consumers’ NPI. Disclosure depends on the nature of the information and the purpose for which the NPI was disclosed. America’s Group will not disclose and will cause their respective employees not to use or disclose NPI other than as permitted or required under an agreement to carry out the purpose for which the NPI was disclosed and as required by law.

VI. STORING & ACCESSING INFORMATION

The NPI that America’s Group receives is securely stored and is not accessible to third parties. America’s Group will take all necessary precautions to ensure that all NPI is protected from unauthorized access and disclosure and ensure that NPI is not processed in other ways contradictory to this policy. Access to NPI will only be given to individuals who are properly trained and need access to carry out the purpose for which the NPI was disclosed. Access to the network, servers, and systems should be achieved by employees with unique logins and require authentication. Strong passwords are required and must follow America’s Group Password Standard Policy (IT-STD-002). All users of systems that contain NPI and/or confidential data are required to have background checks performed prior to gaining access to information.

VII. RETENTION PERIOD

In general, unless required in connection with the purpose(s) for which it was received, America’s Group keeps NPI for as long as required to fulfill our legal and regulatory obligations. All NPI must be safeguarded and destroyed when there is no longer a business necessity to keep the information. Any information must be destroyed or disposed of in such a way that the information cannot be read or reconstructed, such as shredding for paper documents and erasing for electronic information.

VIII. SHARING INFORMATION

America’s Group does not sell or share information received, except in response to a lawful request issued by a court, government agency, or regulatory authority.

IX. NOTIFICATION OF BREACH

America’s Group will maintain sufficient procedures to detect and respond to security breaches involving NPI. America’s Group will inform Consignors as soon as practicable when America’s Group suspects or learns of malicious activity or any other security breach involving NPI and will take corrective action to cure any deficiencies and take action pertaining to such unauthorized use or disclosure. America’s Group will use reasonable efforts to prevent a recurrence.

X. EXERCISE OF RIGHTS

In the event that a Consignor’s consumer wishes to exercise any rights, such as access or correction, America’s Group will promptly notify the Consignor so that the Consignor can respond.

XI. CCPA COMPLIANCE

America’s Group does not collect or share data from our Consignors’ consumers, nor does it have personal information collected on behalf of our business.